Field | Value |
---|---|
Created | 2023.08.04 10:21 |
Machine | s1_win7_x6401 |
Filename | 1.exe |
Type | PE32 executable (console) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 20 detected (AIDetectMalware, malicious, high confidence, confidence, Attribute, HighConfidence, GenKryptik, GHTO, score, Steal, high, Redline, Wacapew, Detected, ZexaF, Aq2@a0Vj@Sdi, unsafe, Kryptik, dGZlOgVEgIaz2LxhTA, Static AI, Malicious PE) |
md5 | bb8b0862c3c8ac468a57d9ae32f873f2 |
sha256 | 498ce4ddc627a2b95a11ab521c9314fbe975d5aa4de496792906fe7bb8ce64e0 |
ssdeep | 6144:Uj6yKNstxo6mjbLLi7LLccO28qrVO2l5vlR4CX1SvihNAI:UpDtxZEsdBN5v3rXainAI |
imphash | c1d8dc34360d5ef7aa5bc95ab2a0e4a8 |
impfuzzy | 24:WjlNDoryPeEOovnKQFQ8RyvDh/J3ISlRT4Fmfpl/qH+X:zEK3DjhcFmfp5qHO |
Network IP location
Signature (18cnts)
Level | Description |
---|---|
warning | File has been identified by 20 AntiVirus engines on VirusTotal as malicious |
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
watch | Executes one or more WMI queries |
watch | Harvests credentials from local FTP client software |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Executes one or more WMI queries which can be used to identify virtual machines |
notice | One or more potentially interesting buffers were extracted |
notice | Queries for potentially installed applications |
notice | Steals private information from local Internet browsers |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | One or more processes crashed |
info | Queries for the computername |
info | Tries to locate where the browsers are installed |
info | Uses Windows APIs to generate a cryptographic key |
Rules (5cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer Activity (Response)
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x40e008 WaitForSingleObject
0x40e00c CreateThread
0x40e010 lstrlenW
0x40e014 VirtualProtect
0x40e018 GetProcAddress
0x40e01c LoadLibraryA
0x40e020 VirtualAlloc
0x40e024 LockResource
0x40e028 LoadResource
0x40e02c Sleep
0x40e030 FindResourceW
0x40e034 GetModuleHandleW
0x40e038 GetLastError
0x40e03c CreateMutexA
0x40e040 GetModuleHandleA
0x40e044 GetConsoleWindow
0x40e048 SizeofResource
0x40e04c GetACP
0x40e050 GetCommandLineA
0x40e054 SetUnhandledExceptionFilter
0x40e058 ExitProcess
0x40e05c WriteFile
0x40e060 GetStdHandle
0x40e064 GetModuleFileNameA
0x40e068 FreeEnvironmentStringsA
0x40e06c GetEnvironmentStrings
0x40e070 FreeEnvironmentStringsW
0x40e074 WideCharToMultiByte
0x40e078 GetEnvironmentStringsW
0x40e07c SetHandleCount
0x40e080 GetFileType
0x40e084 GetStartupInfoA
0x40e088 DeleteCriticalSection
0x40e08c TlsGetValue
0x40e090 TlsAlloc
0x40e094 TlsSetValue
0x40e098 TlsFree
0x40e09c InterlockedIncrement
0x40e0a0 SetLastError
0x40e0a4 GetCurrentThreadId
0x40e0a8 InterlockedDecrement
0x40e0ac HeapCreate
0x40e0b0 VirtualFree
0x40e0b4 HeapFree
0x40e0b8 QueryPerformanceCounter
0x40e0bc GetTickCount
0x40e0c0 GetCurrentProcessId
0x40e0c4 GetSystemTimeAsFileTime
0x40e0c8 GetCPInfo
0x40e0cc GetOEMCP
0x40e0d0 IsValidCodePage
0x40e0d4 TerminateProcess
0x40e0d8 GetCurrentProcess
0x40e0dc UnhandledExceptionFilter
0x40e0e0 IsDebuggerPresent
0x40e0e4 LeaveCriticalSection
0x40e0e8 EnterCriticalSection
0x40e0ec InitializeCriticalSectionAndSpinCount
0x40e0f0 HeapAlloc
0x40e0f4 HeapReAlloc
0x40e0f8 RtlUnwind
0x40e0fc LCMapStringA
0x40e100 MultiByteToWideChar
0x40e104 LCMapStringW
0x40e108 GetStringTypeA
0x40e10c GetStringTypeW
0x40e110 GetLocaleInfoA
0x40e114 HeapSize
USER32.dll
0x40e11c ShowWindow
ADVAPI32.dll
0x40e000 RegDeleteKeyA
ole32.dll
0x40e124 OleInitialize
EAT(Export Address Table) is none