ScreenShot
| Created | 2023.08.14 07:49 | Machine | s1_win7_x6403 |
| Filename | file.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | |||
| md5 | 049a6d9199bd6efe409b0ab9fc4cdee6 | ||
| sha256 | 68a90fbe2b08f26df6b5ee291bbe6ccce6e322ba3475e1ce2a42631a69d9a8ba | ||
| ssdeep | 12288:uB5Ic+MX5pMvp36InFJj6WjK3W/Ii2DP6HHZ4CI1u/DQ8qTav755t:lc+MJpMvpKCjQDP6H5lI+v75 | ||
| imphash | b1baadc7cd565683e6ca39782aebf267 | ||
| impfuzzy | 24:689scpVXZsCrMS1jtJGzplJBl3eDYoEOovbOZOuFZVvtGMAHTq+lEZHu93:z9scpVJZrMS1jtJGzPpLc3EuFZdl4 | ||
Network IP location
Signature (26cnts)
| Level | Description |
|---|---|
| danger | Executed a process and injected code into it |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Collects information about installed applications |
| watch | Communicates with host for which no DNS query was performed |
| watch | Executes one or more WMI queries |
| watch | Harvests credentials from local FTP client softwares |
| watch | One or more of the buffers contains an embedded PE file |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | A process attempted to delay the analysis task. |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Executes one or more WMI queries which can be used to identify virtual machines |
| notice | One or more potentially interesting buffers were extracted |
| notice | Queries for potentially installed applications |
| notice | Steals private information from local Internet browsers |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The executable uses a known packer |
| info | Tries to locate where the browsers are installed |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (14cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | RedLine_Stealer_m_Zero | RedLine stealer | memory |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
PE API
IAT(Import Address Table) Library
USER32.dll
0x5031fc SetWindowDisplayAffinity
GDI32.dll
0x503000 RestoreDC
KERNEL32.dll
0x503030 CreateFileW
0x503034 LoadLibraryExW
0x503038 FormatMessageA
0x50303c WideCharToMultiByte
0x503040 MultiByteToWideChar
0x503044 GetStringTypeW
0x503048 EnterCriticalSection
0x50304c LeaveCriticalSection
0x503050 InitializeCriticalSectionEx
0x503054 DeleteCriticalSection
0x503058 LocalFree
0x50305c EncodePointer
0x503060 DecodePointer
0x503064 LCMapStringEx
0x503068 GetLocaleInfoEx
0x50306c CompareStringEx
0x503070 GetCPInfo
0x503074 QueryPerformanceCounter
0x503078 GetCurrentProcessId
0x50307c GetCurrentThreadId
0x503080 GetSystemTimeAsFileTime
0x503084 InitializeSListHead
0x503088 IsDebuggerPresent
0x50308c UnhandledExceptionFilter
0x503090 SetUnhandledExceptionFilter
0x503094 GetStartupInfoW
0x503098 IsProcessorFeaturePresent
0x50309c GetModuleHandleW
0x5030a0 GetCurrentProcess
0x5030a4 TerminateProcess
0x5030a8 HeapSize
0x5030ac RaiseException
0x5030b0 RtlUnwind
0x5030b4 InterlockedPushEntrySList
0x5030b8 InterlockedFlushSList
0x5030bc GetLastError
0x5030c0 SetLastError
0x5030c4 InitializeCriticalSectionAndSpinCount
0x5030c8 TlsAlloc
0x5030cc TlsGetValue
0x5030d0 TlsSetValue
0x5030d4 TlsFree
0x5030d8 FreeLibrary
0x5030dc GetProcAddress
0x5030e0 WriteConsoleW
0x5030e4 GetStdHandle
0x5030e8 WriteFile
0x5030ec GetModuleFileNameW
0x5030f0 ExitProcess
0x5030f4 GetModuleHandleExW
0x5030f8 GetCommandLineA
0x5030fc GetCommandLineW
0x503100 GetCurrentThread
0x503104 HeapFree
0x503108 GetDateFormatW
0x50310c GetTimeFormatW
0x503110 CompareStringW
0x503114 LCMapStringW
0x503118 GetLocaleInfoW
0x50311c IsValidLocale
0x503120 GetUserDefaultLCID
0x503124 EnumSystemLocalesW
0x503128 HeapAlloc
0x50312c GetFileType
0x503130 GetFileSizeEx
0x503134 SetFilePointerEx
0x503138 CloseHandle
0x50313c FlushFileBuffers
0x503140 GetConsoleOutputCP
0x503144 GetConsoleMode
0x503148 ReadFile
0x50314c HeapReAlloc
0x503150 SetConsoleCtrlHandler
0x503154 GetTimeZoneInformation
0x503158 OutputDebugStringW
0x50315c FindClose
0x503160 FindFirstFileExW
0x503164 FindNextFileW
0x503168 IsValidCodePage
0x50316c GetACP
0x503170 GetOEMCP
0x503174 GetEnvironmentStringsW
0x503178 FreeEnvironmentStringsW
0x50317c SetEnvironmentVariableW
0x503180 SetStdHandle
0x503184 GetProcessHeap
0x503188 ReadConsoleW
EAT(Export Address Table) is none
USER32.dll
0x5031fc SetWindowDisplayAffinity
GDI32.dll
0x503000 RestoreDC
KERNEL32.dll
0x503030 CreateFileW
0x503034 LoadLibraryExW
0x503038 FormatMessageA
0x50303c WideCharToMultiByte
0x503040 MultiByteToWideChar
0x503044 GetStringTypeW
0x503048 EnterCriticalSection
0x50304c LeaveCriticalSection
0x503050 InitializeCriticalSectionEx
0x503054 DeleteCriticalSection
0x503058 LocalFree
0x50305c EncodePointer
0x503060 DecodePointer
0x503064 LCMapStringEx
0x503068 GetLocaleInfoEx
0x50306c CompareStringEx
0x503070 GetCPInfo
0x503074 QueryPerformanceCounter
0x503078 GetCurrentProcessId
0x50307c GetCurrentThreadId
0x503080 GetSystemTimeAsFileTime
0x503084 InitializeSListHead
0x503088 IsDebuggerPresent
0x50308c UnhandledExceptionFilter
0x503090 SetUnhandledExceptionFilter
0x503094 GetStartupInfoW
0x503098 IsProcessorFeaturePresent
0x50309c GetModuleHandleW
0x5030a0 GetCurrentProcess
0x5030a4 TerminateProcess
0x5030a8 HeapSize
0x5030ac RaiseException
0x5030b0 RtlUnwind
0x5030b4 InterlockedPushEntrySList
0x5030b8 InterlockedFlushSList
0x5030bc GetLastError
0x5030c0 SetLastError
0x5030c4 InitializeCriticalSectionAndSpinCount
0x5030c8 TlsAlloc
0x5030cc TlsGetValue
0x5030d0 TlsSetValue
0x5030d4 TlsFree
0x5030d8 FreeLibrary
0x5030dc GetProcAddress
0x5030e0 WriteConsoleW
0x5030e4 GetStdHandle
0x5030e8 WriteFile
0x5030ec GetModuleFileNameW
0x5030f0 ExitProcess
0x5030f4 GetModuleHandleExW
0x5030f8 GetCommandLineA
0x5030fc GetCommandLineW
0x503100 GetCurrentThread
0x503104 HeapFree
0x503108 GetDateFormatW
0x50310c GetTimeFormatW
0x503110 CompareStringW
0x503114 LCMapStringW
0x503118 GetLocaleInfoW
0x50311c IsValidLocale
0x503120 GetUserDefaultLCID
0x503124 EnumSystemLocalesW
0x503128 HeapAlloc
0x50312c GetFileType
0x503130 GetFileSizeEx
0x503134 SetFilePointerEx
0x503138 CloseHandle
0x50313c FlushFileBuffers
0x503140 GetConsoleOutputCP
0x503144 GetConsoleMode
0x503148 ReadFile
0x50314c HeapReAlloc
0x503150 SetConsoleCtrlHandler
0x503154 GetTimeZoneInformation
0x503158 OutputDebugStringW
0x50315c FindClose
0x503160 FindFirstFileExW
0x503164 FindNextFileW
0x503168 IsValidCodePage
0x50316c GetACP
0x503170 GetOEMCP
0x503174 GetEnvironmentStringsW
0x503178 FreeEnvironmentStringsW
0x50317c SetEnvironmentVariableW
0x503180 SetStdHandle
0x503184 GetProcessHeap
0x503188 ReadConsoleW
EAT(Export Address Table) is none