ScreenShot
Field | Value
---|---
Created | 2023.10.05 07:43
Machine | s1_win7_x6401
Filename | 3.exe
Type | PE32 executable (console) Intel 80386, for MS Windows
AI Score |
Behavior Score |
ZERO API | file : clean
VT API (file) | 41 detected (AIDetectMalware, Lazy, Vlq6, Kryptik, Eldorado, Attribute, HighConfidence, malicious, high confidence, HUBU, Pwsx, FileRepMalware, RedLineNET, Static AI, Suspicious PE, Detected, ai score=86, Sabsik, score, Artemis, BScope, TrojanPSW, RedLine, unsafe, Generic@AI, RDML, CRKnnhYvOU9UqAu2sZVdYg, susgen, ETFD, ZexaF, PXW@aK@SGLdi, confidence)
md5 | 845b889989bad720eb796775536f36a1
sha256 | b9f6facb2338679b053005175f3bcf760ee7824c98294a3f1a939589c1a580f1
ssdeep | 24576:d2U/Y/LG8fsksvYS0NU3e0FUTdW98lo0Oo:d2UAtsksvY1+mBWPB
imphash | bcb1724c5759c241360ff43b3a5eb6aa
impfuzzy | 48:UBUBfWJcpH+zD9vrxQSXtXvZrBt8+zbQo3lbuFZqI:UBUBfWJcpH+X1rxHXtXvxBt8+PQH5
Network IP location
Signature (24cnts)
Level | Description |
---|---|
danger | File has been identified by 41 AntiVirus engines on VirusTotal as malicious |
danger | Executed a process and injected code into it |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
watch | Harvests credentials from local FTP client software |
watch | One or more of the buffers contains an embedded PE file |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | One or more potentially interesting buffers were extracted |
notice | Queries for potentially installed applications |
notice | Steals private information from local Internet browsers |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | One or more processes crashed |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | The executable uses a known packer |
info | Tries to locate where the browsers are installed |
info | Uses Windows APIs to generate a cryptographic key |
Rules (16cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | RedLine_Stealer_m_Zero | RedLine stealer | memory |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
notice | ScreenShot | Take ScreenShot | memory |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Suricata ids
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
PE API
IAT (Import Address Table) Library
USER32.dll
0x5182bc GetTopWindow
KERNEL32.dll
0x518000 InitializeCriticalSectionAndSpinCount
0x518004 CreateFileW
0x518008 FreeConsole
0x51800c RaiseException
0x518010 CloseHandle
0x518014 WaitForSingleObjectEx
0x518018 Sleep
0x51801c SwitchToThread
0x518020 GetCurrentThreadId
0x518024 GetExitCodeThread
0x518028 GetNativeSystemInfo
0x51802c InitializeSRWLock
0x518030 ReleaseSRWLockExclusive
0x518034 AcquireSRWLockExclusive
0x518038 EnterCriticalSection
0x51803c LeaveCriticalSection
0x518040 InitializeCriticalSectionEx
0x518044 TryEnterCriticalSection
0x518048 DeleteCriticalSection
0x51804c InitializeConditionVariable
0x518050 WakeConditionVariable
0x518054 WakeAllConditionVariable
0x518058 SleepConditionVariableCS
0x51805c SleepConditionVariableSRW
0x518060 FormatMessageA
0x518064 WideCharToMultiByte
0x518068 MultiByteToWideChar
0x51806c GetStringTypeW
0x518070 InitOnceBeginInitialize
0x518074 InitOnceComplete
0x518078 GetLastError
0x51807c FreeLibraryWhenCallbackReturns
0x518080 CreateThreadpoolWork
0x518084 SubmitThreadpoolWork
0x518088 CloseThreadpoolWork
0x51808c GetModuleHandleExW
0x518090 RtlCaptureStackBackTrace
0x518094 IsProcessorFeaturePresent
0x518098 QueryPerformanceCounter
0x51809c QueryPerformanceFrequency
0x5180a0 SetFileInformationByHandle
0x5180a4 FlsAlloc
0x5180a8 FlsGetValue
0x5180ac FlsSetValue
0x5180b0 FlsFree
0x5180b4 InitOnceExecuteOnce
0x5180b8 CreateEventExW
0x5180bc CreateSemaphoreExW
0x5180c0 FlushProcessWriteBuffers
0x5180c4 GetCurrentProcessorNumber
0x5180c8 GetSystemTimeAsFileTime
0x5180cc GetTickCount64
0x5180d0 CreateThreadpoolTimer
0x5180d4 SetThreadpoolTimer
0x5180d8 WaitForThreadpoolTimerCallbacks
0x5180dc CloseThreadpoolTimer
0x5180e0 CreateThreadpoolWait
0x5180e4 SetThreadpoolWait
0x5180e8 CloseThreadpoolWait
0x5180ec GetModuleHandleW
0x5180f0 GetProcAddress
0x5180f4 GetFileInformationByHandleEx
0x5180f8 CreateSymbolicLinkW
0x5180fc LocalFree
0x518100 EncodePointer
0x518104 DecodePointer
0x518108 LCMapStringEx
0x51810c GetLocaleInfoEx
0x518110 CompareStringEx
0x518114 GetCPInfo
0x518118 WriteConsoleW
0x51811c SetEvent
0x518120 ResetEvent
0x518124 CreateEventW
0x518128 IsDebuggerPresent
0x51812c UnhandledExceptionFilter
0x518130 SetUnhandledExceptionFilter
0x518134 GetStartupInfoW
0x518138 GetCurrentProcess
0x51813c TerminateProcess
0x518140 GetCurrentProcessId
0x518144 InitializeSListHead
0x518148 HeapSize
0x51814c RtlUnwind
0x518150 InterlockedPushEntrySList
0x518154 InterlockedFlushSList
0x518158 SetLastError
0x51815c TlsAlloc
0x518160 TlsGetValue
0x518164 TlsSetValue
0x518168 TlsFree
0x51816c FreeLibrary
0x518170 LoadLibraryExW
0x518174 CreateThread
0x518178 ExitThread
0x51817c ResumeThread
0x518180 FreeLibraryAndExitThread
0x518184 ExitProcess
0x518188 GetModuleFileNameW
0x51818c GetStdHandle
0x518190 WriteFile
0x518194 GetCommandLineA
0x518198 GetCommandLineW
0x51819c GetCurrentThread
0x5181a0 HeapAlloc
0x5181a4 HeapFree
0x5181a8 SetConsoleCtrlHandler
0x5181ac GetFileType
0x5181b0 GetDateFormatW
0x5181b4 GetTimeFormatW
0x5181b8 CompareStringW
0x5181bc LCMapStringW
0x5181c0 GetLocaleInfoW
0x5181c4 IsValidLocale
0x5181c8 GetUserDefaultLCID
0x5181cc EnumSystemLocalesW
0x5181d0 GetFileSizeEx
0x5181d4 SetFilePointerEx
0x5181d8 FlushFileBuffers
0x5181dc GetConsoleOutputCP
0x5181e0 GetConsoleMode
0x5181e4 ReadFile
0x5181e8 HeapReAlloc
0x5181ec GetTimeZoneInformation
0x5181f0 FindClose
0x5181f4 FindFirstFileExW
0x5181f8 FindNextFileW
0x5181fc IsValidCodePage
0x518200 GetACP
0x518204 GetOEMCP
0x518208 GetEnvironmentStringsW
0x51820c FreeEnvironmentStringsW
0x518210 SetEnvironmentVariableW
0x518214 GetProcessHeap
0x518218 OutputDebugStringW
0x51821c SetStdHandle
0x518220 ReadConsoleW
EAT (Export Address Table): none