ScreenShot
Field | Value |
---|---|
Created | 2023.12.22 08:24 |
Machine | s1_win7_x6403 |
Filename | crypted.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | |
md5 | 42464d83d6f8b2ce1a88cf6c7c721c09 |
sha256 | 7bf0a62c650e7f8407ea480d27f3a1629064c6c03db6b578e442dba7ea35490b |
ssdeep | 12288:HdKgCUUXiSLZQ88Xd6CWyc5obe6WzCSi3PR2CKNI8+aAcI/OMF:HdKg3ciT7Xd6CWyc5otSi352C2I8+aA5 |
imphash | 12062d8b6887d7a0da34142af6a26a3d |
impfuzzy | 24:18RXj/TxmjlacpVGDBZtte4GhlJBl39WuPX4ZMv1GMAkpOovbOPZG:6ZxkacpVGtte4GnpnIZGA3w |
Network IP location
Signature (17cnts)
Level | Description |
---|---|
danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
danger | Executed a process and injected code into it |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Code injection by writing an executable or DLL to the memory of another process |
watch | Communicates with host for which no DNS query was performed |
watch | Manipulates memory of a non-child process indicative of process injection |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | One or more potentially interesting buffers were extracted |
notice | Terminates another process |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | One or more processes crashed |
info | Uses Windows APIs to generate a cryptographic key |
Rules (17cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | RedLine_Stealer_m_Zero | RedLine stealer | memory |
watch | Admin_Tool_IN_Zero | Admin Tool Sysinternals | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
notice | ScreenShot | Take ScreenShot | memory |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
PE API
IAT (Import Address Table) Library
GDI32.dll
0x42500c UnrealizeObject
ADVAPI32.dll
0x425000 AddAce
0x425004 RegCloseKey
KERNEL32.dll
0x425014 CloseHandle
0x425018 WaitForSingleObject
0x42501c CreateRemoteThread
0x425020 QueryPerformanceCounter
0x425024 QueryPerformanceFrequency
0x425028 WaitForSingleObjectEx
0x42502c Sleep
0x425030 GetCurrentThreadId
0x425034 GetExitCodeThread
0x425038 WideCharToMultiByte
0x42503c MultiByteToWideChar
0x425040 GetStringTypeW
0x425044 EnterCriticalSection
0x425048 LeaveCriticalSection
0x42504c InitializeCriticalSectionEx
0x425050 DeleteCriticalSection
0x425054 GetSystemTimeAsFileTime
0x425058 GetModuleHandleW
0x42505c GetProcAddress
0x425060 EncodePointer
0x425064 DecodePointer
0x425068 LCMapStringEx
0x42506c GetCPInfo
0x425070 IsProcessorFeaturePresent
0x425074 UnhandledExceptionFilter
0x425078 SetUnhandledExceptionFilter
0x42507c GetCurrentProcess
0x425080 TerminateProcess
0x425084 GetCurrentProcessId
0x425088 InitializeSListHead
0x42508c IsDebuggerPresent
0x425090 GetStartupInfoW
0x425094 CreateFileW
0x425098 RaiseException
0x42509c RtlUnwind
0x4250a0 GetLastError
0x4250a4 SetLastError
0x4250a8 InitializeCriticalSectionAndSpinCount
0x4250ac TlsAlloc
0x4250b0 TlsGetValue
0x4250b4 TlsSetValue
0x4250b8 TlsFree
0x4250bc FreeLibrary
0x4250c0 LoadLibraryExW
0x4250c4 CreateThread
0x4250c8 ExitThread
0x4250cc FreeLibraryAndExitThread
0x4250d0 GetModuleHandleExW
0x4250d4 GetStdHandle
0x4250d8 WriteFile
0x4250dc GetModuleFileNameW
0x4250e0 ExitProcess
0x4250e4 HeapFree
0x4250e8 HeapAlloc
0x4250ec LCMapStringW
0x4250f0 GetLocaleInfoW
0x4250f4 IsValidLocale
0x4250f8 GetUserDefaultLCID
0x4250fc EnumSystemLocalesW
0x425100 GetFileType
0x425104 FlushFileBuffers
0x425108 GetConsoleOutputCP
0x42510c GetConsoleMode
0x425110 ReadFile
0x425114 GetFileSizeEx
0x425118 SetFilePointerEx
0x42511c ReadConsoleW
0x425120 HeapReAlloc
0x425124 FindClose
0x425128 FindFirstFileExW
0x42512c FindNextFileW
0x425130 IsValidCodePage
0x425134 GetACP
0x425138 GetOEMCP
0x42513c GetCommandLineA
0x425140 GetCommandLineW
0x425144 GetEnvironmentStringsW
0x425148 FreeEnvironmentStringsW
0x42514c SetStdHandle
0x425150 GetProcessHeap
0x425154 HeapSize
0x425158 WriteConsoleW
EAT (Export Address Table): none