ScreenShot
| Created | 2023.09.30 13:09 | Machine | s1_win7_x6401 |
| Filename | installs.exe | ||
| Type | PE32 executable (console) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 54 detected (AIDetectMalware, malicious, high confidence, GenericKD, RedLineStealer, Save, Genus, Kryptik, Eldorado, Attribute, HighConfidence, VMProtect, AU suspicious, score, evmc, PWSX, FalseSign, Swhl, sxywh, Packed2, REDLINE, USPAXIS23, Artemis, high, Static AI, Malicious PE, ApplicUnwnt@#wt3dnbz8muwf, Detected, ai score=89, BScope, TrojanPSW, unsafe, Chgt, Generic@AI, RDML, JBGBBVhRb5OnPWTAYF8bsQ, susgen, ZexaF, @RY@aS1@pxci) | ||
| md5 | 0508858aafafa001652f27d51ed4872b | ||
| sha256 | 2b159c6931ed9c1687fbbf393f91514bdb88303f1ebda6b811892faa443f3cd3 | ||
| ssdeep | 98304:fzqKcOaPwmZKAO0Cin1VvuJi0Q4vu7ZxI3Jyuq+L/Y:fSH1ESZxEUuq+L/Y | ||
| imphash | d05c4856bcec3de7a93f93043e1eeb39 | ||
| impfuzzy | 24:CNDorjjYgfPOovnKQFQ8RyvDh/J3ISlRT47mfpl/qT+dNDW:t+EK3Djhc7mfp5qKa | ||
Network IP location
Signature (19cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 54 AntiVirus engines on VirusTotal as malicious |
| watch | Collects information about installed applications |
| watch | Communicates with host for which no DNS query was performed |
| watch | Executes one or more WMI queries |
| watch | Harvests credentials from local FTP client softwares |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Executes one or more WMI queries which can be used to identify virtual machines |
| notice | One or more potentially interesting buffers were extracted |
| notice | Queries for potentially installed applications |
| notice | Steals private information from local Internet browsers |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | Tries to locate where the browsers are installed |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (3cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x627000 Sleep
0x627004 CreateThread
0x627008 lstrlenW
0x62700c VirtualProtect
0x627010 GetProcAddress
0x627014 LoadLibraryA
0x627018 VirtualAlloc
0x62701c LockResource
0x627020 WaitForSingleObject
0x627024 SizeofResource
0x627028 FindResourceW
0x62702c GetModuleHandleW
0x627030 GetLastError
0x627034 CreateMutexA
0x627038 GetModuleHandleA
0x62703c EnumTimeFormatsW
0x627040 FreeConsole
0x627044 LoadResource
0x627048 MoveFileA
0x62704c GetCommandLineA
0x627050 SetUnhandledExceptionFilter
0x627054 ExitProcess
0x627058 WriteFile
0x62705c GetStdHandle
0x627060 GetModuleFileNameA
0x627064 FreeEnvironmentStringsA
0x627068 GetEnvironmentStrings
0x62706c FreeEnvironmentStringsW
0x627070 WideCharToMultiByte
0x627074 GetEnvironmentStringsW
0x627078 SetHandleCount
0x62707c GetFileType
0x627080 GetStartupInfoA
0x627084 DeleteCriticalSection
0x627088 TlsGetValue
0x62708c TlsAlloc
0x627090 TlsSetValue
0x627094 TlsFree
0x627098 InterlockedIncrement
0x62709c SetLastError
0x6270a0 GetCurrentThreadId
0x6270a4 InterlockedDecrement
0x6270a8 HeapCreate
0x6270ac VirtualFree
0x6270b0 HeapFree
0x6270b4 QueryPerformanceCounter
0x6270b8 GetTickCount
0x6270bc GetCurrentProcessId
0x6270c0 GetSystemTimeAsFileTime
0x6270c4 GetCPInfo
0x6270c8 GetACP
0x6270cc GetOEMCP
0x6270d0 IsValidCodePage
0x6270d4 TerminateProcess
0x6270d8 GetCurrentProcess
0x6270dc UnhandledExceptionFilter
0x6270e0 IsDebuggerPresent
0x6270e4 LeaveCriticalSection
0x6270e8 EnterCriticalSection
0x6270ec InitializeCriticalSectionAndSpinCount
0x6270f0 HeapAlloc
0x6270f4 HeapReAlloc
0x6270f8 RtlUnwind
0x6270fc LCMapStringA
0x627100 MultiByteToWideChar
0x627104 LCMapStringW
0x627108 GetStringTypeA
0x62710c GetStringTypeW
0x627110 GetLocaleInfoA
0x627114 HeapSize
ADVAPI32.dll
0x62711c RegDeleteKeyA
KERNEL32.dll
0x627124 LocalAlloc
0x627128 LocalFree
0x62712c GetModuleFileNameW
0x627130 ExitProcess
0x627134 LoadLibraryA
0x627138 GetModuleHandleA
0x62713c GetProcAddress
EAT(Export Address Table) is none
KERNEL32.dll
0x627000 Sleep
0x627004 CreateThread
0x627008 lstrlenW
0x62700c VirtualProtect
0x627010 GetProcAddress
0x627014 LoadLibraryA
0x627018 VirtualAlloc
0x62701c LockResource
0x627020 WaitForSingleObject
0x627024 SizeofResource
0x627028 FindResourceW
0x62702c GetModuleHandleW
0x627030 GetLastError
0x627034 CreateMutexA
0x627038 GetModuleHandleA
0x62703c EnumTimeFormatsW
0x627040 FreeConsole
0x627044 LoadResource
0x627048 MoveFileA
0x62704c GetCommandLineA
0x627050 SetUnhandledExceptionFilter
0x627054 ExitProcess
0x627058 WriteFile
0x62705c GetStdHandle
0x627060 GetModuleFileNameA
0x627064 FreeEnvironmentStringsA
0x627068 GetEnvironmentStrings
0x62706c FreeEnvironmentStringsW
0x627070 WideCharToMultiByte
0x627074 GetEnvironmentStringsW
0x627078 SetHandleCount
0x62707c GetFileType
0x627080 GetStartupInfoA
0x627084 DeleteCriticalSection
0x627088 TlsGetValue
0x62708c TlsAlloc
0x627090 TlsSetValue
0x627094 TlsFree
0x627098 InterlockedIncrement
0x62709c SetLastError
0x6270a0 GetCurrentThreadId
0x6270a4 InterlockedDecrement
0x6270a8 HeapCreate
0x6270ac VirtualFree
0x6270b0 HeapFree
0x6270b4 QueryPerformanceCounter
0x6270b8 GetTickCount
0x6270bc GetCurrentProcessId
0x6270c0 GetSystemTimeAsFileTime
0x6270c4 GetCPInfo
0x6270c8 GetACP
0x6270cc GetOEMCP
0x6270d0 IsValidCodePage
0x6270d4 TerminateProcess
0x6270d8 GetCurrentProcess
0x6270dc UnhandledExceptionFilter
0x6270e0 IsDebuggerPresent
0x6270e4 LeaveCriticalSection
0x6270e8 EnterCriticalSection
0x6270ec InitializeCriticalSectionAndSpinCount
0x6270f0 HeapAlloc
0x6270f4 HeapReAlloc
0x6270f8 RtlUnwind
0x6270fc LCMapStringA
0x627100 MultiByteToWideChar
0x627104 LCMapStringW
0x627108 GetStringTypeA
0x62710c GetStringTypeW
0x627110 GetLocaleInfoA
0x627114 HeapSize
ADVAPI32.dll
0x62711c RegDeleteKeyA
KERNEL32.dll
0x627124 LocalAlloc
0x627128 LocalFree
0x62712c GetModuleFileNameW
0x627130 ExitProcess
0x627134 LoadLibraryA
0x627138 GetModuleHandleA
0x62713c GetProcAddress
EAT(Export Address Table) is none