Field | Value |
---|---|
Created | 2023.12.13 08:36 |
Machine | s1_win7_x6401 |
Filename | autorun.exe |
Type | PE32 executable (console) Intel 80386, for MS Windows |
ZERO API | file : malware |
md5 | e603e2abda021b58c29868700301275a |
sha256 | 98416948da54776f0e0aa636096b78fca785cbe90f29f1ddbfee62d56b20b950 |
ssdeep | 3072:6An6FriTnuKyjgPXJJiqdgWxzHDmtEvT27meNrQaT2EUnr1Xy1Eeh2C7c:R2iTnOgPZJiqdXAFBNrQaT25n9yaW2/ |
imphash | 59737f231ef329f299654331c80b5130 |
impfuzzy | 24:aA0DZj7Oovn/QFQjERyvDh/J3ISlRT47mfpl/quPA:5E/LDjhc7mfp5qr |
Signatures (16 counts)
Level | Description |
---|---|
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
watch | Executes one or more WMI queries |
watch | Harvests credentials from local FTP client softwares |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Executes one or more WMI queries which can be used to identify virtual machines |
notice | One or more potentially interesting buffers were extracted |
notice | Queries for potentially installed applications |
notice | Steals private information from local Internet browsers |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | One or more processes crashed |
info | Queries for the computername |
info | Tries to locate where the browsers are installed |
info | Uses Windows APIs to generate a cryptographic key |
Rules (6 counts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata IDS
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Family Activity (Response)
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x40f028 FreeConsole
0x40f02c CreateThread
0x40f030 GetModuleHandleA
0x40f034 VirtualAlloc
0x40f038 LoadLibraryA
0x40f03c GetProcAddress
0x40f040 VirtualProtect
0x40f044 lstrlenW
0x40f048 Sleep
0x40f04c WaitForSingleObject
0x40f050 GetCommandLineA
0x40f054 SetUnhandledExceptionFilter
0x40f058 GetModuleHandleW
0x40f05c ExitProcess
0x40f060 WriteFile
0x40f064 GetStdHandle
0x40f068 GetModuleFileNameA
0x40f06c FreeEnvironmentStringsA
0x40f070 GetEnvironmentStrings
0x40f074 FreeEnvironmentStringsW
0x40f078 WideCharToMultiByte
0x40f07c GetLastError
0x40f080 GetEnvironmentStringsW
0x40f084 SetHandleCount
0x40f088 GetFileType
0x40f08c GetStartupInfoA
0x40f090 DeleteCriticalSection
0x40f094 TlsGetValue
0x40f098 TlsAlloc
0x40f09c TlsSetValue
0x40f0a0 TlsFree
0x40f0a4 InterlockedIncrement
0x40f0a8 SetLastError
0x40f0ac GetCurrentThreadId
0x40f0b0 InterlockedDecrement
0x40f0b4 HeapCreate
0x40f0b8 VirtualFree
0x40f0bc HeapFree
0x40f0c0 QueryPerformanceCounter
0x40f0c4 GetTickCount
0x40f0c8 GetCurrentProcessId
0x40f0cc GetSystemTimeAsFileTime
0x40f0d0 GetCPInfo
0x40f0d4 GetACP
0x40f0d8 GetOEMCP
0x40f0dc IsValidCodePage
0x40f0e0 TerminateProcess
0x40f0e4 GetCurrentProcess
0x40f0e8 UnhandledExceptionFilter
0x40f0ec IsDebuggerPresent
0x40f0f0 LeaveCriticalSection
0x40f0f4 EnterCriticalSection
0x40f0f8 InitializeCriticalSectionAndSpinCount
0x40f0fc HeapAlloc
0x40f100 HeapReAlloc
0x40f104 RtlUnwind
0x40f108 LCMapStringA
0x40f10c MultiByteToWideChar
0x40f110 LCMapStringW
0x40f114 GetStringTypeA
0x40f118 GetStringTypeW
0x40f11c GetLocaleInfoA
0x40f120 HeapSize
GDI32.dll
0x40f008 SelectObject
0x40f00c GetObjectA
0x40f010 GetStockObject
0x40f014 DeleteObject
0x40f018 SetBkMode
0x40f01c SetTextColor
0x40f020 CreateFontIndirectA
ADVAPI32.dll
0x40f000 RegDeleteKeyA
EAT (Export Address Table): none