Report - dewrww7a1z.exe

RedLine stealer RedLine Infostealer RedlineStealer UPX Malicious Library .NET framework(MSIL) Confuser .NET PWS AntiDebug AntiVM OS Processor Check PE File PE32 .NET EXE
ScreenShot
Created 2023.07.25 19:01 Machine s1_win7_x6401
Filename dewrww7a1z.exe
Type PE32 executable (console) Intel 80386, for MS Windows
AI Score
4
Behavior Score
15.2
ZERO API file : malware
VT API (file)
md5 171411305a3172ab22696c63e445ef64
sha256 9bd1edb757791ded2b625e7dcaa800346c493374e3e1126c084ae08a8b902c1f
ssdeep 49152:q5PMZ6O+sriSrmxT2+x4prtJzpaDO8wCAHN8:ysenT2+Art6O8wCAy
imphash 99618c39aafbf01419fbcd53cea0e110
impfuzzy 24:kJGrjlV90wcpVOsmrYtMS1MGzplJBlxeDoLoEOovbOZFuFZMv1GMApTm+lEZHu9c:GY97cpVOVrYtMS1MGzPXXc3fuFZGVL
  Network IP location

Signature (34cnts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
danger Executed a process and injected code into it
watch Allocates execute permission to another process indicative of possible code injection
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
watch Executes one or more WMI queries
watch Harvests credentials from local FTP client softwares
watch One or more of the buffers contains an embedded PE file
watch Potential code injection by writing to the memory of another process
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
notice A process attempted to delay the analysis task.
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates executable files on the filesystem
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice Executes one or more WMI queries which can be used to identify virtual machines
notice One or more potentially interesting buffers were extracted
notice Potentially malicious URLs were found in the process memory dump
notice Queries for potentially installed applications
notice Steals private information from local Internet browsers
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Command line console output was observed
info One or more processes crashed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info The executable uses a known packer
info This executable has a PDB path
info Tries to locate where the browsers are installed
info Uses Windows APIs to generate a cryptographic key

Rules (25cnts)

Level Name Description Collection
danger detect_Redline_Stealer_V2 (no description) binaries (download)
danger MALWARE_Win_VT_RedLine Detects RedLine infostealer binaries (download)
danger RedLine_Stealer_b_Zero RedLine stealer binaries (download)
danger RedLine_Stealer_m_Zero RedLine stealer memory
watch ConfuserEx_Zero Confuser .NET binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
watch Win32_Trojan_PWS_Net_1_Zero Win32 Trojan PWS .NET Azorult binaries (download)
notice Generic_PWS_Memory_Zero PWS Memory memory
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info Is_DotNET_EXE (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (3cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
23.67.53.17 US Akamai International B.V. 23.67.53.17 clean
176.123.9.85 MD Alexhost Srl 176.123.9.85 mailcious
176.123.9.142 MD Alexhost Srl 176.123.9.142 mailcious

Suricata ids

PE API

IAT(Import Address Table) Library

USER32.dll
 0x503208 GetClientRect
 0x50320c SetWindowDisplayAffinity
GDI32.dll
 0x503000 RestoreDC
 0x503004 DeleteObject
KERNEL32.dll
 0x503034 HeapSize
 0x503038 CreateFileW
 0x50303c TlsFree
 0x503040 CloseHandle
 0x503044 WaitForSingleObject
 0x503048 CreateThread
 0x50304c FormatMessageA
 0x503050 LocalFree
 0x503054 EncodePointer
 0x503058 DecodePointer
 0x50305c EnterCriticalSection
 0x503060 LeaveCriticalSection
 0x503064 InitializeCriticalSectionEx
 0x503068 DeleteCriticalSection
 0x50306c MultiByteToWideChar
 0x503070 WideCharToMultiByte
 0x503074 LCMapStringEx
 0x503078 GetLocaleInfoEx
 0x50307c GetStringTypeW
 0x503080 CompareStringEx
 0x503084 GetCPInfo
 0x503088 UnhandledExceptionFilter
 0x50308c SetUnhandledExceptionFilter
 0x503090 GetCurrentProcess
 0x503094 TerminateProcess
 0x503098 IsProcessorFeaturePresent
 0x50309c QueryPerformanceCounter
 0x5030a0 GetCurrentProcessId
 0x5030a4 GetCurrentThreadId
 0x5030a8 GetSystemTimeAsFileTime
 0x5030ac InitializeSListHead
 0x5030b0 IsDebuggerPresent
 0x5030b4 GetStartupInfoW
 0x5030b8 GetModuleHandleW
 0x5030bc GetProcessHeap
 0x5030c0 RaiseException
 0x5030c4 RtlUnwind
 0x5030c8 InterlockedPushEntrySList
 0x5030cc InterlockedFlushSList
 0x5030d0 GetLastError
 0x5030d4 SetLastError
 0x5030d8 InitializeCriticalSectionAndSpinCount
 0x5030dc TlsAlloc
 0x5030e0 TlsGetValue
 0x5030e4 TlsSetValue
 0x5030e8 WriteConsoleW
 0x5030ec FreeLibrary
 0x5030f0 GetProcAddress
 0x5030f4 LoadLibraryExW
 0x5030f8 GetStdHandle
 0x5030fc WriteFile
 0x503100 GetModuleFileNameW
 0x503104 ExitProcess
 0x503108 GetModuleHandleExW
 0x50310c GetCommandLineA
 0x503110 GetCommandLineW
 0x503114 GetCurrentThread
 0x503118 HeapFree
 0x50311c HeapAlloc
 0x503120 GetDateFormatW
 0x503124 GetTimeFormatW
 0x503128 CompareStringW
 0x50312c LCMapStringW
 0x503130 GetLocaleInfoW
 0x503134 IsValidLocale
 0x503138 GetUserDefaultLCID
 0x50313c EnumSystemLocalesW
 0x503140 GetFileType
 0x503144 FlushFileBuffers
 0x503148 GetConsoleOutputCP
 0x50314c GetConsoleMode
 0x503150 ReadFile
 0x503154 GetFileSizeEx
 0x503158 SetFilePointerEx
 0x50315c ReadConsoleW
 0x503160 SetConsoleCtrlHandler
 0x503164 HeapReAlloc
 0x503168 GetTimeZoneInformation
 0x50316c OutputDebugStringW
 0x503170 FindClose
 0x503174 FindFirstFileExW
 0x503178 FindNextFileW
 0x50317c IsValidCodePage
 0x503180 GetACP
 0x503184 GetOEMCP
 0x503188 GetEnvironmentStringsW
 0x50318c FreeEnvironmentStringsW
 0x503190 SetEnvironmentVariableW
 0x503194 SetStdHandle

EAT(Export Address Table) is none



Similarity measure (PE file only) - Checking for service failure