Field | Value |
---|---|
Created | 2023.07.31 17:45 |
Machine | s1_win7_x6403 |
Filename | crypted33.exe |
Type | PE32 executable (console) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | |
VT API (file) | 43 detected (AIDetectMalware, GenericKD, Vsh2, malicious, Attribute, HighConfidence, high confidence, ETBS, score, FileRepMalware, u5rTsRyLxoV, Siggen3, AMADEY, YXDG4Z, Outbreak, RedLineSteal, gbmes, Casdet, Artemis, ai score=84, unsafe, Chgt, Static AI, Suspicious PE, ZexaE, uLW@aGvqORki, confidence, 100%) |
md5 | daa00fb3403beb7639d582aa16345615 |
sha256 | 3b9358c613ce407235633a92b5aec1be67b941b2228cc6b6698253f899e4d68a |
ssdeep | 24576:95ja7/2MRukihHuPmWfhWPPjXIYLNfui8P:9LMRukip6l47I0u |
imphash | 4e56c5a0933590e2f4c1321a628109f2 |
impfuzzy | 24:O9scpVxgZCrttlS1DGzplJBl3eDoLoEOovbOgOuFZMvtGMAHTq+lEZHu95:O9scpV6CrttlS1DGzPpXc3TuFZGl0 |
Network IP location
Signature (26 counts)
Level | Description |
---|---|
danger | File has been identified by 43 AntiVirus engines on VirusTotal as malicious |
danger | Executed a process and injected code into it |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
watch | Harvests credentials from local FTP client software |
watch | Manipulates memory of a non-child process indicative of process injection |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | One or more potentially interesting buffers were extracted |
notice | Queries for potentially installed applications |
notice | Steals private information from local Internet browsers |
notice | Terminates another process |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Command line console output was observed |
info | One or more processes crashed |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | The executable uses a known packer |
info | Tries to locate where the browsers are installed |
info | Uses Windows APIs to generate a cryptographic key |
Rules (16 counts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
notice | Network_SMTP_dotNet | Communications smtp | memory |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Suricata ids
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer Activity (Response)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x585000 GetModuleHandleW
0x585004 FormatMessageA
0x585008 WideCharToMultiByte
0x58500c MultiByteToWideChar
0x585010 GetStringTypeW
0x585014 EnterCriticalSection
0x585018 LeaveCriticalSection
0x58501c InitializeCriticalSectionEx
0x585020 DeleteCriticalSection
0x585024 LocalFree
0x585028 GetLocaleInfoEx
0x58502c EncodePointer
0x585030 DecodePointer
0x585034 LCMapStringEx
0x585038 CompareStringEx
0x58503c GetCPInfo
0x585040 IsProcessorFeaturePresent
0x585044 UnhandledExceptionFilter
0x585048 SetUnhandledExceptionFilter
0x58504c GetCurrentProcess
0x585050 TerminateProcess
0x585054 QueryPerformanceCounter
0x585058 GetCurrentProcessId
0x58505c GetCurrentThreadId
0x585060 GetSystemTimeAsFileTime
0x585064 InitializeSListHead
0x585068 IsDebuggerPresent
0x58506c GetStartupInfoW
0x585070 CreateFileW
0x585074 RaiseException
0x585078 RtlUnwind
0x58507c InterlockedPushEntrySList
0x585080 InterlockedFlushSList
0x585084 GetLastError
0x585088 SetLastError
0x58508c InitializeCriticalSectionAndSpinCount
0x585090 TlsAlloc
0x585094 TlsGetValue
0x585098 TlsSetValue
0x58509c TlsFree
0x5850a0 FreeLibrary
0x5850a4 GetProcAddress
0x5850a8 LoadLibraryExW
0x5850ac GetStdHandle
0x5850b0 WriteFile
0x5850b4 GetModuleFileNameW
0x5850b8 ExitProcess
0x5850bc GetModuleHandleExW
0x5850c0 GetCommandLineA
0x5850c4 GetCommandLineW
0x5850c8 GetCurrentThread
0x5850cc HeapAlloc
0x5850d0 HeapFree
0x5850d4 GetDateFormatW
0x5850d8 GetTimeFormatW
0x5850dc CompareStringW
0x5850e0 LCMapStringW
0x5850e4 GetLocaleInfoW
0x5850e8 IsValidLocale
0x5850ec GetUserDefaultLCID
0x5850f0 EnumSystemLocalesW
0x5850f4 GetFileType
0x5850f8 GetFileSizeEx
0x5850fc SetFilePointerEx
0x585100 CloseHandle
0x585104 FlushFileBuffers
0x585108 GetConsoleOutputCP
0x58510c GetConsoleMode
0x585110 ReadFile
0x585114 HeapReAlloc
0x585118 SetConsoleCtrlHandler
0x58511c GetTimeZoneInformation
0x585120 OutputDebugStringW
0x585124 FindClose
0x585128 FindFirstFileExW
0x58512c FindNextFileW
0x585130 IsValidCodePage
0x585134 GetACP
0x585138 GetOEMCP
0x58513c GetEnvironmentStringsW
0x585140 FreeEnvironmentStringsW
0x585144 SetEnvironmentVariableW
0x585148 SetStdHandle
0x58514c GetProcessHeap
0x585150 ReadConsoleW
0x585154 HeapSize
0x585158 WriteConsoleW
EAT(Export Address Table) is none