Field | Value |
---|---|
Created | 2023.10.05 17:16 |
Machine | s1_win7_x6401 |
Filename | file.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 31 detected (AIDetectMalware, Babar, ZexaF, WDW@a0A, Eldorado, malicious, high confidence, GenKryptik, GOND, score, PWSX, Generic@AI, RDML, QcNTopQO0B4j52KIsjtguw, Krypt, ai score=81, Sabsik, Mokes, AARM, Detected, R609369, Genetic, ETFD) |
md5 | db271fe34507c6229439100abf5458f1 |
sha256 | fc43e409ca887fe8f98079100e54a442b7ab01a2743d7e195ba2c8358a1152df |
ssdeep | 24576:f8vuU6B2xlhtLiLdP2sN6a9Dhvhhn+edqjz:mxlhtLM2w6a3v/n |
imphash | 2d720d38a8fbabead5b576804bc154eb |
impfuzzy | 48:sghlBfWDz9vxcpVJxwYyXtXGrmcGtEzba63buFZGLo:ZlBfWn1xcpVJxwjXtXMmcGtEPa95 |
Network IP location
Signature (27cnts)
Level | Description |
---|---|
danger | Executed a process and injected code into it |
danger | File has been identified by 31 AntiVirus engines on VirusTotal as malicious |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Code injection by writing an executable or DLL to the memory of another process |
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
watch | Executes one or more WMI queries |
watch | Harvests credentials from local FTP client software |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Executes one or more WMI queries which can be used to identify virtual machines |
notice | One or more potentially interesting buffers were extracted |
notice | Queries for potentially installed applications |
notice | Steals private information from local Internet browsers |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | One or more processes crashed |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | The executable uses a known packer |
info | This executable has a PDB path |
info | Tries to locate where the browsers are installed |
info | Uses Windows APIs to generate a cryptographic key |
Rules (14cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | RedLine_Stealer_m_Zero | RedLine stealer | memory |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Suricata IDs
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
PE API
IAT (Import Address Table) Library
USER32.dll
0x5bc2f0 GetClipCursor
ole32.dll
0x5bc320 CoGetApartmentType
0x5bc324 CoGetObjectContext
ADVAPI32.dll
0x5bc000 RegDisablePredefinedCacheEx
KERNEL32.dll
0x5bc030 GetProcessHeap
0x5bc034 SetStdHandle
0x5bc038 HeapSize
0x5bc03c CreateFileW
0x5bc040 CreateSymbolicLinkW
0x5bc044 FreeConsole
0x5bc048 RaiseException
0x5bc04c CloseHandle
0x5bc050 WaitForSingleObjectEx
0x5bc054 Sleep
0x5bc058 SwitchToThread
0x5bc05c GetCurrentThreadId
0x5bc060 GetExitCodeThread
0x5bc064 GetNativeSystemInfo
0x5bc068 InitializeSRWLock
0x5bc06c ReleaseSRWLockExclusive
0x5bc070 AcquireSRWLockExclusive
0x5bc074 TryAcquireSRWLockExclusive
0x5bc078 InitializeConditionVariable
0x5bc07c WakeConditionVariable
0x5bc080 WakeAllConditionVariable
0x5bc084 SleepConditionVariableSRW
0x5bc088 FormatMessageA
0x5bc08c WideCharToMultiByte
0x5bc090 MultiByteToWideChar
0x5bc094 GetStringTypeW
0x5bc098 InitOnceBeginInitialize
0x5bc09c InitOnceComplete
0x5bc0a0 GetLastError
0x5bc0a4 FreeLibraryWhenCallbackReturns
0x5bc0a8 CreateThreadpoolWork
0x5bc0ac SubmitThreadpoolWork
0x5bc0b0 CloseThreadpoolWork
0x5bc0b4 GetModuleHandleExW
0x5bc0b8 RtlCaptureStackBackTrace
0x5bc0bc IsProcessorFeaturePresent
0x5bc0c0 EnterCriticalSection
0x5bc0c4 LeaveCriticalSection
0x5bc0c8 InitializeCriticalSectionEx
0x5bc0cc DeleteCriticalSection
0x5bc0d0 QueryPerformanceCounter
0x5bc0d4 QueryPerformanceFrequency
0x5bc0d8 LocalFree
0x5bc0dc GetLocaleInfoEx
0x5bc0e0 EncodePointer
0x5bc0e4 DecodePointer
0x5bc0e8 LCMapStringEx
0x5bc0ec SetFileInformationByHandle
0x5bc0f0 GetTempPathW
0x5bc0f4 FlsAlloc
0x5bc0f8 FlsGetValue
0x5bc0fc FlsSetValue
0x5bc100 FlsFree
0x5bc104 InitOnceExecuteOnce
0x5bc108 SleepConditionVariableCS
0x5bc10c CreateEventExW
0x5bc110 CreateSemaphoreExW
0x5bc114 FlushProcessWriteBuffers
0x5bc118 GetCurrentProcessorNumber
0x5bc11c GetSystemTimeAsFileTime
0x5bc120 GetTickCount64
0x5bc124 CreateThreadpoolTimer
0x5bc128 SetThreadpoolTimer
0x5bc12c WaitForThreadpoolTimerCallbacks
0x5bc130 CloseThreadpoolTimer
0x5bc134 CreateThreadpoolWait
0x5bc138 SetThreadpoolWait
0x5bc13c CloseThreadpoolWait
0x5bc140 GetModuleHandleW
0x5bc144 GetProcAddress
0x5bc148 GetFileInformationByHandleEx
0x5bc14c WriteConsoleW
0x5bc150 CompareStringEx
0x5bc154 GetCPInfo
0x5bc158 InitializeCriticalSectionAndSpinCount
0x5bc15c SetEvent
0x5bc160 ResetEvent
0x5bc164 CreateEventW
0x5bc168 GetCurrentProcessId
0x5bc16c InitializeSListHead
0x5bc170 IsDebuggerPresent
0x5bc174 UnhandledExceptionFilter
0x5bc178 SetUnhandledExceptionFilter
0x5bc17c GetStartupInfoW
0x5bc180 GetCurrentProcess
0x5bc184 TerminateProcess
0x5bc188 SetEnvironmentVariableW
0x5bc18c RtlUnwind
0x5bc190 InterlockedPushEntrySList
0x5bc194 InterlockedFlushSList
0x5bc198 SetLastError
0x5bc19c TlsAlloc
0x5bc1a0 TlsGetValue
0x5bc1a4 TlsSetValue
0x5bc1a8 TlsFree
0x5bc1ac FreeLibrary
0x5bc1b0 LoadLibraryExW
0x5bc1b4 CreateThread
0x5bc1b8 ExitThread
0x5bc1bc ResumeThread
0x5bc1c0 FreeLibraryAndExitThread
0x5bc1c4 GetStdHandle
0x5bc1c8 WriteFile
0x5bc1cc GetModuleFileNameW
0x5bc1d0 ExitProcess
0x5bc1d4 GetCommandLineA
0x5bc1d8 GetCommandLineW
0x5bc1dc GetCurrentThread
0x5bc1e0 HeapFree
0x5bc1e4 SetConsoleCtrlHandler
0x5bc1e8 HeapAlloc
0x5bc1ec GetDateFormatW
0x5bc1f0 GetTimeFormatW
0x5bc1f4 CompareStringW
0x5bc1f8 LCMapStringW
0x5bc1fc GetLocaleInfoW
0x5bc200 IsValidLocale
0x5bc204 GetUserDefaultLCID
0x5bc208 EnumSystemLocalesW
0x5bc20c GetFileType
0x5bc210 GetFileSizeEx
0x5bc214 SetFilePointerEx
0x5bc218 FlushFileBuffers
0x5bc21c GetConsoleOutputCP
0x5bc220 GetConsoleMode
0x5bc224 ReadFile
0x5bc228 ReadConsoleW
0x5bc22c HeapReAlloc
0x5bc230 GetTimeZoneInformation
0x5bc234 OutputDebugStringW
0x5bc238 FindClose
0x5bc23c FindFirstFileExW
0x5bc240 FindNextFileW
0x5bc244 IsValidCodePage
0x5bc248 GetACP
0x5bc24c GetOEMCP
0x5bc250 GetEnvironmentStringsW
0x5bc254 FreeEnvironmentStringsW
EAT (Export Address Table) Library
0x402676 _LoadEnvironment@0