ScreenShot
| Created | 2023.08.21 18:44 | Machine | s1_win7_x6403 |
| Filename | balalaika.php | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | |||
| md5 | 8ef99b7b22cd9da6c37bc5bb56d94b62 | ||
| sha256 | 59835a3f4ca0edc1491196024e33c0e0c0a0d399527a9d00f3cb9aec4f1e6a6a | ||
| ssdeep | 24576:lvv1/j4b9vK4PeFlM+EIPugGW8xDu2wpz:lvqb9vK4EMYFGvCx | ||
| imphash | fa0f76338375d3e60669765a50375aa1 | ||
| impfuzzy | 48:eBfWJcpH+zD9vrxQSXtXvZrmcGtZzba63buFZGz0:eBfWJcpH+X1rxHXtXvxmcGtZPa9V | ||
Network IP location
Signature (26cnts)
| Level | Description |
|---|---|
| danger | Executed a process and injected code into it |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Collects information about installed applications |
| watch | Communicates with host for which no DNS query was performed |
| watch | Executes one or more WMI queries |
| watch | Harvests credentials from local FTP client softwares |
| watch | One or more of the buffers contains an embedded PE file |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Executes one or more WMI queries which can be used to identify virtual machines |
| notice | One or more potentially interesting buffers were extracted |
| notice | Queries for potentially installed applications |
| notice | Steals private information from local Internet browsers |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The executable uses a known packer |
| info | This executable has a PDB path |
| info | Tries to locate where the browsers are installed |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (14cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | RedLine_Stealer_m_Zero | RedLine stealer | memory |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Suricata ids
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
PE API
IAT(Import Address Table) Library
GDI32.dll
0x508000 RestoreDC
KERNEL32.dll
0x508030 RaiseException
0x508034 CloseHandle
0x508038 WaitForSingleObjectEx
0x50803c Sleep
0x508040 SwitchToThread
0x508044 GetCurrentThreadId
0x508048 GetExitCodeThread
0x50804c GetNativeSystemInfo
0x508050 InitializeSRWLock
0x508054 ReleaseSRWLockExclusive
0x508058 AcquireSRWLockExclusive
0x50805c EnterCriticalSection
0x508060 LeaveCriticalSection
0x508064 InitializeCriticalSectionEx
0x508068 TryEnterCriticalSection
0x50806c DeleteCriticalSection
0x508070 InitializeConditionVariable
0x508074 WakeConditionVariable
0x508078 WakeAllConditionVariable
0x50807c SleepConditionVariableCS
0x508080 SleepConditionVariableSRW
0x508084 FormatMessageA
0x508088 WideCharToMultiByte
0x50808c MultiByteToWideChar
0x508090 GetStringTypeW
0x508094 InitOnceBeginInitialize
0x508098 InitOnceComplete
0x50809c GetLastError
0x5080a0 FreeLibraryWhenCallbackReturns
0x5080a4 CreateThreadpoolWork
0x5080a8 SubmitThreadpoolWork
0x5080ac CloseThreadpoolWork
0x5080b0 GetModuleHandleExW
0x5080b4 RtlCaptureStackBackTrace
0x5080b8 IsProcessorFeaturePresent
0x5080bc QueryPerformanceCounter
0x5080c0 QueryPerformanceFrequency
0x5080c4 SetFileInformationByHandle
0x5080c8 FlsAlloc
0x5080cc FlsGetValue
0x5080d0 FlsSetValue
0x5080d4 FlsFree
0x5080d8 InitOnceExecuteOnce
0x5080dc CreateEventExW
0x5080e0 CreateSemaphoreExW
0x5080e4 FlushProcessWriteBuffers
0x5080e8 GetCurrentProcessorNumber
0x5080ec GetSystemTimeAsFileTime
0x5080f0 GetTickCount64
0x5080f4 CreateThreadpoolTimer
0x5080f8 SetThreadpoolTimer
0x5080fc WaitForThreadpoolTimerCallbacks
0x508100 CloseThreadpoolTimer
0x508104 CreateThreadpoolWait
0x508108 SetThreadpoolWait
0x50810c CloseThreadpoolWait
0x508110 GetModuleHandleW
0x508114 GetProcAddress
0x508118 GetFileInformationByHandleEx
0x50811c CreateSymbolicLinkW
0x508120 LocalFree
0x508124 EncodePointer
0x508128 DecodePointer
0x50812c LCMapStringEx
0x508130 GetLocaleInfoEx
0x508134 CompareStringEx
0x508138 GetCPInfo
0x50813c InitializeCriticalSectionAndSpinCount
0x508140 SetEvent
0x508144 ResetEvent
0x508148 CreateEventW
0x50814c GetCurrentProcessId
0x508150 InitializeSListHead
0x508154 IsDebuggerPresent
0x508158 UnhandledExceptionFilter
0x50815c SetUnhandledExceptionFilter
0x508160 GetStartupInfoW
0x508164 GetCurrentProcess
0x508168 TerminateProcess
0x50816c CreateFileW
0x508170 RtlUnwind
0x508174 InterlockedPushEntrySList
0x508178 InterlockedFlushSList
0x50817c SetLastError
0x508180 TlsAlloc
0x508184 TlsGetValue
0x508188 TlsSetValue
0x50818c TlsFree
0x508190 FreeLibrary
0x508194 LoadLibraryExW
0x508198 CreateThread
0x50819c ExitThread
0x5081a0 ResumeThread
0x5081a4 FreeLibraryAndExitThread
0x5081a8 GetStdHandle
0x5081ac WriteFile
0x5081b0 GetModuleFileNameW
0x5081b4 ExitProcess
0x5081b8 GetCommandLineA
0x5081bc GetCommandLineW
0x5081c0 GetCurrentThread
0x5081c4 HeapFree
0x5081c8 SetConsoleCtrlHandler
0x5081cc HeapAlloc
0x5081d0 GetDateFormatW
0x5081d4 GetTimeFormatW
0x5081d8 CompareStringW
0x5081dc LCMapStringW
0x5081e0 GetLocaleInfoW
0x5081e4 IsValidLocale
0x5081e8 GetUserDefaultLCID
0x5081ec EnumSystemLocalesW
0x5081f0 GetFileType
0x5081f4 GetFileSizeEx
0x5081f8 SetFilePointerEx
0x5081fc FlushFileBuffers
0x508200 GetConsoleOutputCP
0x508204 GetConsoleMode
0x508208 ReadFile
0x50820c HeapReAlloc
0x508210 GetTimeZoneInformation
0x508214 OutputDebugStringW
0x508218 FindClose
0x50821c FindFirstFileExW
0x508220 FindNextFileW
0x508224 IsValidCodePage
0x508228 GetACP
0x50822c GetOEMCP
0x508230 GetEnvironmentStringsW
0x508234 FreeEnvironmentStringsW
0x508238 SetEnvironmentVariableW
0x50823c SetStdHandle
0x508240 GetProcessHeap
0x508244 ReadConsoleW
0x508248 HeapSize
0x50824c WriteConsoleW
EAT(Export Address Table) is none
GDI32.dll
0x508000 RestoreDC
KERNEL32.dll
0x508030 RaiseException
0x508034 CloseHandle
0x508038 WaitForSingleObjectEx
0x50803c Sleep
0x508040 SwitchToThread
0x508044 GetCurrentThreadId
0x508048 GetExitCodeThread
0x50804c GetNativeSystemInfo
0x508050 InitializeSRWLock
0x508054 ReleaseSRWLockExclusive
0x508058 AcquireSRWLockExclusive
0x50805c EnterCriticalSection
0x508060 LeaveCriticalSection
0x508064 InitializeCriticalSectionEx
0x508068 TryEnterCriticalSection
0x50806c DeleteCriticalSection
0x508070 InitializeConditionVariable
0x508074 WakeConditionVariable
0x508078 WakeAllConditionVariable
0x50807c SleepConditionVariableCS
0x508080 SleepConditionVariableSRW
0x508084 FormatMessageA
0x508088 WideCharToMultiByte
0x50808c MultiByteToWideChar
0x508090 GetStringTypeW
0x508094 InitOnceBeginInitialize
0x508098 InitOnceComplete
0x50809c GetLastError
0x5080a0 FreeLibraryWhenCallbackReturns
0x5080a4 CreateThreadpoolWork
0x5080a8 SubmitThreadpoolWork
0x5080ac CloseThreadpoolWork
0x5080b0 GetModuleHandleExW
0x5080b4 RtlCaptureStackBackTrace
0x5080b8 IsProcessorFeaturePresent
0x5080bc QueryPerformanceCounter
0x5080c0 QueryPerformanceFrequency
0x5080c4 SetFileInformationByHandle
0x5080c8 FlsAlloc
0x5080cc FlsGetValue
0x5080d0 FlsSetValue
0x5080d4 FlsFree
0x5080d8 InitOnceExecuteOnce
0x5080dc CreateEventExW
0x5080e0 CreateSemaphoreExW
0x5080e4 FlushProcessWriteBuffers
0x5080e8 GetCurrentProcessorNumber
0x5080ec GetSystemTimeAsFileTime
0x5080f0 GetTickCount64
0x5080f4 CreateThreadpoolTimer
0x5080f8 SetThreadpoolTimer
0x5080fc WaitForThreadpoolTimerCallbacks
0x508100 CloseThreadpoolTimer
0x508104 CreateThreadpoolWait
0x508108 SetThreadpoolWait
0x50810c CloseThreadpoolWait
0x508110 GetModuleHandleW
0x508114 GetProcAddress
0x508118 GetFileInformationByHandleEx
0x50811c CreateSymbolicLinkW
0x508120 LocalFree
0x508124 EncodePointer
0x508128 DecodePointer
0x50812c LCMapStringEx
0x508130 GetLocaleInfoEx
0x508134 CompareStringEx
0x508138 GetCPInfo
0x50813c InitializeCriticalSectionAndSpinCount
0x508140 SetEvent
0x508144 ResetEvent
0x508148 CreateEventW
0x50814c GetCurrentProcessId
0x508150 InitializeSListHead
0x508154 IsDebuggerPresent
0x508158 UnhandledExceptionFilter
0x50815c SetUnhandledExceptionFilter
0x508160 GetStartupInfoW
0x508164 GetCurrentProcess
0x508168 TerminateProcess
0x50816c CreateFileW
0x508170 RtlUnwind
0x508174 InterlockedPushEntrySList
0x508178 InterlockedFlushSList
0x50817c SetLastError
0x508180 TlsAlloc
0x508184 TlsGetValue
0x508188 TlsSetValue
0x50818c TlsFree
0x508190 FreeLibrary
0x508194 LoadLibraryExW
0x508198 CreateThread
0x50819c ExitThread
0x5081a0 ResumeThread
0x5081a4 FreeLibraryAndExitThread
0x5081a8 GetStdHandle
0x5081ac WriteFile
0x5081b0 GetModuleFileNameW
0x5081b4 ExitProcess
0x5081b8 GetCommandLineA
0x5081bc GetCommandLineW
0x5081c0 GetCurrentThread
0x5081c4 HeapFree
0x5081c8 SetConsoleCtrlHandler
0x5081cc HeapAlloc
0x5081d0 GetDateFormatW
0x5081d4 GetTimeFormatW
0x5081d8 CompareStringW
0x5081dc LCMapStringW
0x5081e0 GetLocaleInfoW
0x5081e4 IsValidLocale
0x5081e8 GetUserDefaultLCID
0x5081ec EnumSystemLocalesW
0x5081f0 GetFileType
0x5081f4 GetFileSizeEx
0x5081f8 SetFilePointerEx
0x5081fc FlushFileBuffers
0x508200 GetConsoleOutputCP
0x508204 GetConsoleMode
0x508208 ReadFile
0x50820c HeapReAlloc
0x508210 GetTimeZoneInformation
0x508214 OutputDebugStringW
0x508218 FindClose
0x50821c FindFirstFileExW
0x508220 FindNextFileW
0x508224 IsValidCodePage
0x508228 GetACP
0x50822c GetOEMCP
0x508230 GetEnvironmentStringsW
0x508234 FreeEnvironmentStringsW
0x508238 SetEnvironmentVariableW
0x50823c SetStdHandle
0x508240 GetProcessHeap
0x508244 ReadConsoleW
0x508248 HeapSize
0x50824c WriteConsoleW
EAT(Export Address Table) is none