Field | Value |
---|---|
Created | 2023.07.25 19:17 |
Machine | s1_win7_x6403 |
Filename | heaoyam78.exe |
Type | PE32 executable (console) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 25 detected (AIDetectMalware, malicious, high confidence, Save, ZexaF, qq2@au4q, Kryptik, Eldorado, Attribute, HighConfidence, GenKryptik, GMEO, score, PWSX, high, Sabsik, Detected, unsafe, Generic@AI, RDML, G1BRsC45oj, Z9A1QtwFR1A, Static AI, Malicious PE, confidence, 100%) |
md5 | 48761f8b0576e7bed627120ff51b4863 |
sha256 | cc499fffbab36b8cf303fa4f9bc26799497c0dfa94eb71ef1480ba774d71637a |
ssdeep | 3072:1KnQwd/gQU58zzwfyVjjs5D7ONGydJpXGU+UzgyFa0Um0GH5L8QVxDj+:1KnX/MITs1SpXIUzgyIF4ZL8QG |
imphash | 49a974ece3bbf5d3a2072773ace1c1b7 |
impfuzzy | 24:DjlNDoryqP1jdHOovb/J3InKQFQ8RyvDklRT4F0afplDHM:A1JuYQK3D+cF0afpxHM |
Network IP location
Signature (23cnts)
Level | Description |
---|---|
danger | Executed a process and injected code into it |
warning | File has been identified by 25 AntiVirus engines on VirusTotal as malicious |
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
watch | Harvests credentials from local FTP client software |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | An executable file was downloaded by the process heaoyam78.exe |
notice | Checks adapter addresses which can be used to detect virtual network interfaces |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates executable files on the filesystem |
notice | Drops a binary and executes it |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Queries for potentially installed applications |
notice | Steals private information from local Internet browsers |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | One or more processes crashed |
info | Queries for the computername |
info | Tries to locate where the browsers are installed |
info | Uses Windows APIs to generate a cryptographic key |
Rules (12cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | IsPE64 | (no description) | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET MALWARE RedLine Stealer TCP CnC net.tcp Init
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET INFO Executable Download from dotted-quad Host
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x40f000 GetACP
0x40f004 Sleep
0x40f008 WaitForSingleObject
0x40f00c CreateThread
0x40f010 lstrlenW
0x40f014 VirtualProtect
0x40f018 GetProcAddress
0x40f01c LoadLibraryA
0x40f020 VirtualAlloc
0x40f024 LockResource
0x40f028 LoadResource
0x40f02c SizeofResource
0x40f030 FindResourceW
0x40f034 GetModuleHandleW
0x40f038 GetLastError
0x40f03c CreateMutexA
0x40f040 GetModuleHandleA
0x40f044 OpenWaitableTimerA
0x40f048 GetConsoleWindow
0x40f04c RtlUnwind
0x40f050 GetCommandLineA
0x40f054 TlsGetValue
0x40f058 TlsAlloc
0x40f05c TlsSetValue
0x40f060 TlsFree
0x40f064 InterlockedIncrement
0x40f068 SetLastError
0x40f06c GetCurrentThreadId
0x40f070 InterlockedDecrement
0x40f074 SetUnhandledExceptionFilter
0x40f078 ExitProcess
0x40f07c WriteFile
0x40f080 GetStdHandle
0x40f084 GetModuleFileNameA
0x40f088 FreeEnvironmentStringsA
0x40f08c GetEnvironmentStrings
0x40f090 FreeEnvironmentStringsW
0x40f094 WideCharToMultiByte
0x40f098 GetEnvironmentStringsW
0x40f09c SetHandleCount
0x40f0a0 GetFileType
0x40f0a4 GetStartupInfoA
0x40f0a8 DeleteCriticalSection
0x40f0ac HeapCreate
0x40f0b0 VirtualFree
0x40f0b4 HeapFree
0x40f0b8 QueryPerformanceCounter
0x40f0bc GetTickCount
0x40f0c0 GetCurrentProcessId
0x40f0c4 GetSystemTimeAsFileTime
0x40f0c8 GetCPInfo
0x40f0cc GetOEMCP
0x40f0d0 IsValidCodePage
0x40f0d4 TerminateProcess
0x40f0d8 GetCurrentProcess
0x40f0dc UnhandledExceptionFilter
0x40f0e0 IsDebuggerPresent
0x40f0e4 RaiseException
0x40f0e8 LeaveCriticalSection
0x40f0ec EnterCriticalSection
0x40f0f0 InitializeCriticalSectionAndSpinCount
0x40f0f4 HeapAlloc
0x40f0f8 HeapReAlloc
0x40f0fc LCMapStringA
0x40f100 MultiByteToWideChar
0x40f104 LCMapStringW
0x40f108 GetStringTypeA
0x40f10c GetStringTypeW
0x40f110 GetLocaleInfoA
0x40f114 HeapSize
USER32.dll
0x40f11c ShowWindow
EAT(Export Address Table) is none