Field | Value |
---|---|
Created | 2023.12.18 07:56 |
Machine | s1_win7_x6403 |
Filename | 3535.exe |
Type | PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malicious |
VT API (file) | |
md5 | 138b15b9fcd21533b3ca0193893053cf |
sha256 | 4d58e1391edd093ad245f18ad52631bcd66649abc79cabc37aaf73dd37d9236e |
ssdeep | 3072:DOdyXTkHLacFNMataIbtJjRntvgzjOs+cIdRjiApjIJUzhDzG:DOdETkzNMUaIbDRnRcIRsJy5G |
imphash | efe29a6c50b79427ae937c4473543cdc |
impfuzzy | 24:dojKNDogHOovg/J3InKQFQ8RyvDklRT4nZmfWlzf:DuHQK3D+cnZmfW1f |
Network IP location
Signature (15cnts)
Level | Description |
---|---|
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
watch | Harvests credentials from local FTP client software |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | One or more potentially interesting buffers were extracted |
notice | Queries for potentially installed applications |
notice | Steals private information from local Internet browsers |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | One or more processes crashed |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | Tries to locate where the browsers are installed |
info | Uses Windows APIs to generate a cryptographic key |
Rules (6cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization)
ET MALWARE Redline Stealer Family Activity (Response)
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x410000 GetLastError
0x410004 WaitForSingleObject
0x410008 Sleep
0x41000c CreateThread
0x410010 lstrlenW
0x410014 VirtualProtect
0x410018 GetProcAddress
0x41001c LoadLibraryA
0x410020 VirtualAlloc
0x410024 GetModuleHandleA
0x410028 FreeConsole
0x41002c RtlUnwind
0x410030 GetCommandLineA
0x410034 GetModuleHandleW
0x410038 TlsGetValue
0x41003c TlsAlloc
0x410040 TlsSetValue
0x410044 TlsFree
0x410048 InterlockedIncrement
0x41004c SetLastError
0x410050 GetCurrentThreadId
0x410054 InterlockedDecrement
0x410058 SetUnhandledExceptionFilter
0x41005c ExitProcess
0x410060 WriteFile
0x410064 GetStdHandle
0x410068 GetModuleFileNameA
0x41006c FreeEnvironmentStringsA
0x410070 GetEnvironmentStrings
0x410074 FreeEnvironmentStringsW
0x410078 WideCharToMultiByte
0x41007c GetEnvironmentStringsW
0x410080 SetHandleCount
0x410084 GetFileType
0x410088 GetStartupInfoA
0x41008c DeleteCriticalSection
0x410090 HeapCreate
0x410094 VirtualFree
0x410098 HeapFree
0x41009c QueryPerformanceCounter
0x4100a0 GetTickCount
0x4100a4 GetCurrentProcessId
0x4100a8 GetSystemTimeAsFileTime
0x4100ac RaiseException
0x4100b0 TerminateProcess
0x4100b4 GetCurrentProcess
0x4100b8 UnhandledExceptionFilter
0x4100bc IsDebuggerPresent
0x4100c0 LeaveCriticalSection
0x4100c4 EnterCriticalSection
0x4100c8 GetCPInfo
0x4100cc GetACP
0x4100d0 GetOEMCP
0x4100d4 IsValidCodePage
0x4100d8 InitializeCriticalSectionAndSpinCount
0x4100dc HeapAlloc
0x4100e0 HeapReAlloc
0x4100e4 GetLocaleInfoA
0x4100e8 GetStringTypeA
0x4100ec MultiByteToWideChar
0x4100f0 GetStringTypeW
0x4100f4 LCMapStringA
0x4100f8 LCMapStringW
0x4100fc HeapSize
EAT(Export Address Table) Library