Field | Value |
---|---|
Created | 2023.10.20 18:11 |
Machine | s1_win7_x6401 |
Filename | fra.exe |
Type | PE32 executable (console) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 49 detected (AIDetectMalware, RedLineNET, Zusy, PWSZbot, unsafe, Save, Kryptik, ZexaE, BqW@am4nTyfi, Attribute, HighConfidence, malicious, high confidence, HTUK, score, PWSX, high, Deyma, Eldorado, RedLine, Znyonm, 11AU12L, Detected, R614184, Artemis, ai score=86, Chgt, R014H0CJK23, nRoZEjn0ZjE, Static AI, Malicious PE, confidence, 100%) |
md5 | 22312fe9b0d80938ff7ed706fc584e19 |
sha256 | 5a891161ce4d76b8f7eb0c0ad3ee500c6f2149735e3eaedaabc267d18ce7bc4f |
ssdeep | 6144:a0QgQvWkv5T2FL5vCOR33urxl1eSNxElDTdGwxbZDNWLeqRcvC89q:avgQvU5a07P5wL1cvC89q |
imphash | 74b0d004a012cef41e106f80a1b919df |
impfuzzy | 24:WjKNDoryKlvMjOovS2cfOZ/J3IBtyFQ8RyvuT4FlXKEC:EMCQcfObutNucFZKEC |
Network IP location
Signature (15cnts)
Level | Description |
---|---|
danger | File has been identified by 49 AntiVirus engines on VirusTotal as malicious |
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | One or more potentially interesting buffers were extracted |
notice | Queries for potentially installed applications |
notice | Steals private information from local Internet browsers |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | One or more processes crashed |
info | Queries for the computername |
info | Tries to locate where the browsers are installed |
info | Uses Windows APIs to generate a cryptographic key |
Rules (5cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
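The ET rules above key on the .NET Message Framing (MC-NMF) preamble that a WCF net.tcp client sends before any message, which is how a RedLine C2 session shows up on the wire: the "Connection Initialization" rule sees the framing, the MC-NMF and MSValue rules see what follows it. The decoder below is an added example, not part of this report and not code from the malware: it follows the record layouts in MS-NMF, the sample bytes and the 192.0.2.10 address are constructed, and the exact content patterns of the ET rules are not reproduced here. Its useful output for an analyst is the Via record, the net.tcp:// URI the client asked for, which is the C2 pivot.

```python
"""MC-NMF (.NET Message Framing / net.tcp) preamble decoder. Added example;
record types and size encoding follow MS-NMF, sample traffic is constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Record types (MS-NMF 2.2.3). Only the records legal in the client preamble are decoded.
RECORD_NAMES = {
    0x00: "Version", 0x01: "Mode", 0x02: "Via", 0x03: "KnownEncoding",
    0x04: "ExtensibleEncoding", 0x05: "UnsizedEnvelope", 0x06: "SizedEnvelope",
    0x07: "End", 0x08: "Fault", 0x09: "UpgradeRequest", 0x0A: "UpgradeResponse",
    0x0B: "PreambleAck", 0x0C: "PreambleEnd",
}
MODES = {1: "SingletonUnsized", 2: "Duplex", 3: "Simplex", 4: "SingletonSized"}
ENCODINGS = {0: "UTF-8 SOAP 1.1", 1: "UTF-16 SOAP 1.1", 2: "Unicode LE SOAP 1.1",
             3: "UTF-8 SOAP 1.2", 4: "UTF-16 SOAP 1.2", 5: "Unicode LE SOAP 1.2",
             6: "MTOM SOAP 1.2", 7: "Binary SOAP 1.2", 8: "Binary SOAP 1.2 + in-band dictionary"}
# Every net.tcp client stream opens with Version 1.0 followed by a Mode record.
NETTCP_PREFIX = b"\x00\x01\x00\x01"


def _take(buf: bytes, pos: int, n: int) -> Tuple[bytes, int]:
    """Bounds-checked slice; a truncated capture must fail loudly, not decode garbage."""
    if pos + n > len(buf):
        raise ValueError(f"truncated record at offset {pos}: need {n} bytes")
    return buf[pos:pos + n], pos + n


def read_varint(buf: bytes, pos: int) -> Tuple[int, int]:
    """MS-NMF size field: 7 data bits per byte, little-endian, MSB = continuation, max 5 bytes."""
    value, shift = 0, 0
    for _ in range(5):
        chunk, pos = _take(buf, pos, 1)
        value |= (chunk[0] & 0x7F) << shift
        if not chunk[0] & 0x80:
            return value, pos
        shift += 7
    raise ValueError("size field longer than 5 bytes")


def write_varint(n: int) -> bytes:
    out = bytearray()
    while True:
        low, n = n & 0x7F, n >> 7
        out.append((low | 0x80) if n else low)
        if not n:
            return bytes(out)


@dataclass
class Preamble:
    version: Optional[Tuple[int, int]] = None
    mode: Optional[str] = None
    via: Optional[str] = None          # net.tcp:// URI the client connects to: the C2 pivot
    encoding: Optional[str] = None
    complete: bool = False             # PreambleEnd record seen
    records: List[str] = field(default_factory=list)


def parse_preamble(buf: bytes) -> Preamble:
    """Decode the client-to-server preamble; raises ValueError on malformed or truncated input."""
    p, pos = Preamble(), 0
    while pos < len(buf):
        rtype, pos = buf[pos], pos + 1
        name = RECORD_NAMES.get(rtype)
        if name is None:
            raise ValueError(f"unknown record type 0x{rtype:02x} at offset {pos - 1}")
        p.records.append(name)
        if rtype == 0x00:
            v, pos = _take(buf, pos, 2)
            p.version = (v[0], v[1])
        elif rtype == 0x01:
            m, pos = _take(buf, pos, 1)
            p.mode = MODES.get(m[0], f"unknown({m[0]})")
        elif rtype == 0x02:
            n, pos = read_varint(buf, pos)
            raw, pos = _take(buf, pos, n)
            p.via = raw.decode("utf-8")
        elif rtype == 0x03:
            e, pos = _take(buf, pos, 1)
            p.encoding = ENCODINGS.get(e[0], f"unknown({e[0]})")
        elif rtype == 0x04:
            n, pos = read_varint(buf, pos)
            raw, pos = _take(buf, pos, n)
            p.encoding = "extensible:" + raw.decode("utf-8")
        elif rtype == 0x0C:
            p.complete = True
            break
        else:
            raise ValueError(f"{name} record is not valid inside the client preamble")
    return p


def build_preamble(via: str, mode: int = 2, encoding: int = 8) -> bytes:
    """Encode a client preamble (Version, Mode, Via, KnownEncoding, PreambleEnd)."""
    via_b = via.encode("utf-8")
    return (b"\x00\x01\x00" + bytes([0x01, mode]) + b"\x02" + write_varint(len(via_b)) + via_b
            + bytes([0x03, encoding]) + b"\x0C")


def is_nettcp_client_preamble(buf: bytes) -> bool:
    return buf.startswith(NETTCP_PREFIX)


def server_accepted(buf: bytes) -> bool:
    """The server's only legal reply to a good preamble is a lone PreambleAck record."""
    return buf == b"\x0B"


# Constructed sample: Duplex mode, binary encoding with in-band dictionary, RFC 5737 test address.
SAMPLE_PREAMBLE = (b"\x00\x01\x00" + b"\x01\x02" + b"\x02\x1a" + b"net.tcp://192.0.2.10:1234/"
                   + b"\x03\x08" + b"\x0c")

if __name__ == "__main__":
    pre = parse_preamble(SAMPLE_PREAMBLE)
    print(pre.records, pre.mode, pre.via, pre.encoding, pre.complete)
```

Feed it the first client-to-server bytes of a flow that tripped the net.tcp rule; a Via that points at a bare IP and non-standard port, paired with Duplex mode and binary encoding, is the shape to expect from a WCF-based stealer, whereas a legitimate WCF service normally carries a hostname and a service path.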
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x413000 WaitForSingleObject
0x413004 Sleep
0x413008 CreateThread
0x41300c lstrlenW
0x413010 VirtualProtect
0x413014 GetProcAddress
0x413018 LoadLibraryA
0x41301c VirtualAlloc
0x413020 LockResource
0x413024 LoadResource
0x413028 SizeofResource
0x41302c FindResourceW
0x413030 GetModuleHandleW
0x413034 GetModuleHandleA
0x413038 EnumResourceNamesA
0x41303c FreeConsole
0x413040 GetLastError
0x413044 HeapFree
0x413048 HeapAlloc
0x41304c RtlUnwind
0x413050 RaiseException
0x413054 GetCommandLineA
0x413058 HeapCreate
0x41305c VirtualFree
0x413060 DeleteCriticalSection
0x413064 LeaveCriticalSection
0x413068 EnterCriticalSection
0x41306c HeapReAlloc
0x413070 ExitProcess
0x413074 WriteFile
0x413078 GetStdHandle
0x41307c GetModuleFileNameA
0x413080 TlsGetValue
0x413084 TlsAlloc
0x413088 TlsSetValue
0x41308c TlsFree
0x413090 InterlockedIncrement
0x413094 SetLastError
0x413098 GetCurrentThreadId
0x41309c InterlockedDecrement
0x4130a0 TerminateProcess
0x4130a4 GetCurrentProcess
0x4130a8 UnhandledExceptionFilter
0x4130ac SetUnhandledExceptionFilter
0x4130b0 IsDebuggerPresent
0x4130b4 FreeEnvironmentStringsA
0x4130b8 GetEnvironmentStrings
0x4130bc FreeEnvironmentStringsW
0x4130c0 WideCharToMultiByte
0x4130c4 GetEnvironmentStringsW
0x4130c8 SetHandleCount
0x4130cc GetFileType
0x4130d0 GetStartupInfoA
0x4130d4 QueryPerformanceCounter
0x4130d8 GetTickCount
0x4130dc GetCurrentProcessId
0x4130e0 GetSystemTimeAsFileTime
0x4130e4 GetCPInfo
0x4130e8 GetACP
0x4130ec GetOEMCP
0x4130f0 IsValidCodePage
0x4130f4 InitializeCriticalSectionAndSpinCount
0x4130f8 HeapSize
0x4130fc LCMapStringA
0x413100 MultiByteToWideChar
0x413104 LCMapStringW
0x413108 GetStringTypeA
0x41310c GetStringTypeW
0x413110 GetLocaleInfoA
USER32.dll
0x413118 GetWindowTextLengthW
EAT(Export Address Table) is none
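What the import table above says, reduced to the two checks an analyst would actually run on it: recompute the imphash pivot from the listing, and group the imports into loader clusters. The script is an added example, not from the sandbox or the sample. It assumes the listing above is complete and in its original order (imphash is order-sensitive, so a mismatch against the value in the header means the listing was reordered or truncated) and the cluster definitions are an analyst heuristic, not a standard. Most of the KERNEL32 entries (Heap*, Tls*, LCMapString*, GetStringType*, GetACP, GetCPInfo) are MSVC CRT start-up imports and carry no signal; the loader story is the FindResourceW/LoadResource/LockResource/SizeofResource group, VirtualAlloc and VirtualProtect, LoadLibraryA/GetProcAddress and CreateThread. No socket, WinINet or WinHTTP import appears at all, which is consistent with the Suricata C2 hits coming from code that is only present after unpacking.

```python
"""Import-table triage for the IAT listing above. Added example, not sandbox code.
imphash follows the pefile algorithm (lowercase "lib.func", extension stripped,
comma-joined, MD5); ordinal imports (pefile writes "ordN") do not occur in this listing."""
import hashlib
from typing import Dict, List, Tuple

# Transcribed from the report's IAT section, same order, addresses dropped (the parser
# would skip them anyway). Assumed complete.
IAT_LISTING = """
KERNEL32.dll
WaitForSingleObject Sleep CreateThread lstrlenW VirtualProtect GetProcAddress LoadLibraryA
VirtualAlloc LockResource LoadResource SizeofResource FindResourceW GetModuleHandleW
GetModuleHandleA EnumResourceNamesA FreeConsole GetLastError HeapFree HeapAlloc RtlUnwind
RaiseException GetCommandLineA HeapCreate VirtualFree DeleteCriticalSection LeaveCriticalSection
EnterCriticalSection HeapReAlloc ExitProcess WriteFile GetStdHandle GetModuleFileNameA
TlsGetValue TlsAlloc TlsSetValue TlsFree InterlockedIncrement SetLastError GetCurrentThreadId
InterlockedDecrement TerminateProcess GetCurrentProcess UnhandledExceptionFilter
SetUnhandledExceptionFilter IsDebuggerPresent FreeEnvironmentStringsA GetEnvironmentStrings
FreeEnvironmentStringsW WideCharToMultiByte GetEnvironmentStringsW SetHandleCount GetFileType
GetStartupInfoA QueryPerformanceCounter GetTickCount GetCurrentProcessId GetSystemTimeAsFileTime
GetCPInfo GetACP GetOEMCP IsValidCodePage InitializeCriticalSectionAndSpinCount HeapSize
LCMapStringA MultiByteToWideChar LCMapStringW GetStringTypeA GetStringTypeW GetLocaleInfoA
USER32.dll
GetWindowTextLengthW
"""

# Analyst heuristic (assumption, not a standard): API groups that together describe a
# resource-carried payload being mapped and run in-process.
CLUSTERS: Dict[str, set] = {
    "resource_payload": {"FindResourceA", "FindResourceW", "LoadResource", "LockResource",
                         "SizeofResource", "EnumResourceNamesA", "EnumResourceNamesW"},
    "rwx_staging": {"VirtualAlloc", "VirtualAllocEx", "VirtualProtect", "VirtualProtectEx"},
    "dynamic_resolution": {"LoadLibraryA", "LoadLibraryW", "GetProcAddress",
                           "GetModuleHandleA", "GetModuleHandleW"},
    "execution": {"CreateThread", "CreateRemoteThread", "WaitForSingleObject"},
    "anti_debug": {"IsDebuggerPresent", "CheckRemoteDebuggerPresent"},  # CRT also imports the first
    "network": {"connect", "send", "recv", "WSAStartup", "InternetOpenA", "InternetOpenW",
                "WinHttpOpen", "HttpSendRequestA", "HttpSendRequestW"},
}


def parse_iat_listing(text: str) -> List[Tuple[str, str]]:
    """Walk the report's IAT text: a token ending in .dll starts a library, 0x... tokens are
    IAT slot addresses and are skipped, anything else is an imported function name."""
    imports, lib = [], None
    for tok in text.split():
        if tok.startswith("EAT("):          # end of the IAT section in the report format
            break
        if tok.lower().endswith(".dll"):
            lib = tok
        elif tok.startswith("0x"):
            continue
        elif lib is None:
            raise ValueError(f"function {tok} listed before any library header")
        else:
            imports.append((lib, tok))
    return imports


def imphash(imports: List[Tuple[str, str]]) -> str:
    parts = []
    for lib, func in imports:
        lib = lib.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[:-len(ext)]
                break
        parts.append(f"{lib}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def loader_profile(imports: List[Tuple[str, str]]) -> dict:
    """Which clusters are present, plus the inferences an analyst draws from the combination."""
    names = {func for _, func in imports}
    found = {k: sorted(names & v) for k, v in CLUSTERS.items()}
    notes = []
    if found["resource_payload"] and found["rwx_staging"] and found["dynamic_resolution"]:
        notes.append("payload carried in a PE resource, mapped via VirtualAlloc/VirtualProtect, "
                     "imports resolved at runtime")
    if not found["network"] and found["dynamic_resolution"]:
        notes.append("no static network imports: any C2 traffic comes from code loaded at runtime")
    return {"clusters": found, "notes": notes}


if __name__ == "__main__":
    imps = parse_iat_listing(IAT_LISTING)
    print(len(imps), "imports, imphash", imphash(imps))
    for line in loader_profile(imps)["notes"]:
        print("-", line)
```

Paste the raw IAT section of another report into IAT_LISTING (addresses included) and compare hashes: identical imphash across samples with different md5/sha256 values is the usual sign of one loader build carrying different payloads.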