ScreenShot
| Created | 2023.09.09 21:53 | Machine | s1_win7_x6403 |
| Filename | setupX.exe | ||
| Type | PE32 executable (console) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 40 detected (AIDetectMalware, @JW@Iz1Sejbi, Eldorado, Attribute, HighConfidence, malicious, high confidence, Kryptik, HUBU, PWSX, RedLineNET, REDLINE, YXDIIZ, Artemis, Detected, ai score=81, Synder, score, BScope, TrojanPSW, unsafe, Chgt, AfLuh8jhkCS, Outbreak, confidence, 100%) | ||
| md5 | 6c98e7cbfb82fb29f4bd29fb0bd5acc0 | ||
| sha256 | e6977ee312cc10c2b7ec91ff8d3435e4ec053a48c8197f67a5b30dbfd4e7a9a2 | ||
| ssdeep | 24576:h9bty89HiG26oNONmUK+Bm6LS+vEH7hlMHJ:Y89HiGhg3+rO+vEH7hlMp | ||
| imphash | 4417ad5cbaf82aedd8c9683f18ba107a | ||
| impfuzzy | 48:EnoWJcpH+PdD9vrxQSXtXqZrLbt8GzbQo3buFZGjA:4oWJcpH+P51rxHXtXqxLbt8GPQP3 | ||
Network IP location
Signature (25cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 40 AntiVirus engines on VirusTotal as malicious |
| danger | Executed a process and injected code into it |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Collects information about installed applications |
| watch | Communicates with host for which no DNS query was performed |
| watch | Harvests credentials from local FTP client softwares |
| watch | One or more of the buffers contains an embedded PE file |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | One or more potentially interesting buffers were extracted |
| notice | Queries for potentially installed applications |
| notice | Steals private information from local Internet browsers |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The executable uses a known packer |
| info | This executable has a PDB path |
| info | Tries to locate where the browsers are installed |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (15cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
| notice | Network_SMTP_dotNet | Communications smtp | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Suricata ids
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer Activity (Response)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer Activity (Response)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
PE API
IAT(Import Address Table) Library
USER32.dll
0x9d02c4 ShowWindow
0x9d02c8 CreateWindowExW
KERNEL32.dll
0x9d0000 GetCPInfo
0x9d0004 WriteConsoleW
0x9d0008 HeapSize
0x9d000c GetModuleHandleA
0x9d0010 FreeConsole
0x9d0014 RaiseException
0x9d0018 InitializeSRWLock
0x9d001c ReleaseSRWLockExclusive
0x9d0020 AcquireSRWLockExclusive
0x9d0024 EnterCriticalSection
0x9d0028 LeaveCriticalSection
0x9d002c InitializeCriticalSectionEx
0x9d0030 TryEnterCriticalSection
0x9d0034 DeleteCriticalSection
0x9d0038 GetCurrentThreadId
0x9d003c InitializeConditionVariable
0x9d0040 WakeConditionVariable
0x9d0044 WakeAllConditionVariable
0x9d0048 SleepConditionVariableCS
0x9d004c SleepConditionVariableSRW
0x9d0050 FormatMessageA
0x9d0054 WideCharToMultiByte
0x9d0058 MultiByteToWideChar
0x9d005c GetStringTypeW
0x9d0060 InitOnceBeginInitialize
0x9d0064 InitOnceComplete
0x9d0068 GetLastError
0x9d006c FreeLibraryWhenCallbackReturns
0x9d0070 CreateThreadpoolWork
0x9d0074 SubmitThreadpoolWork
0x9d0078 CloseThreadpoolWork
0x9d007c GetModuleHandleExW
0x9d0080 RtlCaptureStackBackTrace
0x9d0084 IsProcessorFeaturePresent
0x9d0088 QueryPerformanceCounter
0x9d008c QueryPerformanceFrequency
0x9d0090 SetFileInformationByHandle
0x9d0094 FlsAlloc
0x9d0098 FlsGetValue
0x9d009c FlsSetValue
0x9d00a0 FlsFree
0x9d00a4 InitOnceExecuteOnce
0x9d00a8 CreateEventExW
0x9d00ac CreateSemaphoreExW
0x9d00b0 FlushProcessWriteBuffers
0x9d00b4 GetCurrentProcessorNumber
0x9d00b8 GetSystemTimeAsFileTime
0x9d00bc GetTickCount64
0x9d00c0 CreateThreadpoolTimer
0x9d00c4 SetThreadpoolTimer
0x9d00c8 WaitForThreadpoolTimerCallbacks
0x9d00cc CloseThreadpoolTimer
0x9d00d0 CreateThreadpoolWait
0x9d00d4 SetThreadpoolWait
0x9d00d8 CloseThreadpoolWait
0x9d00dc GetModuleHandleW
0x9d00e0 GetProcAddress
0x9d00e4 GetFileInformationByHandleEx
0x9d00e8 CreateSymbolicLinkW
0x9d00ec CloseHandle
0x9d00f0 WaitForSingleObjectEx
0x9d00f4 Sleep
0x9d00f8 SwitchToThread
0x9d00fc GetExitCodeThread
0x9d0100 GetNativeSystemInfo
0x9d0104 LocalFree
0x9d0108 EncodePointer
0x9d010c DecodePointer
0x9d0110 LCMapStringEx
0x9d0114 GetLocaleInfoEx
0x9d0118 CompareStringEx
0x9d011c SetEndOfFile
0x9d0120 InitializeCriticalSectionAndSpinCount
0x9d0124 SetEvent
0x9d0128 ResetEvent
0x9d012c CreateEventW
0x9d0130 IsDebuggerPresent
0x9d0134 UnhandledExceptionFilter
0x9d0138 SetUnhandledExceptionFilter
0x9d013c GetStartupInfoW
0x9d0140 GetCurrentProcess
0x9d0144 TerminateProcess
0x9d0148 GetCurrentProcessId
0x9d014c InitializeSListHead
0x9d0150 CreateFileW
0x9d0154 RtlUnwind
0x9d0158 InterlockedPushEntrySList
0x9d015c InterlockedFlushSList
0x9d0160 SetLastError
0x9d0164 TlsAlloc
0x9d0168 TlsGetValue
0x9d016c TlsSetValue
0x9d0170 TlsFree
0x9d0174 FreeLibrary
0x9d0178 LoadLibraryExW
0x9d017c CreateThread
0x9d0180 ExitThread
0x9d0184 ResumeThread
0x9d0188 FreeLibraryAndExitThread
0x9d018c ExitProcess
0x9d0190 GetModuleFileNameW
0x9d0194 GetStdHandle
0x9d0198 WriteFile
0x9d019c GetCommandLineA
0x9d01a0 GetCommandLineW
0x9d01a4 GetCurrentThread
0x9d01a8 HeapFree
0x9d01ac SetConsoleCtrlHandler
0x9d01b0 HeapAlloc
0x9d01b4 GetDateFormatW
0x9d01b8 GetTimeFormatW
0x9d01bc CompareStringW
0x9d01c0 LCMapStringW
0x9d01c4 GetLocaleInfoW
0x9d01c8 IsValidLocale
0x9d01cc GetUserDefaultLCID
0x9d01d0 EnumSystemLocalesW
0x9d01d4 GetFileType
0x9d01d8 FlushFileBuffers
0x9d01dc GetConsoleOutputCP
0x9d01e0 GetConsoleMode
0x9d01e4 ReadFile
0x9d01e8 GetFileSizeEx
0x9d01ec SetFilePointerEx
0x9d01f0 ReadConsoleW
0x9d01f4 HeapReAlloc
0x9d01f8 GetTimeZoneInformation
0x9d01fc FindClose
0x9d0200 FindFirstFileExW
0x9d0204 FindNextFileW
0x9d0208 IsValidCodePage
0x9d020c GetACP
0x9d0210 GetOEMCP
0x9d0214 GetEnvironmentStringsW
0x9d0218 FreeEnvironmentStringsW
0x9d021c SetEnvironmentVariableW
0x9d0220 GetProcessHeap
0x9d0224 OutputDebugStringW
0x9d0228 SetStdHandle
EAT(Export Address Table) is none
USER32.dll
0x9d02c4 ShowWindow
0x9d02c8 CreateWindowExW
KERNEL32.dll
0x9d0000 GetCPInfo
0x9d0004 WriteConsoleW
0x9d0008 HeapSize
0x9d000c GetModuleHandleA
0x9d0010 FreeConsole
0x9d0014 RaiseException
0x9d0018 InitializeSRWLock
0x9d001c ReleaseSRWLockExclusive
0x9d0020 AcquireSRWLockExclusive
0x9d0024 EnterCriticalSection
0x9d0028 LeaveCriticalSection
0x9d002c InitializeCriticalSectionEx
0x9d0030 TryEnterCriticalSection
0x9d0034 DeleteCriticalSection
0x9d0038 GetCurrentThreadId
0x9d003c InitializeConditionVariable
0x9d0040 WakeConditionVariable
0x9d0044 WakeAllConditionVariable
0x9d0048 SleepConditionVariableCS
0x9d004c SleepConditionVariableSRW
0x9d0050 FormatMessageA
0x9d0054 WideCharToMultiByte
0x9d0058 MultiByteToWideChar
0x9d005c GetStringTypeW
0x9d0060 InitOnceBeginInitialize
0x9d0064 InitOnceComplete
0x9d0068 GetLastError
0x9d006c FreeLibraryWhenCallbackReturns
0x9d0070 CreateThreadpoolWork
0x9d0074 SubmitThreadpoolWork
0x9d0078 CloseThreadpoolWork
0x9d007c GetModuleHandleExW
0x9d0080 RtlCaptureStackBackTrace
0x9d0084 IsProcessorFeaturePresent
0x9d0088 QueryPerformanceCounter
0x9d008c QueryPerformanceFrequency
0x9d0090 SetFileInformationByHandle
0x9d0094 FlsAlloc
0x9d0098 FlsGetValue
0x9d009c FlsSetValue
0x9d00a0 FlsFree
0x9d00a4 InitOnceExecuteOnce
0x9d00a8 CreateEventExW
0x9d00ac CreateSemaphoreExW
0x9d00b0 FlushProcessWriteBuffers
0x9d00b4 GetCurrentProcessorNumber
0x9d00b8 GetSystemTimeAsFileTime
0x9d00bc GetTickCount64
0x9d00c0 CreateThreadpoolTimer
0x9d00c4 SetThreadpoolTimer
0x9d00c8 WaitForThreadpoolTimerCallbacks
0x9d00cc CloseThreadpoolTimer
0x9d00d0 CreateThreadpoolWait
0x9d00d4 SetThreadpoolWait
0x9d00d8 CloseThreadpoolWait
0x9d00dc GetModuleHandleW
0x9d00e0 GetProcAddress
0x9d00e4 GetFileInformationByHandleEx
0x9d00e8 CreateSymbolicLinkW
0x9d00ec CloseHandle
0x9d00f0 WaitForSingleObjectEx
0x9d00f4 Sleep
0x9d00f8 SwitchToThread
0x9d00fc GetExitCodeThread
0x9d0100 GetNativeSystemInfo
0x9d0104 LocalFree
0x9d0108 EncodePointer
0x9d010c DecodePointer
0x9d0110 LCMapStringEx
0x9d0114 GetLocaleInfoEx
0x9d0118 CompareStringEx
0x9d011c SetEndOfFile
0x9d0120 InitializeCriticalSectionAndSpinCount
0x9d0124 SetEvent
0x9d0128 ResetEvent
0x9d012c CreateEventW
0x9d0130 IsDebuggerPresent
0x9d0134 UnhandledExceptionFilter
0x9d0138 SetUnhandledExceptionFilter
0x9d013c GetStartupInfoW
0x9d0140 GetCurrentProcess
0x9d0144 TerminateProcess
0x9d0148 GetCurrentProcessId
0x9d014c InitializeSListHead
0x9d0150 CreateFileW
0x9d0154 RtlUnwind
0x9d0158 InterlockedPushEntrySList
0x9d015c InterlockedFlushSList
0x9d0160 SetLastError
0x9d0164 TlsAlloc
0x9d0168 TlsGetValue
0x9d016c TlsSetValue
0x9d0170 TlsFree
0x9d0174 FreeLibrary
0x9d0178 LoadLibraryExW
0x9d017c CreateThread
0x9d0180 ExitThread
0x9d0184 ResumeThread
0x9d0188 FreeLibraryAndExitThread
0x9d018c ExitProcess
0x9d0190 GetModuleFileNameW
0x9d0194 GetStdHandle
0x9d0198 WriteFile
0x9d019c GetCommandLineA
0x9d01a0 GetCommandLineW
0x9d01a4 GetCurrentThread
0x9d01a8 HeapFree
0x9d01ac SetConsoleCtrlHandler
0x9d01b0 HeapAlloc
0x9d01b4 GetDateFormatW
0x9d01b8 GetTimeFormatW
0x9d01bc CompareStringW
0x9d01c0 LCMapStringW
0x9d01c4 GetLocaleInfoW
0x9d01c8 IsValidLocale
0x9d01cc GetUserDefaultLCID
0x9d01d0 EnumSystemLocalesW
0x9d01d4 GetFileType
0x9d01d8 FlushFileBuffers
0x9d01dc GetConsoleOutputCP
0x9d01e0 GetConsoleMode
0x9d01e4 ReadFile
0x9d01e8 GetFileSizeEx
0x9d01ec SetFilePointerEx
0x9d01f0 ReadConsoleW
0x9d01f4 HeapReAlloc
0x9d01f8 GetTimeZoneInformation
0x9d01fc FindClose
0x9d0200 FindFirstFileExW
0x9d0204 FindNextFileW
0x9d0208 IsValidCodePage
0x9d020c GetACP
0x9d0210 GetOEMCP
0x9d0214 GetEnvironmentStringsW
0x9d0218 FreeEnvironmentStringsW
0x9d021c SetEnvironmentVariableW
0x9d0220 GetProcessHeap
0x9d0224 OutputDebugStringW
0x9d0228 SetStdHandle
EAT(Export Address Table) is none