ScreenShot
| Field | Value |
|---|---|
| Created | 2023.11.09 10:20 |
| Machine | s1_win7_x6403_us |
| Filename | lnstаllееer.exe (the name mixes Latin letters with Cyrillic look-alikes such as "а" and "е", and starts with a lowercase L rather than an "I", imitating "Installer") |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| AI Score | |
| Behavior Score | |
| ZERO API | file : clean |
| VT API (file) | 32 detected (AIDetectMalware, Botx, Babar, malicious, confidence, Attribute, HighConfidence, high confidence, GenKryptik, GPWB, score, RedLine, op57AWiCqLF, TRICKBOT, Static AI, Suspicious PE, Wacatac, Detected, ai score=80, Krypt, susgen, GOEE, ZexaF, BuY@aWiiPi, FileRepMalware) |
| md5 | e85a65b6ab5c25aec1cd5694586627c1 |
| sha256 | ed18280c7037a3505148717767688dd86a5e4b67a0c40cd076af289b6ea5b0b6 |
| ssdeep | 6144:rmWQZca1DD/BZbRRyOtJkm3+AODDtyFu7HzLSb2+B+nkjy6ugI5O3YU+/CrE:LQKa1pt1l+dxj7TLAkkjZ+/CQ |
| imphash | 7f65a0e07caaf4544afc07e32f4fd5bc |
| impfuzzy | 24:3cZRW8jTcpVWZjeDEt4GhlJBl39WuPLOovbO3kFZMv5GMA+EZHu9n:MZRW0cpVejXt4Gnpn630FZG9 |
Network IP location
Signatures (26)
Level | Description |
---|---|
danger | Executed a process and injected code into it |
danger | File has been identified by 32 AntiVirus engines on VirusTotal as malicious |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Code injection by writing an executable or DLL to the memory of another process |
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
watch | Executes one or more WMI queries |
watch | Harvests credentials from local FTP client software |
watch | Looks for the Windows Idle Time to determine the uptime |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Executes one or more WMI queries which can be used to identify virtual machines |
notice | One or more potentially interesting buffers were extracted |
notice | Queries for potentially installed applications |
notice | Steals private information from local Internet browsers |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | One or more processes crashed |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | Tries to locate where the browsers are installed |
info | Uses Windows APIs to generate a cryptographic key |
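The watch-level entries above (executable memory allocated in another process, a write into it, NtSetContextThread, a suspended thread resumed) are the individual steps of one injection chain, and they are only meaningful together on the same target process. The Python below is an added example, not part of this report or of the sandbox's own signature engine: it walks ordered API-call events and raises one finding per (caller, target) pair whose thread is resumed only after the allocate/write/set-context steps have all been seen. The event field names (pid, target_pid, api, protection, creation_flags) and the sample events are constructed for the example; a benign parent that writes read-write data into a normally created child is included to show it does not match.

```python
"""Flag a remote-process injection chain in ordered sandbox API-call events.

Added example for this report, not the sandbox's own signature logic.
Event dicts, field names and the sample data are constructed.
"""

CREATE_SUSPENDED = 0x00000004
# PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY
EXECUTABLE_PROTECTIONS = {0x10, 0x20, 0x40, 0x80}

# Each stage lists the APIs that satisfy it; the stages mirror the report's
# watch-level signatures: executable allocation in a remote process, a write
# into it, a thread-context change, and resuming a suspended thread.
STAGES = (
    ("spawn_suspended", {"CreateProcessInternalW", "CreateProcessW", "CreateProcessA"}),
    ("alloc_exec", {"VirtualAllocEx", "NtAllocateVirtualMemory",
                    "VirtualProtectEx", "NtProtectVirtualMemory"}),
    ("write_remote", {"WriteProcessMemory", "NtWriteVirtualMemory"}),
    ("set_context", {"NtSetContextThread", "SetThreadContext"}),
    ("resume", {"NtResumeThread", "ResumeThread"}),
)
REQUIRED_BEFORE_RESUME = ("alloc_exec", "write_remote", "set_context")


def _stage_for(event):
    """Map one API event to a stage name, or None if it is not part of the chain."""
    for name, apis in STAGES:
        if event["api"] not in apis:
            continue
        if name == "spawn_suspended" and not event.get("creation_flags", 0) & CREATE_SUSPENDED:
            return None  # a normally created child process is not suspicious by itself
        if name == "alloc_exec" and event.get("protection") not in EXECUTABLE_PROTECTIONS:
            return None  # read-write allocations in a child are common (debuggers, IPC)
        return name
    return None


def find_injection_chains(events):
    """Return one finding per (caller, target) whose thread is resumed after
    executable memory was allocated, written, and its context rewritten."""
    seen = {}  # (pid, target_pid) -> stage names observed so far, in order
    findings = []
    for ev in events:
        target = ev.get("target_pid")
        if target is None or target == ev["pid"]:
            continue  # only cross-process calls matter for this chain
        stage = _stage_for(ev)
        if stage is None:
            continue
        stages = seen.setdefault((ev["pid"], target), [])
        if stage == "resume":
            if all(s in stages for s in REQUIRED_BEFORE_RESUME):
                findings.append({"pid": ev["pid"], "target_pid": target,
                                 "stages": list(stages), "level": "danger"})
        elif stage not in stages:
            stages.append(stage)
    return findings


# Constructed events: a benign parent writing RW data into its child (pids
# 1000/1001), then the hollowing-style chain the report describes (2000/2001).
SAMPLE_EVENTS = [
    {"pid": 1000, "api": "CreateProcessW", "target_pid": 1001, "creation_flags": 0x0},
    {"pid": 1000, "api": "VirtualAllocEx", "target_pid": 1001, "protection": 0x04},
    {"pid": 1000, "api": "WriteProcessMemory", "target_pid": 1001},
    {"pid": 1000, "api": "ResumeThread", "target_pid": 1001},
    {"pid": 2000, "api": "CreateProcessInternalW", "target_pid": 2001, "creation_flags": 0x4},
    {"pid": 2000, "api": "NtUnmapViewOfSection", "target_pid": 2001},
    {"pid": 2000, "api": "VirtualAllocEx", "target_pid": 2001, "protection": 0x40},
    {"pid": 2000, "api": "WriteProcessMemory", "target_pid": 2001},
    {"pid": 2000, "api": "WriteProcessMemory", "target_pid": 2001},
    {"pid": 2000, "api": "NtGetContextThread", "target_pid": 2001},
    {"pid": 2000, "api": "NtSetContextThread", "target_pid": 2001},
    {"pid": 2000, "api": "NtResumeThread", "target_pid": 2001},
]

if __name__ == "__main__":
    for finding in find_injection_chains(SAMPLE_EVENTS):
        print(finding)
```

The stage order is deliberately loose: real traces interleave NtGetContextThread, repeated writes, or an allocation that is made read-write and only later re-protected as executable, so the only ordering enforced is that the resume comes after the other steps.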
Rules (16)
Level | Name | Description | Collection |
---|---|---|---|
danger | RedLine_Stealer_m_Zero | RedLine stealer | memory |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
notice | ScreenShot | Take ScreenShot | memory |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Suricata IDS alerts
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
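The ET INFO alert above fires on net.tcp connection setup, that is, the client preamble of Microsoft's .NET Message Framing protocol (MC-NMF) that WCF net.tcp endpoints exchange before any application message; the RedLine-specific rules match what follows it. The parser below is an added example, not part of this report or of the Suricata/ET rules: it decodes that preamble (version, mode, via URI, known encoding) so the C2 endpoint can be read straight out of a capture, and builds one to test against. The record layout follows the MC-NMF specification; the sample bytes, the 192.0.2.10:12345 address, and the choice of duplex mode with in-band-dictionary binary encoding (the WCF NetTcpBinding default, stated here as an assumption) are constructed.

```python
"""Decode the MC-NMF (.NET Message Framing) client preamble used by net.tcp.

Added example for this report; record layout per the MC-NMF spec, sample
data constructed.
"""

RECORD_VERSION = 0x00
RECORD_MODE = 0x01
RECORD_VIA = 0x02
RECORD_KNOWN_ENCODING = 0x03
RECORD_PREAMBLE_END = 0x0C

MODES = {0x01: "SingletonUnsized", 0x02: "Duplex", 0x03: "Simplex", 0x04: "SingletonSized"}
ENCODINGS = {
    0x00: "utf8-soap11", 0x01: "utf16-soap11", 0x02: "unicode-le-soap11",
    0x03: "utf8-soap12", 0x04: "utf16-soap12", 0x05: "unicode-le-soap12",
    0x06: "mtom", 0x07: "binary", 0x08: "binary-in-band-dictionary",
}


def read_7bit_int(buf, pos):
    """Read a .NET-style 7-bit varint (low 7 bits first, high bit = continue)."""
    value, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated length field")
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7
        if shift > 28:
            raise ValueError("length field too long")


def write_7bit_int(value):
    """Inverse of read_7bit_int, used to build a preamble."""
    out = bytearray()
    while value >= 0x80:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    out.append(value)
    return bytes(out)


def build_preamble(via, mode=0x02, encoding=0x08):
    """Client preamble: Version, Mode, Via, KnownEncoding, PreambleEnd records."""
    via_bytes = via.encode("utf-8")
    return (bytes([RECORD_VERSION, 0x01, 0x00])
            + bytes([RECORD_MODE, mode])
            + bytes([RECORD_VIA]) + write_7bit_int(len(via_bytes)) + via_bytes
            + bytes([RECORD_KNOWN_ENCODING, encoding])
            + bytes([RECORD_PREAMBLE_END]))


def _byte(buf, pos):
    if pos >= len(buf):
        raise ValueError("truncated record at offset %d" % pos)
    return buf[pos]


def parse_preamble(buf):
    """Return the preamble fields; raise ValueError if buf is not an MC-NMF 1.0 preamble."""
    if buf[:3] != bytes([RECORD_VERSION, 0x01, 0x00]):
        raise ValueError("no MC-NMF 1.0 version record")
    info = {"mode": None, "via": None, "encoding": None, "preamble_len": None}
    pos = 3
    while pos < len(buf):
        rec = buf[pos]
        pos += 1
        if rec == RECORD_MODE:
            info["mode"] = MODES.get(_byte(buf, pos), "unknown(0x%02x)" % _byte(buf, pos))
            pos += 1
        elif rec == RECORD_VIA:
            n, pos = read_7bit_int(buf, pos)
            if pos + n > len(buf):
                raise ValueError("truncated via record")
            info["via"] = buf[pos:pos + n].decode("utf-8")
            pos += n
        elif rec == RECORD_KNOWN_ENCODING:
            info["encoding"] = ENCODINGS.get(_byte(buf, pos), "unknown(0x%02x)" % _byte(buf, pos))
            pos += 1
        elif rec == RECORD_PREAMBLE_END:
            info["preamble_len"] = pos  # application data starts here
            return info
        else:
            raise ValueError("unexpected record type 0x%02x at offset %d" % (rec, pos - 1))
    raise ValueError("preamble not terminated")


# Constructed sample: what a net.tcp client sends before any message. The host
# and port are documentation-range placeholders, not values from this report.
SAMPLE_CLIENT_HELLO = build_preamble("net.tcp://192.0.2.10:12345/")

if __name__ == "__main__":
    print(parse_preamble(SAMPLE_CLIENT_HELLO))
```

The via URI is the most useful field for triage, since it carries the host and port the bot was configured with even when the TCP destination has been proxied or changed; the server answers a well-formed preamble with a one-byte PreambleAck (0x0B), after which the framed messages the RedLine rules match begin.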
PE API
IAT (Import Address Table)
USER32.dll
0x424158 GetMessageExtraInfo
0x42415c WindowFromDC
ADVAPI32.dll
0x424000 InitializeAcl
0x424004 IsValidAcl
KERNEL32.dll
0x42400c HeapSize
0x424010 CreateFileW
0x424014 GetCurrentProcessId
0x424018 VirtualAlloc
0x42401c FreeConsole
0x424020 MultiByteToWideChar
0x424024 GetStringTypeW
0x424028 WideCharToMultiByte
0x42402c GetCurrentThreadId
0x424030 CloseHandle
0x424034 WaitForSingleObjectEx
0x424038 GetExitCodeThread
0x42403c EnterCriticalSection
0x424040 LeaveCriticalSection
0x424044 InitializeCriticalSectionEx
0x424048 DeleteCriticalSection
0x42404c EncodePointer
0x424050 DecodePointer
0x424054 LCMapStringEx
0x424058 QueryPerformanceCounter
0x42405c GetSystemTimeAsFileTime
0x424060 GetModuleHandleW
0x424064 GetProcAddress
0x424068 GetCPInfo
0x42406c IsProcessorFeaturePresent
0x424070 WriteConsoleW
0x424074 InitializeSListHead
0x424078 IsDebuggerPresent
0x42407c UnhandledExceptionFilter
0x424080 SetUnhandledExceptionFilter
0x424084 GetStartupInfoW
0x424088 GetCurrentProcess
0x42408c TerminateProcess
0x424090 ReadConsoleW
0x424094 RaiseException
0x424098 RtlUnwind
0x42409c GetLastError
0x4240a0 SetLastError
0x4240a4 InitializeCriticalSectionAndSpinCount
0x4240a8 TlsAlloc
0x4240ac TlsGetValue
0x4240b0 TlsSetValue
0x4240b4 TlsFree
0x4240b8 FreeLibrary
0x4240bc LoadLibraryExW
0x4240c0 CreateThread
0x4240c4 ExitThread
0x4240c8 FreeLibraryAndExitThread
0x4240cc GetModuleHandleExW
0x4240d0 GetStdHandle
0x4240d4 WriteFile
0x4240d8 GetModuleFileNameW
0x4240dc ExitProcess
0x4240e0 GetCommandLineA
0x4240e4 GetCommandLineW
0x4240e8 HeapAlloc
0x4240ec HeapFree
0x4240f0 CompareStringW
0x4240f4 LCMapStringW
0x4240f8 GetLocaleInfoW
0x4240fc IsValidLocale
0x424100 GetUserDefaultLCID
0x424104 EnumSystemLocalesW
0x424108 GetFileType
0x42410c GetFileSizeEx
0x424110 SetFilePointerEx
0x424114 FlushFileBuffers
0x424118 GetConsoleOutputCP
0x42411c GetConsoleMode
0x424120 ReadFile
0x424124 HeapReAlloc
0x424128 FindClose
0x42412c FindFirstFileExW
0x424130 FindNextFileW
0x424134 IsValidCodePage
0x424138 GetACP
0x42413c GetOEMCP
0x424140 GetEnvironmentStringsW
0x424144 FreeEnvironmentStringsW
0x424148 SetEnvironmentVariableW
0x42414c SetStdHandle
0x424150 GetProcessHeap
EAT (Export Address Table)
0x40210d _GetSpecialResolution@0