Report - 1.exe

RedLine stealer UPX Malicious Library AntiDebug AntiVM OS Processor Check PE File PE32
Created 2023.07.25 17:22 Machine s1_win7_x6401
Filename 1.exe
Type PE32 executable (console) Intel 80386, for MS Windows
AI Score 2
Behavior Score 13.4
ZERO API file: malware
VT API (file) 41 detected (AIDetectMalware, Emotet, Lazy, Artemis, Vuga, Kryptik, ZexaF, OLW@aSdmxA, Attribute, HighConfidence, malicious, high confidence, HUBU, score, PWSX, RedLineSteal, xmyzk, RedLineNET, USPAXGO23, Static AI, Suspicious PE, Azorult, RedLine, Cordimik, QHJOE0, Detected, R593426, ai score=86, Chgt, Reline, qm9EIMXQRuE, Outbreak, susgen, confidence, 100%)
md5 df53bb96de4749ce780bf8b939dc2cd5
sha256 0279688cc1957dc9ebc67463be23871fae9efb158042e8fce79f4cc0e4085785
ssdeep 24576:5X9hpIwG5PMZ6JgQuUAc3j6pJ/iFpjFl:25PMZ6ttz6pJ/iFNFl
imphash 99618c39aafbf01419fbcd53cea0e110
impfuzzy 24:kJGrjlV90wcpVOsmrYtMS1MGzplJBlxeDoLoEOovbOZFuFZMv1GMApTm+lEZHu9c:GY97cpVOVrYtMS1MGzPXXc3fuFZGVL

Signature (30cnts)

Level Description
danger File has been identified by 41 AntiVirus engines on VirusTotal as malicious
danger Executed a process and injected code into it
watch Allocates execute permission to another process indicative of possible code injection
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
watch Executes one or more WMI queries
watch Harvests credentials from local FTP client software
watch One or more of the buffers contains an embedded PE file
watch Potential code injection by writing to the memory of another process
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Executes one or more WMI queries which can be used to identify virtual machines
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Queries for potentially installed applications
notice Steals private information from local Internet browsers
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Command line console output was observed
info One or more processes crashed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info The executable uses a known packer
info Tries to locate where the browsers are installed
info Uses Windows APIs to generate a cryptographic key

Rules (14cnts)

Level Name Description Collection
danger RedLine_Stealer_m_Zero RedLine stealer memory
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (4cnts)

Request CC ASN Co IP4 Rule ZERO
https://api.ip.sb/ip US CLOUDFLARENET 172.67.75.172 clean
api.ip.sb US CLOUDFLARENET 172.67.75.172 clean
62.72.23.19 DE PTGI International Carrier Services Ltd 62.72.23.19 clean
172.67.75.172 US CLOUDFLARENET 172.67.75.172 malicious

Suricata IDS

PE API

IAT (Import Address Table) Library

USER32.dll
 0x503208 GetClientRect
 0x50320c SetWindowDisplayAffinity
GDI32.dll
 0x503000 RestoreDC
 0x503004 DeleteObject
KERNEL32.dll
 0x503034 HeapSize
 0x503038 CreateFileW
 0x50303c TlsFree
 0x503040 CloseHandle
 0x503044 WaitForSingleObject
 0x503048 CreateThread
 0x50304c FormatMessageA
 0x503050 LocalFree
 0x503054 EncodePointer
 0x503058 DecodePointer
 0x50305c EnterCriticalSection
 0x503060 LeaveCriticalSection
 0x503064 InitializeCriticalSectionEx
 0x503068 DeleteCriticalSection
 0x50306c MultiByteToWideChar
 0x503070 WideCharToMultiByte
 0x503074 LCMapStringEx
 0x503078 GetLocaleInfoEx
 0x50307c GetStringTypeW
 0x503080 CompareStringEx
 0x503084 GetCPInfo
 0x503088 UnhandledExceptionFilter
 0x50308c SetUnhandledExceptionFilter
 0x503090 GetCurrentProcess
 0x503094 TerminateProcess
 0x503098 IsProcessorFeaturePresent
 0x50309c QueryPerformanceCounter
 0x5030a0 GetCurrentProcessId
 0x5030a4 GetCurrentThreadId
 0x5030a8 GetSystemTimeAsFileTime
 0x5030ac InitializeSListHead
 0x5030b0 IsDebuggerPresent
 0x5030b4 GetStartupInfoW
 0x5030b8 GetModuleHandleW
 0x5030bc GetProcessHeap
 0x5030c0 RaiseException
 0x5030c4 RtlUnwind
 0x5030c8 InterlockedPushEntrySList
 0x5030cc InterlockedFlushSList
 0x5030d0 GetLastError
 0x5030d4 SetLastError
 0x5030d8 InitializeCriticalSectionAndSpinCount
 0x5030dc TlsAlloc
 0x5030e0 TlsGetValue
 0x5030e4 TlsSetValue
 0x5030e8 WriteConsoleW
 0x5030ec FreeLibrary
 0x5030f0 GetProcAddress
 0x5030f4 LoadLibraryExW
 0x5030f8 GetStdHandle
 0x5030fc WriteFile
 0x503100 GetModuleFileNameW
 0x503104 ExitProcess
 0x503108 GetModuleHandleExW
 0x50310c GetCommandLineA
 0x503110 GetCommandLineW
 0x503114 GetCurrentThread
 0x503118 HeapFree
 0x50311c HeapAlloc
 0x503120 GetDateFormatW
 0x503124 GetTimeFormatW
 0x503128 CompareStringW
 0x50312c LCMapStringW
 0x503130 GetLocaleInfoW
 0x503134 IsValidLocale
 0x503138 GetUserDefaultLCID
 0x50313c EnumSystemLocalesW
 0x503140 GetFileType
 0x503144 FlushFileBuffers
 0x503148 GetConsoleOutputCP
 0x50314c GetConsoleMode
 0x503150 ReadFile
 0x503154 GetFileSizeEx
 0x503158 SetFilePointerEx
 0x50315c ReadConsoleW
 0x503160 SetConsoleCtrlHandler
 0x503164 HeapReAlloc
 0x503168 GetTimeZoneInformation
 0x50316c OutputDebugStringW
 0x503170 FindClose
 0x503174 FindFirstFileExW
 0x503178 FindNextFileW
 0x50317c IsValidCodePage
 0x503180 GetACP
 0x503184 GetOEMCP
 0x503188 GetEnvironmentStringsW
 0x50318c FreeEnvironmentStringsW
 0x503190 SetEnvironmentVariableW
 0x503194 SetStdHandle

EAT (Export Address Table): none
