ScreenShot
Created | 2023.09.11 17:56 | Machine | s1_win7_x6401 |
Filename | @facebyk_packlab.exe | ||
Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
AI Score |
|
Behavior Score |
|
ZERO API | file : clean | ||
VT API (file) | 32 detected (AIDetectMalware, malicious, high confidence, Inject4, Midie, confidence, ZexaF, wuW@aa6YTMn, Eldorado, Attribute, HighConfidence, GenKryptik, GNRA, score, Mokes, GenericKDZ, CrypterX, Static AI, Suspicious PE, ai score=89, Sabsik, Detected, Generic@AI, RDML, 0Yw8ygLXMznZ7eB, eLz6bA, susgen) | ||
md5 | 7c6d12dcd138418691419f9783f8d3bd | ||
sha256 | d52795d63ad44b0820ec52756b38b8f94c6d73f607200d7f2cf255f0c7e0dde2 | ||
ssdeep | 6144:I5tRVoHUWbkvb6ZzlU9o2gLBiiAOe20LRhX+w4WfPS3sCJTty:I80WYvbgBlXczLRhXZMsCJTty | ||
imphash | 2627254264278e0e80567712e48122f4 | ||
impfuzzy | 24:QcpVWZjS1jt2GhlJBl3eDoLoEOovbOIHFZMvtGMA+EZHu95:QcpVejS1jt2GnpXc3gFZGz |
Network IP location
Signature (25cnts)
Level | Description |
---|---|
danger | Executed a process and injected code into it |
danger | File has been identified by 32 AntiVirus engines on VirusTotal as malicious |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Code injection by writing an executable or DLL to the memory of another process |
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
watch | Executes one or more WMI queries |
watch | Harvests credentials from local FTP client softwares |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Executes one or more WMI queries which can be used to identify virtual machines |
notice | One or more potentially interesting buffers were extracted |
notice | Queries for potentially installed applications |
notice | Steals private information from local Internet browsers |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | One or more processes crashed |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | Tries to locate where the browsers are installed |
info | Uses Windows APIs to generate a cryptographic key |
Rules (14cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | RedLine_Stealer_m_Zero | RedLine stealer | memory |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Suricata ids
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x425000 FreeConsole
0x425004 WideCharToMultiByte
0x425008 MultiByteToWideChar
0x42500c GetStringTypeW
0x425010 EnterCriticalSection
0x425014 LeaveCriticalSection
0x425018 InitializeCriticalSectionEx
0x42501c DeleteCriticalSection
0x425020 EncodePointer
0x425024 DecodePointer
0x425028 LCMapStringEx
0x42502c GetCPInfo
0x425030 IsProcessorFeaturePresent
0x425034 QueryPerformanceCounter
0x425038 GetCurrentProcessId
0x42503c GetCurrentThreadId
0x425040 GetSystemTimeAsFileTime
0x425044 InitializeSListHead
0x425048 IsDebuggerPresent
0x42504c UnhandledExceptionFilter
0x425050 SetUnhandledExceptionFilter
0x425054 GetStartupInfoW
0x425058 GetModuleHandleW
0x42505c GetCurrentProcess
0x425060 TerminateProcess
0x425064 CreateFileW
0x425068 RaiseException
0x42506c RtlUnwind
0x425070 GetLastError
0x425074 SetLastError
0x425078 InitializeCriticalSectionAndSpinCount
0x42507c TlsAlloc
0x425080 TlsGetValue
0x425084 TlsSetValue
0x425088 TlsFree
0x42508c FreeLibrary
0x425090 GetProcAddress
0x425094 LoadLibraryExW
0x425098 GetStdHandle
0x42509c WriteFile
0x4250a0 GetModuleFileNameW
0x4250a4 ExitProcess
0x4250a8 GetModuleHandleExW
0x4250ac GetCommandLineA
0x4250b0 GetCommandLineW
0x4250b4 HeapFree
0x4250b8 HeapAlloc
0x4250bc CompareStringW
0x4250c0 LCMapStringW
0x4250c4 GetLocaleInfoW
0x4250c8 IsValidLocale
0x4250cc GetUserDefaultLCID
0x4250d0 EnumSystemLocalesW
0x4250d4 GetFileType
0x4250d8 GetFileSizeEx
0x4250dc SetFilePointerEx
0x4250e0 CloseHandle
0x4250e4 FlushFileBuffers
0x4250e8 GetConsoleOutputCP
0x4250ec GetConsoleMode
0x4250f0 ReadFile
0x4250f4 HeapReAlloc
0x4250f8 FindClose
0x4250fc FindFirstFileExW
0x425100 FindNextFileW
0x425104 IsValidCodePage
0x425108 GetACP
0x42510c GetOEMCP
0x425110 GetEnvironmentStringsW
0x425114 FreeEnvironmentStringsW
0x425118 SetEnvironmentVariableW
0x42511c SetStdHandle
0x425120 GetProcessHeap
0x425124 ReadConsoleW
0x425128 HeapSize
0x42512c WriteConsoleW
EAT(Export Address Table) Library
0x4058d0 _vyvUAGA782kjAbsyuA@4
KERNEL32.dll
0x425000 FreeConsole
0x425004 WideCharToMultiByte
0x425008 MultiByteToWideChar
0x42500c GetStringTypeW
0x425010 EnterCriticalSection
0x425014 LeaveCriticalSection
0x425018 InitializeCriticalSectionEx
0x42501c DeleteCriticalSection
0x425020 EncodePointer
0x425024 DecodePointer
0x425028 LCMapStringEx
0x42502c GetCPInfo
0x425030 IsProcessorFeaturePresent
0x425034 QueryPerformanceCounter
0x425038 GetCurrentProcessId
0x42503c GetCurrentThreadId
0x425040 GetSystemTimeAsFileTime
0x425044 InitializeSListHead
0x425048 IsDebuggerPresent
0x42504c UnhandledExceptionFilter
0x425050 SetUnhandledExceptionFilter
0x425054 GetStartupInfoW
0x425058 GetModuleHandleW
0x42505c GetCurrentProcess
0x425060 TerminateProcess
0x425064 CreateFileW
0x425068 RaiseException
0x42506c RtlUnwind
0x425070 GetLastError
0x425074 SetLastError
0x425078 InitializeCriticalSectionAndSpinCount
0x42507c TlsAlloc
0x425080 TlsGetValue
0x425084 TlsSetValue
0x425088 TlsFree
0x42508c FreeLibrary
0x425090 GetProcAddress
0x425094 LoadLibraryExW
0x425098 GetStdHandle
0x42509c WriteFile
0x4250a0 GetModuleFileNameW
0x4250a4 ExitProcess
0x4250a8 GetModuleHandleExW
0x4250ac GetCommandLineA
0x4250b0 GetCommandLineW
0x4250b4 HeapFree
0x4250b8 HeapAlloc
0x4250bc CompareStringW
0x4250c0 LCMapStringW
0x4250c4 GetLocaleInfoW
0x4250c8 IsValidLocale
0x4250cc GetUserDefaultLCID
0x4250d0 EnumSystemLocalesW
0x4250d4 GetFileType
0x4250d8 GetFileSizeEx
0x4250dc SetFilePointerEx
0x4250e0 CloseHandle
0x4250e4 FlushFileBuffers
0x4250e8 GetConsoleOutputCP
0x4250ec GetConsoleMode
0x4250f0 ReadFile
0x4250f4 HeapReAlloc
0x4250f8 FindClose
0x4250fc FindFirstFileExW
0x425100 FindNextFileW
0x425104 IsValidCodePage
0x425108 GetACP
0x42510c GetOEMCP
0x425110 GetEnvironmentStringsW
0x425114 FreeEnvironmentStringsW
0x425118 SetEnvironmentVariableW
0x42511c SetStdHandle
0x425120 GetProcessHeap
0x425124 ReadConsoleW
0x425128 HeapSize
0x42512c WriteConsoleW
EAT(Export Address Table) Library
0x4058d0 _vyvUAGA782kjAbsyuA@4