Field | Value |
---|---|
Created | 2023.11.16 13:23 |
Machine | s1_win7_x6403 |
Filename | traffico.exe |
Type | PE32 executable (console) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malicious |
VT API (file) | 49 detected (AIDetectMalware, malicious, high confidence, Zusy, Save, confidence, 100%, ZexaF, ymW@aae@SLb, Attribute, HighConfidence, Kryptik, HVGM, PWSX, Cdhl, bvwyk, REDLINE, YXDKPZ, high, score, ai score=88, Detected, Zbot, Eldorado, AGEN, R621967, Artemis, TrojanPSW, Stealerc, unsafe, Convagent, vJ2N0BbYTbG, Static AI, Malicious PE, HSYN) |
md5 | 461b8083838b2d837b19466b5acce0e4 |
sha256 | 34c1b8d7e8431854989230c9a65c6b2fd80e74958e893c7eeafd41dcd7796cfd |
ssdeep | 6144:6i3foYiGdwemgItByRT0/dolaDA0ShlsZUIb37ScD4Akr7rwaM:6woU4DSEZU+3tcA+ |
imphash | c9841028b9dc21821bee70c3fbfd867e |
impfuzzy | 24:ijKNDovlvHOovS2cfzZ/J3IngFQ8RyvuT4+jlYsQ:4uQcfzbQHuc+jGsQ |
Signatures (15)
Level | Description |
---|---|
danger | File has been identified by 49 AntiVirus engines on VirusTotal as malicious |
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
watch | Harvests credentials from local FTP client software |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | One or more potentially interesting buffers were extracted |
notice | Queries for potentially installed applications |
notice | Steals private information from local Internet browsers |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | One or more processes crashed |
info | Queries for the computername |
info | Tries to locate where the browsers are installed |
info | Uses Windows APIs to generate a cryptographic key |
Rules (4)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata IDs
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer Activity (Response)
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x40c000 GetLocalTime
0x40c004 WaitForSingleObject
0x40c008 Sleep
0x40c00c CreateThread
0x40c010 lstrlenW
0x40c014 VirtualProtect
0x40c018 GetProcAddress
0x40c01c LoadLibraryA
0x40c020 VirtualAlloc
0x40c024 GetModuleHandleA
0x40c028 FreeConsole
0x40c02c GetLastError
0x40c030 HeapFree
0x40c034 HeapAlloc
0x40c038 RtlUnwind
0x40c03c GetCommandLineA
0x40c040 HeapCreate
0x40c044 VirtualFree
0x40c048 DeleteCriticalSection
0x40c04c LeaveCriticalSection
0x40c050 EnterCriticalSection
0x40c054 HeapReAlloc
0x40c058 GetModuleHandleW
0x40c05c ExitProcess
0x40c060 WriteFile
0x40c064 GetStdHandle
0x40c068 GetModuleFileNameA
0x40c06c TlsGetValue
0x40c070 TlsAlloc
0x40c074 TlsSetValue
0x40c078 TlsFree
0x40c07c InterlockedIncrement
0x40c080 SetLastError
0x40c084 GetCurrentThreadId
0x40c088 InterlockedDecrement
0x40c08c SetUnhandledExceptionFilter
0x40c090 FreeEnvironmentStringsA
0x40c094 GetEnvironmentStrings
0x40c098 FreeEnvironmentStringsW
0x40c09c WideCharToMultiByte
0x40c0a0 GetEnvironmentStringsW
0x40c0a4 SetHandleCount
0x40c0a8 GetFileType
0x40c0ac GetStartupInfoA
0x40c0b0 QueryPerformanceCounter
0x40c0b4 GetTickCount
0x40c0b8 GetCurrentProcessId
0x40c0bc GetSystemTimeAsFileTime
0x40c0c0 TerminateProcess
0x40c0c4 GetCurrentProcess
0x40c0c8 UnhandledExceptionFilter
0x40c0cc IsDebuggerPresent
0x40c0d0 InitializeCriticalSectionAndSpinCount
0x40c0d4 RaiseException
0x40c0d8 GetCPInfo
0x40c0dc GetACP
0x40c0e0 GetOEMCP
0x40c0e4 IsValidCodePage
0x40c0e8 HeapSize
0x40c0ec GetLocaleInfoA
0x40c0f0 GetStringTypeA
0x40c0f4 MultiByteToWideChar
0x40c0f8 GetStringTypeW
0x40c0fc LCMapStringA
0x40c100 LCMapStringW
EAT (Export Address Table): none
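The import table above is short, and most of it is what the MSVC C runtime start-up code pulls in on its own (heap, TLS, locale and environment calls). The part worth a second look is VirtualAlloc and VirtualProtect sitting next to LoadLibraryA and GetProcAddress: that combination is how a packed stub maps a decrypted payload, makes it executable and resolves the payload's real imports at run time, which is consistent with the "Allocates read-write-execute memory" signature and the Malicious_Packer_Zero rule hit reported above. As an added example (this editor's code, not part of the sandbox output), the script below parses a listing in exactly the format printed here and flags those combinations; the pattern groupings, the CRT_NOISE set and the "looks packed" threshold are the example's own assumptions, not findings of the report.

```python
"""Triage a PE import listing in the format the report prints above.

Added example by the editor, not sandbox output. The pattern groupings,
the CRT_NOISE set and the packed-stub threshold are heuristics (assumptions).
"""
import re
from typing import Dict, List, Set

# Constructed input: an excerpt copied from the KERNEL32.dll IAT above.
# parse_iat() accepts the complete listing in the same format.
IAT_LISTING = """\
KERNEL32.dll
0x40c014 VirtualProtect
0x40c018 GetProcAddress
0x40c01c LoadLibraryA
0x40c020 VirtualAlloc
0x40c024 GetModuleHandleA
0x40c028 FreeConsole
0x40c03c GetCommandLineA
0x40c040 HeapCreate
0x40c070 TlsAlloc
0x40c0ac GetStartupInfoA
0x40c0cc IsDebuggerPresent
0x40c0d0 InitializeCriticalSectionAndSpinCount
"""

ENTRY_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\w+)$")


def parse_iat(listing: str) -> Dict[str, List[str]]:
    """Return {dll: [imported name, ...]} preserving the listing's order.

    Any line that is not '<address> <name>' is treated as a DLL header,
    so paste only the IAT section (not the trailing EAT line).
    """
    imports: Dict[str, List[str]] = {}
    current = None
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            current = line
            imports.setdefault(current, [])
        elif current is None:
            raise ValueError(f"import entry before any DLL header: {line}")
        else:
            imports[current].append(m.group(2))
    return imports


# API combinations worth a second look (assumption: editor's heuristics).
PATTERNS = {
    "runtime_api_resolution": {"LoadLibraryA", "GetProcAddress"},
    "rwx_or_self_unpacking": {"VirtualAlloc", "VirtualProtect"},
    # Also emitted by some MSVC CRT versions, so on its own it is only 'info'.
    "debugger_check": {"IsDebuggerPresent"},
    "hides_console": {"FreeConsole"},
}

# Names the MSVC C runtime start-up code imports by itself (assumption: the
# usual CRT set). They say nothing about what the program does.
CRT_NOISE = {
    "GetCommandLineA", "HeapCreate", "HeapAlloc", "HeapFree", "HeapReAlloc",
    "HeapSize", "TlsAlloc", "TlsGetValue", "TlsSetValue", "TlsFree",
    "GetStartupInfoA", "InitializeCriticalSectionAndSpinCount",
    "EnterCriticalSection", "LeaveCriticalSection", "DeleteCriticalSection",
    "GetModuleHandleW", "GetModuleFileNameA", "ExitProcess", "RtlUnwind",
    "GetStdHandle", "GetFileType", "SetHandleCount", "RaiseException",
    "GetEnvironmentStrings", "GetEnvironmentStringsW",
    "FreeEnvironmentStringsA", "FreeEnvironmentStringsW",
    "GetCPInfo", "GetACP", "GetOEMCP", "IsValidCodePage", "GetLocaleInfoA",
    "GetStringTypeA", "GetStringTypeW", "LCMapStringA", "LCMapStringW",
    "MultiByteToWideChar", "WideCharToMultiByte",
    "UnhandledExceptionFilter", "SetUnhandledExceptionFilter",
    "TerminateProcess", "GetCurrentProcess", "GetCurrentProcessId",
    "GetCurrentThreadId", "QueryPerformanceCounter", "GetTickCount",
    "GetSystemTimeAsFileTime", "InterlockedIncrement", "InterlockedDecrement",
    "SetLastError", "GetLastError",
}


def triage(imports: Dict[str, List[str]]) -> Dict[str, object]:
    """Summarise which suspicious combinations the import table contains."""
    names: Set[str] = {f for funcs in imports.values() for f in funcs}
    patterns = sorted(tag for tag, needed in PATTERNS.items() if needed <= names)
    non_crt = sorted(names - CRT_NOISE)
    return {
        "dlls": sorted(imports),
        "total": len(names),
        "patterns": patterns,
        "non_crt": non_crt,
        # A small table that is CRT noise plus memory/loader primitives is the
        # classic shape of a packed stub (the threshold is an assumption).
        "looks_packed": (
            "runtime_api_resolution" in patterns
            and "rwx_or_self_unpacking" in patterns
            and len(non_crt) <= 10
        ),
    }


if __name__ == "__main__":
    for key, value in triage(parse_iat(IAT_LISTING)).items():
        print(f"{key}: {value}")
```

Run against the full KERNEL32.dll listing above, the non-CRT remainder is the same handful of names, which is why static triage of a sample like this should stop at "packed, resolves imports at run time" and move on to the unpacked payload or the sandbox's network and behaviour findings rather than reading intent into the import table.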