Field | Value
---|---
Created | 2023.07.20 17:21
Machine | s1_win7_x6401
Filename | @zerOgr4v1ty_crypted.exe
Type | PE32 executable (console) Intel 80386, for MS Windows
AI Score |
Behavior Score |
ZERO API |
VT API (file) | 31 detected (AIDetectMalware, RedLineNET, Artemis, Save, malicious, ZexaF, WDW@aiT5zzf, Attribute, HighConfidence, high confidence, a variant of Generik, IPALZAJ, score, PWSX, Infected, moderate, Raccoon, RedLineSteal, dxcuk, Wacatac, Cordimik, QGEVLX, Detected, Generic@AI, RDML, OILjjDVqAGjQgWuD+JPodA, Static AI, Malicious PE, susgen, PossibleThreat, confidence)
md5 | b273c68306bfba8fe55a39fe29c5a160
sha256 | 90a8447971f2150fe9ba03d2680af7bdd33de721e9e1521166a7826ed143a2d8
ssdeep | 6144:B0TtB357yFQgb8AQ5wDsNXq+2MffwMvrgJngQ8vFr6:B0TtB357GfsN6nMfLcJgQo
imphash | 28f039ba63a716b696dd5058ca2bb671
impfuzzy | 24:7kfdd104cHejMWHcpVGD+th4GhlJe1l39WuPLOovbO3kPvNRZHu9oGMr:AJ04cHbWHcpVLth4G6pn630nr
Signature (29cnts)
Level | Description |
---|---|
danger | Executed a process and injected code into it |
danger | File has been identified by 31 AntiVirus engines on VirusTotal as malicious |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
watch | Executes one or more WMI queries |
watch | Harvests credentials from local FTP client software |
watch | Looks for the Windows Idle Time to determine the uptime |
watch | One or more of the buffers contains an embedded PE file |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks adapter addresses which can be used to detect virtual network interfaces |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Executes one or more WMI queries which can be used to identify virtual machines |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Queries for potentially installed applications |
notice | Steals private information from local Internet browsers |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | One or more processes crashed |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | Tries to locate where the browsers are installed |
info | Uses Windows APIs to generate a cryptographic key |
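The four `watch` signatures on cross-process activity (executable allocation in another process, a write into that process, NtSetContextThread on its thread, then resuming a suspended thread) are the classic process-hollowing sequence, and a sandbox or EDR correlator scores them as a chain per (source, target) pair rather than one call at a time. The script below is an added example, not part of this report or of the sandbox's own signature engine: it groups API events by source and target pid, discards self-modification (the "unpack itself" notice, which fires on nearly every packed sample), and emits a verdict only when the stages line up. The event layout (`pid`, `api`, `args` with `target_pid`, `protection`, `creation_flags`, `child_pid`) and `SAMPLE_TRACE` are constructed for the example; the API names are the ones the signatures refer to.

```python
"""Correlate sandbox API events into a process-injection verdict.

Added example; the event schema and SAMPLE_TRACE are constructed, not taken
from the report above.
"""
from collections import defaultdict

CREATE_SUSPENDED = 0x00000004      # dwCreationFlags bit in CreateProcess*
PAGE_EXECUTE_MASK = 0x000000F0     # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY

# Map the calls the report's signatures describe onto injection stages.
STAGE_OF_API = {
    "NtAllocateVirtualMemory": "alloc_exec",
    "VirtualAllocEx": "alloc_exec",
    "NtProtectVirtualMemory": "alloc_exec",   # RW -> RX flip counts the same way
    "NtWriteVirtualMemory": "write",
    "WriteProcessMemory": "write",
    "NtSetContextThread": "set_context",
    "SetThreadContext": "set_context",
    "NtResumeThread": "resume",
    "ResumeThread": "resume",
    "CreateRemoteThread": "remote_thread",
    "NtCreateThreadEx": "remote_thread",
}
PROCESS_CREATORS = {"CreateProcessA", "CreateProcessW", "CreateProcessInternalW"}


def analyze(trace):
    """Return {(src_pid, dst_pid): {"stages": [...], "verdict": str}}.

    Only cross-process events are scored; a process allocating RWX in
    itself is left to the unpacking signature.
    """
    suspended = set()            # (parent, child) created with CREATE_SUSPENDED
    stages = defaultdict(set)    # (src, dst) -> stages observed
    for ev in trace:
        src, api, args = ev["pid"], ev["api"], ev["args"]
        if api in PROCESS_CREATORS:
            if args.get("creation_flags", 0) & CREATE_SUSPENDED:
                suspended.add((src, args["child_pid"]))
            continue
        stage = STAGE_OF_API.get(api)
        if stage is None:
            continue
        dst = args.get("target_pid", src)    # assumed: sandbox resolved handle -> pid
        if dst == src:
            continue
        if stage == "alloc_exec" and not (args.get("protection", 0) & PAGE_EXECUTE_MASK):
            continue                         # a plain RW remote allocation is not the signal
        stages[(src, dst)].add(stage)

    verdicts = {}
    for key, seen in stages.items():
        if key in suspended and {"write", "set_context", "resume"} <= seen:
            verdict = "process hollowing"
        elif "write" in seen and seen & {"remote_thread", "set_context", "resume"}:
            verdict = "code injection"
        else:
            verdict = "partial injection chain"
        verdicts[key] = {"stages": sorted(seen), "verdict": verdict}
    return verdicts


# Constructed trace: self-unpack, then hollowing of a suspended child,
# then a lone remote write with no execution trigger.
SAMPLE_TRACE = [
    {"pid": 2132, "api": "NtAllocateVirtualMemory",
     "args": {"target_pid": 2132, "protection": 0x40}},               # self RWX: unpacking
    {"pid": 2132, "api": "CreateProcessW",
     "args": {"creation_flags": CREATE_SUSPENDED, "child_pid": 2468}},
    {"pid": 2132, "api": "NtAllocateVirtualMemory",
     "args": {"target_pid": 2468, "protection": 0x40}},               # PAGE_EXECUTE_READWRITE
    {"pid": 2132, "api": "NtWriteVirtualMemory",
     "args": {"target_pid": 2468, "size": 0x1A000}},
    {"pid": 2132, "api": "NtSetContextThread", "args": {"target_pid": 2468}},
    {"pid": 2132, "api": "NtResumeThread", "args": {"target_pid": 2468}},
    {"pid": 2132, "api": "WriteProcessMemory",
     "args": {"target_pid": 3100, "size": 0x200}},                    # lone write: no trigger
]

if __name__ == "__main__":
    for (src, dst), r in analyze(SAMPLE_TRACE).items():
        print(f"{src} -> {dst}: {r['verdict']} ({', '.join(r['stages'])})")
```

The "partial injection chain" bucket is deliberately kept rather than dropped: a write with no resume or thread creation is what a sample that crashed mid-injection (note the "One or more processes crashed" entry above) or a sandbox that missed a hooked call looks like, and it is worth surfacing at a lower level instead of silently discarding.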
Rules (13cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Suricata ids
ET MALWARE RedLine Stealer TCP CnC net.tcp Init
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
PE API
IAT (Import Address Table) Library
USER32.dll
0x416140 GetPhysicalCursorPos
ole32.dll
0x416148 CoCancelCall
COMCTL32.dll
0x416000 InitializeFlatSB
0x416004 FlatSB_ShowScrollBar
0x416008 None
0x41600c ImageList_SetDragCursorImage
KERNEL32.dll
0x416014 CreateFileW
0x416018 WriteConsoleW
0x41601c GetStartupInfoW
0x416020 Sleep
0x416024 CloseHandle
0x416028 WaitForSingleObjectEx
0x41602c GetCurrentThreadId
0x416030 GetExitCodeThread
0x416034 QueryPerformanceCounter
0x416038 EnterCriticalSection
0x41603c LeaveCriticalSection
0x416040 InitializeCriticalSectionEx
0x416044 DeleteCriticalSection
0x416048 GetSystemTimeAsFileTime
0x41604c GetModuleHandleW
0x416050 GetProcAddress
0x416054 UnhandledExceptionFilter
0x416058 SetUnhandledExceptionFilter
0x41605c GetCurrentProcess
0x416060 TerminateProcess
0x416064 IsProcessorFeaturePresent
0x416068 GetCurrentProcessId
0x41606c InitializeSListHead
0x416070 IsDebuggerPresent
0x416074 DecodePointer
0x416078 RaiseException
0x41607c RtlUnwind
0x416080 GetLastError
0x416084 SetLastError
0x416088 EncodePointer
0x41608c InitializeCriticalSectionAndSpinCount
0x416090 TlsAlloc
0x416094 TlsGetValue
0x416098 TlsSetValue
0x41609c TlsFree
0x4160a0 FreeLibrary
0x4160a4 LoadLibraryExW
0x4160a8 CreateThread
0x4160ac ExitThread
0x4160b0 FreeLibraryAndExitThread
0x4160b4 GetModuleHandleExW
0x4160b8 GetStdHandle
0x4160bc WriteFile
0x4160c0 GetModuleFileNameW
0x4160c4 ExitProcess
0x4160c8 GetCommandLineA
0x4160cc GetCommandLineW
0x4160d0 HeapAlloc
0x4160d4 HeapFree
0x4160d8 CompareStringW
0x4160dc LCMapStringW
0x4160e0 GetFileType
0x4160e4 GetFileSizeEx
0x4160e8 SetFilePointerEx
0x4160ec FindClose
0x4160f0 FindFirstFileExW
0x4160f4 FindNextFileW
0x4160f8 IsValidCodePage
0x4160fc GetACP
0x416100 GetOEMCP
0x416104 GetCPInfo
0x416108 MultiByteToWideChar
0x41610c WideCharToMultiByte
0x416110 GetEnvironmentStringsW
0x416114 FreeEnvironmentStringsW
0x416118 SetEnvironmentVariableW
0x41611c SetStdHandle
0x416120 GetStringTypeW
0x416124 GetProcessHeap
0x416128 FlushFileBuffers
0x41612c GetConsoleOutputCP
0x416130 GetConsoleMode
0x416134 HeapSize
0x416138 HeapReAlloc
EAT (Export Address Table): none
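Almost every entry in the table above is MSVC runtime boilerplate (TLS slots, heap, code-page and console helpers, the unhandled-exception filter) plus a handful of decorative COMCTL32, USER32 and ole32 imports; the stealer that the VT names and Suricata alerts point to (RedLine, a .NET payload) never appears here because it is unpacked in memory and injected into another process, as the signatures above record. The imphash in the header therefore fingerprints the crypter stub, not the payload, and the same stub wrapped around a different payload hashes identically. The script below is an added example, not the sandbox's code, showing how that value is derived with the pefile algorithm: DLL name lowercased and stripped of its `.dll`/`.ocx`/`.sys` extension, function name lowercased, ordinal imports rendered as `ord<N>`, entries joined as `dll.func` with commas in import-directory order, then MD5. It uses the import list transcribed from this page in ascending IAT address order, which is assumed to match the descriptor order; the COMCTL32 entry the page shows as `None` is an ordinal import whose number the page does not give, so it is omitted and the computed value is not expected to equal the report's `28f039ba63a716b696dd5058ca2bb671`. pefile also maps ordinals of a few well-known DLLs (ws2_32, oleaut32) back to names through a lookup table; this example does not.

```python
"""Reimplementation of the pefile imphash for an import list.

Added example, not the sandbox's code. REPORT_IAT is transcribed from the
IAT table on this page; the unresolved COMCTL32 ordinal is omitted.
"""
import hashlib

_KERNEL32 = """
CreateFileW WriteConsoleW GetStartupInfoW Sleep CloseHandle WaitForSingleObjectEx
GetCurrentThreadId GetExitCodeThread QueryPerformanceCounter EnterCriticalSection
LeaveCriticalSection InitializeCriticalSectionEx DeleteCriticalSection GetSystemTimeAsFileTime
GetModuleHandleW GetProcAddress UnhandledExceptionFilter SetUnhandledExceptionFilter
GetCurrentProcess TerminateProcess IsProcessorFeaturePresent GetCurrentProcessId
InitializeSListHead IsDebuggerPresent DecodePointer RaiseException RtlUnwind GetLastError
SetLastError EncodePointer InitializeCriticalSectionAndSpinCount TlsAlloc TlsGetValue
TlsSetValue TlsFree FreeLibrary LoadLibraryExW CreateThread ExitThread
FreeLibraryAndExitThread GetModuleHandleExW GetStdHandle WriteFile GetModuleFileNameW
ExitProcess GetCommandLineA GetCommandLineW HeapAlloc HeapFree CompareStringW LCMapStringW
GetFileType GetFileSizeEx SetFilePointerEx FindClose FindFirstFileExW FindNextFileW
IsValidCodePage GetACP GetOEMCP GetCPInfo MultiByteToWideChar WideCharToMultiByte
GetEnvironmentStringsW FreeEnvironmentStringsW SetEnvironmentVariableW SetStdHandle
GetStringTypeW GetProcessHeap FlushFileBuffers GetConsoleOutputCP GetConsoleMode
HeapSize HeapReAlloc
""".split()

# (dll, function name or ordinal number), in ascending IAT address order.
# Assumption: this is also the import-descriptor order pefile would walk.
REPORT_IAT = (
    [("COMCTL32.dll", f) for f in ("InitializeFlatSB", "FlatSB_ShowScrollBar",
                                   "ImageList_SetDragCursorImage")]
    + [("KERNEL32.dll", f) for f in _KERNEL32]
    + [("USER32.dll", "GetPhysicalCursorPos"), ("ole32.dll", "CoCancelCall")]
)


def imphash_string(imports):
    """Build the 'dll.func,dll.func,...' string that pefile hashes."""
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        name = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{lib}.{name}")
    return ",".join(parts)


def imphash(imports):
    """MD5 of the normalised import string, as pefile.PE.get_imphash() does."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


def report_imphash():
    return imphash(REPORT_IAT)


if __name__ == "__main__":
    print(len(REPORT_IAT), "imports ->", report_imphash())
```

Two properties matter when you pivot on this value: it is order-sensitive (the same imports in a different descriptor order give a different hash, which is why two builds of one crypter can still diverge) and it is case-insensitive (so `KERNEL32.DLL` and `kernel32.dll` collapse together). Pivoting on it finds other samples of the same crypter build, which is usually more useful for clustering a distribution campaign than the payload family name the AV engines return.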