popup

Report - crypted.exe

RedLine stealer UPX Malicious Library Malicious Packer AntiDebug AntiVM OS Processor Check PE File PE32
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.07.06 07:29 Machine s1_win7_x6403
Filename crypted.exe
Type PE32 executable (console) Intel 80386, for MS Windows
AI Score
8
 Behavior Score
8.4
ZERO API
VT API (file)
md5 a526acd18299b8959a660ad70ab45acf
sha256 5c30f8ef14364338b6ae9ebe416f1c650eed9c40d514d66d40bf5ca5dc6090a6
ssdeep 12288:6Mra6wNZ0m4DXC19mwjRA844sZ/FLMyf:6MzwLTGXCXH284HLMyf
imphash cba2b01ef63841504879f03f82c47db9
impfuzzy 24:s+5ikbZETKAWJjGHcpVWZLDsl9dtWObJh9r9OovbO3kFZMv1GMAkEZHu9s:D5BOWoHcpVeMptWODZo30FZGm
  Network IP location

Signature (21cnts)

Level Description
danger Executed a process and injected code into it
watch Allocates execute permission to another process indicative of possible code injection
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice One or more potentially interesting buffers were extracted
notice Queries for potentially installed applications
notice Steals private information from local Internet browsers
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Command line console output was observed
info One or more processes crashed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info Tries to locate where the browsers are installed
info Uses Windows APIs to generate a cryptographic key

Rules (15cnts)

Level Name Description Collection
danger RedLine_Stealer_m_Zero RedLine stealer memory
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (1cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
185.157.120.11
whois
Unknown 185.157.120.11

Suricata ids

ET MALWARE RedLine Stealer TCP CnC net.tcp Init

PE API

IAT(Import Address Table) Library

ole32.dll
 0x42c180 CoGetObjectContext
 0x42c184 CoGetApartmentType
KERNEL32.dll
 0x42c000 CreateFileW
 0x42c004 HeapSize
 0x42c008 GetModuleHandleA
 0x42c00c FreeConsole
 0x42c010 GetModuleHandleW
 0x42c014 RaiseException
 0x42c018 GetCurrentThreadId
 0x42c01c IsProcessorFeaturePresent
 0x42c020 GetLastError
 0x42c024 FreeLibraryWhenCallbackReturns
 0x42c028 CreateThreadpoolWork
 0x42c02c SubmitThreadpoolWork
 0x42c030 CloseThreadpoolWork
 0x42c034 GetModuleHandleExW
 0x42c038 MultiByteToWideChar
 0x42c03c InitializeConditionVariable
 0x42c040 WakeConditionVariable
 0x42c044 WakeAllConditionVariable
 0x42c048 SleepConditionVariableSRW
 0x42c04c InitOnceComplete
 0x42c050 InitOnceBeginInitialize
 0x42c054 GetStringTypeW
 0x42c058 InitializeSRWLock
 0x42c05c ReleaseSRWLockExclusive
 0x42c060 AcquireSRWLockExclusive
 0x42c064 TryAcquireSRWLockExclusive
 0x42c068 WideCharToMultiByte
 0x42c06c CloseHandle
 0x42c070 WaitForSingleObjectEx
 0x42c074 QueryPerformanceCounter
 0x42c078 EnterCriticalSection
 0x42c07c LeaveCriticalSection
 0x42c080 InitializeCriticalSectionEx
 0x42c084 DeleteCriticalSection
 0x42c088 EncodePointer
 0x42c08c DecodePointer
 0x42c090 LCMapStringEx
 0x42c094 GetSystemTimeAsFileTime
 0x42c098 GetProcAddress
 0x42c09c WriteConsoleW
 0x42c0a0 GetCPInfo
 0x42c0a4 InitializeCriticalSectionAndSpinCount
 0x42c0a8 SetEvent
 0x42c0ac ResetEvent
 0x42c0b0 CreateEventW
 0x42c0b4 UnhandledExceptionFilter
 0x42c0b8 SetUnhandledExceptionFilter
 0x42c0bc GetCurrentProcess
 0x42c0c0 TerminateProcess
 0x42c0c4 IsDebuggerPresent
 0x42c0c8 GetStartupInfoW
 0x42c0cc GetCurrentProcessId
 0x42c0d0 InitializeSListHead
 0x42c0d4 SetStdHandle
 0x42c0d8 RtlUnwind
 0x42c0dc SetLastError
 0x42c0e0 TlsAlloc
 0x42c0e4 TlsGetValue
 0x42c0e8 TlsSetValue
 0x42c0ec TlsFree
 0x42c0f0 FreeLibrary
 0x42c0f4 LoadLibraryExW
 0x42c0f8 ExitProcess
 0x42c0fc GetModuleFileNameW
 0x42c100 GetStdHandle
 0x42c104 WriteFile
 0x42c108 GetCommandLineA
 0x42c10c GetCommandLineW
 0x42c110 HeapAlloc
 0x42c114 HeapFree
 0x42c118 CompareStringW
 0x42c11c LCMapStringW
 0x42c120 GetLocaleInfoW
 0x42c124 IsValidLocale
 0x42c128 GetUserDefaultLCID
 0x42c12c EnumSystemLocalesW
 0x42c130 GetFileType
 0x42c134 FlushFileBuffers
 0x42c138 GetConsoleOutputCP
 0x42c13c GetConsoleMode
 0x42c140 ReadFile
 0x42c144 GetFileSizeEx
 0x42c148 SetFilePointerEx
 0x42c14c ReadConsoleW
 0x42c150 HeapReAlloc
 0x42c154 FindClose
 0x42c158 FindFirstFileExW
 0x42c15c FindNextFileW
 0x42c160 IsValidCodePage
 0x42c164 GetACP
 0x42c168 GetOEMCP
 0x42c16c GetEnvironmentStringsW
 0x42c170 FreeEnvironmentStringsW
 0x42c174 SetEnvironmentVariableW
 0x42c178 GetProcessHeap

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure