ScreenShot
| Created | 2023.09.18 07:39 | Machine | s1_win7_x6403 |
| Filename | 1.exe | ||
| Type | PE32 executable (console) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | |||
| md5 | ee629be336cb1394d8902ad966703722 | ||
| sha256 | f6ca072660301d01562b087fcdf04b8697a15ea706264d079726f09067c253a5 | ||
| ssdeep | 12288:SpHKaeR8yuI9K/bsrbzcCXy15hC3wnFvt/HjDcBtldlqPEXE2:FaeR8yuI9K/ArbzcCXy15hC3wnFvt/HS | ||
| imphash | a051afa6afb2fed9c604c2121e6529dd | ||
| impfuzzy | 24:CyDWJ4LjjCRS1jtpbJeDc+pl39TyoEOovbO3URZHu93vB3GM4L6:/CS1jtp6c+pp9yc3vBv | ||
Network IP location
Signature (15cnts)
| Level | Description |
|---|---|
| watch | Collects information about installed applications |
| watch | Communicates with host for which no DNS query was performed |
| watch | Harvests credentials from local FTP client softwares |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | One or more potentially interesting buffers were extracted |
| notice | Queries for potentially installed applications |
| notice | Steals private information from local Internet browsers |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | Tries to locate where the browsers are installed |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (5cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer Activity (Response)
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer Activity (Response)
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x41100c Sleep
0x411010 CreateThread
0x411014 VirtualAlloc
0x411018 VirtualProtect
0x41101c GetModuleHandleA
0x411020 GetModuleHandleW
0x411024 GetProcAddress
0x411028 LoadResource
0x41102c CreateMutexA
0x411030 SizeofResource
0x411034 FindResourceW
0x411038 LoadLibraryA
0x41103c LocalAlloc
0x411040 lstrlenW
0x411044 EnumTimeFormatsW
0x411048 FreeConsole
0x41104c WriteConsoleW
0x411050 WaitForSingleObject
0x411054 LockResource
0x411058 GetLastError
0x41105c QueryPerformanceCounter
0x411060 GetCurrentProcessId
0x411064 GetCurrentThreadId
0x411068 GetSystemTimeAsFileTime
0x41106c InitializeSListHead
0x411070 IsDebuggerPresent
0x411074 UnhandledExceptionFilter
0x411078 SetUnhandledExceptionFilter
0x41107c GetStartupInfoW
0x411080 IsProcessorFeaturePresent
0x411084 GetCurrentProcess
0x411088 TerminateProcess
0x41108c RtlUnwind
0x411090 SetLastError
0x411094 EncodePointer
0x411098 EnterCriticalSection
0x41109c LeaveCriticalSection
0x4110a0 DeleteCriticalSection
0x4110a4 InitializeCriticalSectionAndSpinCount
0x4110a8 TlsAlloc
0x4110ac TlsGetValue
0x4110b0 TlsSetValue
0x4110b4 TlsFree
0x4110b8 FreeLibrary
0x4110bc LoadLibraryExW
0x4110c0 RaiseException
0x4110c4 GetStdHandle
0x4110c8 WriteFile
0x4110cc GetModuleFileNameW
0x4110d0 ExitProcess
0x4110d4 GetModuleHandleExW
0x4110d8 GetCommandLineA
0x4110dc GetCommandLineW
0x4110e0 HeapAlloc
0x4110e4 HeapFree
0x4110e8 FindClose
0x4110ec FindFirstFileExW
0x4110f0 FindNextFileW
0x4110f4 IsValidCodePage
0x4110f8 GetACP
0x4110fc GetOEMCP
0x411100 GetCPInfo
0x411104 MultiByteToWideChar
0x411108 WideCharToMultiByte
0x41110c GetEnvironmentStringsW
0x411110 FreeEnvironmentStringsW
0x411114 SetEnvironmentVariableW
0x411118 SetStdHandle
0x41111c GetFileType
0x411120 GetStringTypeW
0x411124 CompareStringW
0x411128 LCMapStringW
0x41112c GetProcessHeap
0x411130 HeapSize
0x411134 HeapReAlloc
0x411138 FlushFileBuffers
0x41113c GetConsoleOutputCP
0x411140 GetConsoleMode
0x411144 SetFilePointerEx
0x411148 CreateFileW
0x41114c CloseHandle
0x411150 DecodePointer
COMDLG32.dll
0x411000 GetOpenFileNameA
0x411004 GetSaveFileNameA
EAT(Export Address Table) is none
KERNEL32.dll
0x41100c Sleep
0x411010 CreateThread
0x411014 VirtualAlloc
0x411018 VirtualProtect
0x41101c GetModuleHandleA
0x411020 GetModuleHandleW
0x411024 GetProcAddress
0x411028 LoadResource
0x41102c CreateMutexA
0x411030 SizeofResource
0x411034 FindResourceW
0x411038 LoadLibraryA
0x41103c LocalAlloc
0x411040 lstrlenW
0x411044 EnumTimeFormatsW
0x411048 FreeConsole
0x41104c WriteConsoleW
0x411050 WaitForSingleObject
0x411054 LockResource
0x411058 GetLastError
0x41105c QueryPerformanceCounter
0x411060 GetCurrentProcessId
0x411064 GetCurrentThreadId
0x411068 GetSystemTimeAsFileTime
0x41106c InitializeSListHead
0x411070 IsDebuggerPresent
0x411074 UnhandledExceptionFilter
0x411078 SetUnhandledExceptionFilter
0x41107c GetStartupInfoW
0x411080 IsProcessorFeaturePresent
0x411084 GetCurrentProcess
0x411088 TerminateProcess
0x41108c RtlUnwind
0x411090 SetLastError
0x411094 EncodePointer
0x411098 EnterCriticalSection
0x41109c LeaveCriticalSection
0x4110a0 DeleteCriticalSection
0x4110a4 InitializeCriticalSectionAndSpinCount
0x4110a8 TlsAlloc
0x4110ac TlsGetValue
0x4110b0 TlsSetValue
0x4110b4 TlsFree
0x4110b8 FreeLibrary
0x4110bc LoadLibraryExW
0x4110c0 RaiseException
0x4110c4 GetStdHandle
0x4110c8 WriteFile
0x4110cc GetModuleFileNameW
0x4110d0 ExitProcess
0x4110d4 GetModuleHandleExW
0x4110d8 GetCommandLineA
0x4110dc GetCommandLineW
0x4110e0 HeapAlloc
0x4110e4 HeapFree
0x4110e8 FindClose
0x4110ec FindFirstFileExW
0x4110f0 FindNextFileW
0x4110f4 IsValidCodePage
0x4110f8 GetACP
0x4110fc GetOEMCP
0x411100 GetCPInfo
0x411104 MultiByteToWideChar
0x411108 WideCharToMultiByte
0x41110c GetEnvironmentStringsW
0x411110 FreeEnvironmentStringsW
0x411114 SetEnvironmentVariableW
0x411118 SetStdHandle
0x41111c GetFileType
0x411120 GetStringTypeW
0x411124 CompareStringW
0x411128 LCMapStringW
0x41112c GetProcessHeap
0x411130 HeapSize
0x411134 HeapReAlloc
0x411138 FlushFileBuffers
0x41113c GetConsoleOutputCP
0x411140 GetConsoleMode
0x411144 SetFilePointerEx
0x411148 CreateFileW
0x41114c CloseHandle
0x411150 DecodePointer
COMDLG32.dll
0x411000 GetOpenFileNameA
0x411004 GetSaveFileNameA
EAT(Export Address Table) is none