Field | Value |
---|---|
Created | 2023.07.28 10:35 |
Machine | s1_win7_x6403 |
Filename | 123.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 37 detected (AIDetectMalware, malicious, high confidence, score, Kryptik, V9op, Eldorado, Attribute, HighConfidence, HUBU, GenericKD, FileRepMalware, Misc, RedLineNET, REDLINE, YXDG2Z, Cordimik, XZRCXC, Nekark, prlfq, Azorult, Detected, Artemis, BScope, TrojanPSW, unsafe, Chgt, R002H0DGR23, Generic@AI, RDML, FiYRQogaXgNova2uh8gW8w, Krypt, susgen, ETBS, ZexaF, gPW@amAOavji, confidence, 100%) |
md5 | 0e6d97f2465f51dadc93192c8e162f11 |
sha256 | 89b95808e0af47418c6b0fb98341b70e848dae6329e68e77eb14dfd1e47a3619 |
ssdeep | 12288:/hAG4fs9vrPP5ZB5Cu3fJMMvXwYu+h0NAtkDIXEPAisQyFSGsvrmmmmkmmmmmmmK:Jf9v75fJMIaNAtRXuAisQyFSW |
imphash | a901d0eb1adbe5a31c345b03436952f4 |
impfuzzy | 48:wBfWJcpH+zD99rxQSXtX4cRtZz2a63ruFZGb:wBfWJcpH+XDrxHXtX4cRtZqa9C |
Network IP location
Signature (26cnts)
Level | Description |
---|---|
danger | Executed a process and injected code into it |
danger | File has been identified by 37 AntiVirus engines on VirusTotal as malicious |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
watch | Executes one or more WMI queries |
watch | Harvests credentials from local FTP client software |
watch | One or more of the buffers contains an embedded PE file |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Executes one or more WMI queries which can be used to identify virtual machines |
notice | One or more potentially interesting buffers were extracted |
notice | Queries for potentially installed applications |
notice | Steals private information from local Internet browsers |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | One or more processes crashed |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | The executable uses a known packer |
info | Tries to locate where the browsers are installed |
info | Uses Windows APIs to generate a cryptographic key |
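The "danger" and "watch" rows above describe one technique: a child process is started, executable memory is granted in it, a buffer is written into it, its thread context is rewritten with NtSetContextThread and the suspended thread is resumed (the import table further down carries VirtualProtectEx and ResumeThread). The following is an added example, not the sandbox's code or part of this report: it walks a sandbox-style API trace and reports which (caller, target) process pairs hit that chain and in what order. The trace is constructed to mirror the signatures; its PIDs, handles, sizes, image path and the ApiEvent layout are assumptions.

```python
"""Map a sandbox API trace onto the process-injection chain flagged above.

Added example, not part of the report or of any sandbox's own code. The trace
below is constructed to mirror the behaviours listed in the signature table;
its PIDs, handles, sizes and the ApiEvent layout are assumptions, not the
sandbox's export format.
"""
from dataclasses import dataclass

CREATE_SUSPENDED = 0x00000004
# Every PAGE_* protection with an execute bit set: 0x10, 0x20, 0x40, 0x80.
PAGE_EXECUTE_ANY = 0x10 | 0x20 | 0x40 | 0x80


@dataclass(frozen=True)
class ApiEvent:
    seq: int       # position in the trace
    caller: int    # PID that made the call
    api: str       # Win32/Nt API name as the sandbox hooks it
    target: int    # PID the call acts on (caller itself for local calls)
    args: dict     # only the arguments the stage predicates inspect


# (stage, APIs, argument predicate, sandbox signature the stage corresponds to)
STAGES = (
    ("spawn_suspended", {"CreateProcessW", "CreateProcessA"},
     lambda a: bool(a.get("creation_flags", 0) & CREATE_SUSPENDED),
     "Executed a process and injected code into it"),
    ("remote_exec_permission", {"VirtualAllocEx", "VirtualProtectEx"},
     lambda a: bool(a.get("protect", 0) & PAGE_EXECUTE_ANY),
     "Allocates execute permission to another process indicative of possible code injection"),
    ("remote_write", {"WriteProcessMemory", "NtWriteVirtualMemory"},
     lambda a: True,
     "Potential code injection by writing to the memory of another process"),
    ("set_thread_context", {"NtSetContextThread", "SetThreadContext"},
     lambda a: True,
     "Used NtSetContextThread to modify a thread in a remote process indicative of process injection"),
    ("resume_thread", {"ResumeThread", "NtResumeThread"},
     lambda a: True,
     "Resumed a suspended thread in a remote process potentially indicative of process injection"),
)
STAGE_ORDER = [s[0] for s in STAGES]
STAGE_SIGNATURE = {s[0]: s[3] for s in STAGES}


def find_injection_chains(events):
    """Return {(caller, target): {"stages": [...], "complete": bool}} for each
    remote-process pair that hit at least one stage. "complete" means every
    stage fired, in chain order; a partial chain is lower confidence, not noise."""
    first_seen = {}  # (caller, target) -> {stage: seq of first hit}
    for ev in sorted(events, key=lambda e: e.seq):
        if ev.target == ev.caller:
            continue  # local RWX allocations (self-unpacking) are a separate signal
        for stage, apis, predicate, _ in STAGES:
            if ev.api in apis and predicate(ev.args):
                first_seen.setdefault((ev.caller, ev.target), {}).setdefault(stage, ev.seq)

    findings = {}
    for pair, hits in first_seen.items():
        ordered = sorted(hits, key=hits.get)  # stages in the order they first appeared
        findings[pair] = {"stages": ordered, "complete": ordered == STAGE_ORDER}
    return findings


def signatures_for(stages):
    """Translate stage names back into the sandbox's signature wording."""
    return [STAGE_SIGNATURE[s] for s in stages]


# Constructed trace: PID 2480 hollows the suspended child 3112; PID 1500 only
# touches 3112 with a non-executable protection change and must not be flagged.
SAMPLE_TRACE = [
    ApiEvent(1, 2480, "CreateProcessW", 3112,
             {"image": "C:\\placeholder\\host.exe", "creation_flags": CREATE_SUSPENDED}),
    ApiEvent(2, 2480, "VirtualAlloc", 2480, {"protect": 0x40, "size": 0x1A000}),
    ApiEvent(3, 2480, "VirtualAllocEx", 3112, {"protect": 0x40, "size": 0x58000}),
    ApiEvent(4, 2480, "WriteProcessMemory", 3112, {"size": 0x58000}),
    ApiEvent(5, 2480, "NtSetContextThread", 3112, {"thread": 0x1C4}),
    ApiEvent(6, 2480, "ResumeThread", 3112, {"thread": 0x1C4}),
    ApiEvent(7, 1500, "VirtualProtectEx", 3112, {"protect": 0x04}),  # PAGE_READWRITE
]

if __name__ == "__main__":
    for (caller, target), f in find_injection_chains(SAMPLE_TRACE).items():
        print(f"{caller} -> {target}: complete={f['complete']}")
        for sig in signatures_for(f["stages"]):
            print("   ", sig)
```

The predicate on VirtualAllocEx/VirtualProtectEx is what separates this from ordinary remote memory housekeeping: a PAGE_READWRITE change in another process (PID 1500 in the trace) never enters the chain, while the RWX allocation in the caller's own process is deliberately ignored here because the report lists it separately as the unpacking signal.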
Rules (14cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | RedLine_Stealer_m_Zero | RedLine stealer | memory |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Suricata ids
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
PE API
IAT(Import Address Table) Library
USER32.dll
0x4812d8 SetWindowDisplayAffinity
GDI32.dll
0x481000 RestoreDC
KERNEL32.dll
0x481030 WriteConsoleW
0x481034 IsDebuggerPresent
0x481038 VirtualProtectEx
0x48103c RaiseException
0x481040 CloseHandle
0x481044 WaitForSingleObjectEx
0x481048 Sleep
0x48104c SwitchToThread
0x481050 GetCurrentThreadId
0x481054 GetExitCodeThread
0x481058 GetNativeSystemInfo
0x48105c InitializeSRWLock
0x481060 ReleaseSRWLockExclusive
0x481064 AcquireSRWLockExclusive
0x481068 EnterCriticalSection
0x48106c LeaveCriticalSection
0x481070 InitializeCriticalSectionEx
0x481074 TryEnterCriticalSection
0x481078 DeleteCriticalSection
0x48107c InitializeConditionVariable
0x481080 WakeConditionVariable
0x481084 WakeAllConditionVariable
0x481088 SleepConditionVariableCS
0x48108c SleepConditionVariableSRW
0x481090 FormatMessageA
0x481094 InitOnceBeginInitialize
0x481098 InitOnceComplete
0x48109c GetLastError
0x4810a0 FreeLibraryWhenCallbackReturns
0x4810a4 CreateThreadpoolWork
0x4810a8 SubmitThreadpoolWork
0x4810ac CloseThreadpoolWork
0x4810b0 GetModuleHandleExW
0x4810b4 RtlCaptureStackBackTrace
0x4810b8 IsProcessorFeaturePresent
0x4810bc QueryPerformanceCounter
0x4810c0 QueryPerformanceFrequency
0x4810c4 SetFileInformationByHandle
0x4810c8 FlsAlloc
0x4810cc FlsGetValue
0x4810d0 FlsSetValue
0x4810d4 FlsFree
0x4810d8 InitOnceExecuteOnce
0x4810dc CreateEventExW
0x4810e0 CreateSemaphoreExW
0x4810e4 FlushProcessWriteBuffers
0x4810e8 GetCurrentProcessorNumber
0x4810ec GetSystemTimeAsFileTime
0x4810f0 GetTickCount64
0x4810f4 CreateThreadpoolTimer
0x4810f8 SetThreadpoolTimer
0x4810fc WaitForThreadpoolTimerCallbacks
0x481100 CloseThreadpoolTimer
0x481104 CreateThreadpoolWait
0x481108 SetThreadpoolWait
0x48110c CloseThreadpoolWait
0x481110 GetModuleHandleW
0x481114 GetProcAddress
0x481118 GetFileInformationByHandleEx
0x48111c CreateSymbolicLinkW
0x481120 LocalFree
0x481124 InitializeCriticalSectionAndSpinCount
0x481128 SetEvent
0x48112c ResetEvent
0x481130 CreateEventW
0x481134 GetCurrentProcessId
0x481138 InitializeSListHead
0x48113c DecodePointer
0x481140 UnhandledExceptionFilter
0x481144 SetUnhandledExceptionFilter
0x481148 GetStartupInfoW
0x48114c GetCurrentProcess
0x481150 TerminateProcess
0x481154 CreateFileW
0x481158 RtlUnwind
0x48115c InterlockedPushEntrySList
0x481160 InterlockedFlushSList
0x481164 SetLastError
0x481168 EncodePointer
0x48116c TlsAlloc
0x481170 TlsGetValue
0x481174 TlsSetValue
0x481178 TlsFree
0x48117c FreeLibrary
0x481180 LoadLibraryExW
0x481184 CreateThread
0x481188 ExitThread
0x48118c ResumeThread
0x481190 FreeLibraryAndExitThread
0x481194 GetStdHandle
0x481198 WriteFile
0x48119c GetModuleFileNameW
0x4811a0 ExitProcess
0x4811a4 GetCommandLineA
0x4811a8 GetCommandLineW
0x4811ac GetCurrentThread
0x4811b0 SetConsoleCtrlHandler
0x4811b4 HeapAlloc
0x4811b8 HeapFree
0x4811bc GetDateFormatW
0x4811c0 GetTimeFormatW
0x4811c4 CompareStringW
0x4811c8 LCMapStringW
0x4811cc GetLocaleInfoW
0x4811d0 IsValidLocale
0x4811d4 GetUserDefaultLCID
0x4811d8 EnumSystemLocalesW
0x4811dc GetFileType
0x4811e0 GetFileSizeEx
0x4811e4 SetFilePointerEx
0x4811e8 OutputDebugStringW
0x4811ec FindClose
0x4811f0 FindFirstFileExW
0x4811f4 FindNextFileW
0x4811f8 IsValidCodePage
0x4811fc GetACP
0x481200 GetOEMCP
0x481204 GetCPInfo
0x481208 MultiByteToWideChar
0x48120c WideCharToMultiByte
0x481210 GetEnvironmentStringsW
0x481214 FreeEnvironmentStringsW
0x481218 SetEnvironmentVariableW
0x48121c SetStdHandle
0x481220 GetStringTypeW
0x481224 GetProcessHeap
0x481228 FlushFileBuffers
0x48122c GetConsoleOutputCP
0x481230 GetConsoleMode
0x481234 HeapSize
0x481238 HeapReAlloc
0x48123c ReadFile
0x481240 ReadConsoleW
EAT(Export Address Table) is none
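The IAT listing above is what the imphash in the header table is derived from, but its thunk addresses are not contiguous: GDI32 ends at 0x481000 and KERNEL32 only begins at 0x481030, and KERNEL32 ends at 0x481240 while USER32 sits at 0x4812d8, so the page is showing a subset of the imports. The following is an added example, not the sandbox's code: it recomputes an imphash from a listing in this format and counts the unlisted thunk slots between modules. The excerpt it embeds is constructed from the entries above (first and last KERNEL32 entries plus a few between), so the hash it produces is illustrative and is not expected to match the reported value; the 4-byte thunk size and the single null terminator per module are assumptions of the PE32 layout.

```python
"""Recompute an imphash from an IAT listing and sanity-check the listing itself.

Added example, not the sandbox's code. imphash() applies the normalisation that
pefile's get_imphash() uses for named imports: strip a .dll/.ocx/.sys extension,
lowercase "module.function", join all entries in import order with commas and
MD5 the string. Ordinal-only imports are rendered as "ordN" without pefile's
ordinal name tables, a simplification (none appear in the listing above).

IAT_EXCERPT is a constructed excerpt of the report's listing, so the imphash it
yields is illustrative only and will not equal the report's
a901d0eb1adbe5a31c345b03436952f4. Assumed: PE32 thunks are 4 bytes and each
module's thunk array ends with one null slot, which is what iat_gaps() relies on.
"""
import hashlib
import re

IAT_EXCERPT = """\
USER32.dll
0x4812d8 SetWindowDisplayAffinity
GDI32.dll
0x481000 RestoreDC
KERNEL32.dll
0x481030 WriteConsoleW
0x481034 IsDebuggerPresent
0x481038 VirtualProtectEx
0x48118c ResumeThread
0x481240 ReadConsoleW
"""

THUNK_SIZE = 4  # PE32 (32-bit) IAT entries


def parse_iat(text):
    """Return [(address, module, function)] in the order the listing gives them."""
    entries, module = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = re.fullmatch(r"(0x[0-9a-fA-F]+)\s+(\S+)", line)
        if m:
            if module is None:
                raise ValueError(f"import {m.group(2)} listed before any module name")
            entries.append((int(m.group(1), 16), module, m.group(2)))
        else:
            module = line  # a bare line is the module header, e.g. KERNEL32.dll
    return entries


def normalize_import(module, func):
    """'KERNEL32.dll', 'IsDebuggerPresent' -> 'kernel32.isdebuggerpresent'."""
    mod = module.lower()
    for ext in (".dll", ".ocx", ".sys"):
        if mod.endswith(ext):
            mod = mod[: -len(ext)]
            break
    if isinstance(func, int):
        func = f"ord{func}"  # simplification: no ordinal-to-name table
    return f"{mod}.{func.lower()}"


def imphash(entries):
    joined = ",".join(normalize_import(mod, fn) for _, mod, fn in entries)
    return hashlib.md5(joined.encode()).hexdigest()


def iat_gaps(entries):
    """Count thunk slots between one module's last listed entry and the next
    module's first, beyond the single null terminator. A positive count means
    the listing omitted imports (or whole modules) in that address range."""
    extent = {}
    for addr, mod, _ in entries:
        lo, hi = extent.get(mod, (addr, addr))
        extent[mod] = (min(lo, addr), max(hi, addr))
    ordered = sorted(extent.items(), key=lambda kv: kv[1][0])
    gaps = []
    for (mod_a, (_, hi_a)), (mod_b, (lo_b, _)) in zip(ordered, ordered[1:]):
        # slots strictly between hi_a and lo_b, minus the module's null terminator
        unlisted = (lo_b - hi_a) // THUNK_SIZE - 2
        if unlisted > 0:
            gaps.append((mod_a, mod_b, unlisted))
    return gaps


if __name__ == "__main__":
    entries = parse_iat(IAT_EXCERPT)
    print("imphash over excerpt:", imphash(entries))
    for a, b, n in iat_gaps(entries):
        print(f"{n} unlisted thunk slots between {a} and {b}")
```

Because imphash is order-sensitive and covers every import, any truncation of the listing changes the value; to reproduce the header's hash, run pefile's get_imphash() against the binary itself rather than against a rendered table. iat_gaps() only needs each module's first and last address, which is why the excerpt reports the same 10 and 36 missing slots as the full listing would.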