popup

Report - is.exe

Malicious Library UPX PWS SMTP AntiDebug AntiVM PE32 PE File OS Processor Check
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.11.14 17:23 Machine s1_win7_x6403
Filename is.exe
Type PE32 executable (console) Intel 80386, for MS Windows
AI Score
6
 Behavior Score
11.6
ZERO API file : malware
VT API (file)
md5 16ef8b5b3fe9fcca6b37396f264f74f7
sha256 443fecbe6006903b09fa090230b790dd28249f5b17927c4989bc8c8eaad3ea3d
ssdeep 12288:wp5APy+55xLWmASQAIHDeAFyD0W2hsTnYwT:sTk8mA+ICiyD0W2hsTYw
imphash 321e5e3951fac38d82c138eb99f56618
impfuzzy 24:OjEM0cplE5jVZDytSS1pQ9VGhlJh9roUOovbO3UEZHu9kFZTvAGMAY:mE1cpe0tSS1K9VG3Zi3XFZze
  Network IP location

Signature (26cnts)

Level Description
danger Executed a process and injected code into it
watch Allocates execute permission to another process indicative of possible code injection
watch Code injection by writing an executable or DLL to the memory of another process
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
watch Executes one or more WMI queries
watch Harvests credentials from local FTP client softwares
watch Manipulates memory of a non-child process indicative of process injection
watch Potential code injection by writing to the memory of another process
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Executes one or more WMI queries which can be used to identify virtual machines
notice One or more potentially interesting buffers were extracted
notice Queries for potentially installed applications
notice Steals private information from local Internet browsers
notice Terminates another process
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info One or more processes crashed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info Tries to locate where the browsers are installed
info Uses Windows APIs to generate a cryptographic key

Rules (15cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
notice Generic_PWS_Memory_Zero PWS Memory memory
notice Network_SMTP_dotNet Communications smtp memory
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (1cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
213.21.220.222
whois
LV VERSIA Ltd 213.21.220.222 clean

Suricata ids

ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer Activity (Response)

PE API

IAT(Import Address Table) Library

GDI32.dll
 0x420008 GetDCBrushColor
USER32.dll
 0x420154 EnableWindow
 0x420158 ValidateRgn
ADVAPI32.dll
 0x420000 RegSetKeySecurity
KERNEL32.dll
 0x420010 HeapSize
 0x420014 CreateFileW
 0x420018 CloseHandle
 0x42001c EnterCriticalSection
 0x420020 LeaveCriticalSection
 0x420024 InitializeCriticalSectionAndSpinCount
 0x420028 DeleteCriticalSection
 0x42002c SetEvent
 0x420030 ResetEvent
 0x420034 WaitForSingleObjectEx
 0x420038 CreateEventW
 0x42003c GetModuleHandleW
 0x420040 GetProcAddress
 0x420044 IsDebuggerPresent
 0x420048 UnhandledExceptionFilter
 0x42004c SetUnhandledExceptionFilter
 0x420050 GetStartupInfoW
 0x420054 IsProcessorFeaturePresent
 0x420058 QueryPerformanceCounter
 0x42005c GetCurrentProcessId
 0x420060 GetCurrentThreadId
 0x420064 GetSystemTimeAsFileTime
 0x420068 InitializeSListHead
 0x42006c GetCurrentProcess
 0x420070 TerminateProcess
 0x420074 GetExitCodeThread
 0x420078 EncodePointer
 0x42007c DecodePointer
 0x420080 InitializeCriticalSectionEx
 0x420084 MultiByteToWideChar
 0x420088 WideCharToMultiByte
 0x42008c LCMapStringEx
 0x420090 GetStringTypeW
 0x420094 GetCPInfo
 0x420098 HeapReAlloc
 0x42009c RaiseException
 0x4200a0 RtlUnwind
 0x4200a4 GetLastError
 0x4200a8 SetLastError
 0x4200ac TlsAlloc
 0x4200b0 TlsGetValue
 0x4200b4 TlsSetValue
 0x4200b8 TlsFree
 0x4200bc FreeLibrary
 0x4200c0 LoadLibraryExW
 0x4200c4 ExitProcess
 0x4200c8 GetModuleHandleExW
 0x4200cc GetModuleFileNameW
 0x4200d0 GetStdHandle
 0x4200d4 WriteFile
 0x4200d8 GetCommandLineA
 0x4200dc GetCommandLineW
 0x4200e0 HeapAlloc
 0x4200e4 HeapFree
 0x4200e8 FindClose
 0x4200ec FindFirstFileExW
 0x4200f0 FindNextFileW
 0x4200f4 IsValidCodePage
 0x4200f8 GetACP
 0x4200fc GetOEMCP
 0x420100 GetEnvironmentStringsW
 0x420104 FreeEnvironmentStringsW
 0x420108 SetEnvironmentVariableW
 0x42010c CompareStringW
 0x420110 LCMapStringW
 0x420114 GetLocaleInfoW
 0x420118 IsValidLocale
 0x42011c GetUserDefaultLCID
 0x420120 EnumSystemLocalesW
 0x420124 GetProcessHeap
 0x420128 GetFileType
 0x42012c SetStdHandle
 0x420130 FlushFileBuffers
 0x420134 GetConsoleOutputCP
 0x420138 GetConsoleMode
 0x42013c ReadFile
 0x420140 GetFileSizeEx
 0x420144 SetFilePointerEx
 0x420148 ReadConsoleW
 0x42014c WriteConsoleW

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure