Field | Value |
---|---|
Created | 2023.09.30 13:26 |
Machine | s1_win7_x6403 |
Filename | ja8drj17aq2.exe |
Type | PE32 executable (console) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 52 detected (AIDetectMalware, Injuke, RedLineNET, GenericKD, Lazy, RedLineStealer, Kryptik, V22z, Genus, Eldorado, Whispergate, malicious, high confidence, HUBU, Pwsx, evmr, CrypterX, Ddhl, RedLineSteal, nwhwd, REDLINE, YXDI3Z, Detected, ai score=86, Malware@#2n617ukw6te8e, Malgent, score, R608260, BScope, TrojanPSW, unsafe, Chgt, ftXpmA7sSPG, confidence, 100%) |
md5 | 31c3b0ab9b83cafb8eb3a7890e2d05ca |
sha256 | 35f7e6ac149538b9ec2b1286dd43d4fb9e78aa78a4b74c64cd4194d7bc5cb215 |
ssdeep | 24576:fMZThJqJAzoy99wI6DAnAia8gzRGK/6H1V:fMZThJqy99wIyAJWcK/6H1 |
imphash | 500aa68029ae375a898af1edb3f40b87 |
impfuzzy | 48:VBfWJcpH+zD9vrxQSXtXxZrmbt8GzbQo3buFZGzk:VBfWJcpH+X1rxHXtXxxmbt8GPQP9 |
Network IP location
Signatures (26 counts)
Level | Description |
---|---|
danger | File has been identified by 52 AntiVirus engines on VirusTotal as malicious |
danger | Executed a process and injected code into it |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
watch | Harvests credentials from local FTP client software |
watch | One or more of the buffers contains an embedded PE file |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | One or more potentially interesting buffers were extracted |
notice | Queries for potentially installed applications |
notice | Steals private information from local Internet browsers |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Command line console output was observed |
info | One or more processes crashed |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | The executable uses a known packer |
info | This executable has a PDB path |
info | Tries to locate where the browsers are installed |
info | Uses Windows APIs to generate a cryptographic key |
Rules (14 counts)
Level | Name | Description | Collection |
---|---|---|---|
danger | RedLine_Stealer_m_Zero | RedLine stealer | memory |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Suricata IDs
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x51d000 GetModuleHandleA
0x51d004 GetProcAddress
0x51d008 RaiseException
0x51d00c CloseHandle
0x51d010 WaitForSingleObjectEx
0x51d014 Sleep
0x51d018 SwitchToThread
0x51d01c GetCurrentThreadId
0x51d020 GetExitCodeThread
0x51d024 GetNativeSystemInfo
0x51d028 InitializeSRWLock
0x51d02c ReleaseSRWLockExclusive
0x51d030 AcquireSRWLockExclusive
0x51d034 EnterCriticalSection
0x51d038 LeaveCriticalSection
0x51d03c InitializeCriticalSectionEx
0x51d040 TryEnterCriticalSection
0x51d044 DeleteCriticalSection
0x51d048 InitializeConditionVariable
0x51d04c WakeConditionVariable
0x51d050 WakeAllConditionVariable
0x51d054 SleepConditionVariableCS
0x51d058 SleepConditionVariableSRW
0x51d05c FormatMessageA
0x51d060 WideCharToMultiByte
0x51d064 MultiByteToWideChar
0x51d068 GetStringTypeW
0x51d06c InitOnceBeginInitialize
0x51d070 InitOnceComplete
0x51d074 GetLastError
0x51d078 FreeLibraryWhenCallbackReturns
0x51d07c CreateThreadpoolWork
0x51d080 SubmitThreadpoolWork
0x51d084 CloseThreadpoolWork
0x51d088 GetModuleHandleExW
0x51d08c RtlCaptureStackBackTrace
0x51d090 IsProcessorFeaturePresent
0x51d094 QueryPerformanceCounter
0x51d098 QueryPerformanceFrequency
0x51d09c SetFileInformationByHandle
0x51d0a0 FlsAlloc
0x51d0a4 FlsGetValue
0x51d0a8 FlsSetValue
0x51d0ac FlsFree
0x51d0b0 InitOnceExecuteOnce
0x51d0b4 CreateEventExW
0x51d0b8 CreateSemaphoreExW
0x51d0bc FlushProcessWriteBuffers
0x51d0c0 GetCurrentProcessorNumber
0x51d0c4 GetSystemTimeAsFileTime
0x51d0c8 GetTickCount64
0x51d0cc CreateThreadpoolTimer
0x51d0d0 SetThreadpoolTimer
0x51d0d4 WaitForThreadpoolTimerCallbacks
0x51d0d8 CloseThreadpoolTimer
0x51d0dc CreateThreadpoolWait
0x51d0e0 SetThreadpoolWait
0x51d0e4 CloseThreadpoolWait
0x51d0e8 GetModuleHandleW
0x51d0ec GetFileInformationByHandleEx
0x51d0f0 CreateSymbolicLinkW
0x51d0f4 LocalFree
0x51d0f8 EncodePointer
0x51d0fc DecodePointer
0x51d100 LCMapStringEx
0x51d104 GetLocaleInfoEx
0x51d108 CompareStringEx
0x51d10c GetCPInfo
0x51d110 InitializeCriticalSectionAndSpinCount
0x51d114 SetEvent
0x51d118 ResetEvent
0x51d11c CreateEventW
0x51d120 IsDebuggerPresent
0x51d124 UnhandledExceptionFilter
0x51d128 SetUnhandledExceptionFilter
0x51d12c GetStartupInfoW
0x51d130 GetCurrentProcess
0x51d134 TerminateProcess
0x51d138 GetCurrentProcessId
0x51d13c InitializeSListHead
0x51d140 CreateFileW
0x51d144 RtlUnwind
0x51d148 InterlockedPushEntrySList
0x51d14c InterlockedFlushSList
0x51d150 SetLastError
0x51d154 TlsAlloc
0x51d158 TlsGetValue
0x51d15c TlsSetValue
0x51d160 TlsFree
0x51d164 FreeLibrary
0x51d168 LoadLibraryExW
0x51d16c CreateThread
0x51d170 ExitThread
0x51d174 ResumeThread
0x51d178 FreeLibraryAndExitThread
0x51d17c ExitProcess
0x51d180 GetModuleFileNameW
0x51d184 GetStdHandle
0x51d188 WriteFile
0x51d18c GetCommandLineA
0x51d190 GetCommandLineW
0x51d194 GetCurrentThread
0x51d198 HeapFree
0x51d19c SetConsoleCtrlHandler
0x51d1a0 HeapAlloc
0x51d1a4 GetDateFormatW
0x51d1a8 GetTimeFormatW
0x51d1ac CompareStringW
0x51d1b0 LCMapStringW
0x51d1b4 GetLocaleInfoW
0x51d1b8 IsValidLocale
0x51d1bc GetUserDefaultLCID
0x51d1c0 EnumSystemLocalesW
0x51d1c4 GetFileType
0x51d1c8 GetFileSizeEx
0x51d1cc SetFilePointerEx
0x51d1d0 FlushFileBuffers
0x51d1d4 GetConsoleOutputCP
0x51d1d8 GetConsoleMode
0x51d1dc ReadFile
0x51d1e0 HeapReAlloc
0x51d1e4 GetTimeZoneInformation
0x51d1e8 FindClose
0x51d1ec FindFirstFileExW
0x51d1f0 FindNextFileW
0x51d1f4 IsValidCodePage
0x51d1f8 GetACP
0x51d1fc GetOEMCP
0x51d200 GetEnvironmentStringsW
0x51d204 FreeEnvironmentStringsW
0x51d208 SetEnvironmentVariableW
0x51d20c GetProcessHeap
0x51d210 OutputDebugStringW
0x51d214 SetStdHandle
0x51d218 ReadConsoleW
0x51d21c HeapSize
0x51d220 WriteConsoleW
EAT (Export Address Table): none