ScreenShot
| Created | 2023.09.14 19:10 | Machine | s1_win7_x6401 |
| Filename | o0SoFtIk0o_crypted_FOX.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 37 detected (AIDetectMalware, malicious, high confidence, Zusy, Kryptik, Vrtf, ZexaF, qPW@aGZ4Xvbi, Eldorado, Attribute, HighConfidence, HUBU, score, RedLineNET, Artemis, Redline, Sabsik, Detected, ai score=85, BScope, nn6j6VJdIcB, confidence, 100%) | ||
| md5 | 90b8030fc8d0624d93d77b6a7743ab5c | ||
| sha256 | a25e499f020aff89d8256ad834a86d9764aac6361cca542d76fe2c3eadbedd4a | ||
| ssdeep | 24576:sz/bHTbbK8HgneSxMJHoqbQvFJIHXUXOAaljr5r0izmvZHV:snbK8HgnenB87VOAaljr+TP | ||
| imphash | 8d5160aba42ffb2e8789bc5aa4f2911e | ||
| impfuzzy | 48:gBfWJcpH+zD9vrxQSXtXvZrmcGtZzba63ZuFZGLc:gBfWJcpH+X1rxHXtXvxmcGtZPanl | ||
Network IP location
Signature (28cnts)
| Level | Description |
|---|---|
| danger | Executed a process and injected code into it |
| danger | File has been identified by 37 AntiVirus engines on VirusTotal as malicious |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Collects information about installed applications |
| watch | Communicates with host for which no DNS query was performed |
| watch | Harvests credentials from local FTP client softwares |
| watch | One or more of the buffers contains an embedded PE file |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks adapter addresses which can be used to detect virtual network interfaces |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Queries for potentially installed applications |
| notice | Steals private information from local Internet browsers |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The executable uses a known packer |
| info | This executable has a PDB path |
| info | Tries to locate where the browsers are installed |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (15cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
| notice | Network_SMTP_dotNet | Communications smtp | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Suricata ids
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x523000 RaiseException
0x523004 CloseHandle
0x523008 WaitForSingleObjectEx
0x52300c Sleep
0x523010 SwitchToThread
0x523014 GetCurrentThreadId
0x523018 GetExitCodeThread
0x52301c GetNativeSystemInfo
0x523020 InitializeSRWLock
0x523024 ReleaseSRWLockExclusive
0x523028 AcquireSRWLockExclusive
0x52302c EnterCriticalSection
0x523030 LeaveCriticalSection
0x523034 InitializeCriticalSectionEx
0x523038 TryEnterCriticalSection
0x52303c DeleteCriticalSection
0x523040 InitializeConditionVariable
0x523044 WakeConditionVariable
0x523048 WakeAllConditionVariable
0x52304c SleepConditionVariableCS
0x523050 SleepConditionVariableSRW
0x523054 FormatMessageA
0x523058 WideCharToMultiByte
0x52305c MultiByteToWideChar
0x523060 GetStringTypeW
0x523064 InitOnceBeginInitialize
0x523068 InitOnceComplete
0x52306c GetLastError
0x523070 FreeLibraryWhenCallbackReturns
0x523074 CreateThreadpoolWork
0x523078 SubmitThreadpoolWork
0x52307c CloseThreadpoolWork
0x523080 GetModuleHandleExW
0x523084 RtlCaptureStackBackTrace
0x523088 IsProcessorFeaturePresent
0x52308c QueryPerformanceCounter
0x523090 QueryPerformanceFrequency
0x523094 SetFileInformationByHandle
0x523098 FlsAlloc
0x52309c FlsGetValue
0x5230a0 FlsSetValue
0x5230a4 FlsFree
0x5230a8 InitOnceExecuteOnce
0x5230ac CreateEventExW
0x5230b0 CreateSemaphoreExW
0x5230b4 FlushProcessWriteBuffers
0x5230b8 GetCurrentProcessorNumber
0x5230bc GetSystemTimeAsFileTime
0x5230c0 GetTickCount64
0x5230c4 CreateThreadpoolTimer
0x5230c8 SetThreadpoolTimer
0x5230cc WaitForThreadpoolTimerCallbacks
0x5230d0 CloseThreadpoolTimer
0x5230d4 CreateThreadpoolWait
0x5230d8 SetThreadpoolWait
0x5230dc CloseThreadpoolWait
0x5230e0 GetModuleHandleW
0x5230e4 GetProcAddress
0x5230e8 GetFileInformationByHandleEx
0x5230ec CreateSymbolicLinkW
0x5230f0 LocalFree
0x5230f4 EncodePointer
0x5230f8 DecodePointer
0x5230fc LCMapStringEx
0x523100 GetLocaleInfoEx
0x523104 CompareStringEx
0x523108 GetCPInfo
0x52310c InitializeCriticalSectionAndSpinCount
0x523110 SetEvent
0x523114 ResetEvent
0x523118 CreateEventW
0x52311c GetCurrentProcessId
0x523120 InitializeSListHead
0x523124 IsDebuggerPresent
0x523128 UnhandledExceptionFilter
0x52312c SetUnhandledExceptionFilter
0x523130 GetStartupInfoW
0x523134 GetCurrentProcess
0x523138 TerminateProcess
0x52313c CreateFileW
0x523140 RtlUnwind
0x523144 InterlockedPushEntrySList
0x523148 InterlockedFlushSList
0x52314c SetLastError
0x523150 TlsAlloc
0x523154 TlsGetValue
0x523158 TlsSetValue
0x52315c TlsFree
0x523160 FreeLibrary
0x523164 LoadLibraryExW
0x523168 CreateThread
0x52316c ExitThread
0x523170 ResumeThread
0x523174 FreeLibraryAndExitThread
0x523178 GetStdHandle
0x52317c WriteFile
0x523180 GetModuleFileNameW
0x523184 ExitProcess
0x523188 GetCommandLineA
0x52318c GetCommandLineW
0x523190 GetCurrentThread
0x523194 HeapAlloc
0x523198 HeapFree
0x52319c SetConsoleCtrlHandler
0x5231a0 GetDateFormatW
0x5231a4 GetTimeFormatW
0x5231a8 CompareStringW
0x5231ac LCMapStringW
0x5231b0 GetLocaleInfoW
0x5231b4 IsValidLocale
0x5231b8 GetUserDefaultLCID
0x5231bc EnumSystemLocalesW
0x5231c0 GetFileType
0x5231c4 GetFileSizeEx
0x5231c8 SetFilePointerEx
0x5231cc FlushFileBuffers
0x5231d0 GetConsoleOutputCP
0x5231d4 GetConsoleMode
0x5231d8 ReadFile
0x5231dc ReadConsoleW
0x5231e0 HeapReAlloc
0x5231e4 GetTimeZoneInformation
0x5231e8 OutputDebugStringW
0x5231ec FindClose
0x5231f0 FindFirstFileExW
0x5231f4 FindNextFileW
0x5231f8 IsValidCodePage
0x5231fc GetACP
0x523200 GetOEMCP
0x523204 GetEnvironmentStringsW
0x523208 FreeEnvironmentStringsW
0x52320c SetEnvironmentVariableW
0x523210 SetStdHandle
0x523214 GetProcessHeap
0x523218 HeapSize
0x52321c WriteConsoleW
EAT(Export Address Table) is none
KERNEL32.dll
0x523000 RaiseException
0x523004 CloseHandle
0x523008 WaitForSingleObjectEx
0x52300c Sleep
0x523010 SwitchToThread
0x523014 GetCurrentThreadId
0x523018 GetExitCodeThread
0x52301c GetNativeSystemInfo
0x523020 InitializeSRWLock
0x523024 ReleaseSRWLockExclusive
0x523028 AcquireSRWLockExclusive
0x52302c EnterCriticalSection
0x523030 LeaveCriticalSection
0x523034 InitializeCriticalSectionEx
0x523038 TryEnterCriticalSection
0x52303c DeleteCriticalSection
0x523040 InitializeConditionVariable
0x523044 WakeConditionVariable
0x523048 WakeAllConditionVariable
0x52304c SleepConditionVariableCS
0x523050 SleepConditionVariableSRW
0x523054 FormatMessageA
0x523058 WideCharToMultiByte
0x52305c MultiByteToWideChar
0x523060 GetStringTypeW
0x523064 InitOnceBeginInitialize
0x523068 InitOnceComplete
0x52306c GetLastError
0x523070 FreeLibraryWhenCallbackReturns
0x523074 CreateThreadpoolWork
0x523078 SubmitThreadpoolWork
0x52307c CloseThreadpoolWork
0x523080 GetModuleHandleExW
0x523084 RtlCaptureStackBackTrace
0x523088 IsProcessorFeaturePresent
0x52308c QueryPerformanceCounter
0x523090 QueryPerformanceFrequency
0x523094 SetFileInformationByHandle
0x523098 FlsAlloc
0x52309c FlsGetValue
0x5230a0 FlsSetValue
0x5230a4 FlsFree
0x5230a8 InitOnceExecuteOnce
0x5230ac CreateEventExW
0x5230b0 CreateSemaphoreExW
0x5230b4 FlushProcessWriteBuffers
0x5230b8 GetCurrentProcessorNumber
0x5230bc GetSystemTimeAsFileTime
0x5230c0 GetTickCount64
0x5230c4 CreateThreadpoolTimer
0x5230c8 SetThreadpoolTimer
0x5230cc WaitForThreadpoolTimerCallbacks
0x5230d0 CloseThreadpoolTimer
0x5230d4 CreateThreadpoolWait
0x5230d8 SetThreadpoolWait
0x5230dc CloseThreadpoolWait
0x5230e0 GetModuleHandleW
0x5230e4 GetProcAddress
0x5230e8 GetFileInformationByHandleEx
0x5230ec CreateSymbolicLinkW
0x5230f0 LocalFree
0x5230f4 EncodePointer
0x5230f8 DecodePointer
0x5230fc LCMapStringEx
0x523100 GetLocaleInfoEx
0x523104 CompareStringEx
0x523108 GetCPInfo
0x52310c InitializeCriticalSectionAndSpinCount
0x523110 SetEvent
0x523114 ResetEvent
0x523118 CreateEventW
0x52311c GetCurrentProcessId
0x523120 InitializeSListHead
0x523124 IsDebuggerPresent
0x523128 UnhandledExceptionFilter
0x52312c SetUnhandledExceptionFilter
0x523130 GetStartupInfoW
0x523134 GetCurrentProcess
0x523138 TerminateProcess
0x52313c CreateFileW
0x523140 RtlUnwind
0x523144 InterlockedPushEntrySList
0x523148 InterlockedFlushSList
0x52314c SetLastError
0x523150 TlsAlloc
0x523154 TlsGetValue
0x523158 TlsSetValue
0x52315c TlsFree
0x523160 FreeLibrary
0x523164 LoadLibraryExW
0x523168 CreateThread
0x52316c ExitThread
0x523170 ResumeThread
0x523174 FreeLibraryAndExitThread
0x523178 GetStdHandle
0x52317c WriteFile
0x523180 GetModuleFileNameW
0x523184 ExitProcess
0x523188 GetCommandLineA
0x52318c GetCommandLineW
0x523190 GetCurrentThread
0x523194 HeapAlloc
0x523198 HeapFree
0x52319c SetConsoleCtrlHandler
0x5231a0 GetDateFormatW
0x5231a4 GetTimeFormatW
0x5231a8 CompareStringW
0x5231ac LCMapStringW
0x5231b0 GetLocaleInfoW
0x5231b4 IsValidLocale
0x5231b8 GetUserDefaultLCID
0x5231bc EnumSystemLocalesW
0x5231c0 GetFileType
0x5231c4 GetFileSizeEx
0x5231c8 SetFilePointerEx
0x5231cc FlushFileBuffers
0x5231d0 GetConsoleOutputCP
0x5231d4 GetConsoleMode
0x5231d8 ReadFile
0x5231dc ReadConsoleW
0x5231e0 HeapReAlloc
0x5231e4 GetTimeZoneInformation
0x5231e8 OutputDebugStringW
0x5231ec FindClose
0x5231f0 FindFirstFileExW
0x5231f4 FindNextFileW
0x5231f8 IsValidCodePage
0x5231fc GetACP
0x523200 GetOEMCP
0x523204 GetEnvironmentStringsW
0x523208 FreeEnvironmentStringsW
0x52320c SetEnvironmentVariableW
0x523210 SetStdHandle
0x523214 GetProcessHeap
0x523218 HeapSize
0x52321c WriteConsoleW
EAT(Export Address Table) is none