popup

Report - NvProfileUpdate.exe

UPX Malicious Library AntiDebug AntiVM OS Processor Check PE File PE32
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.07.17 16:43 Machine s1_win7_x6403
Filename NvProfileUpdate.exe
Type PE32 executable (console) Intel 80386, for MS Windows
AI Score
3
 Behavior Score
12.6
ZERO API file : malware
VT API (file) 33 detected (AIDetectMalware, malicious, high confidence, RedLineNET, GenericKD, unsafe, Vtfo, confidence, 100%, ZexaE, QGW@aq1x7Jdi, ABRisk, KSGQ, Attribute, HighConfidence, GenKryptik, GLWK, score, PWSX, RedLineSteal, ugxqv, Infected, Sabsik, Cordimik, Y8DLSH, Detected, GenericRXVT, StupidPInvoker, Chgt, Generic@AI, RDML, fXCblHBMcP, JG2vAglw, Redline, susgen)
md5 15eb8ad14a87788df162588c878c6789
sha256 f264b8399bdea1bdcbf1f2e70a1c185a8df97638ba9c171e51a5bf1ee0e748da
ssdeep 12288:8n1st25/ZyKB9UyTLrY1XbYcF9u2qgqqytK/YTkALrPGGyf0a3yerTZ:6O25/7rYbFZqrKAJrGGyf09c
imphash 366b889fbf8b867e33436fbbbc4d0c58
impfuzzy 48:gaDaxYWJcpH+zD9nsXtXOth1zSpU63TuFZ+b:gaDaxYWJcpH+X6XtXOth1GpUf6
  Network IP location

Signature (28cnts)

Level Description
danger Executed a process and injected code into it
danger File has been identified by 33 AntiVirus engines on VirusTotal as malicious
watch Allocates execute permission to another process indicative of possible code injection
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
watch Executes one or more WMI queries
watch Harvests credentials from local FTP client softwares
watch Looks for the Windows Idle Time to determine the uptime
watch One or more of the buffers contains an embedded PE file
watch Potential code injection by writing to the memory of another process
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Executes one or more WMI queries which can be used to identify virtual machines
notice One or more potentially interesting buffers were extracted
notice Queries for potentially installed applications
notice Steals private information from local Internet browsers
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info One or more processes crashed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info The executable uses a known packer
info This executable has a PDB path
info Tries to locate where the browsers are installed
info Uses Windows APIs to generate a cryptographic key

Rules (13cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (1cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
135.181.205.149
whois
DE Hetzner Online GmbH 135.181.205.149 mailcious

Suricata ids

ET MALWARE RedLine Stealer TCP CnC net.tcp Init
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response

PE API

IAT(Import Address Table) Library

ole32.dll
 0x4752bc CoCancelCall
ADVAPI32.dll
 0x475000 DeregisterEventSource
KERNEL32.dll
 0x475030 WriteConsoleW
 0x475034 RaiseException
 0x475038 Sleep
 0x47503c LoadLibraryW
 0x475040 CloseHandle
 0x475044 WaitForSingleObjectEx
 0x475048 SwitchToThread
 0x47504c GetCurrentThreadId
 0x475050 GetExitCodeThread
 0x475054 GetNativeSystemInfo
 0x475058 QueryPerformanceCounter
 0x47505c QueryPerformanceFrequency
 0x475060 InitializeSRWLock
 0x475064 ReleaseSRWLockExclusive
 0x475068 AcquireSRWLockExclusive
 0x47506c EnterCriticalSection
 0x475070 LeaveCriticalSection
 0x475074 InitializeCriticalSectionEx
 0x475078 TryEnterCriticalSection
 0x47507c DeleteCriticalSection
 0x475080 InitializeConditionVariable
 0x475084 WakeConditionVariable
 0x475088 WakeAllConditionVariable
 0x47508c SleepConditionVariableCS
 0x475090 SleepConditionVariableSRW
 0x475094 FormatMessageA
 0x475098 SetFileInformationByHandle
 0x47509c FlsAlloc
 0x4750a0 FlsGetValue
 0x4750a4 FlsSetValue
 0x4750a8 FlsFree
 0x4750ac InitOnceExecuteOnce
 0x4750b0 CreateEventExW
 0x4750b4 CreateSemaphoreExW
 0x4750b8 FlushProcessWriteBuffers
 0x4750bc GetCurrentProcessorNumber
 0x4750c0 GetSystemTimeAsFileTime
 0x4750c4 GetTickCount64
 0x4750c8 FreeLibraryWhenCallbackReturns
 0x4750cc CreateThreadpoolWork
 0x4750d0 SubmitThreadpoolWork
 0x4750d4 CloseThreadpoolWork
 0x4750d8 CreateThreadpoolTimer
 0x4750dc SetThreadpoolTimer
 0x4750e0 WaitForThreadpoolTimerCallbacks
 0x4750e4 CloseThreadpoolTimer
 0x4750e8 CreateThreadpoolWait
 0x4750ec SetThreadpoolWait
 0x4750f0 CloseThreadpoolWait
 0x4750f4 GetModuleHandleW
 0x4750f8 GetProcAddress
 0x4750fc GetFileInformationByHandleEx
 0x475100 CreateSymbolicLinkW
 0x475104 LocalFree
 0x475108 UnhandledExceptionFilter
 0x47510c SetUnhandledExceptionFilter
 0x475110 GetCurrentProcess
 0x475114 TerminateProcess
 0x475118 IsProcessorFeaturePresent
 0x47511c GetCurrentProcessId
 0x475120 InitializeSListHead
 0x475124 IsDebuggerPresent
 0x475128 GetStartupInfoW
 0x47512c CreateFileW
 0x475130 DecodePointer
 0x475134 RtlUnwind
 0x475138 InterlockedPushEntrySList
 0x47513c InterlockedFlushSList
 0x475140 GetLastError
 0x475144 SetLastError
 0x475148 EncodePointer
 0x47514c InitializeCriticalSectionAndSpinCount
 0x475150 TlsAlloc
 0x475154 TlsGetValue
 0x475158 TlsSetValue
 0x47515c TlsFree
 0x475160 FreeLibrary
 0x475164 LoadLibraryExW
 0x475168 CreateThread
 0x47516c ExitThread
 0x475170 ResumeThread
 0x475174 FreeLibraryAndExitThread
 0x475178 GetModuleHandleExW
 0x47517c GetStdHandle
 0x475180 WriteFile
 0x475184 GetModuleFileNameW
 0x475188 ExitProcess
 0x47518c GetCommandLineA
 0x475190 GetCommandLineW
 0x475194 GetCurrentThread
 0x475198 HeapAlloc
 0x47519c HeapFree
 0x4751a0 GetDateFormatW
 0x4751a4 GetTimeFormatW
 0x4751a8 CompareStringW
 0x4751ac LCMapStringW
 0x4751b0 GetLocaleInfoW
 0x4751b4 IsValidLocale
 0x4751b8 GetUserDefaultLCID
 0x4751bc EnumSystemLocalesW
 0x4751c0 SetConsoleCtrlHandler
 0x4751c4 GetFileType
 0x4751c8 GetFileSizeEx
 0x4751cc SetFilePointerEx
 0x4751d0 OutputDebugStringW
 0x4751d4 FindClose
 0x4751d8 FindFirstFileExW
 0x4751dc FindNextFileW
 0x4751e0 IsValidCodePage
 0x4751e4 GetACP
 0x4751e8 GetOEMCP
 0x4751ec GetCPInfo
 0x4751f0 MultiByteToWideChar
 0x4751f4 WideCharToMultiByte
 0x4751f8 GetEnvironmentStringsW
 0x4751fc FreeEnvironmentStringsW
 0x475200 SetEnvironmentVariableW
 0x475204 SetStdHandle
 0x475208 GetStringTypeW
 0x47520c GetProcessHeap
 0x475210 FlushFileBuffers
 0x475214 GetConsoleOutputCP
 0x475218 GetConsoleMode
 0x47521c HeapSize
 0x475220 HeapReAlloc
 0x475224 ReadFile
 0x475228 ReadConsoleW

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure