ScreenShot
| Created | 2023.08.27 15:33 | Machine | s1_win7_x6401 |
| Filename | autorun.exe | ||
| Type | PE32 executable (console) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 23 detected (AIDetectMalware, Artemis, Attribute, HighConfidence, malicious, high confidence, GenKryptik, GNFE, score, Exploitx, Inject4, TRICKBOT, Sabsik, Detected, ZexaF, yuW@amun2Mf, BScope, TrojanPSW, RedLine, Generic@AI, RDML, h1Kth9, ZSKgfzFye8p2Xgw, TitanStealer, susgen) | ||
| md5 | 1c4824973c92c48f44462e680827285d | ||
| sha256 | e6b91ba77ac6fd0d18084298e7fefc4320b9b39ad58c78e6cc3f9ecd65e04598 | ||
| ssdeep | 6144:2l3msOm/xvfHaU4+ewAOtNv3TJp14JTG5DFDtehpaxnx/bsvv7SvvqvvhvvYvvvc:wWsOm/93zN1pWMpt3Wx3 | ||
| imphash | a8d556a81f264cbf87707551d1515c69 | ||
| impfuzzy | 24:sDQKAWfdGakbjWjdQjDYc+OYl93t8ObJh9r9OovbOIHFZMv5GMACEZHu9s:0oWfd8TQc+OYbt8ODZo3gFZGe | ||
Network IP location
Signature (20cnts)
| Level | Description |
|---|---|
| danger | Executed a process and injected code into it |
| warning | File has been identified by 23 AntiVirus engines on VirusTotal as malicious |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Code injection by writing an executable or DLL to the memory of another process |
| watch | Communicates with host for which no DNS query was performed |
| watch | Executes one or more WMI queries |
| watch | Harvests credentials from local FTP client softwares |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | One or more potentially interesting buffers were extracted |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | Tries to locate where the browsers are installed |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (14cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | RedLine_Stealer_m_Zero | RedLine stealer | memory |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Suricata ids
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
PE API
IAT(Import Address Table) Library
ole32.dll
0x42417c CoGetObjectContext
0x424180 CoGetApartmentType
KERNEL32.dll
0x424000 GetCPInfo
0x424004 CreateFileW
0x424008 HeapSize
0x42400c Sleep
0x424010 RaiseException
0x424014 InitializeSRWLock
0x424018 ReleaseSRWLockExclusive
0x42401c AcquireSRWLockExclusive
0x424020 TryAcquireSRWLockExclusive
0x424024 GetCurrentThreadId
0x424028 InitializeConditionVariable
0x42402c WakeConditionVariable
0x424030 WakeAllConditionVariable
0x424034 SleepConditionVariableSRW
0x424038 InitOnceBeginInitialize
0x42403c InitOnceComplete
0x424040 GetLastError
0x424044 FreeLibraryWhenCallbackReturns
0x424048 CreateThreadpoolWork
0x42404c SubmitThreadpoolWork
0x424050 CloseThreadpoolWork
0x424054 GetModuleHandleExW
0x424058 IsProcessorFeaturePresent
0x42405c QueryPerformanceCounter
0x424060 CloseHandle
0x424064 WaitForSingleObjectEx
0x424068 EncodePointer
0x42406c DecodePointer
0x424070 InitializeCriticalSectionEx
0x424074 GetSystemTimeAsFileTime
0x424078 GetModuleHandleW
0x42407c GetProcAddress
0x424080 EnterCriticalSection
0x424084 LeaveCriticalSection
0x424088 DeleteCriticalSection
0x42408c MultiByteToWideChar
0x424090 WideCharToMultiByte
0x424094 LCMapStringEx
0x424098 GetStringTypeW
0x42409c WriteConsoleW
0x4240a0 InitializeCriticalSectionAndSpinCount
0x4240a4 SetEvent
0x4240a8 ResetEvent
0x4240ac CreateEventW
0x4240b0 IsDebuggerPresent
0x4240b4 UnhandledExceptionFilter
0x4240b8 SetUnhandledExceptionFilter
0x4240bc GetStartupInfoW
0x4240c0 GetCurrentProcess
0x4240c4 TerminateProcess
0x4240c8 GetCurrentProcessId
0x4240cc InitializeSListHead
0x4240d0 SetStdHandle
0x4240d4 RtlUnwind
0x4240d8 SetLastError
0x4240dc TlsAlloc
0x4240e0 TlsGetValue
0x4240e4 TlsSetValue
0x4240e8 TlsFree
0x4240ec FreeLibrary
0x4240f0 LoadLibraryExW
0x4240f4 ExitProcess
0x4240f8 GetModuleFileNameW
0x4240fc GetStdHandle
0x424100 WriteFile
0x424104 GetCommandLineA
0x424108 GetCommandLineW
0x42410c HeapFree
0x424110 HeapAlloc
0x424114 CompareStringW
0x424118 LCMapStringW
0x42411c GetLocaleInfoW
0x424120 IsValidLocale
0x424124 GetUserDefaultLCID
0x424128 EnumSystemLocalesW
0x42412c GetFileType
0x424130 GetFileSizeEx
0x424134 SetFilePointerEx
0x424138 FlushFileBuffers
0x42413c GetConsoleOutputCP
0x424140 GetConsoleMode
0x424144 ReadFile
0x424148 ReadConsoleW
0x42414c HeapReAlloc
0x424150 FindClose
0x424154 FindFirstFileExW
0x424158 FindNextFileW
0x42415c IsValidCodePage
0x424160 GetACP
0x424164 GetOEMCP
0x424168 GetEnvironmentStringsW
0x42416c FreeEnvironmentStringsW
0x424170 SetEnvironmentVariableW
0x424174 GetProcessHeap
EAT(Export Address Table) is none
ole32.dll
0x42417c CoGetObjectContext
0x424180 CoGetApartmentType
KERNEL32.dll
0x424000 GetCPInfo
0x424004 CreateFileW
0x424008 HeapSize
0x42400c Sleep
0x424010 RaiseException
0x424014 InitializeSRWLock
0x424018 ReleaseSRWLockExclusive
0x42401c AcquireSRWLockExclusive
0x424020 TryAcquireSRWLockExclusive
0x424024 GetCurrentThreadId
0x424028 InitializeConditionVariable
0x42402c WakeConditionVariable
0x424030 WakeAllConditionVariable
0x424034 SleepConditionVariableSRW
0x424038 InitOnceBeginInitialize
0x42403c InitOnceComplete
0x424040 GetLastError
0x424044 FreeLibraryWhenCallbackReturns
0x424048 CreateThreadpoolWork
0x42404c SubmitThreadpoolWork
0x424050 CloseThreadpoolWork
0x424054 GetModuleHandleExW
0x424058 IsProcessorFeaturePresent
0x42405c QueryPerformanceCounter
0x424060 CloseHandle
0x424064 WaitForSingleObjectEx
0x424068 EncodePointer
0x42406c DecodePointer
0x424070 InitializeCriticalSectionEx
0x424074 GetSystemTimeAsFileTime
0x424078 GetModuleHandleW
0x42407c GetProcAddress
0x424080 EnterCriticalSection
0x424084 LeaveCriticalSection
0x424088 DeleteCriticalSection
0x42408c MultiByteToWideChar
0x424090 WideCharToMultiByte
0x424094 LCMapStringEx
0x424098 GetStringTypeW
0x42409c WriteConsoleW
0x4240a0 InitializeCriticalSectionAndSpinCount
0x4240a4 SetEvent
0x4240a8 ResetEvent
0x4240ac CreateEventW
0x4240b0 IsDebuggerPresent
0x4240b4 UnhandledExceptionFilter
0x4240b8 SetUnhandledExceptionFilter
0x4240bc GetStartupInfoW
0x4240c0 GetCurrentProcess
0x4240c4 TerminateProcess
0x4240c8 GetCurrentProcessId
0x4240cc InitializeSListHead
0x4240d0 SetStdHandle
0x4240d4 RtlUnwind
0x4240d8 SetLastError
0x4240dc TlsAlloc
0x4240e0 TlsGetValue
0x4240e4 TlsSetValue
0x4240e8 TlsFree
0x4240ec FreeLibrary
0x4240f0 LoadLibraryExW
0x4240f4 ExitProcess
0x4240f8 GetModuleFileNameW
0x4240fc GetStdHandle
0x424100 WriteFile
0x424104 GetCommandLineA
0x424108 GetCommandLineW
0x42410c HeapFree
0x424110 HeapAlloc
0x424114 CompareStringW
0x424118 LCMapStringW
0x42411c GetLocaleInfoW
0x424120 IsValidLocale
0x424124 GetUserDefaultLCID
0x424128 EnumSystemLocalesW
0x42412c GetFileType
0x424130 GetFileSizeEx
0x424134 SetFilePointerEx
0x424138 FlushFileBuffers
0x42413c GetConsoleOutputCP
0x424140 GetConsoleMode
0x424144 ReadFile
0x424148 ReadConsoleW
0x42414c HeapReAlloc
0x424150 FindClose
0x424154 FindFirstFileExW
0x424158 FindNextFileW
0x42415c IsValidCodePage
0x424160 GetACP
0x424164 GetOEMCP
0x424168 GetEnvironmentStringsW
0x42416c FreeEnvironmentStringsW
0x424170 SetEnvironmentVariableW
0x424174 GetProcessHeap
EAT(Export Address Table) is none