ScreenShot
| Created | 2023.09.12 17:08 | Machine | s1_win7_x6401 |
| Filename | oogwayy666_crypted_FOX.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 29 detected (AIDetectMalware, malicious, high confidence, RedLineStealer, Eldorado, Attribute, HighConfidence, Kryptik, HUBU, score, eubk, Midie, PWSX, RedLineNET, Static AI, Suspicious PE, ai score=82, Sabsik, Detected, Injection, ZexaF, pPW@a4vFMXoi, BScope, TrojanPSW, RedLine, vXeAMG2MKIM, susgen, confidence) | ||
| md5 | d62a54fccfd3b480e0a76925d6d6b0ad | ||
| sha256 | d86ca9c9798dd5d44498f48697e27880acef26c3e96b22ae0bbab6eee7c763f3 | ||
| ssdeep | 24576:momUvj2RbB4h6qsldOF88c7Ahz055QepWuhREP46i:mtbB4h6/p0hz0PjWUv | ||
| imphash | f41494c19ae73e620f9d89fefd36075a | ||
| impfuzzy | 48:MBfWJcpH+zD9vrxQSXtXvZr8cGt/zba63buFZGLw:MBfWJcpH+X1rxHXtXvx8cGt/Pa9j | ||
Network IP location
Signature (28cnts)
| Level | Description |
|---|---|
| danger | Executed a process and injected code into it |
| warning | File has been identified by 29 AntiVirus engines on VirusTotal as malicious |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Collects information about installed applications |
| watch | Communicates with host for which no DNS query was performed |
| watch | Harvests credentials from local FTP client softwares |
| watch | One or more of the buffers contains an embedded PE file |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks adapter addresses which can be used to detect virtual network interfaces |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Queries for potentially installed applications |
| notice | Steals private information from local Internet browsers |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The executable uses a known packer |
| info | This executable has a PDB path |
| info | Tries to locate where the browsers are installed |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (15cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
| notice | Network_SMTP_dotNet | Communications smtp | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Suricata ids
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
PE API
IAT(Import Address Table) Library
USER32.dll
0x5202c0 CreateWindowExW
KERNEL32.dll
0x520000 GetCPInfo
0x520004 CreateFileW
0x520008 GetModuleHandleA
0x52000c FreeConsole
0x520010 RaiseException
0x520014 CloseHandle
0x520018 WaitForSingleObjectEx
0x52001c Sleep
0x520020 SwitchToThread
0x520024 GetCurrentThreadId
0x520028 GetExitCodeThread
0x52002c GetNativeSystemInfo
0x520030 InitializeSRWLock
0x520034 ReleaseSRWLockExclusive
0x520038 AcquireSRWLockExclusive
0x52003c EnterCriticalSection
0x520040 LeaveCriticalSection
0x520044 InitializeCriticalSectionEx
0x520048 TryEnterCriticalSection
0x52004c DeleteCriticalSection
0x520050 InitializeConditionVariable
0x520054 WakeConditionVariable
0x520058 WakeAllConditionVariable
0x52005c SleepConditionVariableCS
0x520060 SleepConditionVariableSRW
0x520064 FormatMessageA
0x520068 WideCharToMultiByte
0x52006c MultiByteToWideChar
0x520070 GetStringTypeW
0x520074 InitOnceBeginInitialize
0x520078 InitOnceComplete
0x52007c GetLastError
0x520080 FreeLibraryWhenCallbackReturns
0x520084 CreateThreadpoolWork
0x520088 SubmitThreadpoolWork
0x52008c CloseThreadpoolWork
0x520090 GetModuleHandleExW
0x520094 RtlCaptureStackBackTrace
0x520098 IsProcessorFeaturePresent
0x52009c QueryPerformanceCounter
0x5200a0 QueryPerformanceFrequency
0x5200a4 SetFileInformationByHandle
0x5200a8 FlsAlloc
0x5200ac FlsGetValue
0x5200b0 FlsSetValue
0x5200b4 FlsFree
0x5200b8 InitOnceExecuteOnce
0x5200bc CreateEventExW
0x5200c0 CreateSemaphoreExW
0x5200c4 FlushProcessWriteBuffers
0x5200c8 GetCurrentProcessorNumber
0x5200cc GetSystemTimeAsFileTime
0x5200d0 GetTickCount64
0x5200d4 CreateThreadpoolTimer
0x5200d8 SetThreadpoolTimer
0x5200dc WaitForThreadpoolTimerCallbacks
0x5200e0 CloseThreadpoolTimer
0x5200e4 CreateThreadpoolWait
0x5200e8 SetThreadpoolWait
0x5200ec CloseThreadpoolWait
0x5200f0 GetModuleHandleW
0x5200f4 GetProcAddress
0x5200f8 GetFileInformationByHandleEx
0x5200fc CreateSymbolicLinkW
0x520100 LocalFree
0x520104 EncodePointer
0x520108 DecodePointer
0x52010c LCMapStringEx
0x520110 GetLocaleInfoEx
0x520114 CompareStringEx
0x520118 WriteConsoleW
0x52011c InitializeCriticalSectionAndSpinCount
0x520120 SetEvent
0x520124 ResetEvent
0x520128 CreateEventW
0x52012c GetCurrentProcessId
0x520130 InitializeSListHead
0x520134 IsDebuggerPresent
0x520138 UnhandledExceptionFilter
0x52013c SetUnhandledExceptionFilter
0x520140 GetStartupInfoW
0x520144 GetCurrentProcess
0x520148 TerminateProcess
0x52014c HeapSize
0x520150 RtlUnwind
0x520154 InterlockedPushEntrySList
0x520158 InterlockedFlushSList
0x52015c SetLastError
0x520160 TlsAlloc
0x520164 TlsGetValue
0x520168 TlsSetValue
0x52016c TlsFree
0x520170 FreeLibrary
0x520174 LoadLibraryExW
0x520178 CreateThread
0x52017c ExitThread
0x520180 ResumeThread
0x520184 FreeLibraryAndExitThread
0x520188 GetStdHandle
0x52018c WriteFile
0x520190 GetModuleFileNameW
0x520194 ExitProcess
0x520198 GetCommandLineA
0x52019c GetCommandLineW
0x5201a0 GetCurrentThread
0x5201a4 HeapFree
0x5201a8 SetConsoleCtrlHandler
0x5201ac HeapAlloc
0x5201b0 GetDateFormatW
0x5201b4 GetTimeFormatW
0x5201b8 CompareStringW
0x5201bc LCMapStringW
0x5201c0 GetLocaleInfoW
0x5201c4 IsValidLocale
0x5201c8 GetUserDefaultLCID
0x5201cc EnumSystemLocalesW
0x5201d0 GetFileType
0x5201d4 GetFileSizeEx
0x5201d8 SetFilePointerEx
0x5201dc FlushFileBuffers
0x5201e0 GetConsoleOutputCP
0x5201e4 GetConsoleMode
0x5201e8 ReadFile
0x5201ec ReadConsoleW
0x5201f0 HeapReAlloc
0x5201f4 GetTimeZoneInformation
0x5201f8 OutputDebugStringW
0x5201fc FindClose
0x520200 FindFirstFileExW
0x520204 FindNextFileW
0x520208 IsValidCodePage
0x52020c GetACP
0x520210 GetOEMCP
0x520214 GetEnvironmentStringsW
0x520218 FreeEnvironmentStringsW
0x52021c SetEnvironmentVariableW
0x520220 SetStdHandle
0x520224 GetProcessHeap
EAT(Export Address Table) is none
USER32.dll
0x5202c0 CreateWindowExW
KERNEL32.dll
0x520000 GetCPInfo
0x520004 CreateFileW
0x520008 GetModuleHandleA
0x52000c FreeConsole
0x520010 RaiseException
0x520014 CloseHandle
0x520018 WaitForSingleObjectEx
0x52001c Sleep
0x520020 SwitchToThread
0x520024 GetCurrentThreadId
0x520028 GetExitCodeThread
0x52002c GetNativeSystemInfo
0x520030 InitializeSRWLock
0x520034 ReleaseSRWLockExclusive
0x520038 AcquireSRWLockExclusive
0x52003c EnterCriticalSection
0x520040 LeaveCriticalSection
0x520044 InitializeCriticalSectionEx
0x520048 TryEnterCriticalSection
0x52004c DeleteCriticalSection
0x520050 InitializeConditionVariable
0x520054 WakeConditionVariable
0x520058 WakeAllConditionVariable
0x52005c SleepConditionVariableCS
0x520060 SleepConditionVariableSRW
0x520064 FormatMessageA
0x520068 WideCharToMultiByte
0x52006c MultiByteToWideChar
0x520070 GetStringTypeW
0x520074 InitOnceBeginInitialize
0x520078 InitOnceComplete
0x52007c GetLastError
0x520080 FreeLibraryWhenCallbackReturns
0x520084 CreateThreadpoolWork
0x520088 SubmitThreadpoolWork
0x52008c CloseThreadpoolWork
0x520090 GetModuleHandleExW
0x520094 RtlCaptureStackBackTrace
0x520098 IsProcessorFeaturePresent
0x52009c QueryPerformanceCounter
0x5200a0 QueryPerformanceFrequency
0x5200a4 SetFileInformationByHandle
0x5200a8 FlsAlloc
0x5200ac FlsGetValue
0x5200b0 FlsSetValue
0x5200b4 FlsFree
0x5200b8 InitOnceExecuteOnce
0x5200bc CreateEventExW
0x5200c0 CreateSemaphoreExW
0x5200c4 FlushProcessWriteBuffers
0x5200c8 GetCurrentProcessorNumber
0x5200cc GetSystemTimeAsFileTime
0x5200d0 GetTickCount64
0x5200d4 CreateThreadpoolTimer
0x5200d8 SetThreadpoolTimer
0x5200dc WaitForThreadpoolTimerCallbacks
0x5200e0 CloseThreadpoolTimer
0x5200e4 CreateThreadpoolWait
0x5200e8 SetThreadpoolWait
0x5200ec CloseThreadpoolWait
0x5200f0 GetModuleHandleW
0x5200f4 GetProcAddress
0x5200f8 GetFileInformationByHandleEx
0x5200fc CreateSymbolicLinkW
0x520100 LocalFree
0x520104 EncodePointer
0x520108 DecodePointer
0x52010c LCMapStringEx
0x520110 GetLocaleInfoEx
0x520114 CompareStringEx
0x520118 WriteConsoleW
0x52011c InitializeCriticalSectionAndSpinCount
0x520120 SetEvent
0x520124 ResetEvent
0x520128 CreateEventW
0x52012c GetCurrentProcessId
0x520130 InitializeSListHead
0x520134 IsDebuggerPresent
0x520138 UnhandledExceptionFilter
0x52013c SetUnhandledExceptionFilter
0x520140 GetStartupInfoW
0x520144 GetCurrentProcess
0x520148 TerminateProcess
0x52014c HeapSize
0x520150 RtlUnwind
0x520154 InterlockedPushEntrySList
0x520158 InterlockedFlushSList
0x52015c SetLastError
0x520160 TlsAlloc
0x520164 TlsGetValue
0x520168 TlsSetValue
0x52016c TlsFree
0x520170 FreeLibrary
0x520174 LoadLibraryExW
0x520178 CreateThread
0x52017c ExitThread
0x520180 ResumeThread
0x520184 FreeLibraryAndExitThread
0x520188 GetStdHandle
0x52018c WriteFile
0x520190 GetModuleFileNameW
0x520194 ExitProcess
0x520198 GetCommandLineA
0x52019c GetCommandLineW
0x5201a0 GetCurrentThread
0x5201a4 HeapFree
0x5201a8 SetConsoleCtrlHandler
0x5201ac HeapAlloc
0x5201b0 GetDateFormatW
0x5201b4 GetTimeFormatW
0x5201b8 CompareStringW
0x5201bc LCMapStringW
0x5201c0 GetLocaleInfoW
0x5201c4 IsValidLocale
0x5201c8 GetUserDefaultLCID
0x5201cc EnumSystemLocalesW
0x5201d0 GetFileType
0x5201d4 GetFileSizeEx
0x5201d8 SetFilePointerEx
0x5201dc FlushFileBuffers
0x5201e0 GetConsoleOutputCP
0x5201e4 GetConsoleMode
0x5201e8 ReadFile
0x5201ec ReadConsoleW
0x5201f0 HeapReAlloc
0x5201f4 GetTimeZoneInformation
0x5201f8 OutputDebugStringW
0x5201fc FindClose
0x520200 FindFirstFileExW
0x520204 FindNextFileW
0x520208 IsValidCodePage
0x52020c GetACP
0x520210 GetOEMCP
0x520214 GetEnvironmentStringsW
0x520218 FreeEnvironmentStringsW
0x52021c SetEnvironmentVariableW
0x520220 SetStdHandle
0x520224 GetProcessHeap
EAT(Export Address Table) is none