ScreenShot
| Created | 2023.08.02 16:59 | Machine | s1_win7_x6401 |
| Filename | taskmask.exe | ||
| Type | PE32 executable (console) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 39 detected (AIDetectMalware, Lazy, unsafe, malicious, confidence, 100%, Kryptik, Eldorado, Attribute, HighConfidence, high confidence, HUBU, score, RedLineSteal, stlwu, RedLineNET, Artemis, Outbreak, Redline, NetStealer, 3DW5F6, Detected, ai score=84, Chgt, R002H0DH123, b0dAeSxavKO, susgen) | ||
| md5 | f8f7c8c4cc25ba49c5b591aab8bfdc04 | ||
| sha256 | 67cd8472366ecda8a195fc8a44e4747429f8d2e6d8c16d0c15a0e5a500506feb | ||
| ssdeep | 24576:XJKheI128AofpfewMUGeIFtOVkWvhr/qSJ:zIs8AofpfcfFavFz | ||
| imphash | 6775d129202f77e37e1827c229c8d773 | ||
| impfuzzy | 24:ugD69scpVXZsCrYtMS14GzplJBl3ELoEOovbOZOuFZVvtGMAHTq+lEZHu93:e9scpVJZrYtMS14GzPpSc3EuFZdl4 | ||
Network IP location
Signature (30cnts)
| Level | Description |
|---|---|
| danger | Executed a process and injected code into it |
| danger | File has been identified by 39 AntiVirus engines on VirusTotal as malicious |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Collects information about installed applications |
| watch | Communicates with host for which no DNS query was performed |
| watch | Executes one or more WMI queries |
| watch | Harvests credentials from local FTP client softwares |
| watch | One or more of the buffers contains an embedded PE file |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks adapter addresses which can be used to detect virtual network interfaces |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Executes one or more WMI queries which can be used to identify virtual machines |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Queries for potentially installed applications |
| notice | Steals private information from local Internet browsers |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Command line console output was observed |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The executable uses a known packer |
| info | Tries to locate where the browsers are installed |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (15cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
| notice | Network_SMTP_dotNet | Communications smtp | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Suricata ids
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
PE API
IAT(Import Address Table) Library
USER32.dll
0x4bc200 SetWindowDisplayAffinity
GDI32.dll
0x4bc000 AngleArc
0x4bc004 RestoreDC
KERNEL32.dll
0x4bc034 CreateFileW
0x4bc038 GetProcAddress
0x4bc03c FormatMessageA
0x4bc040 WideCharToMultiByte
0x4bc044 MultiByteToWideChar
0x4bc048 GetStringTypeW
0x4bc04c EnterCriticalSection
0x4bc050 LeaveCriticalSection
0x4bc054 InitializeCriticalSectionEx
0x4bc058 DeleteCriticalSection
0x4bc05c LocalFree
0x4bc060 EncodePointer
0x4bc064 DecodePointer
0x4bc068 LCMapStringEx
0x4bc06c GetLocaleInfoEx
0x4bc070 CompareStringEx
0x4bc074 GetCPInfo
0x4bc078 UnhandledExceptionFilter
0x4bc07c SetUnhandledExceptionFilter
0x4bc080 GetCurrentProcess
0x4bc084 TerminateProcess
0x4bc088 IsProcessorFeaturePresent
0x4bc08c QueryPerformanceCounter
0x4bc090 GetCurrentProcessId
0x4bc094 GetCurrentThreadId
0x4bc098 GetSystemTimeAsFileTime
0x4bc09c InitializeSListHead
0x4bc0a0 IsDebuggerPresent
0x4bc0a4 GetStartupInfoW
0x4bc0a8 GetModuleHandleW
0x4bc0ac HeapSize
0x4bc0b0 RaiseException
0x4bc0b4 RtlUnwind
0x4bc0b8 InterlockedPushEntrySList
0x4bc0bc InterlockedFlushSList
0x4bc0c0 GetLastError
0x4bc0c4 SetLastError
0x4bc0c8 InitializeCriticalSectionAndSpinCount
0x4bc0cc TlsAlloc
0x4bc0d0 TlsGetValue
0x4bc0d4 TlsSetValue
0x4bc0d8 TlsFree
0x4bc0dc FreeLibrary
0x4bc0e0 WriteConsoleW
0x4bc0e4 LoadLibraryExW
0x4bc0e8 GetStdHandle
0x4bc0ec WriteFile
0x4bc0f0 GetModuleFileNameW
0x4bc0f4 ExitProcess
0x4bc0f8 GetModuleHandleExW
0x4bc0fc GetCommandLineA
0x4bc100 GetCommandLineW
0x4bc104 GetCurrentThread
0x4bc108 HeapFree
0x4bc10c GetDateFormatW
0x4bc110 GetTimeFormatW
0x4bc114 CompareStringW
0x4bc118 LCMapStringW
0x4bc11c GetLocaleInfoW
0x4bc120 IsValidLocale
0x4bc124 GetUserDefaultLCID
0x4bc128 EnumSystemLocalesW
0x4bc12c HeapAlloc
0x4bc130 GetFileType
0x4bc134 GetFileSizeEx
0x4bc138 SetFilePointerEx
0x4bc13c CloseHandle
0x4bc140 FlushFileBuffers
0x4bc144 GetConsoleOutputCP
0x4bc148 GetConsoleMode
0x4bc14c ReadFile
0x4bc150 HeapReAlloc
0x4bc154 SetConsoleCtrlHandler
0x4bc158 GetTimeZoneInformation
0x4bc15c OutputDebugStringW
0x4bc160 FindClose
0x4bc164 FindFirstFileExW
0x4bc168 FindNextFileW
0x4bc16c IsValidCodePage
0x4bc170 GetACP
0x4bc174 GetOEMCP
0x4bc178 GetEnvironmentStringsW
0x4bc17c FreeEnvironmentStringsW
0x4bc180 SetEnvironmentVariableW
0x4bc184 SetStdHandle
0x4bc188 GetProcessHeap
0x4bc18c ReadConsoleW
EAT(Export Address Table) is none
USER32.dll
0x4bc200 SetWindowDisplayAffinity
GDI32.dll
0x4bc000 AngleArc
0x4bc004 RestoreDC
KERNEL32.dll
0x4bc034 CreateFileW
0x4bc038 GetProcAddress
0x4bc03c FormatMessageA
0x4bc040 WideCharToMultiByte
0x4bc044 MultiByteToWideChar
0x4bc048 GetStringTypeW
0x4bc04c EnterCriticalSection
0x4bc050 LeaveCriticalSection
0x4bc054 InitializeCriticalSectionEx
0x4bc058 DeleteCriticalSection
0x4bc05c LocalFree
0x4bc060 EncodePointer
0x4bc064 DecodePointer
0x4bc068 LCMapStringEx
0x4bc06c GetLocaleInfoEx
0x4bc070 CompareStringEx
0x4bc074 GetCPInfo
0x4bc078 UnhandledExceptionFilter
0x4bc07c SetUnhandledExceptionFilter
0x4bc080 GetCurrentProcess
0x4bc084 TerminateProcess
0x4bc088 IsProcessorFeaturePresent
0x4bc08c QueryPerformanceCounter
0x4bc090 GetCurrentProcessId
0x4bc094 GetCurrentThreadId
0x4bc098 GetSystemTimeAsFileTime
0x4bc09c InitializeSListHead
0x4bc0a0 IsDebuggerPresent
0x4bc0a4 GetStartupInfoW
0x4bc0a8 GetModuleHandleW
0x4bc0ac HeapSize
0x4bc0b0 RaiseException
0x4bc0b4 RtlUnwind
0x4bc0b8 InterlockedPushEntrySList
0x4bc0bc InterlockedFlushSList
0x4bc0c0 GetLastError
0x4bc0c4 SetLastError
0x4bc0c8 InitializeCriticalSectionAndSpinCount
0x4bc0cc TlsAlloc
0x4bc0d0 TlsGetValue
0x4bc0d4 TlsSetValue
0x4bc0d8 TlsFree
0x4bc0dc FreeLibrary
0x4bc0e0 WriteConsoleW
0x4bc0e4 LoadLibraryExW
0x4bc0e8 GetStdHandle
0x4bc0ec WriteFile
0x4bc0f0 GetModuleFileNameW
0x4bc0f4 ExitProcess
0x4bc0f8 GetModuleHandleExW
0x4bc0fc GetCommandLineA
0x4bc100 GetCommandLineW
0x4bc104 GetCurrentThread
0x4bc108 HeapFree
0x4bc10c GetDateFormatW
0x4bc110 GetTimeFormatW
0x4bc114 CompareStringW
0x4bc118 LCMapStringW
0x4bc11c GetLocaleInfoW
0x4bc120 IsValidLocale
0x4bc124 GetUserDefaultLCID
0x4bc128 EnumSystemLocalesW
0x4bc12c HeapAlloc
0x4bc130 GetFileType
0x4bc134 GetFileSizeEx
0x4bc138 SetFilePointerEx
0x4bc13c CloseHandle
0x4bc140 FlushFileBuffers
0x4bc144 GetConsoleOutputCP
0x4bc148 GetConsoleMode
0x4bc14c ReadFile
0x4bc150 HeapReAlloc
0x4bc154 SetConsoleCtrlHandler
0x4bc158 GetTimeZoneInformation
0x4bc15c OutputDebugStringW
0x4bc160 FindClose
0x4bc164 FindFirstFileExW
0x4bc168 FindNextFileW
0x4bc16c IsValidCodePage
0x4bc170 GetACP
0x4bc174 GetOEMCP
0x4bc178 GetEnvironmentStringsW
0x4bc17c FreeEnvironmentStringsW
0x4bc180 SetEnvironmentVariableW
0x4bc184 SetStdHandle
0x4bc188 GetProcessHeap
0x4bc18c ReadConsoleW
EAT(Export Address Table) is none