Field | Value |
---|---|
Created | 2023.08.02 10:03 |
Machine | s1_win7_x6401 |
Filename | redlkript.exe |
Type | PE32 executable (console) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 17 detected (AIDetectMalware, malicious, high confidence, unsafe, Attribute, HighConfidence, GenKryptik, GHTO, score, high, Static AI, Malicious PE, Detected, ZexaF, pq2@aCH6YWki, BScope, confidence, 100%) |
md5 | c3b8d601e3e591f86694bf495397b8d7 |
sha256 | d940cb43e9c0bc8abbe36a5ff2ee5949aba5cdc122323f14e80d87b37b76f106 |
ssdeep | 6144:B10zISkw1ShQlcdVFfD+vt65R57398jmF6UAI:B1EISL1SilcdDKvt65R57398jmFrAI |
imphash | 4bb494acf9e1f9289cc636105d75ac2b |
impfuzzy | 24:WjlNDoryPxEOovnKQFQ8RyvDh/J3ISlRT4Fmfpl/qH+A:uEK3DjhcFmfp5qHt |
Network IP location
Signature (16cnts)
Level | Description |
---|---|
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
watch | File has been identified by 17 AntiVirus engines on VirusTotal as malicious |
watch | Harvests credentials from local FTP client softwares |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | One or more potentially interesting buffers were extracted |
notice | Queries for potentially installed applications |
notice | Steals private information from local Internet browsers |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | One or more processes crashed |
info | Queries for the computername |
info | Tries to locate where the browsers are installed |
info | Uses Windows APIs to generate a cryptographic key |
Rules (6cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x40e008 WaitForSingleObject
0x40e00c CreateThread
0x40e010 lstrlenW
0x40e014 VirtualProtect
0x40e018 GetProcAddress
0x40e01c LoadLibraryA
0x40e020 VirtualAlloc
0x40e024 LockResource
0x40e028 LoadResource
0x40e02c Sleep
0x40e030 FindResourceW
0x40e034 GetModuleHandleW
0x40e038 GetLastError
0x40e03c CreateMutexA
0x40e040 GetModuleHandleA
0x40e044 GetWindowsDirectoryW
0x40e048 GetConsoleWindow
0x40e04c SizeofResource
0x40e050 GetACP
0x40e054 GetCommandLineA
0x40e058 SetUnhandledExceptionFilter
0x40e05c ExitProcess
0x40e060 WriteFile
0x40e064 GetStdHandle
0x40e068 GetModuleFileNameA
0x40e06c FreeEnvironmentStringsA
0x40e070 GetEnvironmentStrings
0x40e074 FreeEnvironmentStringsW
0x40e078 WideCharToMultiByte
0x40e07c GetEnvironmentStringsW
0x40e080 SetHandleCount
0x40e084 GetFileType
0x40e088 GetStartupInfoA
0x40e08c DeleteCriticalSection
0x40e090 TlsGetValue
0x40e094 TlsAlloc
0x40e098 TlsSetValue
0x40e09c TlsFree
0x40e0a0 InterlockedIncrement
0x40e0a4 SetLastError
0x40e0a8 GetCurrentThreadId
0x40e0ac InterlockedDecrement
0x40e0b0 HeapCreate
0x40e0b4 VirtualFree
0x40e0b8 HeapFree
0x40e0bc QueryPerformanceCounter
0x40e0c0 GetTickCount
0x40e0c4 GetCurrentProcessId
0x40e0c8 GetSystemTimeAsFileTime
0x40e0cc GetCPInfo
0x40e0d0 GetOEMCP
0x40e0d4 IsValidCodePage
0x40e0d8 TerminateProcess
0x40e0dc GetCurrentProcess
0x40e0e0 UnhandledExceptionFilter
0x40e0e4 IsDebuggerPresent
0x40e0e8 LeaveCriticalSection
0x40e0ec EnterCriticalSection
0x40e0f0 InitializeCriticalSectionAndSpinCount
0x40e0f4 HeapAlloc
0x40e0f8 HeapReAlloc
0x40e0fc RtlUnwind
0x40e100 LCMapStringA
0x40e104 MultiByteToWideChar
0x40e108 LCMapStringW
0x40e10c GetStringTypeA
0x40e110 GetStringTypeW
0x40e114 GetLocaleInfoA
0x40e118 HeapSize
USER32.dll
0x40e120 ShowWindow
ADVAPI32.dll
0x40e000 RegDeleteKeyA
EAT (Export Address Table): none