ScreenShot
| Created | 2023.09.15 17:32 | Machine | s1_win7_x6403 |
| Filename | deluxe_crypted.exe | ||
| Type | PE32 executable (console) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 27 detected (AIDetectMalware, Artemis, Attribute, HighConfidence, malicious, high confidence, GenKryptik, GNWJ, score, DropperX, AMADEY, YXDIOZ, Static AI, Suspicious PE, Sabsik, RedLine, Detected, ZexaF, zuY@ambPkIfi, BScope, Matanbuchus, unsafe, susgen, confidence, 100%) | ||
| md5 | 5200fbe07521eb001f145afb95d40283 | ||
| sha256 | 00c3f29f9a8aec0774256501c562275e2d866f0130a2b8a58d74003c6c77e812 | ||
| ssdeep | 6144:UetmIGPB69DOH/e6fwQEPszYvzY0drRedAO74PkEIe44/5FuibaK8R72fwNqIEEA:UefJYfe6fwQrVBpxeBFDbOogJi5 | ||
| imphash | efed4091e3b9498715ec3123c7762889 | ||
| impfuzzy | 24:Nc8jTcpVWZjeD2t7EGhlJBl39WuPLOovbO3kFZMv1GMAkEZHu9c:m0cpVejrt7EGnpn630FZGa | ||
Network IP location
Signature (17cnts)
| Level | Description |
|---|---|
| warning | File has been identified by 27 AntiVirus engines on VirusTotal as malicious |
| watch | Collects information about installed applications |
| watch | Communicates with host for which no DNS query was performed |
| watch | Executes one or more WMI queries |
| watch | Harvests credentials from local FTP client softwares |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Executes one or more WMI queries which can be used to identify virtual machines |
| notice | One or more potentially interesting buffers were extracted |
| notice | Queries for potentially installed applications |
| notice | Steals private information from local Internet browsers |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | Tries to locate where the browsers are installed |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (5cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
PE API
IAT(Import Address Table) Library
ole32.dll
0x429148 OleGetIconOfClass
0x42914c CreateBindCtx
KERNEL32.dll
0x429000 GetCurrentProcess
0x429004 CreateFileW
0x429008 HeapSize
0x42900c FreeConsole
0x429010 MultiByteToWideChar
0x429014 GetStringTypeW
0x429018 WideCharToMultiByte
0x42901c GetCurrentThreadId
0x429020 CloseHandle
0x429024 WaitForSingleObjectEx
0x429028 GetExitCodeThread
0x42902c EnterCriticalSection
0x429030 LeaveCriticalSection
0x429034 InitializeCriticalSectionEx
0x429038 DeleteCriticalSection
0x42903c EncodePointer
0x429040 DecodePointer
0x429044 LCMapStringEx
0x429048 QueryPerformanceCounter
0x42904c GetSystemTimeAsFileTime
0x429050 GetModuleHandleW
0x429054 GetProcAddress
0x429058 GetCPInfo
0x42905c IsProcessorFeaturePresent
0x429060 UnhandledExceptionFilter
0x429064 SetUnhandledExceptionFilter
0x429068 WriteConsoleW
0x42906c TerminateProcess
0x429070 GetCurrentProcessId
0x429074 InitializeSListHead
0x429078 IsDebuggerPresent
0x42907c GetStartupInfoW
0x429080 GetProcessHeap
0x429084 RaiseException
0x429088 RtlUnwind
0x42908c GetLastError
0x429090 SetLastError
0x429094 InitializeCriticalSectionAndSpinCount
0x429098 TlsAlloc
0x42909c TlsGetValue
0x4290a0 TlsSetValue
0x4290a4 TlsFree
0x4290a8 FreeLibrary
0x4290ac LoadLibraryExW
0x4290b0 CreateThread
0x4290b4 ExitThread
0x4290b8 FreeLibraryAndExitThread
0x4290bc GetModuleHandleExW
0x4290c0 GetStdHandle
0x4290c4 WriteFile
0x4290c8 GetModuleFileNameW
0x4290cc ExitProcess
0x4290d0 GetCommandLineA
0x4290d4 GetCommandLineW
0x4290d8 HeapAlloc
0x4290dc HeapFree
0x4290e0 CompareStringW
0x4290e4 LCMapStringW
0x4290e8 GetLocaleInfoW
0x4290ec IsValidLocale
0x4290f0 GetUserDefaultLCID
0x4290f4 EnumSystemLocalesW
0x4290f8 GetFileType
0x4290fc FlushFileBuffers
0x429100 GetConsoleOutputCP
0x429104 GetConsoleMode
0x429108 ReadFile
0x42910c GetFileSizeEx
0x429110 SetFilePointerEx
0x429114 ReadConsoleW
0x429118 HeapReAlloc
0x42911c FindClose
0x429120 FindFirstFileExW
0x429124 FindNextFileW
0x429128 IsValidCodePage
0x42912c GetACP
0x429130 GetOEMCP
0x429134 GetEnvironmentStringsW
0x429138 FreeEnvironmentStringsW
0x42913c SetEnvironmentVariableW
0x429140 SetStdHandle
EAT(Export Address Table) Library
0x407030 _Killoujua@4
0x407050 _uivbuyz@4
0x407040 _uygZUIYguyAUI@4
ole32.dll
0x429148 OleGetIconOfClass
0x42914c CreateBindCtx
KERNEL32.dll
0x429000 GetCurrentProcess
0x429004 CreateFileW
0x429008 HeapSize
0x42900c FreeConsole
0x429010 MultiByteToWideChar
0x429014 GetStringTypeW
0x429018 WideCharToMultiByte
0x42901c GetCurrentThreadId
0x429020 CloseHandle
0x429024 WaitForSingleObjectEx
0x429028 GetExitCodeThread
0x42902c EnterCriticalSection
0x429030 LeaveCriticalSection
0x429034 InitializeCriticalSectionEx
0x429038 DeleteCriticalSection
0x42903c EncodePointer
0x429040 DecodePointer
0x429044 LCMapStringEx
0x429048 QueryPerformanceCounter
0x42904c GetSystemTimeAsFileTime
0x429050 GetModuleHandleW
0x429054 GetProcAddress
0x429058 GetCPInfo
0x42905c IsProcessorFeaturePresent
0x429060 UnhandledExceptionFilter
0x429064 SetUnhandledExceptionFilter
0x429068 WriteConsoleW
0x42906c TerminateProcess
0x429070 GetCurrentProcessId
0x429074 InitializeSListHead
0x429078 IsDebuggerPresent
0x42907c GetStartupInfoW
0x429080 GetProcessHeap
0x429084 RaiseException
0x429088 RtlUnwind
0x42908c GetLastError
0x429090 SetLastError
0x429094 InitializeCriticalSectionAndSpinCount
0x429098 TlsAlloc
0x42909c TlsGetValue
0x4290a0 TlsSetValue
0x4290a4 TlsFree
0x4290a8 FreeLibrary
0x4290ac LoadLibraryExW
0x4290b0 CreateThread
0x4290b4 ExitThread
0x4290b8 FreeLibraryAndExitThread
0x4290bc GetModuleHandleExW
0x4290c0 GetStdHandle
0x4290c4 WriteFile
0x4290c8 GetModuleFileNameW
0x4290cc ExitProcess
0x4290d0 GetCommandLineA
0x4290d4 GetCommandLineW
0x4290d8 HeapAlloc
0x4290dc HeapFree
0x4290e0 CompareStringW
0x4290e4 LCMapStringW
0x4290e8 GetLocaleInfoW
0x4290ec IsValidLocale
0x4290f0 GetUserDefaultLCID
0x4290f4 EnumSystemLocalesW
0x4290f8 GetFileType
0x4290fc FlushFileBuffers
0x429100 GetConsoleOutputCP
0x429104 GetConsoleMode
0x429108 ReadFile
0x42910c GetFileSizeEx
0x429110 SetFilePointerEx
0x429114 ReadConsoleW
0x429118 HeapReAlloc
0x42911c FindClose
0x429120 FindFirstFileExW
0x429124 FindNextFileW
0x429128 IsValidCodePage
0x42912c GetACP
0x429130 GetOEMCP
0x429134 GetEnvironmentStringsW
0x429138 FreeEnvironmentStringsW
0x42913c SetEnvironmentVariableW
0x429140 SetStdHandle
EAT(Export Address Table) Library
0x407030 _Killoujua@4
0x407050 _uivbuyz@4
0x407040 _uygZUIYguyAUI@4