ScreenShot
| Created | 2023.07.26 07:51 | Machine | s1_win7_x6401 |
| Filename | sw9u9z1xm9z43h.exe | ||
| Type | PE32 executable (console) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 43 detected (AIDetectMalware, Emotet, Malicious, score, Artemis, Kryptik, Vl33, confidence, 100%, Eldorado, Attribute, HighConfidence, high confidence, HUBU, NMW@Ij4oKFgi, Reline, qm9EIMXQRuE, Static AI, Suspicious PE, ai score=82, RedLine, Detected, R593612, BScope, TrojanPSW, unsafe, USPAXGP23, susgen) | ||
| md5 | 9b90639e6d0fe5ca34c15011adc922b1 | ||
| sha256 | e347d2c37800e83e391725e58e82a1901d3b91c04f4707bc340499bf2e6a6fe1 | ||
| ssdeep | 49152:x5PMZ6O+TGIxheIomTXVRyDEEhqvIf/g:DTGCheUTODVhqvIw | ||
| imphash | 99618c39aafbf01419fbcd53cea0e110 | ||
| impfuzzy | 24:kJGrjlV90wcpVOsmrYtMS1MGzplJBlxeDoLoEOovbOZFuFZMv1GMApTm+lEZHu9c:GY97cpVOVrYtMS1MGzPXXc3fuFZGVL | ||
Network IP location
Signature (33cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 43 AntiVirus engines on VirusTotal as malicious |
| danger | Executed a process and injected code into it |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Collects information about installed applications |
| watch | Communicates with host for which no DNS query was performed |
| watch | Executes one or more WMI queries |
| watch | Harvests credentials from local FTP client softwares |
| watch | One or more of the buffers contains an embedded PE file |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates executable files on the filesystem |
| notice | Drops a binary and executes it |
| notice | Drops an executable to the user AppData folder |
| notice | Executes one or more WMI queries which can be used to identify virtual machines |
| notice | One or more potentially interesting buffers were extracted |
| notice | Potentially malicious URLs were found in the process memory dump |
| notice | Queries for potentially installed applications |
| notice | Steals private information from local Internet browsers |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Command line console output was observed |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The executable uses a known packer |
| info | This executable has a PDB path |
| info | Tries to locate where the browsers are installed |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (25cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | detect_Redline_Stealer_V2 | (no description) | binaries (download) |
| danger | MALWARE_Win_VT_RedLine | Detects RedLine infostealer | binaries (download) |
| danger | RedLine_Stealer_b_Zero | RedLine stealer | binaries (download) |
| danger | RedLine_Stealer_m_Zero | RedLine stealer | memory |
| watch | ConfuserEx_Zero | Confuser .NET | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| watch | Win32_Trojan_PWS_Net_1_Zero | Win32 Trojan PWS .NET Azorult | binaries (download) |
| notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | Is_DotNET_EXE | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Suricata ids
ET MALWARE RedLine Stealer TCP CnC net.tcp Init
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
PE API
IAT(Import Address Table) Library
USER32.dll
0x503208 GetClientRect
0x50320c SetWindowDisplayAffinity
GDI32.dll
0x503000 RestoreDC
0x503004 DeleteObject
KERNEL32.dll
0x503034 HeapSize
0x503038 CreateFileW
0x50303c TlsFree
0x503040 CloseHandle
0x503044 WaitForSingleObject
0x503048 CreateThread
0x50304c FormatMessageA
0x503050 LocalFree
0x503054 EncodePointer
0x503058 DecodePointer
0x50305c EnterCriticalSection
0x503060 LeaveCriticalSection
0x503064 InitializeCriticalSectionEx
0x503068 DeleteCriticalSection
0x50306c MultiByteToWideChar
0x503070 WideCharToMultiByte
0x503074 LCMapStringEx
0x503078 GetLocaleInfoEx
0x50307c GetStringTypeW
0x503080 CompareStringEx
0x503084 GetCPInfo
0x503088 UnhandledExceptionFilter
0x50308c SetUnhandledExceptionFilter
0x503090 GetCurrentProcess
0x503094 TerminateProcess
0x503098 IsProcessorFeaturePresent
0x50309c QueryPerformanceCounter
0x5030a0 GetCurrentProcessId
0x5030a4 GetCurrentThreadId
0x5030a8 GetSystemTimeAsFileTime
0x5030ac InitializeSListHead
0x5030b0 IsDebuggerPresent
0x5030b4 GetStartupInfoW
0x5030b8 GetModuleHandleW
0x5030bc GetProcessHeap
0x5030c0 RaiseException
0x5030c4 RtlUnwind
0x5030c8 InterlockedPushEntrySList
0x5030cc InterlockedFlushSList
0x5030d0 GetLastError
0x5030d4 SetLastError
0x5030d8 InitializeCriticalSectionAndSpinCount
0x5030dc TlsAlloc
0x5030e0 TlsGetValue
0x5030e4 TlsSetValue
0x5030e8 WriteConsoleW
0x5030ec FreeLibrary
0x5030f0 GetProcAddress
0x5030f4 LoadLibraryExW
0x5030f8 GetStdHandle
0x5030fc WriteFile
0x503100 GetModuleFileNameW
0x503104 ExitProcess
0x503108 GetModuleHandleExW
0x50310c GetCommandLineA
0x503110 GetCommandLineW
0x503114 GetCurrentThread
0x503118 HeapFree
0x50311c HeapAlloc
0x503120 GetDateFormatW
0x503124 GetTimeFormatW
0x503128 CompareStringW
0x50312c LCMapStringW
0x503130 GetLocaleInfoW
0x503134 IsValidLocale
0x503138 GetUserDefaultLCID
0x50313c EnumSystemLocalesW
0x503140 GetFileType
0x503144 FlushFileBuffers
0x503148 GetConsoleOutputCP
0x50314c GetConsoleMode
0x503150 ReadFile
0x503154 GetFileSizeEx
0x503158 SetFilePointerEx
0x50315c ReadConsoleW
0x503160 SetConsoleCtrlHandler
0x503164 HeapReAlloc
0x503168 GetTimeZoneInformation
0x50316c OutputDebugStringW
0x503170 FindClose
0x503174 FindFirstFileExW
0x503178 FindNextFileW
0x50317c IsValidCodePage
0x503180 GetACP
0x503184 GetOEMCP
0x503188 GetEnvironmentStringsW
0x50318c FreeEnvironmentStringsW
0x503190 SetEnvironmentVariableW
0x503194 SetStdHandle
EAT(Export Address Table) is none
USER32.dll
0x503208 GetClientRect
0x50320c SetWindowDisplayAffinity
GDI32.dll
0x503000 RestoreDC
0x503004 DeleteObject
KERNEL32.dll
0x503034 HeapSize
0x503038 CreateFileW
0x50303c TlsFree
0x503040 CloseHandle
0x503044 WaitForSingleObject
0x503048 CreateThread
0x50304c FormatMessageA
0x503050 LocalFree
0x503054 EncodePointer
0x503058 DecodePointer
0x50305c EnterCriticalSection
0x503060 LeaveCriticalSection
0x503064 InitializeCriticalSectionEx
0x503068 DeleteCriticalSection
0x50306c MultiByteToWideChar
0x503070 WideCharToMultiByte
0x503074 LCMapStringEx
0x503078 GetLocaleInfoEx
0x50307c GetStringTypeW
0x503080 CompareStringEx
0x503084 GetCPInfo
0x503088 UnhandledExceptionFilter
0x50308c SetUnhandledExceptionFilter
0x503090 GetCurrentProcess
0x503094 TerminateProcess
0x503098 IsProcessorFeaturePresent
0x50309c QueryPerformanceCounter
0x5030a0 GetCurrentProcessId
0x5030a4 GetCurrentThreadId
0x5030a8 GetSystemTimeAsFileTime
0x5030ac InitializeSListHead
0x5030b0 IsDebuggerPresent
0x5030b4 GetStartupInfoW
0x5030b8 GetModuleHandleW
0x5030bc GetProcessHeap
0x5030c0 RaiseException
0x5030c4 RtlUnwind
0x5030c8 InterlockedPushEntrySList
0x5030cc InterlockedFlushSList
0x5030d0 GetLastError
0x5030d4 SetLastError
0x5030d8 InitializeCriticalSectionAndSpinCount
0x5030dc TlsAlloc
0x5030e0 TlsGetValue
0x5030e4 TlsSetValue
0x5030e8 WriteConsoleW
0x5030ec FreeLibrary
0x5030f0 GetProcAddress
0x5030f4 LoadLibraryExW
0x5030f8 GetStdHandle
0x5030fc WriteFile
0x503100 GetModuleFileNameW
0x503104 ExitProcess
0x503108 GetModuleHandleExW
0x50310c GetCommandLineA
0x503110 GetCommandLineW
0x503114 GetCurrentThread
0x503118 HeapFree
0x50311c HeapAlloc
0x503120 GetDateFormatW
0x503124 GetTimeFormatW
0x503128 CompareStringW
0x50312c LCMapStringW
0x503130 GetLocaleInfoW
0x503134 IsValidLocale
0x503138 GetUserDefaultLCID
0x50313c EnumSystemLocalesW
0x503140 GetFileType
0x503144 FlushFileBuffers
0x503148 GetConsoleOutputCP
0x50314c GetConsoleMode
0x503150 ReadFile
0x503154 GetFileSizeEx
0x503158 SetFilePointerEx
0x50315c ReadConsoleW
0x503160 SetConsoleCtrlHandler
0x503164 HeapReAlloc
0x503168 GetTimeZoneInformation
0x50316c OutputDebugStringW
0x503170 FindClose
0x503174 FindFirstFileExW
0x503178 FindNextFileW
0x50317c IsValidCodePage
0x503180 GetACP
0x503184 GetOEMCP
0x503188 GetEnvironmentStringsW
0x50318c FreeEnvironmentStringsW
0x503190 SetEnvironmentVariableW
0x503194 SetStdHandle
EAT(Export Address Table) is none