ScreenShot
| Created | 2023.08.07 18:35 | Machine | s1_win7_x6403 |
| Filename | somefile.exe | ||
| Type | PE32 executable (console) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 29 detected (AIDetectMalware, malicious, high confidence, Lazy, Eldorado, Attribute, HighConfidence, Kryptik, HUBU, score, esdn, PWSX, PxpVmt6UTpB, RedLineSteal, ppsls, RedLineNET, Sabsik, Detected, ai score=80, susgen, ETBS, ZexaF, 7UW@ai3JCLg) | ||
| md5 | 54631210ad8202513b794956c59e67a7 | ||
| sha256 | 1decacd4ba1021711f1a1ff1d14a2453965e211bee8e50533c4d6a2997ace6d4 | ||
| ssdeep | 12288:KjwLxC80uONQttjvbLu0jiwhKF/De22pudOLVedf6ImE5umQnf4JDic0PcYyU:ZxC8yQttjvbS0lhKtEVedf66oPPR5 | ||
| imphash | bc1813b6b941bb3c0b066ce291c237d8 | ||
| impfuzzy | 48:DMi9scpVJxYWaz14sXtXVrYtCgGzPpU63fuFZ+z4:DMiOcpVJxYWap7XtXtYtCgGTpUrr | ||
Network IP location
Signature (26cnts)
| Level | Description |
|---|---|
| danger | Executed a process and injected code into it |
| warning | File has been identified by 29 AntiVirus engines on VirusTotal as malicious |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Collects information about installed applications |
| watch | Communicates with host for which no DNS query was performed |
| watch | Executes one or more WMI queries |
| watch | Harvests credentials from local FTP client softwares |
| watch | One or more of the buffers contains an embedded PE file |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Executes one or more WMI queries which can be used to identify virtual machines |
| notice | One or more potentially interesting buffers were extracted |
| notice | Queries for potentially installed applications |
| notice | Steals private information from local Internet browsers |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The executable uses a known packer |
| info | Tries to locate where the browsers are installed |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (13cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Suricata ids
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer Activity (Response)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer Activity (Response)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
PE API
IAT(Import Address Table) Library
USER32.dll
0x5072fc SetWindowDisplayAffinity
GDI32.dll
0x507030 RestoreDC
ADVAPI32.dll
0x507000 EqualPrefixSid
KERNEL32.dll
0x507060 CreateFileW
0x507064 GetCurrentProcess
0x507068 CloseHandle
0x50706c WaitForSingleObjectEx
0x507070 Sleep
0x507074 SwitchToThread
0x507078 GetCurrentThreadId
0x50707c GetExitCodeThread
0x507080 GetNativeSystemInfo
0x507084 FormatMessageA
0x507088 WideCharToMultiByte
0x50708c MultiByteToWideChar
0x507090 GetStringTypeW
0x507094 EnterCriticalSection
0x507098 LeaveCriticalSection
0x50709c InitializeCriticalSectionEx
0x5070a0 DeleteCriticalSection
0x5070a4 QueryPerformanceCounter
0x5070a8 QueryPerformanceFrequency
0x5070ac InitializeSRWLock
0x5070b0 ReleaseSRWLockExclusive
0x5070b4 AcquireSRWLockExclusive
0x5070b8 TryEnterCriticalSection
0x5070bc InitializeConditionVariable
0x5070c0 WakeConditionVariable
0x5070c4 WakeAllConditionVariable
0x5070c8 SleepConditionVariableCS
0x5070cc SleepConditionVariableSRW
0x5070d0 LocalFree
0x5070d4 EncodePointer
0x5070d8 DecodePointer
0x5070dc LCMapStringEx
0x5070e0 SetFileInformationByHandle
0x5070e4 FlsAlloc
0x5070e8 FlsGetValue
0x5070ec FlsSetValue
0x5070f0 FlsFree
0x5070f4 InitOnceExecuteOnce
0x5070f8 CreateEventExW
0x5070fc CreateSemaphoreExW
0x507100 FlushProcessWriteBuffers
0x507104 GetCurrentProcessorNumber
0x507108 GetSystemTimeAsFileTime
0x50710c GetTickCount64
0x507110 FreeLibraryWhenCallbackReturns
0x507114 CreateThreadpoolWork
0x507118 SubmitThreadpoolWork
0x50711c CloseThreadpoolWork
0x507120 CreateThreadpoolTimer
0x507124 SetThreadpoolTimer
0x507128 WaitForThreadpoolTimerCallbacks
0x50712c CloseThreadpoolTimer
0x507130 CreateThreadpoolWait
0x507134 SetThreadpoolWait
0x507138 CloseThreadpoolWait
0x50713c GetModuleHandleW
0x507140 GetProcAddress
0x507144 GetFileInformationByHandleEx
0x507148 CreateSymbolicLinkW
0x50714c GetLocaleInfoEx
0x507150 CompareStringEx
0x507154 GetCPInfo
0x507158 UnhandledExceptionFilter
0x50715c SetUnhandledExceptionFilter
0x507160 WriteConsoleW
0x507164 TerminateProcess
0x507168 IsProcessorFeaturePresent
0x50716c GetCurrentProcessId
0x507170 InitializeSListHead
0x507174 IsDebuggerPresent
0x507178 GetStartupInfoW
0x50717c HeapSize
0x507180 RaiseException
0x507184 RtlUnwind
0x507188 InterlockedPushEntrySList
0x50718c InterlockedFlushSList
0x507190 GetLastError
0x507194 SetLastError
0x507198 InitializeCriticalSectionAndSpinCount
0x50719c TlsAlloc
0x5071a0 TlsGetValue
0x5071a4 TlsSetValue
0x5071a8 TlsFree
0x5071ac FreeLibrary
0x5071b0 LoadLibraryExW
0x5071b4 CreateThread
0x5071b8 ExitThread
0x5071bc ResumeThread
0x5071c0 FreeLibraryAndExitThread
0x5071c4 GetModuleHandleExW
0x5071c8 GetStdHandle
0x5071cc WriteFile
0x5071d0 GetModuleFileNameW
0x5071d4 ExitProcess
0x5071d8 GetCommandLineA
0x5071dc GetCommandLineW
0x5071e0 GetCurrentThread
0x5071e4 HeapFree
0x5071e8 HeapAlloc
0x5071ec GetDateFormatW
0x5071f0 GetTimeFormatW
0x5071f4 CompareStringW
0x5071f8 LCMapStringW
0x5071fc GetLocaleInfoW
0x507200 IsValidLocale
0x507204 GetUserDefaultLCID
0x507208 EnumSystemLocalesW
0x50720c SetConsoleCtrlHandler
0x507210 GetFileType
0x507214 GetFileSizeEx
0x507218 SetFilePointerEx
0x50721c FlushFileBuffers
0x507220 GetConsoleOutputCP
0x507224 GetConsoleMode
0x507228 ReadFile
0x50722c HeapReAlloc
0x507230 GetTimeZoneInformation
0x507234 OutputDebugStringW
0x507238 FindClose
0x50723c FindFirstFileExW
0x507240 FindNextFileW
0x507244 IsValidCodePage
0x507248 GetACP
0x50724c GetOEMCP
0x507250 GetEnvironmentStringsW
0x507254 FreeEnvironmentStringsW
0x507258 SetEnvironmentVariableW
0x50725c SetStdHandle
0x507260 GetProcessHeap
0x507264 ReadConsoleW
EAT(Export Address Table) is none
USER32.dll
0x5072fc SetWindowDisplayAffinity
GDI32.dll
0x507030 RestoreDC
ADVAPI32.dll
0x507000 EqualPrefixSid
KERNEL32.dll
0x507060 CreateFileW
0x507064 GetCurrentProcess
0x507068 CloseHandle
0x50706c WaitForSingleObjectEx
0x507070 Sleep
0x507074 SwitchToThread
0x507078 GetCurrentThreadId
0x50707c GetExitCodeThread
0x507080 GetNativeSystemInfo
0x507084 FormatMessageA
0x507088 WideCharToMultiByte
0x50708c MultiByteToWideChar
0x507090 GetStringTypeW
0x507094 EnterCriticalSection
0x507098 LeaveCriticalSection
0x50709c InitializeCriticalSectionEx
0x5070a0 DeleteCriticalSection
0x5070a4 QueryPerformanceCounter
0x5070a8 QueryPerformanceFrequency
0x5070ac InitializeSRWLock
0x5070b0 ReleaseSRWLockExclusive
0x5070b4 AcquireSRWLockExclusive
0x5070b8 TryEnterCriticalSection
0x5070bc InitializeConditionVariable
0x5070c0 WakeConditionVariable
0x5070c4 WakeAllConditionVariable
0x5070c8 SleepConditionVariableCS
0x5070cc SleepConditionVariableSRW
0x5070d0 LocalFree
0x5070d4 EncodePointer
0x5070d8 DecodePointer
0x5070dc LCMapStringEx
0x5070e0 SetFileInformationByHandle
0x5070e4 FlsAlloc
0x5070e8 FlsGetValue
0x5070ec FlsSetValue
0x5070f0 FlsFree
0x5070f4 InitOnceExecuteOnce
0x5070f8 CreateEventExW
0x5070fc CreateSemaphoreExW
0x507100 FlushProcessWriteBuffers
0x507104 GetCurrentProcessorNumber
0x507108 GetSystemTimeAsFileTime
0x50710c GetTickCount64
0x507110 FreeLibraryWhenCallbackReturns
0x507114 CreateThreadpoolWork
0x507118 SubmitThreadpoolWork
0x50711c CloseThreadpoolWork
0x507120 CreateThreadpoolTimer
0x507124 SetThreadpoolTimer
0x507128 WaitForThreadpoolTimerCallbacks
0x50712c CloseThreadpoolTimer
0x507130 CreateThreadpoolWait
0x507134 SetThreadpoolWait
0x507138 CloseThreadpoolWait
0x50713c GetModuleHandleW
0x507140 GetProcAddress
0x507144 GetFileInformationByHandleEx
0x507148 CreateSymbolicLinkW
0x50714c GetLocaleInfoEx
0x507150 CompareStringEx
0x507154 GetCPInfo
0x507158 UnhandledExceptionFilter
0x50715c SetUnhandledExceptionFilter
0x507160 WriteConsoleW
0x507164 TerminateProcess
0x507168 IsProcessorFeaturePresent
0x50716c GetCurrentProcessId
0x507170 InitializeSListHead
0x507174 IsDebuggerPresent
0x507178 GetStartupInfoW
0x50717c HeapSize
0x507180 RaiseException
0x507184 RtlUnwind
0x507188 InterlockedPushEntrySList
0x50718c InterlockedFlushSList
0x507190 GetLastError
0x507194 SetLastError
0x507198 InitializeCriticalSectionAndSpinCount
0x50719c TlsAlloc
0x5071a0 TlsGetValue
0x5071a4 TlsSetValue
0x5071a8 TlsFree
0x5071ac FreeLibrary
0x5071b0 LoadLibraryExW
0x5071b4 CreateThread
0x5071b8 ExitThread
0x5071bc ResumeThread
0x5071c0 FreeLibraryAndExitThread
0x5071c4 GetModuleHandleExW
0x5071c8 GetStdHandle
0x5071cc WriteFile
0x5071d0 GetModuleFileNameW
0x5071d4 ExitProcess
0x5071d8 GetCommandLineA
0x5071dc GetCommandLineW
0x5071e0 GetCurrentThread
0x5071e4 HeapFree
0x5071e8 HeapAlloc
0x5071ec GetDateFormatW
0x5071f0 GetTimeFormatW
0x5071f4 CompareStringW
0x5071f8 LCMapStringW
0x5071fc GetLocaleInfoW
0x507200 IsValidLocale
0x507204 GetUserDefaultLCID
0x507208 EnumSystemLocalesW
0x50720c SetConsoleCtrlHandler
0x507210 GetFileType
0x507214 GetFileSizeEx
0x507218 SetFilePointerEx
0x50721c FlushFileBuffers
0x507220 GetConsoleOutputCP
0x507224 GetConsoleMode
0x507228 ReadFile
0x50722c HeapReAlloc
0x507230 GetTimeZoneInformation
0x507234 OutputDebugStringW
0x507238 FindClose
0x50723c FindFirstFileExW
0x507240 FindNextFileW
0x507244 IsValidCodePage
0x507248 GetACP
0x50724c GetOEMCP
0x507250 GetEnvironmentStringsW
0x507254 FreeEnvironmentStringsW
0x507258 SetEnvironmentVariableW
0x50725c SetStdHandle
0x507260 GetProcessHeap
0x507264 ReadConsoleW
EAT(Export Address Table) is none