Field | Value |
---|---|
Created | 2023.09.23 09:40 |
Machine | s1_win7_x6401 |
Filename | d3xi5rws2ffuli.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | (not shown) |
Behavior Score | (not shown) |
ZERO API | file : malware |
VT API (file) | 47 detected (AIDetectMalware, Convagent, malicious, high confidence, Zusy, Pwsx, Artemis, unsafe, V5gz, Redline, ZexaF, HLW@aG90g6p, Kryptik, Eldorado, Attribute, HighConfidence, HUBU, score, RedLineNET, SMOKELOADER, YXDIVZ, eqfi, ASAS, AMFQ4F, Detected, Injection, R606712, ai score=88, GdSda, yFX0XWRx5GT, susgen, ETFD, confidence, 100%) |
md5 | 52c2f13a9fa292d1f32439dde355ff71 |
sha256 | 020c6da8f2bbd3a3f15dcbc8808255c2650df37f2b499b680e69d9e3cb1c1316 |
ssdeep | 24576:IxYEuWq4g738fRzNGfnCcDTUnkos0mmCRG9ZW02W43:IQ4g738fREJ0kos0SRG9c |
imphash | 31ca7f44eea51b716619fb542450c07f |
impfuzzy | 48:VBfWJcpH+zD9vrxQSXtXxZrmcGtZzba63buFZGz0:VBfWJcpH+X1rxHXtXxxmcGtZPa9V |
Network IP location
Signature (24cnts)
Level | Description |
---|---|
danger | File has been identified by 47 AntiVirus engines on VirusTotal as malicious |
danger | Executed a process and injected code into it |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
watch | Harvests credentials from local FTP client softwares |
watch | One or more of the buffers contains an embedded PE file |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | One or more potentially interesting buffers were extracted |
notice | Queries for potentially installed applications |
notice | Steals private information from local Internet browsers |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | One or more processes crashed |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | The executable uses a known packer |
info | Tries to locate where the browsers are installed |
info | Uses Windows APIs to generate a cryptographic key |
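The "danger" and "watch" signatures above (execute permission allocated in another process, memory written into it, NtSetContextThread on a remote thread, a suspended thread resumed) are the individual steps of one remote-injection chain, and they are only meaningful together and in order. The following is an added example, not code from the report or from the sandbox, showing how a detection engine correlates such API-call log lines per target PID so that the chain is reported once and a self-allocation while unpacking (the "notice" RWX signature) is not. The `time|caller_pid|api|key=value,...` log format, the PIDs and the path `C:\hypothetical\host.exe` are constructed for the example; the API names and the flag values are the real Win32 ones.

```python
"""Correlate sandbox API-call log lines into the remote process-injection
chain the signatures above describe: spawn a process suspended, allocate
executable memory in it, write into it, rewrite a thread context with
NtSetContextThread, resume the suspended thread.

Added example, not code from the original report or the sandbox. The
'time|caller_pid|api|key=value,...' log format and the sample lines are
constructed; the API names and the flag values (CREATE_SUSPENDED = 0x4,
PAGE_EXECUTE_READWRITE = 0x40) are the real Win32 ones.
"""
import re
from collections import defaultdict

CREATE_SUSPENDED = 0x4
PAGE_EXECUTE_READWRITE = 0x40

# The chain in the order a hollowing loader performs it; a target PID is only
# reported when all five steps were seen against it, in this order.
CHAIN = ("spawn_suspended", "alloc_rwx", "write_memory", "set_context", "resume_thread")

LINE_RE = re.compile(r"^(?P<ts>\S+)\|(?P<pid>\d+)\|(?P<api>\w+)\|(?P<args>.*)$")

def parse_line(line):
    """Split one constructed log line into (timestamp, caller_pid, api, {arg: value})."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    args = dict(kv.split("=", 1) for kv in m["args"].split(",") if "=" in kv)
    return m["ts"], int(m["pid"]), m["api"], args

def classify(api, args):
    """Map one API call to a chain step, or None when it is not part of the chain."""
    if api in ("CreateProcessInternalW", "CreateProcessW", "CreateProcessA"):
        if int(args.get("creation_flags", "0"), 16) & CREATE_SUSPENDED:
            return "spawn_suspended"
    elif api in ("NtAllocateVirtualMemory", "VirtualAllocEx"):
        if int(args.get("protection", "0"), 16) == PAGE_EXECUTE_READWRITE:
            return "alloc_rwx"
    elif api in ("NtWriteVirtualMemory", "WriteProcessMemory"):
        return "write_memory"
    elif api in ("NtSetContextThread", "SetThreadContext"):
        return "set_context"
    elif api in ("NtResumeThread", "ResumeThread"):
        return "resume_thread"
    return None

def find_hollowing(lines):
    """Return {(caller_pid, target_pid): steps} for every target that received
    the complete chain in order. Calls against the caller's own process (RWX
    self-allocation while unpacking) are ignored: they are not remote injection."""
    seen = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        _ts, pid, api, args = parsed
        step = classify(api, args)
        if step is None:
            continue
        target = int(args.get("target_pid", pid))
        if target == pid:
            continue
        key = (pid, target)
        # Accept a step only if it advances the chain; repeats (several
        # NtWriteVirtualMemory calls, one per section) and out-of-order
        # calls do not count.
        if seen[key] and CHAIN.index(step) <= CHAIN.index(seen[key][-1]):
            continue
        seen[key].append(step)
    return {key: steps for key, steps in seen.items() if tuple(steps) == CHAIN}

# Constructed sample log: PID 1234 hollows a suspended child 2468, then does
# an RWX allocation in its own process (ignored by find_hollowing).
SAMPLE_LOG = """\
09:40:01.100|1234|CreateProcessInternalW|path=C:\\hypothetical\\host.exe,creation_flags=0x4,target_pid=2468
09:40:01.120|1234|NtAllocateVirtualMemory|target_pid=2468,base=0x400000,size=0x2a000,protection=0x40
09:40:01.130|1234|NtWriteVirtualMemory|target_pid=2468,base=0x400000,size=0x400
09:40:01.131|1234|NtWriteVirtualMemory|target_pid=2468,base=0x401000,size=0x1f000
09:40:01.140|1234|NtSetContextThread|target_pid=2468,tid=2472
09:40:01.150|1234|NtResumeThread|target_pid=2468,tid=2472
09:40:01.200|1234|NtAllocateVirtualMemory|base=0x5a0000,size=0x1000,protection=0x40
"""

if __name__ == "__main__":
    for (caller, target), steps in find_hollowing(SAMPLE_LOG.splitlines()).items():
        print(f"PID {caller} -> PID {target}: {' -> '.join(steps)}")
```

Dropping the first line of the sample (no suspended spawn) leaves a partial chain that is not reported; a loader that writes a PE image into a process it did not create would need a separate rule keyed on NtOpenProcess rather than on CREATE_SUSPENDED.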
Rules (15cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
notice | Network_SMTP_dotNet | Communications smtp | memory |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Suricata ids
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer Activity (Response)
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer Activity (Response)
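The "ET INFO Microsoft net.tcp Connection Initialization Activity" alert fires on the client preamble of the .NET Message Framing protocol (MC-NMF), the transport a WCF net.tcp endpoint uses and the one the RedLine rules above are layered on. Below is an added example, not code from the report or from the ET ruleset, that parses that preamble and extracts the Via URI, which is how the contacted host can be checked against the names the sandbox saw resolved (the "Communicates with host for which no DNS query was performed" signature). Record types and enumeration values follow the public [MC-NMF] specification; the sample bytes, the host 203.0.113.10 and port 4444 are constructed.

```python
"""Parse the client side of an MS .NET Message Framing (MC-NMF) preamble,
the net.tcp handshake that the 'ET INFO Microsoft net.tcp Connection
Initialization Activity' alert keys on, and pull out the Via URI so the
contacted host can be compared with the sandbox's DNS lookups.

Added example, not code from the report or from the ET ruleset. Record
type and enumeration values are those of the public [MC-NMF] specification;
the sample bytes, host 203.0.113.10 and port 4444 are constructed.
"""
import ipaddress
from urllib.parse import urlparse

# Record types, in [MC-NMF] order (0x00 .. 0x0C).
(VERSION, MODE, VIA, KNOWN_ENC, EXT_ENC, UNSIZED_ENV, SIZED_ENV, END, FAULT,
 UPGRADE_REQ, UPGRADE_RESP, PREAMBLE_ACK, PREAMBLE_END) = range(13)

MODE_NAMES = {1: "singleton-unsized", 2: "duplex", 3: "simplex", 4: "singleton-sized"}
ENCODING_NAMES = {0: "utf8 soap1.1", 1: "utf16 soap1.1", 2: "utf16le soap1.1",
                  3: "utf8 soap1.2", 4: "utf16 soap1.2", 5: "utf16le soap1.2",
                  6: "mtom soap1.2", 7: "binary soap1.2",
                  8: "binary soap1.2 in-band dictionary"}

def read_varint(buf, pos):
    """Decode an MC-NMF size field: little-endian base-128, high bit = continue, at most 5 bytes."""
    value, shift = 0, 0
    for i in range(5):
        if pos + i >= len(buf):
            raise ValueError("truncated size field")
        b = buf[pos + i]
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos + i + 1
        shift += 7
    raise ValueError("size field longer than 5 bytes")

def parse_preamble(buf):
    """Walk the preamble records up to PreambleEnd (0x0C). Returns a dict with
    mode, via, encoding, any upgrade requests, and complete=True/False
    (False when the capture stops before the PreambleEnd record)."""
    if buf[:3] != bytes([VERSION, 1, 0]):
        raise ValueError("not an MC-NMF 1.0 preamble")
    pos, out = 3, {"upgrades": []}
    while pos < len(buf):
        rtype, pos = buf[pos], pos + 1
        if rtype == MODE:
            out["mode"], pos = MODE_NAMES.get(buf[pos], "unknown"), pos + 1
        elif rtype == KNOWN_ENC:
            out["encoding"], pos = ENCODING_NAMES.get(buf[pos], "unknown"), pos + 1
        elif rtype in (VIA, EXT_ENC, UPGRADE_REQ):
            n, pos = read_varint(buf, pos)
            text = buf[pos:pos + n].decode("utf-8")
            pos += n
            if rtype == VIA:
                out["via"] = text
            elif rtype == EXT_ENC:
                out["encoding"] = text
            else:
                # The server answers each UpgradeRequest with an UpgradeResponse
                # (0x0A) before the client sends PreambleEnd; only the client
                # direction is parsed here.
                out["upgrades"].append(text)
        elif rtype == PREAMBLE_END:
            out["complete"] = True
            return out
        else:
            raise ValueError(f"unexpected record type 0x{rtype:02x} inside preamble")
    out["complete"] = False
    return out

def contacts_unresolved_host(preamble, resolved_names):
    """True when the Via names a literal IP, or a name the sandbox never resolved."""
    host = urlparse(preamble["via"]).hostname
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return host not in resolved_names

# Constructed client preamble: version 1.0, duplex mode, Via with a literal IP,
# binary encoding with in-band dictionary (what a WCF NetTcpBinding sends).
VIA_URI = b"net.tcp://203.0.113.10:4444/"
SAMPLE_PREAMBLE = (bytes([VERSION, 1, 0, MODE, 2, VIA, len(VIA_URI)]) + VIA_URI
                   + bytes([KNOWN_ENC, 8, PREAMBLE_END]))

if __name__ == "__main__":
    p = parse_preamble(SAMPLE_PREAMBLE)
    print(p, "unresolved host:", contacts_unresolved_host(p, set()))
```

The first three bytes (`00 01 00`) followed by the mode record are what the generic net.tcp rule matches; the RedLine-specific rules look further into the stream, so a host that fails `contacts_unresolved_host` on a preamble alone is a lead for the analyst, not a RedLine verdict.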
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x583000 GetModuleHandleA
0x583004 GetProcAddress
0x583008 RaiseException
0x58300c CloseHandle
0x583010 WaitForSingleObjectEx
0x583014 Sleep
0x583018 SwitchToThread
0x58301c GetCurrentThreadId
0x583020 GetExitCodeThread
0x583024 GetNativeSystemInfo
0x583028 InitializeSRWLock
0x58302c ReleaseSRWLockExclusive
0x583030 AcquireSRWLockExclusive
0x583034 EnterCriticalSection
0x583038 LeaveCriticalSection
0x58303c InitializeCriticalSectionEx
0x583040 TryEnterCriticalSection
0x583044 DeleteCriticalSection
0x583048 InitializeConditionVariable
0x58304c WakeConditionVariable
0x583050 WakeAllConditionVariable
0x583054 SleepConditionVariableCS
0x583058 SleepConditionVariableSRW
0x58305c FormatMessageA
0x583060 WideCharToMultiByte
0x583064 MultiByteToWideChar
0x583068 GetStringTypeW
0x58306c InitOnceBeginInitialize
0x583070 InitOnceComplete
0x583074 GetLastError
0x583078 FreeLibraryWhenCallbackReturns
0x58307c CreateThreadpoolWork
0x583080 SubmitThreadpoolWork
0x583084 CloseThreadpoolWork
0x583088 GetModuleHandleExW
0x58308c RtlCaptureStackBackTrace
0x583090 IsProcessorFeaturePresent
0x583094 QueryPerformanceCounter
0x583098 QueryPerformanceFrequency
0x58309c SetFileInformationByHandle
0x5830a0 FlsAlloc
0x5830a4 FlsGetValue
0x5830a8 FlsSetValue
0x5830ac FlsFree
0x5830b0 InitOnceExecuteOnce
0x5830b4 CreateEventExW
0x5830b8 CreateSemaphoreExW
0x5830bc FlushProcessWriteBuffers
0x5830c0 GetCurrentProcessorNumber
0x5830c4 GetSystemTimeAsFileTime
0x5830c8 GetTickCount64
0x5830cc CreateThreadpoolTimer
0x5830d0 SetThreadpoolTimer
0x5830d4 WaitForThreadpoolTimerCallbacks
0x5830d8 CloseThreadpoolTimer
0x5830dc CreateThreadpoolWait
0x5830e0 SetThreadpoolWait
0x5830e4 CloseThreadpoolWait
0x5830e8 GetModuleHandleW
0x5830ec GetFileInformationByHandleEx
0x5830f0 CreateSymbolicLinkW
0x5830f4 LocalFree
0x5830f8 EncodePointer
0x5830fc DecodePointer
0x583100 LCMapStringEx
0x583104 GetLocaleInfoEx
0x583108 CompareStringEx
0x58310c GetCPInfo
0x583110 InitializeCriticalSectionAndSpinCount
0x583114 SetEvent
0x583118 ResetEvent
0x58311c CreateEventW
0x583120 GetCurrentProcessId
0x583124 InitializeSListHead
0x583128 IsDebuggerPresent
0x58312c UnhandledExceptionFilter
0x583130 SetUnhandledExceptionFilter
0x583134 GetStartupInfoW
0x583138 GetCurrentProcess
0x58313c TerminateProcess
0x583140 CreateFileW
0x583144 RtlUnwind
0x583148 InterlockedPushEntrySList
0x58314c InterlockedFlushSList
0x583150 SetLastError
0x583154 TlsAlloc
0x583158 TlsGetValue
0x58315c TlsSetValue
0x583160 TlsFree
0x583164 FreeLibrary
0x583168 LoadLibraryExW
0x58316c CreateThread
0x583170 ExitThread
0x583174 ResumeThread
0x583178 FreeLibraryAndExitThread
0x58317c GetStdHandle
0x583180 WriteFile
0x583184 GetModuleFileNameW
0x583188 ExitProcess
0x58318c GetCommandLineA
0x583190 GetCommandLineW
0x583194 GetCurrentThread
0x583198 HeapFree
0x58319c SetConsoleCtrlHandler
0x5831a0 HeapAlloc
0x5831a4 GetDateFormatW
0x5831a8 GetTimeFormatW
0x5831ac CompareStringW
0x5831b0 LCMapStringW
0x5831b4 GetLocaleInfoW
0x5831b8 IsValidLocale
0x5831bc GetUserDefaultLCID
0x5831c0 EnumSystemLocalesW
0x5831c4 GetFileType
0x5831c8 GetFileSizeEx
0x5831cc SetFilePointerEx
0x5831d0 FlushFileBuffers
0x5831d4 GetConsoleOutputCP
0x5831d8 GetConsoleMode
0x5831dc ReadFile
0x5831e0 HeapReAlloc
0x5831e4 GetTimeZoneInformation
0x5831e8 OutputDebugStringW
0x5831ec FindClose
0x5831f0 FindFirstFileExW
0x5831f4 FindNextFileW
0x5831f8 IsValidCodePage
0x5831fc GetACP
0x583200 GetOEMCP
0x583204 GetEnvironmentStringsW
0x583208 FreeEnvironmentStringsW
0x58320c SetEnvironmentVariableW
0x583210 SetStdHandle
0x583214 GetProcessHeap
0x583218 ReadConsoleW
0x58321c HeapSize
0x583220 WriteConsoleW
EAT(Export Address Table) is none
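The imphash in the header is derived from exactly this kind of listing: DLL name and function name per entry, in IAT order. As an added example, not code from the report, the following reproduces the pefile `get_imphash()` rule set (lower-case, drop the `.dll`/`.ocx`/`.sys` extension, `ordN` for ordinals, join `dll.func` with commas, MD5) and parses the report's listing format. The excerpt embedded in the block is constructed from the first three entries above; feeding the whole KERNEL32.dll block through `parse_iat_listing` gives a value to compare with `31ca7f44eea51b716619fb542450c07f`, and a mismatch means the listing is incomplete or reordered rather than that the hash is wrong. The `ordN` spelling for ordinal imports is an assumption about how this report would print them.

```python
"""Recompute an imphash from the report's IAT listing so the import list and
the header hash can be checked against each other.

Added example, not code from the report. Follows pefile's get_imphash():
lower-case, strip .dll/.ocx/.sys, 'ordN' for ordinals, join 'dll.func' with
commas, MD5. The 'ordN' spelling of ordinal entries in the listing is an
assumption; the excerpt below is constructed from the listing's first lines.
"""
import hashlib
import re

ENTRY_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)$")   # e.g. '0x583000 GetModuleHandleA'
ORDINAL_RE = re.compile(r"^ord(\d+)$", re.IGNORECASE)  # assumed ordinal spelling

def parse_iat_listing(text):
    """Turn 'DLL header / 0xADDR Function' lines into [(dll, func_or_ordinal)] in order.
    A line with no whitespace ('KERNEL32.dll') starts a new DLL block; other
    non-entry lines ('EAT(Export Address Table) is none') are ignored."""
    imports, dll = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            if " " not in line:
                dll = line
            continue
        if dll is None:
            raise ValueError("import entry before any DLL header")
        o = ORDINAL_RE.match(m.group(1))
        imports.append((dll, int(o.group(1)) if o else m.group(1)))
    return imports

def import_string(imports):
    """The canonical 'dll.func,dll.func,...' string that imphash hashes."""
    parts = []
    for dll, func in imports:
        dll = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if dll.endswith(ext):
                dll = dll[:-len(ext)]
                break
        name = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{dll}.{name}")
    return ",".join(parts)

def imphash(imports):
    """MD5 of the canonical import string; order-sensitive, so a reordered IAT changes it."""
    return hashlib.md5(import_string(imports).encode("ascii")).hexdigest()

# Constructed excerpt: the first three KERNEL32.dll entries of the listing above.
LISTING_EXCERPT = """\
KERNEL32.dll
0x583000 GetModuleHandleA
0x583004 GetProcAddress
0x583008 RaiseException
"""

if __name__ == "__main__":
    imps = parse_iat_listing(LISTING_EXCERPT)
    print(import_string(imps))
    print("imphash of excerpt:", imphash(imps))
```

Because the hash covers names only, not the IAT addresses, two builds with the same linker import order share an imphash even when the rest of the binary differs; that is what makes it a clustering key and not a file identifier.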