| Field | Value |
|---|---|
| Created | 2023.10.03 12:54 |
| Machine | s1_win7_x6403 |
| Filename | Ifum2.exe |
| Type | PE32 executable (console) Intel 80386, for MS Windows |
| AI Score | |
| Behavior Score | |
| ZERO API | file : malware |
| VT API (file) | 44 detected (AIDetectMalware, Lazy, Artemis, Redline, Vahd, GenusT, DPYT, Attribute, HighConfidence, malicious, high confidence, Kryptik, HUKQ, score, PWSX, Gencirc, Inject4, YXDJCZ, moderate, Stealerc, R600050, BScope, TrojanPSW, ai score=88, unsafe, Chgt, SmokeLoader, CLASSIC, wRMFLXYHnOE, ETFD, confidence) |
| md5 | a7e5dd9ea31f866fdd0b425165f90915 |
| sha256 | d2608d6f7e2001cf70808e3c89bf702484c13f85ae19037a1de33fe957a3233a |
| ssdeep | 24576:DpRaJkjIFluoFg9BA0/ho7svms7IcRvJ3:lnIFluoFgZho7XsDRvJ3 |
| imphash | 034f0d020ac1c43c0a84ba23dcd4c85a |
| impfuzzy | 24:JA599VcpVW6OCrttlS1IGzplJBl3eDoLoEOovbO3OuFZMvMGMApTm+lEZHu9U:K599VcpVqCrttlS1IGzPpXc3euFZGiZ |
Network IP location
Signature (15cnts)
Level | Description |
---|---|
danger | File has been identified by 44 AntiVirus engines on VirusTotal as malicious |
danger | Executed a process and injected code into it |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Code injection by writing an executable or DLL to the memory of another process |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | One or more potentially interesting buffers were extracted |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Command line console output was observed |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | This executable has a PDB path |
Rules (14cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | RedLine_Stealer_m_Zero | RedLine stealer | memory |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata ids
PE API
IAT (Import Address Table) Library
GDI32.dll
0x486000 FloodFill
0x486004 EndPage
USER32.dll
0x486170 ReleaseDC
0x486174 GetDC
KERNEL32.dll
0x48600c CreateFileW
0x486010 HeapSize
0x486014 GetProcessHeap
0x486018 Sleep
0x48601c MultiByteToWideChar
0x486020 FormatMessageA
0x486024 GetStringTypeW
0x486028 WideCharToMultiByte
0x48602c EnterCriticalSection
0x486030 LeaveCriticalSection
0x486034 InitializeCriticalSectionEx
0x486038 DeleteCriticalSection
0x48603c EncodePointer
0x486040 DecodePointer
0x486044 LocalFree
0x486048 GetLocaleInfoEx
0x48604c LCMapStringEx
0x486050 CompareStringEx
0x486054 GetCPInfo
0x486058 IsProcessorFeaturePresent
0x48605c UnhandledExceptionFilter
0x486060 SetUnhandledExceptionFilter
0x486064 GetCurrentProcess
0x486068 TerminateProcess
0x48606c QueryPerformanceCounter
0x486070 GetCurrentProcessId
0x486074 GetCurrentThreadId
0x486078 GetSystemTimeAsFileTime
0x48607c InitializeSListHead
0x486080 IsDebuggerPresent
0x486084 GetStartupInfoW
0x486088 GetModuleHandleW
0x48608c SetStdHandle
0x486090 RaiseException
0x486094 RtlUnwind
0x486098 InterlockedPushEntrySList
0x48609c InterlockedFlushSList
0x4860a0 GetLastError
0x4860a4 SetLastError
0x4860a8 InitializeCriticalSectionAndSpinCount
0x4860ac TlsAlloc
0x4860b0 TlsGetValue
0x4860b4 TlsSetValue
0x4860b8 TlsFree
0x4860bc FreeLibrary
0x4860c0 GetProcAddress
0x4860c4 LoadLibraryExW
0x4860c8 GetStdHandle
0x4860cc WriteFile
0x4860d0 GetModuleFileNameW
0x4860d4 ExitProcess
0x4860d8 GetModuleHandleExW
0x4860dc GetCommandLineA
0x4860e0 GetCommandLineW
0x4860e4 HeapAlloc
0x4860e8 HeapFree
0x4860ec GetDateFormatW
0x4860f0 GetTimeFormatW
0x4860f4 CompareStringW
0x4860f8 LCMapStringW
0x4860fc GetLocaleInfoW
0x486100 IsValidLocale
0x486104 GetUserDefaultLCID
0x486108 EnumSystemLocalesW
0x48610c GetFileType
0x486110 GetCurrentThread
0x486114 CloseHandle
0x486118 FlushFileBuffers
0x48611c GetConsoleOutputCP
0x486120 GetConsoleMode
0x486124 ReadFile
0x486128 GetFileSizeEx
0x48612c SetFilePointerEx
0x486130 ReadConsoleW
0x486134 SetConsoleCtrlHandler
0x486138 HeapReAlloc
0x48613c GetTimeZoneInformation
0x486140 OutputDebugStringW
0x486144 FindClose
0x486148 FindFirstFileExW
0x48614c FindNextFileW
0x486150 IsValidCodePage
0x486154 GetACP
0x486158 GetOEMCP
0x48615c GetEnvironmentStringsW
0x486160 FreeEnvironmentStringsW
0x486164 SetEnvironmentVariableW
0x486168 WriteConsoleW
EAT (Export Address Table): none