Field | Value |
---|---|
Created | 2023.11.07 07:49 |
Machine | s1_win7_x6401 |
Filename | xinchao.exe |
Type | PE32 executable (console) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | |
md5 | 18e92e00cd0e14cee7e4448e8fa476ef |
sha256 | 1f95d7b01c597ea9c6df5a5e773e97ba17e10e800ded54b18499509469ec8e37 |
ssdeep | 6144:+kwI5irepEn8hKGFd6yi3W2OU5zkkEQNZuGq1cpF2l5O3W:+DtnvJpj7NYGq1i2l5z |
imphash | ea9c90aadadb2718b03c6854c9efc5d5 |
impfuzzy | 24:WjKNDo1u9F+olqOovS2cfzdgFQ8Ryv4/J3IjT4+jluJ0lNFhvgPdp9g/9TUlOcV:lQcfzdHeMc+jsJ0lNolp6/9QlOcV |
Network IP location
Signature (15cnts)
Level | Description |
---|---|
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
watch | Harvests credentials from local FTP client software |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | One or more potentially interesting buffers were extracted |
notice | Queries for potentially installed applications |
notice | Steals private information from local Internet browsers |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | One or more processes crashed |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | Tries to locate where the browsers are installed |
info | Uses Windows APIs to generate a cryptographic key |
Rules (4cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer Activity (Response)
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x40b000 WaitForSingleObject
0x40b004 Sleep
0x40b008 CreateThread
0x40b00c lstrlenW
0x40b010 VirtualProtect
0x40b014 GetProcAddress
0x40b018 LoadLibraryA
0x40b01c VirtualAlloc
0x40b020 GetModuleHandleA
0x40b024 SetEnvironmentVariableW
0x40b028 FreeConsole
0x40b02c OpenFileMappingW
0x40b030 GetLocalTime
0x40b034 GetLastError
0x40b038 HeapFree
0x40b03c HeapAlloc
0x40b040 GetCommandLineA
0x40b044 HeapCreate
0x40b048 VirtualFree
0x40b04c DeleteCriticalSection
0x40b050 LeaveCriticalSection
0x40b054 EnterCriticalSection
0x40b058 HeapReAlloc
0x40b05c GetModuleHandleW
0x40b060 ExitProcess
0x40b064 WriteFile
0x40b068 GetStdHandle
0x40b06c GetModuleFileNameA
0x40b070 SetUnhandledExceptionFilter
0x40b074 FreeEnvironmentStringsA
0x40b078 GetEnvironmentStrings
0x40b07c FreeEnvironmentStringsW
0x40b080 WideCharToMultiByte
0x40b084 GetEnvironmentStringsW
0x40b088 SetHandleCount
0x40b08c GetFileType
0x40b090 GetStartupInfoA
0x40b094 TlsGetValue
0x40b098 TlsAlloc
0x40b09c TlsSetValue
0x40b0a0 TlsFree
0x40b0a4 InterlockedIncrement
0x40b0a8 SetLastError
0x40b0ac GetCurrentThreadId
0x40b0b0 InterlockedDecrement
0x40b0b4 QueryPerformanceCounter
0x40b0b8 GetTickCount
0x40b0bc GetCurrentProcessId
0x40b0c0 GetSystemTimeAsFileTime
0x40b0c4 TerminateProcess
0x40b0c8 GetCurrentProcess
0x40b0cc UnhandledExceptionFilter
0x40b0d0 IsDebuggerPresent
0x40b0d4 InitializeCriticalSectionAndSpinCount
0x40b0d8 RtlUnwind
0x40b0dc GetCPInfo
0x40b0e0 GetACP
0x40b0e4 GetOEMCP
0x40b0e8 IsValidCodePage
0x40b0ec HeapSize
0x40b0f0 GetLocaleInfoA
0x40b0f4 LCMapStringA
0x40b0f8 MultiByteToWideChar
0x40b0fc LCMapStringW
0x40b100 GetStringTypeA
0x40b104 GetStringTypeW
kernel32.dll
0x465658 UpgradeEndpoint
0x46565c EvolveStructure
0x465660 CustomizeLayer
0x465664 TransformModule
0x465668 ModernizeEntity
0x46566c AdjustModule
0x465670 ModernizeEntity
0x465674 AdjustEntity
user32.dll
0x46567c ReviseProtocol
0x465680 UpgradeEntity
0x465684 AdaptFeature
0x465688 ImproveComponent
0x46568c AdjustItem
advapi32.dll
0x465694 ImproveLayer
0x465698 ReconfigureSystem
0x46569c DisableSetting
0x4656a0 RedesignResource
EAT (Export Address Table): none