ScreenShot
| Created | 2023.09.11 10:08 | Machine | s1_win7_x6403 |
| Filename | 19flbanzy.exe | ||
| Type | PE32 executable (console) Intel 80386, for MS Windows | ||
| AI Score | Not founds | Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 47 detected (AIDetectMalware, Lazy, Artemis, malicious, confidence, 100%, ZexaF, NLW@aKCa60hi, Eldorado, Attribute, HighConfidence, high confidence, Kryptik, HUBU, PWSX, Ymhl, RedLineSteal, btvdq, RedLineNET, REDLINE, YXDIJZ, Static AI, Suspicious PE, Phoenix, score, BScope, TrojanPSW, ai score=83, unsafe, Genetic, 4lBcjpu7eYJ, Outbreak) | ||
| md5 | 8e907c9833ee773ec37975c493b8b159 | ||
| sha256 | 4478d2f03a3223d84877b969498e72167855628b4c7b2c63617e3097f75626a4 | ||
| ssdeep | 24576:qoek+9ZB7gFwZlFLQ51yRV6e/jInMINsR3aR:qoWB7gFwt3Q8InMI9R | ||
| imphash | e4946bca3cf74c7fc3c827baccb3d9fe | ||
| impfuzzy | 48:MoWJcpH+PdD9vrxQSXtXqZr8bt8+zbQo3buFZGzI:MoWJcpH+P51rxHXtXqx8bt8+PQPL | ||
Network IP location
Signature (24cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 47 AntiVirus engines on VirusTotal as malicious |
| danger | Executed a process and injected code into it |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Collects information about installed applications |
| watch | Communicates with host for which no DNS query was performed |
| watch | Harvests credentials from local FTP client softwares |
| watch | One or more of the buffers contains an embedded PE file |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | One or more potentially interesting buffers were extracted |
| notice | Queries for potentially installed applications |
| notice | Steals private information from local Internet browsers |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The executable uses a known packer |
| info | Tries to locate where the browsers are installed |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (15cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
| notice | Network_SMTP_dotNet | Communications smtp | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Suricata ids
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer Activity (Response)
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer Activity (Response)
PE API
IAT(Import Address Table) Library
USER32.dll
0x5362c0 CreateWindowExW
KERNEL32.dll
0x536000 GetCPInfo
0x536004 CreateFileW
0x536008 GetModuleHandleA
0x53600c FreeConsole
0x536010 RaiseException
0x536014 InitializeSRWLock
0x536018 ReleaseSRWLockExclusive
0x53601c AcquireSRWLockExclusive
0x536020 EnterCriticalSection
0x536024 LeaveCriticalSection
0x536028 InitializeCriticalSectionEx
0x53602c TryEnterCriticalSection
0x536030 DeleteCriticalSection
0x536034 GetCurrentThreadId
0x536038 InitializeConditionVariable
0x53603c WakeConditionVariable
0x536040 WakeAllConditionVariable
0x536044 SleepConditionVariableCS
0x536048 SleepConditionVariableSRW
0x53604c FormatMessageA
0x536050 WideCharToMultiByte
0x536054 MultiByteToWideChar
0x536058 GetStringTypeW
0x53605c InitOnceBeginInitialize
0x536060 InitOnceComplete
0x536064 GetLastError
0x536068 FreeLibraryWhenCallbackReturns
0x53606c CreateThreadpoolWork
0x536070 SubmitThreadpoolWork
0x536074 CloseThreadpoolWork
0x536078 GetModuleHandleExW
0x53607c RtlCaptureStackBackTrace
0x536080 IsProcessorFeaturePresent
0x536084 QueryPerformanceCounter
0x536088 QueryPerformanceFrequency
0x53608c SetFileInformationByHandle
0x536090 FlsAlloc
0x536094 FlsGetValue
0x536098 FlsSetValue
0x53609c FlsFree
0x5360a0 InitOnceExecuteOnce
0x5360a4 CreateEventExW
0x5360a8 CreateSemaphoreExW
0x5360ac FlushProcessWriteBuffers
0x5360b0 GetCurrentProcessorNumber
0x5360b4 GetSystemTimeAsFileTime
0x5360b8 GetTickCount64
0x5360bc CreateThreadpoolTimer
0x5360c0 SetThreadpoolTimer
0x5360c4 WaitForThreadpoolTimerCallbacks
0x5360c8 CloseThreadpoolTimer
0x5360cc CreateThreadpoolWait
0x5360d0 SetThreadpoolWait
0x5360d4 CloseThreadpoolWait
0x5360d8 GetModuleHandleW
0x5360dc GetProcAddress
0x5360e0 GetFileInformationByHandleEx
0x5360e4 CreateSymbolicLinkW
0x5360e8 CloseHandle
0x5360ec WaitForSingleObjectEx
0x5360f0 Sleep
0x5360f4 SwitchToThread
0x5360f8 GetExitCodeThread
0x5360fc GetNativeSystemInfo
0x536100 LocalFree
0x536104 EncodePointer
0x536108 DecodePointer
0x53610c LCMapStringEx
0x536110 GetLocaleInfoEx
0x536114 CompareStringEx
0x536118 WriteConsoleW
0x53611c InitializeCriticalSectionAndSpinCount
0x536120 SetEvent
0x536124 ResetEvent
0x536128 CreateEventW
0x53612c IsDebuggerPresent
0x536130 UnhandledExceptionFilter
0x536134 SetUnhandledExceptionFilter
0x536138 GetStartupInfoW
0x53613c GetCurrentProcess
0x536140 TerminateProcess
0x536144 GetCurrentProcessId
0x536148 InitializeSListHead
0x53614c HeapSize
0x536150 RtlUnwind
0x536154 InterlockedPushEntrySList
0x536158 InterlockedFlushSList
0x53615c SetLastError
0x536160 TlsAlloc
0x536164 TlsGetValue
0x536168 TlsSetValue
0x53616c TlsFree
0x536170 FreeLibrary
0x536174 LoadLibraryExW
0x536178 CreateThread
0x53617c ExitThread
0x536180 ResumeThread
0x536184 FreeLibraryAndExitThread
0x536188 ExitProcess
0x53618c GetModuleFileNameW
0x536190 GetStdHandle
0x536194 WriteFile
0x536198 GetCommandLineA
0x53619c GetCommandLineW
0x5361a0 GetCurrentThread
0x5361a4 HeapFree
0x5361a8 SetConsoleCtrlHandler
0x5361ac HeapAlloc
0x5361b0 GetDateFormatW
0x5361b4 GetTimeFormatW
0x5361b8 CompareStringW
0x5361bc LCMapStringW
0x5361c0 GetLocaleInfoW
0x5361c4 IsValidLocale
0x5361c8 GetUserDefaultLCID
0x5361cc EnumSystemLocalesW
0x5361d0 GetFileType
0x5361d4 GetFileSizeEx
0x5361d8 SetFilePointerEx
0x5361dc FlushFileBuffers
0x5361e0 GetConsoleOutputCP
0x5361e4 GetConsoleMode
0x5361e8 ReadFile
0x5361ec HeapReAlloc
0x5361f0 GetTimeZoneInformation
0x5361f4 FindClose
0x5361f8 FindFirstFileExW
0x5361fc FindNextFileW
0x536200 IsValidCodePage
0x536204 GetACP
0x536208 GetOEMCP
0x53620c GetEnvironmentStringsW
0x536210 FreeEnvironmentStringsW
0x536214 SetEnvironmentVariableW
0x536218 GetProcessHeap
0x53621c OutputDebugStringW
0x536220 SetStdHandle
0x536224 ReadConsoleW
EAT(Export Address Table) is none
USER32.dll
0x5362c0 CreateWindowExW
KERNEL32.dll
0x536000 GetCPInfo
0x536004 CreateFileW
0x536008 GetModuleHandleA
0x53600c FreeConsole
0x536010 RaiseException
0x536014 InitializeSRWLock
0x536018 ReleaseSRWLockExclusive
0x53601c AcquireSRWLockExclusive
0x536020 EnterCriticalSection
0x536024 LeaveCriticalSection
0x536028 InitializeCriticalSectionEx
0x53602c TryEnterCriticalSection
0x536030 DeleteCriticalSection
0x536034 GetCurrentThreadId
0x536038 InitializeConditionVariable
0x53603c WakeConditionVariable
0x536040 WakeAllConditionVariable
0x536044 SleepConditionVariableCS
0x536048 SleepConditionVariableSRW
0x53604c FormatMessageA
0x536050 WideCharToMultiByte
0x536054 MultiByteToWideChar
0x536058 GetStringTypeW
0x53605c InitOnceBeginInitialize
0x536060 InitOnceComplete
0x536064 GetLastError
0x536068 FreeLibraryWhenCallbackReturns
0x53606c CreateThreadpoolWork
0x536070 SubmitThreadpoolWork
0x536074 CloseThreadpoolWork
0x536078 GetModuleHandleExW
0x53607c RtlCaptureStackBackTrace
0x536080 IsProcessorFeaturePresent
0x536084 QueryPerformanceCounter
0x536088 QueryPerformanceFrequency
0x53608c SetFileInformationByHandle
0x536090 FlsAlloc
0x536094 FlsGetValue
0x536098 FlsSetValue
0x53609c FlsFree
0x5360a0 InitOnceExecuteOnce
0x5360a4 CreateEventExW
0x5360a8 CreateSemaphoreExW
0x5360ac FlushProcessWriteBuffers
0x5360b0 GetCurrentProcessorNumber
0x5360b4 GetSystemTimeAsFileTime
0x5360b8 GetTickCount64
0x5360bc CreateThreadpoolTimer
0x5360c0 SetThreadpoolTimer
0x5360c4 WaitForThreadpoolTimerCallbacks
0x5360c8 CloseThreadpoolTimer
0x5360cc CreateThreadpoolWait
0x5360d0 SetThreadpoolWait
0x5360d4 CloseThreadpoolWait
0x5360d8 GetModuleHandleW
0x5360dc GetProcAddress
0x5360e0 GetFileInformationByHandleEx
0x5360e4 CreateSymbolicLinkW
0x5360e8 CloseHandle
0x5360ec WaitForSingleObjectEx
0x5360f0 Sleep
0x5360f4 SwitchToThread
0x5360f8 GetExitCodeThread
0x5360fc GetNativeSystemInfo
0x536100 LocalFree
0x536104 EncodePointer
0x536108 DecodePointer
0x53610c LCMapStringEx
0x536110 GetLocaleInfoEx
0x536114 CompareStringEx
0x536118 WriteConsoleW
0x53611c InitializeCriticalSectionAndSpinCount
0x536120 SetEvent
0x536124 ResetEvent
0x536128 CreateEventW
0x53612c IsDebuggerPresent
0x536130 UnhandledExceptionFilter
0x536134 SetUnhandledExceptionFilter
0x536138 GetStartupInfoW
0x53613c GetCurrentProcess
0x536140 TerminateProcess
0x536144 GetCurrentProcessId
0x536148 InitializeSListHead
0x53614c HeapSize
0x536150 RtlUnwind
0x536154 InterlockedPushEntrySList
0x536158 InterlockedFlushSList
0x53615c SetLastError
0x536160 TlsAlloc
0x536164 TlsGetValue
0x536168 TlsSetValue
0x53616c TlsFree
0x536170 FreeLibrary
0x536174 LoadLibraryExW
0x536178 CreateThread
0x53617c ExitThread
0x536180 ResumeThread
0x536184 FreeLibraryAndExitThread
0x536188 ExitProcess
0x53618c GetModuleFileNameW
0x536190 GetStdHandle
0x536194 WriteFile
0x536198 GetCommandLineA
0x53619c GetCommandLineW
0x5361a0 GetCurrentThread
0x5361a4 HeapFree
0x5361a8 SetConsoleCtrlHandler
0x5361ac HeapAlloc
0x5361b0 GetDateFormatW
0x5361b4 GetTimeFormatW
0x5361b8 CompareStringW
0x5361bc LCMapStringW
0x5361c0 GetLocaleInfoW
0x5361c4 IsValidLocale
0x5361c8 GetUserDefaultLCID
0x5361cc EnumSystemLocalesW
0x5361d0 GetFileType
0x5361d4 GetFileSizeEx
0x5361d8 SetFilePointerEx
0x5361dc FlushFileBuffers
0x5361e0 GetConsoleOutputCP
0x5361e4 GetConsoleMode
0x5361e8 ReadFile
0x5361ec HeapReAlloc
0x5361f0 GetTimeZoneInformation
0x5361f4 FindClose
0x5361f8 FindFirstFileExW
0x5361fc FindNextFileW
0x536200 IsValidCodePage
0x536204 GetACP
0x536208 GetOEMCP
0x53620c GetEnvironmentStringsW
0x536210 FreeEnvironmentStringsW
0x536214 SetEnvironmentVariableW
0x536218 GetProcessHeap
0x53621c OutputDebugStringW
0x536220 SetStdHandle
0x536224 ReadConsoleW
EAT(Export Address Table) is none