ScreenShot
| Created | 2023.09.13 17:24 | Machine | s1_win7_x6403 |
| Filename | z9lupld56bdv.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 37 detected (AIDetectMalware, unsafe, Kryptik, Vtpt, Eldorado, Attribute, HighConfidence, malicious, high confidence, HUBU, score, CrypterX, RedLineSteal, btich, RedLineNET, REDLINE, YXDIMZ, Artemis, Outbreak, Phoenix, euco, Detected, BScope, Generic@AI, RDML, 9zBFCwP47jbMRuMkinhVsA, Static AI, Suspicious PE, ZexaF, qPW@auC6Gxoi, confidence, 100%) | ||
| md5 | 2c7463cfe3d7089951dde9eccdf037bf | ||
| sha256 | df13374be948b1cd0a80f334f42d467846475b5c3427227df4c37b67fa648608 | ||
| ssdeep | 24576:TUTmHorinrJRkaaiEyKA6aCBZAoQ11eS:8enrJRkOljAI11eS | ||
| imphash | eb2d8f93a964b608a4e4334d9403f15d | ||
| impfuzzy | 48:3BfWJcpH+zD9vrxQSXtXvZrmcGtZzba63ZuFZGLc:3BfWJcpH+X1rxHXtXvxmcGtZPanl | ||
Network IP location
Signature (25cnts)
| Level | Description |
|---|---|
| danger | Executed a process and injected code into it |
| danger | File has been identified by 37 AntiVirus engines on VirusTotal as malicious |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Collects information about installed applications |
| watch | Communicates with host for which no DNS query was performed |
| watch | Harvests credentials from local FTP client softwares |
| watch | One or more of the buffers contains an embedded PE file |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | One or more potentially interesting buffers were extracted |
| notice | Queries for potentially installed applications |
| notice | Steals private information from local Internet browsers |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The executable uses a known packer |
| info | This executable has a PDB path |
| info | Tries to locate where the browsers are installed |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (15cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
| notice | Network_SMTP_dotNet | Communications smtp | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Suricata ids
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer Activity (Response)
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer Activity (Response)
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x523000 FreeConsole
0x523004 RaiseException
0x523008 CloseHandle
0x52300c WaitForSingleObjectEx
0x523010 Sleep
0x523014 SwitchToThread
0x523018 GetCurrentThreadId
0x52301c GetExitCodeThread
0x523020 GetNativeSystemInfo
0x523024 InitializeSRWLock
0x523028 ReleaseSRWLockExclusive
0x52302c AcquireSRWLockExclusive
0x523030 EnterCriticalSection
0x523034 LeaveCriticalSection
0x523038 InitializeCriticalSectionEx
0x52303c TryEnterCriticalSection
0x523040 DeleteCriticalSection
0x523044 InitializeConditionVariable
0x523048 WakeConditionVariable
0x52304c WakeAllConditionVariable
0x523050 SleepConditionVariableCS
0x523054 SleepConditionVariableSRW
0x523058 FormatMessageA
0x52305c WideCharToMultiByte
0x523060 MultiByteToWideChar
0x523064 GetStringTypeW
0x523068 InitOnceBeginInitialize
0x52306c InitOnceComplete
0x523070 GetLastError
0x523074 FreeLibraryWhenCallbackReturns
0x523078 CreateThreadpoolWork
0x52307c SubmitThreadpoolWork
0x523080 CloseThreadpoolWork
0x523084 GetModuleHandleExW
0x523088 RtlCaptureStackBackTrace
0x52308c IsProcessorFeaturePresent
0x523090 QueryPerformanceCounter
0x523094 QueryPerformanceFrequency
0x523098 SetFileInformationByHandle
0x52309c FlsAlloc
0x5230a0 FlsGetValue
0x5230a4 FlsSetValue
0x5230a8 FlsFree
0x5230ac InitOnceExecuteOnce
0x5230b0 CreateEventExW
0x5230b4 CreateSemaphoreExW
0x5230b8 FlushProcessWriteBuffers
0x5230bc GetCurrentProcessorNumber
0x5230c0 GetSystemTimeAsFileTime
0x5230c4 GetTickCount64
0x5230c8 CreateThreadpoolTimer
0x5230cc SetThreadpoolTimer
0x5230d0 WaitForThreadpoolTimerCallbacks
0x5230d4 CloseThreadpoolTimer
0x5230d8 CreateThreadpoolWait
0x5230dc SetThreadpoolWait
0x5230e0 CloseThreadpoolWait
0x5230e4 GetModuleHandleW
0x5230e8 GetProcAddress
0x5230ec GetFileInformationByHandleEx
0x5230f0 CreateSymbolicLinkW
0x5230f4 LocalFree
0x5230f8 EncodePointer
0x5230fc DecodePointer
0x523100 LCMapStringEx
0x523104 GetLocaleInfoEx
0x523108 CompareStringEx
0x52310c GetCPInfo
0x523110 InitializeCriticalSectionAndSpinCount
0x523114 SetEvent
0x523118 ResetEvent
0x52311c CreateEventW
0x523120 GetCurrentProcessId
0x523124 InitializeSListHead
0x523128 IsDebuggerPresent
0x52312c UnhandledExceptionFilter
0x523130 SetUnhandledExceptionFilter
0x523134 GetStartupInfoW
0x523138 GetCurrentProcess
0x52313c TerminateProcess
0x523140 CreateFileW
0x523144 RtlUnwind
0x523148 InterlockedPushEntrySList
0x52314c InterlockedFlushSList
0x523150 SetLastError
0x523154 TlsAlloc
0x523158 TlsGetValue
0x52315c TlsSetValue
0x523160 TlsFree
0x523164 FreeLibrary
0x523168 LoadLibraryExW
0x52316c CreateThread
0x523170 ExitThread
0x523174 ResumeThread
0x523178 FreeLibraryAndExitThread
0x52317c GetStdHandle
0x523180 WriteFile
0x523184 GetModuleFileNameW
0x523188 ExitProcess
0x52318c GetCommandLineA
0x523190 GetCommandLineW
0x523194 GetCurrentThread
0x523198 HeapAlloc
0x52319c HeapFree
0x5231a0 SetConsoleCtrlHandler
0x5231a4 GetDateFormatW
0x5231a8 GetTimeFormatW
0x5231ac CompareStringW
0x5231b0 LCMapStringW
0x5231b4 GetLocaleInfoW
0x5231b8 IsValidLocale
0x5231bc GetUserDefaultLCID
0x5231c0 EnumSystemLocalesW
0x5231c4 GetFileType
0x5231c8 GetFileSizeEx
0x5231cc SetFilePointerEx
0x5231d0 FlushFileBuffers
0x5231d4 GetConsoleOutputCP
0x5231d8 GetConsoleMode
0x5231dc ReadFile
0x5231e0 ReadConsoleW
0x5231e4 HeapReAlloc
0x5231e8 GetTimeZoneInformation
0x5231ec OutputDebugStringW
0x5231f0 FindClose
0x5231f4 FindFirstFileExW
0x5231f8 FindNextFileW
0x5231fc IsValidCodePage
0x523200 GetACP
0x523204 GetOEMCP
0x523208 GetEnvironmentStringsW
0x52320c FreeEnvironmentStringsW
0x523210 SetEnvironmentVariableW
0x523214 SetStdHandle
0x523218 GetProcessHeap
0x52321c HeapSize
0x523220 WriteConsoleW
EAT(Export Address Table) is none
KERNEL32.dll
0x523000 FreeConsole
0x523004 RaiseException
0x523008 CloseHandle
0x52300c WaitForSingleObjectEx
0x523010 Sleep
0x523014 SwitchToThread
0x523018 GetCurrentThreadId
0x52301c GetExitCodeThread
0x523020 GetNativeSystemInfo
0x523024 InitializeSRWLock
0x523028 ReleaseSRWLockExclusive
0x52302c AcquireSRWLockExclusive
0x523030 EnterCriticalSection
0x523034 LeaveCriticalSection
0x523038 InitializeCriticalSectionEx
0x52303c TryEnterCriticalSection
0x523040 DeleteCriticalSection
0x523044 InitializeConditionVariable
0x523048 WakeConditionVariable
0x52304c WakeAllConditionVariable
0x523050 SleepConditionVariableCS
0x523054 SleepConditionVariableSRW
0x523058 FormatMessageA
0x52305c WideCharToMultiByte
0x523060 MultiByteToWideChar
0x523064 GetStringTypeW
0x523068 InitOnceBeginInitialize
0x52306c InitOnceComplete
0x523070 GetLastError
0x523074 FreeLibraryWhenCallbackReturns
0x523078 CreateThreadpoolWork
0x52307c SubmitThreadpoolWork
0x523080 CloseThreadpoolWork
0x523084 GetModuleHandleExW
0x523088 RtlCaptureStackBackTrace
0x52308c IsProcessorFeaturePresent
0x523090 QueryPerformanceCounter
0x523094 QueryPerformanceFrequency
0x523098 SetFileInformationByHandle
0x52309c FlsAlloc
0x5230a0 FlsGetValue
0x5230a4 FlsSetValue
0x5230a8 FlsFree
0x5230ac InitOnceExecuteOnce
0x5230b0 CreateEventExW
0x5230b4 CreateSemaphoreExW
0x5230b8 FlushProcessWriteBuffers
0x5230bc GetCurrentProcessorNumber
0x5230c0 GetSystemTimeAsFileTime
0x5230c4 GetTickCount64
0x5230c8 CreateThreadpoolTimer
0x5230cc SetThreadpoolTimer
0x5230d0 WaitForThreadpoolTimerCallbacks
0x5230d4 CloseThreadpoolTimer
0x5230d8 CreateThreadpoolWait
0x5230dc SetThreadpoolWait
0x5230e0 CloseThreadpoolWait
0x5230e4 GetModuleHandleW
0x5230e8 GetProcAddress
0x5230ec GetFileInformationByHandleEx
0x5230f0 CreateSymbolicLinkW
0x5230f4 LocalFree
0x5230f8 EncodePointer
0x5230fc DecodePointer
0x523100 LCMapStringEx
0x523104 GetLocaleInfoEx
0x523108 CompareStringEx
0x52310c GetCPInfo
0x523110 InitializeCriticalSectionAndSpinCount
0x523114 SetEvent
0x523118 ResetEvent
0x52311c CreateEventW
0x523120 GetCurrentProcessId
0x523124 InitializeSListHead
0x523128 IsDebuggerPresent
0x52312c UnhandledExceptionFilter
0x523130 SetUnhandledExceptionFilter
0x523134 GetStartupInfoW
0x523138 GetCurrentProcess
0x52313c TerminateProcess
0x523140 CreateFileW
0x523144 RtlUnwind
0x523148 InterlockedPushEntrySList
0x52314c InterlockedFlushSList
0x523150 SetLastError
0x523154 TlsAlloc
0x523158 TlsGetValue
0x52315c TlsSetValue
0x523160 TlsFree
0x523164 FreeLibrary
0x523168 LoadLibraryExW
0x52316c CreateThread
0x523170 ExitThread
0x523174 ResumeThread
0x523178 FreeLibraryAndExitThread
0x52317c GetStdHandle
0x523180 WriteFile
0x523184 GetModuleFileNameW
0x523188 ExitProcess
0x52318c GetCommandLineA
0x523190 GetCommandLineW
0x523194 GetCurrentThread
0x523198 HeapAlloc
0x52319c HeapFree
0x5231a0 SetConsoleCtrlHandler
0x5231a4 GetDateFormatW
0x5231a8 GetTimeFormatW
0x5231ac CompareStringW
0x5231b0 LCMapStringW
0x5231b4 GetLocaleInfoW
0x5231b8 IsValidLocale
0x5231bc GetUserDefaultLCID
0x5231c0 EnumSystemLocalesW
0x5231c4 GetFileType
0x5231c8 GetFileSizeEx
0x5231cc SetFilePointerEx
0x5231d0 FlushFileBuffers
0x5231d4 GetConsoleOutputCP
0x5231d8 GetConsoleMode
0x5231dc ReadFile
0x5231e0 ReadConsoleW
0x5231e4 HeapReAlloc
0x5231e8 GetTimeZoneInformation
0x5231ec OutputDebugStringW
0x5231f0 FindClose
0x5231f4 FindFirstFileExW
0x5231f8 FindNextFileW
0x5231fc IsValidCodePage
0x523200 GetACP
0x523204 GetOEMCP
0x523208 GetEnvironmentStringsW
0x52320c FreeEnvironmentStringsW
0x523210 SetEnvironmentVariableW
0x523214 SetStdHandle
0x523218 GetProcessHeap
0x52321c HeapSize
0x523220 WriteConsoleW
EAT(Export Address Table) is none