Field | Value |
---|---|
Created | 2023.10.08 10:45 |
Machine | s1_win7_x6403 |
Filename | trafico.exe |
Type | PE32 executable (console) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 27 detected (Save, malicious, Attribute, HighConfidence, high confidence, Kryptik, HUOL, score, PWSX, XPACK, Gen5, high, Sabsik, ZexaF, yuW@aKlZTMai, unsafe, Generic@AI, RDML, 3M7O9P8oLlrGB23iiPSQqw, Static AI, Malicious PE, susgen, confidence, 100%) |
md5 | e9c5b36d7d606477f23c1d7219469d71 |
sha256 | 90e574804204b26a7a56a54d56f44660131015bd4f4dbd58e42717634cc442ae |
ssdeep | 12288:NjUoRUzA/vZoMecqF2ksaSwRobhNnfwBlZRvB7Kpve2Jg0YBmgMyl361+5XFWQFB:NKSJQmy36yHU9q9l |
imphash | 1bc01dfa698246ac804f970d5000ac59 |
impfuzzy | 24:tjKNDoryelqOovS2cfOdgFQ8Ryv4/J3IjT4+jlucsgEC:fQcfOdHeMc+jscdEC |
Network IP location
Signatures (17 counts)
Level | Description |
---|---|
warning | File has been identified by 27 AntiVirus engines on VirusTotal as malicious |
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
watch | Harvests credentials from local FTP client software |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | One or more potentially interesting buffers were extracted |
notice | Queries for potentially installed applications |
notice | Steals private information from local Internet browsers |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | One or more processes crashed |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | Tries to locate where the browsers are installed |
info | Uses Windows APIs to generate a cryptographic key |
Rules (3 counts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata IDs
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer Activity (Response)
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x40b000 GetCPInfo
0x40b004 WaitForSingleObject
0x40b008 Sleep
0x40b00c CreateThread
0x40b010 lstrlenW
0x40b014 VirtualProtect
0x40b018 GetProcAddress
0x40b01c LoadLibraryA
0x40b020 VirtualAlloc
0x40b024 LockResource
0x40b028 LoadResource
0x40b02c SizeofResource
0x40b030 FindResourceW
0x40b034 GetModuleHandleW
0x40b038 GetModuleHandleA
0x40b03c FreeConsole
0x40b040 GetLastError
0x40b044 HeapFree
0x40b048 HeapAlloc
0x40b04c GetCommandLineA
0x40b050 HeapCreate
0x40b054 VirtualFree
0x40b058 DeleteCriticalSection
0x40b05c LeaveCriticalSection
0x40b060 EnterCriticalSection
0x40b064 HeapReAlloc
0x40b068 ExitProcess
0x40b06c WriteFile
0x40b070 GetStdHandle
0x40b074 GetModuleFileNameA
0x40b078 SetUnhandledExceptionFilter
0x40b07c FreeEnvironmentStringsA
0x40b080 GetEnvironmentStrings
0x40b084 FreeEnvironmentStringsW
0x40b088 WideCharToMultiByte
0x40b08c GetEnvironmentStringsW
0x40b090 SetHandleCount
0x40b094 GetFileType
0x40b098 GetStartupInfoA
0x40b09c TlsGetValue
0x40b0a0 TlsAlloc
0x40b0a4 TlsSetValue
0x40b0a8 TlsFree
0x40b0ac InterlockedIncrement
0x40b0b0 SetLastError
0x40b0b4 GetCurrentThreadId
0x40b0b8 InterlockedDecrement
0x40b0bc QueryPerformanceCounter
0x40b0c0 GetTickCount
0x40b0c4 GetCurrentProcessId
0x40b0c8 GetSystemTimeAsFileTime
0x40b0cc TerminateProcess
0x40b0d0 GetCurrentProcess
0x40b0d4 UnhandledExceptionFilter
0x40b0d8 IsDebuggerPresent
0x40b0dc InitializeCriticalSectionAndSpinCount
0x40b0e0 RtlUnwind
0x40b0e4 GetACP
0x40b0e8 GetOEMCP
0x40b0ec IsValidCodePage
0x40b0f0 HeapSize
0x40b0f4 GetLocaleInfoA
0x40b0f8 LCMapStringA
0x40b0fc MultiByteToWideChar
0x40b100 LCMapStringW
0x40b104 GetStringTypeA
0x40b108 GetStringTypeW
USER32.dll
0x40b110 GetWindowTextLengthW
EAT (Export Address Table): none