ScreenShot
| Created | 2023.10.05 17:02 | Machine | s1_win7_x6401 |
| Filename | 222.exe | ||
| Type | PE32 executable (console) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 35 detected (AIDetectMalware, Lazy, malicious, confidence, ZexaF, PXW@aGAyy1oi, Eldorado, Attribute, HighConfidence, high confidence, Kryptik, HUBU, score, Pwsx, Convagent, Redline, Sabsik, Detected, CrypterX, R608932, BScope, TrojanPSW, ai score=88, 9zsxuGTFI3S, ETFD) | ||
| md5 | 2efdda89d5ae8c0512fb0dfab4cff22a | ||
| sha256 | 2bc88b3ac4eda3e8aa3bc28902ce5c19db45ec574c170c623473bb2e4801efd6 | ||
| ssdeep | 24576:/L9DJXz9Dz+Hg0tIUnygszebhW5MuOExqgik9v5B3:/H9Dz+Hh1nM4W5P5XV5B | ||
| imphash | b77966559e48caa7890a2432200a2b65 | ||
| impfuzzy | 48:HBfWJcpH+zD9vrxQSXtXqZrmbt8GzbQo3buFZGzk:HBfWJcpH+X1rxHXtXqxmbt8GPQP9 | ||
Network IP location
Signature (24cnts)
| Level | Description |
|---|---|
| danger | Executed a process and injected code into it |
| danger | File has been identified by 35 AntiVirus engines on VirusTotal as malicious |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Collects information about installed applications |
| watch | Communicates with host for which no DNS query was performed |
| watch | Harvests credentials from local FTP client softwares |
| watch | One or more of the buffers contains an embedded PE file |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | One or more potentially interesting buffers were extracted |
| notice | Queries for potentially installed applications |
| notice | Steals private information from local Internet browsers |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The executable uses a known packer |
| info | Tries to locate where the browsers are installed |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (16cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | RedLine_Stealer_m_Zero | RedLine stealer | memory |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
| notice | ScreenShot | Take ScreenShot | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Suricata ids
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x518000 GetModuleHandleW
0x518004 GetProcAddress
0x518008 RaiseException
0x51800c CloseHandle
0x518010 WaitForSingleObjectEx
0x518014 Sleep
0x518018 SwitchToThread
0x51801c GetCurrentThreadId
0x518020 GetExitCodeThread
0x518024 GetNativeSystemInfo
0x518028 InitializeSRWLock
0x51802c ReleaseSRWLockExclusive
0x518030 AcquireSRWLockExclusive
0x518034 EnterCriticalSection
0x518038 LeaveCriticalSection
0x51803c InitializeCriticalSectionEx
0x518040 TryEnterCriticalSection
0x518044 DeleteCriticalSection
0x518048 InitializeConditionVariable
0x51804c WakeConditionVariable
0x518050 WakeAllConditionVariable
0x518054 SleepConditionVariableCS
0x518058 SleepConditionVariableSRW
0x51805c FormatMessageA
0x518060 WideCharToMultiByte
0x518064 MultiByteToWideChar
0x518068 GetStringTypeW
0x51806c InitOnceBeginInitialize
0x518070 InitOnceComplete
0x518074 GetLastError
0x518078 FreeLibraryWhenCallbackReturns
0x51807c CreateThreadpoolWork
0x518080 SubmitThreadpoolWork
0x518084 CloseThreadpoolWork
0x518088 GetModuleHandleExW
0x51808c RtlCaptureStackBackTrace
0x518090 IsProcessorFeaturePresent
0x518094 QueryPerformanceCounter
0x518098 QueryPerformanceFrequency
0x51809c SetFileInformationByHandle
0x5180a0 FlsAlloc
0x5180a4 FlsGetValue
0x5180a8 FlsSetValue
0x5180ac FlsFree
0x5180b0 InitOnceExecuteOnce
0x5180b4 CreateEventExW
0x5180b8 CreateSemaphoreExW
0x5180bc FlushProcessWriteBuffers
0x5180c0 GetCurrentProcessorNumber
0x5180c4 GetSystemTimeAsFileTime
0x5180c8 GetTickCount64
0x5180cc CreateThreadpoolTimer
0x5180d0 SetThreadpoolTimer
0x5180d4 WaitForThreadpoolTimerCallbacks
0x5180d8 CloseThreadpoolTimer
0x5180dc CreateThreadpoolWait
0x5180e0 SetThreadpoolWait
0x5180e4 CloseThreadpoolWait
0x5180e8 GetFileInformationByHandleEx
0x5180ec CreateSymbolicLinkW
0x5180f0 LocalFree
0x5180f4 EncodePointer
0x5180f8 DecodePointer
0x5180fc LCMapStringEx
0x518100 GetLocaleInfoEx
0x518104 CompareStringEx
0x518108 GetCPInfo
0x51810c InitializeCriticalSectionAndSpinCount
0x518110 SetEvent
0x518114 ResetEvent
0x518118 CreateEventW
0x51811c IsDebuggerPresent
0x518120 UnhandledExceptionFilter
0x518124 SetUnhandledExceptionFilter
0x518128 GetStartupInfoW
0x51812c GetCurrentProcess
0x518130 TerminateProcess
0x518134 GetCurrentProcessId
0x518138 InitializeSListHead
0x51813c CreateFileW
0x518140 RtlUnwind
0x518144 InterlockedPushEntrySList
0x518148 InterlockedFlushSList
0x51814c SetLastError
0x518150 TlsAlloc
0x518154 TlsGetValue
0x518158 TlsSetValue
0x51815c TlsFree
0x518160 FreeLibrary
0x518164 LoadLibraryExW
0x518168 CreateThread
0x51816c ExitThread
0x518170 ResumeThread
0x518174 FreeLibraryAndExitThread
0x518178 ExitProcess
0x51817c GetModuleFileNameW
0x518180 GetStdHandle
0x518184 WriteFile
0x518188 GetCommandLineA
0x51818c GetCommandLineW
0x518190 GetCurrentThread
0x518194 HeapFree
0x518198 SetConsoleCtrlHandler
0x51819c HeapAlloc
0x5181a0 GetDateFormatW
0x5181a4 GetTimeFormatW
0x5181a8 CompareStringW
0x5181ac LCMapStringW
0x5181b0 GetLocaleInfoW
0x5181b4 IsValidLocale
0x5181b8 GetUserDefaultLCID
0x5181bc EnumSystemLocalesW
0x5181c0 GetFileType
0x5181c4 GetFileSizeEx
0x5181c8 SetFilePointerEx
0x5181cc FlushFileBuffers
0x5181d0 GetConsoleOutputCP
0x5181d4 GetConsoleMode
0x5181d8 ReadFile
0x5181dc HeapReAlloc
0x5181e0 GetTimeZoneInformation
0x5181e4 FindClose
0x5181e8 FindFirstFileExW
0x5181ec FindNextFileW
0x5181f0 IsValidCodePage
0x5181f4 GetACP
0x5181f8 GetOEMCP
0x5181fc GetEnvironmentStringsW
0x518200 FreeEnvironmentStringsW
0x518204 SetEnvironmentVariableW
0x518208 GetProcessHeap
0x51820c OutputDebugStringW
0x518210 SetStdHandle
0x518214 ReadConsoleW
0x518218 HeapSize
0x51821c WriteConsoleW
EAT(Export Address Table) is none
KERNEL32.dll
0x518000 GetModuleHandleW
0x518004 GetProcAddress
0x518008 RaiseException
0x51800c CloseHandle
0x518010 WaitForSingleObjectEx
0x518014 Sleep
0x518018 SwitchToThread
0x51801c GetCurrentThreadId
0x518020 GetExitCodeThread
0x518024 GetNativeSystemInfo
0x518028 InitializeSRWLock
0x51802c ReleaseSRWLockExclusive
0x518030 AcquireSRWLockExclusive
0x518034 EnterCriticalSection
0x518038 LeaveCriticalSection
0x51803c InitializeCriticalSectionEx
0x518040 TryEnterCriticalSection
0x518044 DeleteCriticalSection
0x518048 InitializeConditionVariable
0x51804c WakeConditionVariable
0x518050 WakeAllConditionVariable
0x518054 SleepConditionVariableCS
0x518058 SleepConditionVariableSRW
0x51805c FormatMessageA
0x518060 WideCharToMultiByte
0x518064 MultiByteToWideChar
0x518068 GetStringTypeW
0x51806c InitOnceBeginInitialize
0x518070 InitOnceComplete
0x518074 GetLastError
0x518078 FreeLibraryWhenCallbackReturns
0x51807c CreateThreadpoolWork
0x518080 SubmitThreadpoolWork
0x518084 CloseThreadpoolWork
0x518088 GetModuleHandleExW
0x51808c RtlCaptureStackBackTrace
0x518090 IsProcessorFeaturePresent
0x518094 QueryPerformanceCounter
0x518098 QueryPerformanceFrequency
0x51809c SetFileInformationByHandle
0x5180a0 FlsAlloc
0x5180a4 FlsGetValue
0x5180a8 FlsSetValue
0x5180ac FlsFree
0x5180b0 InitOnceExecuteOnce
0x5180b4 CreateEventExW
0x5180b8 CreateSemaphoreExW
0x5180bc FlushProcessWriteBuffers
0x5180c0 GetCurrentProcessorNumber
0x5180c4 GetSystemTimeAsFileTime
0x5180c8 GetTickCount64
0x5180cc CreateThreadpoolTimer
0x5180d0 SetThreadpoolTimer
0x5180d4 WaitForThreadpoolTimerCallbacks
0x5180d8 CloseThreadpoolTimer
0x5180dc CreateThreadpoolWait
0x5180e0 SetThreadpoolWait
0x5180e4 CloseThreadpoolWait
0x5180e8 GetFileInformationByHandleEx
0x5180ec CreateSymbolicLinkW
0x5180f0 LocalFree
0x5180f4 EncodePointer
0x5180f8 DecodePointer
0x5180fc LCMapStringEx
0x518100 GetLocaleInfoEx
0x518104 CompareStringEx
0x518108 GetCPInfo
0x51810c InitializeCriticalSectionAndSpinCount
0x518110 SetEvent
0x518114 ResetEvent
0x518118 CreateEventW
0x51811c IsDebuggerPresent
0x518120 UnhandledExceptionFilter
0x518124 SetUnhandledExceptionFilter
0x518128 GetStartupInfoW
0x51812c GetCurrentProcess
0x518130 TerminateProcess
0x518134 GetCurrentProcessId
0x518138 InitializeSListHead
0x51813c CreateFileW
0x518140 RtlUnwind
0x518144 InterlockedPushEntrySList
0x518148 InterlockedFlushSList
0x51814c SetLastError
0x518150 TlsAlloc
0x518154 TlsGetValue
0x518158 TlsSetValue
0x51815c TlsFree
0x518160 FreeLibrary
0x518164 LoadLibraryExW
0x518168 CreateThread
0x51816c ExitThread
0x518170 ResumeThread
0x518174 FreeLibraryAndExitThread
0x518178 ExitProcess
0x51817c GetModuleFileNameW
0x518180 GetStdHandle
0x518184 WriteFile
0x518188 GetCommandLineA
0x51818c GetCommandLineW
0x518190 GetCurrentThread
0x518194 HeapFree
0x518198 SetConsoleCtrlHandler
0x51819c HeapAlloc
0x5181a0 GetDateFormatW
0x5181a4 GetTimeFormatW
0x5181a8 CompareStringW
0x5181ac LCMapStringW
0x5181b0 GetLocaleInfoW
0x5181b4 IsValidLocale
0x5181b8 GetUserDefaultLCID
0x5181bc EnumSystemLocalesW
0x5181c0 GetFileType
0x5181c4 GetFileSizeEx
0x5181c8 SetFilePointerEx
0x5181cc FlushFileBuffers
0x5181d0 GetConsoleOutputCP
0x5181d4 GetConsoleMode
0x5181d8 ReadFile
0x5181dc HeapReAlloc
0x5181e0 GetTimeZoneInformation
0x5181e4 FindClose
0x5181e8 FindFirstFileExW
0x5181ec FindNextFileW
0x5181f0 IsValidCodePage
0x5181f4 GetACP
0x5181f8 GetOEMCP
0x5181fc GetEnvironmentStringsW
0x518200 FreeEnvironmentStringsW
0x518204 SetEnvironmentVariableW
0x518208 GetProcessHeap
0x51820c OutputDebugStringW
0x518210 SetStdHandle
0x518214 ReadConsoleW
0x518218 HeapSize
0x51821c WriteConsoleW
EAT(Export Address Table) is none