popup

Report - @facebyk_packlab.exe

RedLine stealer Malicious Library UPX AntiDebug AntiVM PE File PE32 OS Processor Check
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.09.11 17:56 Machine s1_win7_x6401
Filename @facebyk_packlab.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
9
 Behavior Score
11.6
ZERO API file : clean
VT API (file) 32 detected (AIDetectMalware, malicious, high confidence, Inject4, Midie, confidence, ZexaF, wuW@aa6YTMn, Eldorado, Attribute, HighConfidence, GenKryptik, GNRA, score, Mokes, GenericKDZ, CrypterX, Static AI, Suspicious PE, ai score=89, Sabsik, Detected, Generic@AI, RDML, 0Yw8ygLXMznZ7eB, eLz6bA, susgen)
md5 7c6d12dcd138418691419f9783f8d3bd
sha256 d52795d63ad44b0820ec52756b38b8f94c6d73f607200d7f2cf255f0c7e0dde2
ssdeep 6144:I5tRVoHUWbkvb6ZzlU9o2gLBiiAOe20LRhX+w4WfPS3sCJTty:I80WYvbgBlXczLRhXZMsCJTty
imphash 2627254264278e0e80567712e48122f4
impfuzzy 24:QcpVWZjS1jt2GhlJBl3eDoLoEOovbOIHFZMvtGMA+EZHu95:QcpVejS1jt2GnpXc3gFZGz
  Network IP location

Signature (25cnts)

Level Description
danger Executed a process and injected code into it
danger File has been identified by 32 AntiVirus engines on VirusTotal as malicious
watch Allocates execute permission to another process indicative of possible code injection
watch Code injection by writing an executable or DLL to the memory of another process
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
watch Executes one or more WMI queries
watch Harvests credentials from local FTP client softwares
watch Potential code injection by writing to the memory of another process
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Executes one or more WMI queries which can be used to identify virtual machines
notice One or more potentially interesting buffers were extracted
notice Queries for potentially installed applications
notice Steals private information from local Internet browsers
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info One or more processes crashed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info Tries to locate where the browsers are installed
info Uses Windows APIs to generate a cryptographic key

Rules (14cnts)

Level Name Description Collection
danger RedLine_Stealer_m_Zero RedLine stealer memory
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (1cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
5.42.65.101
whois
RU CJSC Kolomna-Sviaz TV 5.42.65.101 mailcious

Suricata ids

ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x425000 FreeConsole
 0x425004 WideCharToMultiByte
 0x425008 MultiByteToWideChar
 0x42500c GetStringTypeW
 0x425010 EnterCriticalSection
 0x425014 LeaveCriticalSection
 0x425018 InitializeCriticalSectionEx
 0x42501c DeleteCriticalSection
 0x425020 EncodePointer
 0x425024 DecodePointer
 0x425028 LCMapStringEx
 0x42502c GetCPInfo
 0x425030 IsProcessorFeaturePresent
 0x425034 QueryPerformanceCounter
 0x425038 GetCurrentProcessId
 0x42503c GetCurrentThreadId
 0x425040 GetSystemTimeAsFileTime
 0x425044 InitializeSListHead
 0x425048 IsDebuggerPresent
 0x42504c UnhandledExceptionFilter
 0x425050 SetUnhandledExceptionFilter
 0x425054 GetStartupInfoW
 0x425058 GetModuleHandleW
 0x42505c GetCurrentProcess
 0x425060 TerminateProcess
 0x425064 CreateFileW
 0x425068 RaiseException
 0x42506c RtlUnwind
 0x425070 GetLastError
 0x425074 SetLastError
 0x425078 InitializeCriticalSectionAndSpinCount
 0x42507c TlsAlloc
 0x425080 TlsGetValue
 0x425084 TlsSetValue
 0x425088 TlsFree
 0x42508c FreeLibrary
 0x425090 GetProcAddress
 0x425094 LoadLibraryExW
 0x425098 GetStdHandle
 0x42509c WriteFile
 0x4250a0 GetModuleFileNameW
 0x4250a4 ExitProcess
 0x4250a8 GetModuleHandleExW
 0x4250ac GetCommandLineA
 0x4250b0 GetCommandLineW
 0x4250b4 HeapFree
 0x4250b8 HeapAlloc
 0x4250bc CompareStringW
 0x4250c0 LCMapStringW
 0x4250c4 GetLocaleInfoW
 0x4250c8 IsValidLocale
 0x4250cc GetUserDefaultLCID
 0x4250d0 EnumSystemLocalesW
 0x4250d4 GetFileType
 0x4250d8 GetFileSizeEx
 0x4250dc SetFilePointerEx
 0x4250e0 CloseHandle
 0x4250e4 FlushFileBuffers
 0x4250e8 GetConsoleOutputCP
 0x4250ec GetConsoleMode
 0x4250f0 ReadFile
 0x4250f4 HeapReAlloc
 0x4250f8 FindClose
 0x4250fc FindFirstFileExW
 0x425100 FindNextFileW
 0x425104 IsValidCodePage
 0x425108 GetACP
 0x42510c GetOEMCP
 0x425110 GetEnvironmentStringsW
 0x425114 FreeEnvironmentStringsW
 0x425118 SetEnvironmentVariableW
 0x42511c SetStdHandle
 0x425120 GetProcessHeap
 0x425124 ReadConsoleW
 0x425128 HeapSize
 0x42512c WriteConsoleW

EAT(Export Address Table) Library

0x4058d0 _vyvUAGA782kjAbsyuA@4

Similarity measure (PE file only) - Checking for service failure