Field | Value |
---|---|
Created | 2023.09.01 09:09 |
Machine | s1_win7_x6401 |
Filename | k-AMqan907JetwLo8K.exe |
Type | PE32 executable (console) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 26 detected (AIDetectMalware, malicious, high confidence, unsafe, Save, ZexaF, qq0@aO5jmSni, Attribute, HighConfidence, Kryptik, HSYN, score, FileRepMalware, high, Synder, Generic@AI, RDML, deJPOnccaZ9lgean4UEXEA, Static AI, Malicious PE, confidence, 100%) |
md5 | bf1807ec443b76a12ad675f7cb6bf23a |
sha256 | f6fd042b83f85be44113bf9ed832bee5e7de2270b19704947a4da30f078998cd |
ssdeep | 3072:zxWXLSyBIbiyAeqwcBbGgabMMy1AxH/HLf/Ji49WCoMY5Z+:zxWzbhdBbGgabvy1AeemZ+ |
imphash | 79949fb04969b0ad00a160f76c9427ef |
impfuzzy | 24:VrymDWYej2EMjOovS2cfW/J3IBtsQFQ8RyvuT4FlXKhxZA:mMCQcfcuts3ucFZK6 |
Network IP location
Signature (16cnts)
Level | Description |
---|---|
warning | File has been identified by 26 AntiVirus engines on VirusTotal as malicious |
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
watch | Harvests credentials from local FTP client software |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | One or more potentially interesting buffers were extracted |
notice | Queries for potentially installed applications |
notice | Steals private information from local Internet browsers |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | One or more processes crashed |
info | Queries for the computername |
info | Tries to locate where the browsers are installed |
info | Uses Windows APIs to generate a cryptographic key |
Rules (5cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x41201c LoadLibraryA
0x412020 VirtualAlloc
0x412024 LockResource
0x412028 LoadResource
0x41202c SizeofResource
0x412030 FindResourceW
0x412034 GetProcAddress
0x412038 GetLastError
0x41203c CreateMutexA
0x412040 GetModuleHandleA
0x412044 FreeConsole
0x412048 VirtualProtect
0x41204c lstrlenW
0x412050 CreateThread
0x412054 WaitForSingleObject
0x412058 Sleep
0x41205c GetModuleHandleW
0x412060 EnumResourceTypesW
0x412064 HeapFree
0x412068 RtlUnwind
0x41206c RaiseException
0x412070 GetCommandLineA
0x412074 HeapCreate
0x412078 VirtualFree
0x41207c DeleteCriticalSection
0x412080 LeaveCriticalSection
0x412084 EnterCriticalSection
0x412088 HeapAlloc
0x41208c HeapReAlloc
0x412090 TlsGetValue
0x412094 TlsAlloc
0x412098 TlsSetValue
0x41209c TlsFree
0x4120a0 InterlockedIncrement
0x4120a4 SetLastError
0x4120a8 GetCurrentThreadId
0x4120ac InterlockedDecrement
0x4120b0 TerminateProcess
0x4120b4 GetCurrentProcess
0x4120b8 UnhandledExceptionFilter
0x4120bc SetUnhandledExceptionFilter
0x4120c0 IsDebuggerPresent
0x4120c4 ExitProcess
0x4120c8 WriteFile
0x4120cc GetStdHandle
0x4120d0 GetModuleFileNameA
0x4120d4 FreeEnvironmentStringsA
0x4120d8 GetEnvironmentStrings
0x4120dc FreeEnvironmentStringsW
0x4120e0 WideCharToMultiByte
0x4120e4 GetEnvironmentStringsW
0x4120e8 SetHandleCount
0x4120ec GetFileType
0x4120f0 GetStartupInfoA
0x4120f4 QueryPerformanceCounter
0x4120f8 GetTickCount
0x4120fc GetCurrentProcessId
0x412100 GetSystemTimeAsFileTime
0x412104 GetCPInfo
0x412108 GetACP
0x41210c GetOEMCP
0x412110 IsValidCodePage
0x412114 InitializeCriticalSectionAndSpinCount
0x412118 HeapSize
0x41211c LCMapStringA
0x412120 MultiByteToWideChar
0x412124 LCMapStringW
0x412128 GetStringTypeA
0x41212c GetStringTypeW
0x412130 GetLocaleInfoA
USER32.dll
0x412138 FlashWindowEx
GDI32.dll
0x412008 SetTextColor
0x41200c CreateFontIndirectA
0x412010 SelectObject
0x412014 SetBkMode
ADVAPI32.dll
0x412000 RegDeleteKeyA
EAT(Export Address Table) is none