ScreenShot
| Created | 2023.09.11 08:01 | Machine | s1_win7_x6401 |
| Filename | xk555wjbvnhf3f.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score | Not founds | Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | |||
| md5 | 1a18fc4db3affaacf43f4022df7a2c32 | ||
| sha256 | b76a4488c5fa797828b85f998054f6e879b4c213d639f4501c725337b71e6c32 | ||
| ssdeep | 24576:RlG6qqgrdGA97sAVkIk3T+CBlrVd/3IaCWzHrDh:OqgrdGApsKkzplpOaCCDh | ||
| imphash | 33ede84b4cb0967ffb7b14e9a46c056b | ||
| impfuzzy | 48:bSBfWJcpH+zD9vrxQSXtXvZrKGt/zba63buFZGz4:bSBfWJcpH+X1rxHXtXvxKGt/Pa9z | ||
Network IP location
Signature (24cnts)
| Level | Description |
|---|---|
| danger | Executed a process and injected code into it |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Collects information about installed applications |
| watch | Communicates with host for which no DNS query was performed |
| watch | Harvests credentials from local FTP client softwares |
| watch | One or more of the buffers contains an embedded PE file |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | One or more potentially interesting buffers were extracted |
| notice | Queries for potentially installed applications |
| notice | Steals private information from local Internet browsers |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The executable uses a known packer |
| info | This executable has a PDB path |
| info | Tries to locate where the browsers are installed |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (15cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
| notice | Network_SMTP_dotNet | Communications smtp | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Suricata ids
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer Activity (Response)
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer Activity (Response)
PE API
IAT(Import Address Table) Library
USER32.dll
0x51c2bc CreateWindowExW
KERNEL32.dll
0x51c000 InitializeCriticalSectionAndSpinCount
0x51c004 CreateFileW
0x51c008 GetModuleHandleA
0x51c00c RaiseException
0x51c010 CloseHandle
0x51c014 WaitForSingleObjectEx
0x51c018 Sleep
0x51c01c SwitchToThread
0x51c020 GetCurrentThreadId
0x51c024 GetExitCodeThread
0x51c028 GetNativeSystemInfo
0x51c02c InitializeSRWLock
0x51c030 ReleaseSRWLockExclusive
0x51c034 AcquireSRWLockExclusive
0x51c038 EnterCriticalSection
0x51c03c LeaveCriticalSection
0x51c040 InitializeCriticalSectionEx
0x51c044 TryEnterCriticalSection
0x51c048 DeleteCriticalSection
0x51c04c InitializeConditionVariable
0x51c050 WakeConditionVariable
0x51c054 WakeAllConditionVariable
0x51c058 SleepConditionVariableCS
0x51c05c SleepConditionVariableSRW
0x51c060 FormatMessageA
0x51c064 WideCharToMultiByte
0x51c068 MultiByteToWideChar
0x51c06c GetStringTypeW
0x51c070 InitOnceBeginInitialize
0x51c074 InitOnceComplete
0x51c078 GetLastError
0x51c07c FreeLibraryWhenCallbackReturns
0x51c080 CreateThreadpoolWork
0x51c084 SubmitThreadpoolWork
0x51c088 CloseThreadpoolWork
0x51c08c GetModuleHandleExW
0x51c090 RtlCaptureStackBackTrace
0x51c094 IsProcessorFeaturePresent
0x51c098 QueryPerformanceCounter
0x51c09c QueryPerformanceFrequency
0x51c0a0 SetFileInformationByHandle
0x51c0a4 FlsAlloc
0x51c0a8 FlsGetValue
0x51c0ac FlsSetValue
0x51c0b0 FlsFree
0x51c0b4 InitOnceExecuteOnce
0x51c0b8 CreateEventExW
0x51c0bc CreateSemaphoreExW
0x51c0c0 FlushProcessWriteBuffers
0x51c0c4 GetCurrentProcessorNumber
0x51c0c8 GetSystemTimeAsFileTime
0x51c0cc GetTickCount64
0x51c0d0 CreateThreadpoolTimer
0x51c0d4 SetThreadpoolTimer
0x51c0d8 WaitForThreadpoolTimerCallbacks
0x51c0dc CloseThreadpoolTimer
0x51c0e0 CreateThreadpoolWait
0x51c0e4 SetThreadpoolWait
0x51c0e8 CloseThreadpoolWait
0x51c0ec GetModuleHandleW
0x51c0f0 GetProcAddress
0x51c0f4 GetFileInformationByHandleEx
0x51c0f8 CreateSymbolicLinkW
0x51c0fc LocalFree
0x51c100 EncodePointer
0x51c104 DecodePointer
0x51c108 LCMapStringEx
0x51c10c GetLocaleInfoEx
0x51c110 CompareStringEx
0x51c114 GetCPInfo
0x51c118 WriteConsoleW
0x51c11c SetEvent
0x51c120 ResetEvent
0x51c124 CreateEventW
0x51c128 GetCurrentProcessId
0x51c12c InitializeSListHead
0x51c130 IsDebuggerPresent
0x51c134 UnhandledExceptionFilter
0x51c138 SetUnhandledExceptionFilter
0x51c13c GetStartupInfoW
0x51c140 GetCurrentProcess
0x51c144 TerminateProcess
0x51c148 HeapSize
0x51c14c RtlUnwind
0x51c150 InterlockedPushEntrySList
0x51c154 InterlockedFlushSList
0x51c158 SetLastError
0x51c15c TlsAlloc
0x51c160 TlsGetValue
0x51c164 TlsSetValue
0x51c168 TlsFree
0x51c16c FreeLibrary
0x51c170 LoadLibraryExW
0x51c174 CreateThread
0x51c178 ExitThread
0x51c17c ResumeThread
0x51c180 FreeLibraryAndExitThread
0x51c184 GetStdHandle
0x51c188 WriteFile
0x51c18c GetModuleFileNameW
0x51c190 ExitProcess
0x51c194 GetCommandLineA
0x51c198 GetCommandLineW
0x51c19c GetCurrentThread
0x51c1a0 HeapFree
0x51c1a4 SetConsoleCtrlHandler
0x51c1a8 HeapAlloc
0x51c1ac GetDateFormatW
0x51c1b0 GetTimeFormatW
0x51c1b4 CompareStringW
0x51c1b8 LCMapStringW
0x51c1bc GetLocaleInfoW
0x51c1c0 IsValidLocale
0x51c1c4 GetUserDefaultLCID
0x51c1c8 EnumSystemLocalesW
0x51c1cc GetFileType
0x51c1d0 GetFileSizeEx
0x51c1d4 SetFilePointerEx
0x51c1d8 FlushFileBuffers
0x51c1dc GetConsoleOutputCP
0x51c1e0 GetConsoleMode
0x51c1e4 ReadFile
0x51c1e8 HeapReAlloc
0x51c1ec GetTimeZoneInformation
0x51c1f0 OutputDebugStringW
0x51c1f4 FindClose
0x51c1f8 FindFirstFileExW
0x51c1fc FindNextFileW
0x51c200 IsValidCodePage
0x51c204 GetACP
0x51c208 GetOEMCP
0x51c20c GetEnvironmentStringsW
0x51c210 FreeEnvironmentStringsW
0x51c214 SetEnvironmentVariableW
0x51c218 SetStdHandle
0x51c21c GetProcessHeap
0x51c220 ReadConsoleW
EAT(Export Address Table) is none
USER32.dll
0x51c2bc CreateWindowExW
KERNEL32.dll
0x51c000 InitializeCriticalSectionAndSpinCount
0x51c004 CreateFileW
0x51c008 GetModuleHandleA
0x51c00c RaiseException
0x51c010 CloseHandle
0x51c014 WaitForSingleObjectEx
0x51c018 Sleep
0x51c01c SwitchToThread
0x51c020 GetCurrentThreadId
0x51c024 GetExitCodeThread
0x51c028 GetNativeSystemInfo
0x51c02c InitializeSRWLock
0x51c030 ReleaseSRWLockExclusive
0x51c034 AcquireSRWLockExclusive
0x51c038 EnterCriticalSection
0x51c03c LeaveCriticalSection
0x51c040 InitializeCriticalSectionEx
0x51c044 TryEnterCriticalSection
0x51c048 DeleteCriticalSection
0x51c04c InitializeConditionVariable
0x51c050 WakeConditionVariable
0x51c054 WakeAllConditionVariable
0x51c058 SleepConditionVariableCS
0x51c05c SleepConditionVariableSRW
0x51c060 FormatMessageA
0x51c064 WideCharToMultiByte
0x51c068 MultiByteToWideChar
0x51c06c GetStringTypeW
0x51c070 InitOnceBeginInitialize
0x51c074 InitOnceComplete
0x51c078 GetLastError
0x51c07c FreeLibraryWhenCallbackReturns
0x51c080 CreateThreadpoolWork
0x51c084 SubmitThreadpoolWork
0x51c088 CloseThreadpoolWork
0x51c08c GetModuleHandleExW
0x51c090 RtlCaptureStackBackTrace
0x51c094 IsProcessorFeaturePresent
0x51c098 QueryPerformanceCounter
0x51c09c QueryPerformanceFrequency
0x51c0a0 SetFileInformationByHandle
0x51c0a4 FlsAlloc
0x51c0a8 FlsGetValue
0x51c0ac FlsSetValue
0x51c0b0 FlsFree
0x51c0b4 InitOnceExecuteOnce
0x51c0b8 CreateEventExW
0x51c0bc CreateSemaphoreExW
0x51c0c0 FlushProcessWriteBuffers
0x51c0c4 GetCurrentProcessorNumber
0x51c0c8 GetSystemTimeAsFileTime
0x51c0cc GetTickCount64
0x51c0d0 CreateThreadpoolTimer
0x51c0d4 SetThreadpoolTimer
0x51c0d8 WaitForThreadpoolTimerCallbacks
0x51c0dc CloseThreadpoolTimer
0x51c0e0 CreateThreadpoolWait
0x51c0e4 SetThreadpoolWait
0x51c0e8 CloseThreadpoolWait
0x51c0ec GetModuleHandleW
0x51c0f0 GetProcAddress
0x51c0f4 GetFileInformationByHandleEx
0x51c0f8 CreateSymbolicLinkW
0x51c0fc LocalFree
0x51c100 EncodePointer
0x51c104 DecodePointer
0x51c108 LCMapStringEx
0x51c10c GetLocaleInfoEx
0x51c110 CompareStringEx
0x51c114 GetCPInfo
0x51c118 WriteConsoleW
0x51c11c SetEvent
0x51c120 ResetEvent
0x51c124 CreateEventW
0x51c128 GetCurrentProcessId
0x51c12c InitializeSListHead
0x51c130 IsDebuggerPresent
0x51c134 UnhandledExceptionFilter
0x51c138 SetUnhandledExceptionFilter
0x51c13c GetStartupInfoW
0x51c140 GetCurrentProcess
0x51c144 TerminateProcess
0x51c148 HeapSize
0x51c14c RtlUnwind
0x51c150 InterlockedPushEntrySList
0x51c154 InterlockedFlushSList
0x51c158 SetLastError
0x51c15c TlsAlloc
0x51c160 TlsGetValue
0x51c164 TlsSetValue
0x51c168 TlsFree
0x51c16c FreeLibrary
0x51c170 LoadLibraryExW
0x51c174 CreateThread
0x51c178 ExitThread
0x51c17c ResumeThread
0x51c180 FreeLibraryAndExitThread
0x51c184 GetStdHandle
0x51c188 WriteFile
0x51c18c GetModuleFileNameW
0x51c190 ExitProcess
0x51c194 GetCommandLineA
0x51c198 GetCommandLineW
0x51c19c GetCurrentThread
0x51c1a0 HeapFree
0x51c1a4 SetConsoleCtrlHandler
0x51c1a8 HeapAlloc
0x51c1ac GetDateFormatW
0x51c1b0 GetTimeFormatW
0x51c1b4 CompareStringW
0x51c1b8 LCMapStringW
0x51c1bc GetLocaleInfoW
0x51c1c0 IsValidLocale
0x51c1c4 GetUserDefaultLCID
0x51c1c8 EnumSystemLocalesW
0x51c1cc GetFileType
0x51c1d0 GetFileSizeEx
0x51c1d4 SetFilePointerEx
0x51c1d8 FlushFileBuffers
0x51c1dc GetConsoleOutputCP
0x51c1e0 GetConsoleMode
0x51c1e4 ReadFile
0x51c1e8 HeapReAlloc
0x51c1ec GetTimeZoneInformation
0x51c1f0 OutputDebugStringW
0x51c1f4 FindClose
0x51c1f8 FindFirstFileExW
0x51c1fc FindNextFileW
0x51c200 IsValidCodePage
0x51c204 GetACP
0x51c208 GetOEMCP
0x51c20c GetEnvironmentStringsW
0x51c210 FreeEnvironmentStringsW
0x51c214 SetEnvironmentVariableW
0x51c218 SetStdHandle
0x51c21c GetProcessHeap
0x51c220 ReadConsoleW
EAT(Export Address Table) is none