Field | Value |
---|---|
Created | 2023.07.28 17:41 |
Machine | s1_win7_x6403 |
Filename | 1751181521.exe |
Type | PE32 executable (console) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 43 detected (AIDetectMalware, Malicious, score, Artemis, unsafe, Zusy, Kryptik, Vloc, confidence, 100%, GenKryptik, Eldorado, Attribute, HighConfidence, high confidence, GGPO, PWSX, high, Cordimik, 17KACU, RedLine, Wacatac, Detected, R593899, ZexaF, pq2@a85bfafi, Mikey, ai score=81, Genetic, CLOUD, Static AI, Malicious PE) |
md5 | 3ceea9ca97ab640b53ce77eccb5da1fd |
sha256 | f4176527bdf62c32828872ba6a55723aa4617de791e19776c96b185061aa5b4b |
ssdeep | 3072:ZUeC7J7zQuEwIgYYzgyiHjYtvqgaf095FoPQnfBEPL09hMByRYq9Yz:Z8h7rtiHjYtv5FoPQnfBE52Yq90 |
imphash | 3a0110c54bb5043d58c014fce2c1ce05 |
impfuzzy | 24:JjlNDoryqYAdHOovb/J3InKQFQ8RyvDklRT470afplDbM:RSuYQK3D+c70afpxbM |
Network IP location
Signature (16cnts)
Level | Description |
---|---|
danger | File has been identified by 43 AntiVirus engines on VirusTotal as malicious |
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
watch | Harvests credentials from local FTP client software |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | One or more potentially interesting buffers were extracted |
notice | Queries for potentially installed applications |
notice | Steals private information from local Internet browsers |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | One or more processes crashed |
info | Queries for the computername |
info | Tries to locate where the browsers are installed |
info | Uses Windows APIs to generate a cryptographic key |
Rules (5cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x40f000 GetStringTypeW
0x40f004 Sleep
0x40f008 WaitForSingleObject
0x40f00c CreateThread
0x40f010 lstrlenW
0x40f014 VirtualProtect
0x40f018 GetProcAddress
0x40f01c LoadLibraryA
0x40f020 VirtualAlloc
0x40f024 LockResource
0x40f028 LoadResource
0x40f02c SizeofResource
0x40f030 FindResourceW
0x40f034 GetModuleHandleW
0x40f038 GetLastError
0x40f03c CreateMutexA
0x40f040 GetModuleHandleA
0x40f044 GetDriveTypeA
0x40f048 GetConsoleWindow
0x40f04c RtlUnwind
0x40f050 GetCommandLineA
0x40f054 TlsGetValue
0x40f058 TlsAlloc
0x40f05c TlsSetValue
0x40f060 TlsFree
0x40f064 InterlockedIncrement
0x40f068 SetLastError
0x40f06c GetCurrentThreadId
0x40f070 InterlockedDecrement
0x40f074 SetUnhandledExceptionFilter
0x40f078 ExitProcess
0x40f07c WriteFile
0x40f080 GetStdHandle
0x40f084 GetModuleFileNameA
0x40f088 FreeEnvironmentStringsA
0x40f08c GetEnvironmentStrings
0x40f090 FreeEnvironmentStringsW
0x40f094 WideCharToMultiByte
0x40f098 GetEnvironmentStringsW
0x40f09c SetHandleCount
0x40f0a0 GetFileType
0x40f0a4 GetStartupInfoA
0x40f0a8 DeleteCriticalSection
0x40f0ac HeapCreate
0x40f0b0 VirtualFree
0x40f0b4 HeapFree
0x40f0b8 QueryPerformanceCounter
0x40f0bc GetTickCount
0x40f0c0 GetCurrentProcessId
0x40f0c4 GetSystemTimeAsFileTime
0x40f0c8 GetCPInfo
0x40f0cc GetACP
0x40f0d0 GetOEMCP
0x40f0d4 IsValidCodePage
0x40f0d8 TerminateProcess
0x40f0dc GetCurrentProcess
0x40f0e0 UnhandledExceptionFilter
0x40f0e4 IsDebuggerPresent
0x40f0e8 RaiseException
0x40f0ec LeaveCriticalSection
0x40f0f0 EnterCriticalSection
0x40f0f4 InitializeCriticalSectionAndSpinCount
0x40f0f8 HeapAlloc
0x40f0fc HeapReAlloc
0x40f100 LCMapStringA
0x40f104 MultiByteToWideChar
0x40f108 LCMapStringW
0x40f10c GetStringTypeA
0x40f110 GetLocaleInfoA
0x40f114 HeapSize
USER32.dll
0x40f11c ShowWindow
EAT (Export Address Table): none