ScreenShot
| Created | 2024.08.21 13:48 | Machine | s1_win7_x6403 |
| Filename | meta.exe | ||
| Type | PE32+ executable (GUI) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : mailcious | ||
| VT API (file) | 41 detected (AIDetectMalware, ChePro, malicious, high confidence, score, Sality, Kryptik, Vt0p, Attribute, HighConfidence, GenKryptik, HASK, Artemis, CLASSIC, dwivl, DownLoaderNET, AMADEY, YXEHUZ, Outbreak, Detected, Wacatac, fisz, MetaStealer, PV3UOF, Chgt, Gencirc, MAGC, Wacapew, C9nj) | ||
| md5 | 3aace51d76b16a60e94636150bd1137e | ||
| sha256 | b51004463e8cdfe74c593f1d3e883ff20d53ad6081de7bf46bb3837b86975955 | ||
| ssdeep | 49152:ZI/0Xh92X3FAOkoQgcK1UeVBOHpwIf0bOtW1sLjS8gumDJKm:6O2X33Dcp98bObLBCJv | ||
| imphash | 9e02808def02e999c496dcaa4fcfd6ba | ||
| impfuzzy | 96:C6K0zXQsSuzqJcxL/eQUKP5ja9OmHTXrR9X1fa2Rq+PIXeQky0uGdLKayWf:CFQgsSJOST7R9FfaqnIuDapayWf | ||
Network IP location
Signature (14cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 41 AntiVirus engines on VirusTotal as malicious |
| danger | Executed a process and injected code into it |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Communicates with host for which no DNS query was performed |
| watch | Manipulates memory of a non-child process indicative of process injection |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | One or more potentially interesting buffers were extracted |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
| info | This executable has a PDB path |
Rules (17cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | RedLine_Stealer_m_Zero | RedLine stealer | memory |
| watch | Antivirus | Contains references to security software | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE64 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Suricata ids
ET DROP Spamhaus DROP Listed Traffic Inbound group 4
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)
PE API
IAT(Import Address Table) Library
ADVAPI32.dll
0x1401a7000 RegCloseKey
0x1401a7008 RegEnumValueW
0x1401a7010 RegOpenKeyExW
0x1401a7018 RegQueryValueExW
0x1401a7020 RegCreateKeyExW
0x1401a7028 RegDeleteKeyExW
0x1401a7030 RegDeleteValueW
0x1401a7038 RegEnumKeyExW
0x1401a7040 RegFlushKey
0x1401a7048 RegQueryInfoKeyW
0x1401a7050 RegSetValueExW
0x1401a7058 OpenProcessToken
0x1401a7060 LookupPrivilegeValueW
0x1401a7068 AdjustTokenPrivileges
0x1401a7070 CreateWellKnownSid
0x1401a7078 GetWindowsAccountDomainSid
0x1401a7080 RevertToSelf
0x1401a7088 OpenThreadToken
0x1401a7090 SetThreadToken
0x1401a7098 DuplicateTokenEx
0x1401a70a0 GetSecurityDescriptorLength
0x1401a70a8 EventWrite
0x1401a70b0 EventRegister
0x1401a70b8 EventEnabled
crypt.dll
0x1401a76c0 BCryptDestroyKey
0x1401a76c8 BCryptGenerateSymmetricKey
0x1401a76d0 BCryptOpenAlgorithmProvider
0x1401a76d8 BCryptGenRandom
0x1401a76e0 BCryptCloseAlgorithmProvider
KERNEL32.dll
0x1401a70c8 TlsFree
0x1401a70d0 TlsSetValue
0x1401a70d8 TlsGetValue
0x1401a70e0 TlsAlloc
0x1401a70e8 InitializeCriticalSectionAndSpinCount
0x1401a70f0 EncodePointer
0x1401a70f8 CloseThreadpoolIo
0x1401a7100 GetCurrentProcessId
0x1401a7108 MultiByteToWideChar
0x1401a7110 GetStdHandle
0x1401a7118 GetCalendarInfoEx
0x1401a7120 CompareStringOrdinal
0x1401a7128 CompareStringEx
0x1401a7130 FindNLSStringEx
0x1401a7138 GetLocaleInfoEx
0x1401a7140 ResolveLocaleName
0x1401a7148 FindStringOrdinal
0x1401a7150 GetTickCount64
0x1401a7158 GetCurrentProcess
0x1401a7160 GetCurrentThread
0x1401a7168 Sleep
0x1401a7170 InitializeCriticalSection
0x1401a7178 InitializeConditionVariable
0x1401a7180 DeleteCriticalSection
0x1401a7188 LocalFree
0x1401a7190 EnterCriticalSection
0x1401a7198 SleepConditionVariableCS
0x1401a71a0 LeaveCriticalSection
0x1401a71a8 WakeConditionVariable
0x1401a71b0 QueryPerformanceCounter
0x1401a71b8 WaitForMultipleObjectsEx
0x1401a71c0 GetLastError
0x1401a71c8 QueryPerformanceFrequency
0x1401a71d0 SetLastError
0x1401a71d8 GetFullPathNameW
0x1401a71e0 GetLongPathNameW
0x1401a71e8 LocalAlloc
0x1401a71f0 GetConsoleOutputCP
0x1401a71f8 WideCharToMultiByte
0x1401a7200 GetProcAddress
0x1401a7208 RaiseFailFastException
0x1401a7210 CreateThreadpoolIo
0x1401a7218 StartThreadpoolIo
0x1401a7220 CancelThreadpoolIo
0x1401a7228 LocaleNameToLCID
0x1401a7230 LCMapStringEx
0x1401a7238 EnumTimeFormatsEx
0x1401a7240 EnumCalendarInfoExEx
0x1401a7248 CreateFileW
0x1401a7250 DeleteFileW
0x1401a7258 DeviceIoControl
0x1401a7260 ExpandEnvironmentStringsW
0x1401a7268 FindClose
0x1401a7270 FindFirstFileExW
0x1401a7278 FlushFileBuffers
0x1401a7280 FreeLibrary
0x1401a7288 GetFileAttributesExW
0x1401a7290 GetFileInformationByHandleEx
0x1401a7298 GetFileType
0x1401a72a0 GetModuleFileNameW
0x1401a72a8 GetOverlappedResult
0x1401a72b0 LoadLibraryExW
0x1401a72b8 ReadFile
0x1401a72c0 SetFileInformationByHandle
0x1401a72c8 SetThreadErrorMode
0x1401a72d0 WriteFile
0x1401a72d8 GetCurrentProcessorNumberEx
0x1401a72e0 CloseHandle
0x1401a72e8 SetEvent
0x1401a72f0 ResetEvent
0x1401a72f8 CreateEventExW
0x1401a7300 GetEnvironmentVariableW
0x1401a7308 FormatMessageW
0x1401a7310 DuplicateHandle
0x1401a7318 GetThreadPriority
0x1401a7320 SetThreadPriority
0x1401a7328 GetConsoleWindow
0x1401a7330 FreeConsole
0x1401a7338 AllocConsole
0x1401a7340 CreateProcessW
0x1401a7348 GetThreadContext
0x1401a7350 ExitProcess
0x1401a7358 K32EnumProcessModulesEx
0x1401a7360 IsWow64Process
0x1401a7368 GetExitCodeProcess
0x1401a7370 OpenProcess
0x1401a7378 K32EnumProcesses
0x1401a7380 K32GetModuleInformation
0x1401a7388 K32GetModuleBaseNameW
0x1401a7390 K32GetModuleFileNameExW
0x1401a7398 GetProcessId
0x1401a73a0 FlushProcessWriteBuffers
0x1401a73a8 GetCurrentThreadId
0x1401a73b0 WaitForSingleObjectEx
0x1401a73b8 VirtualQuery
0x1401a73c0 RtlRestoreContext
0x1401a73c8 AddVectoredExceptionHandler
0x1401a73d0 FlsAlloc
0x1401a73d8 FlsGetValue
0x1401a73e0 FlsSetValue
0x1401a73e8 CreateEventW
0x1401a73f0 TerminateProcess
0x1401a73f8 SwitchToThread
0x1401a7400 CreateThread
0x1401a7408 SuspendThread
0x1401a7410 ResumeThread
0x1401a7418 SetThreadContext
0x1401a7420 FlushInstructionCache
0x1401a7428 VirtualAlloc
0x1401a7430 VirtualProtect
0x1401a7438 VirtualFree
0x1401a7440 QueryInformationJobObject
0x1401a7448 GetModuleHandleW
0x1401a7450 GetModuleHandleExW
0x1401a7458 GetProcessAffinityMask
0x1401a7460 InitializeContext
0x1401a7468 GetEnabledXStateFeatures
0x1401a7470 SetXStateFeaturesMask
0x1401a7478 InitializeCriticalSectionEx
0x1401a7480 GetSystemTimeAsFileTime
0x1401a7488 DebugBreak
0x1401a7490 WaitForSingleObject
0x1401a7498 SleepEx
0x1401a74a0 GlobalMemoryStatusEx
0x1401a74a8 GetSystemInfo
0x1401a74b0 GetLogicalProcessorInformation
0x1401a74b8 GetLogicalProcessorInformationEx
0x1401a74c0 GetLargePageMinimum
0x1401a74c8 VirtualUnlock
0x1401a74d0 VirtualAllocExNuma
0x1401a74d8 IsProcessInJob
0x1401a74e0 GetNumaHighestNodeNumber
0x1401a74e8 GetProcessGroupAffinity
0x1401a74f0 K32GetProcessMemoryInfo
0x1401a74f8 RaiseException
0x1401a7500 RtlPcToFileHeader
0x1401a7508 RtlUnwindEx
0x1401a7510 IsProcessorFeaturePresent
0x1401a7518 SetUnhandledExceptionFilter
0x1401a7520 UnhandledExceptionFilter
0x1401a7528 IsDebuggerPresent
0x1401a7530 RtlVirtualUnwind
0x1401a7538 RtlLookupFunctionEntry
0x1401a7540 RtlCaptureContext
0x1401a7548 InitializeSListHead
ole32.dll
0x1401a76f0 CoGetApartmentType
0x1401a76f8 CoUninitialize
0x1401a7700 CoInitializeEx
0x1401a7708 CoCreateGuid
0x1401a7710 CoWaitForMultipleHandles
api-ms-win-crt-math-l1-1-0.dll
0x1401a7598 ceil
0x1401a75a0 __setusermatherr
api-ms-win-crt-heap-l1-1-0.dll
0x1401a7558 free
0x1401a7560 _callnewh
0x1401a7568 calloc
0x1401a7570 _set_new_mode
0x1401a7578 malloc
api-ms-win-crt-string-l1-1-0.dll
0x1401a7688 _stricmp
0x1401a7690 strcpy_s
0x1401a7698 strcmp
0x1401a76a0 _wcsicmp
0x1401a76a8 wcsncmp
0x1401a76b0 strncpy_s
api-ms-win-crt-runtime-l1-1-0.dll
0x1401a75b0 __p___wargv
0x1401a75b8 _cexit
0x1401a75c0 exit
0x1401a75c8 terminate
0x1401a75d0 _crt_atexit
0x1401a75d8 _register_onexit_function
0x1401a75e0 _initialize_onexit_table
0x1401a75e8 __p___argc
0x1401a75f0 _exit
0x1401a75f8 abort
0x1401a7600 _initterm_e
0x1401a7608 _c_exit
0x1401a7610 _register_thread_local_exe_atexit_callback
0x1401a7618 _seh_filter_exe
0x1401a7620 _set_app_type
0x1401a7628 _initterm
0x1401a7630 _configure_wide_argv
0x1401a7638 _initialize_wide_environment
0x1401a7640 _get_initial_wide_environment
api-ms-win-crt-stdio-l1-1-0.dll
0x1401a7650 __stdio_common_vsprintf_s
0x1401a7658 __stdio_common_vfprintf
0x1401a7660 __p__commode
0x1401a7668 _set_fmode
0x1401a7670 __stdio_common_vsscanf
0x1401a7678 __acrt_iob_func
api-ms-win-crt-locale-l1-1-0.dll
0x1401a7588 _configthreadlocale
EAT(Export Address Table) Library
ADVAPI32.dll
0x1401a7000 RegCloseKey
0x1401a7008 RegEnumValueW
0x1401a7010 RegOpenKeyExW
0x1401a7018 RegQueryValueExW
0x1401a7020 RegCreateKeyExW
0x1401a7028 RegDeleteKeyExW
0x1401a7030 RegDeleteValueW
0x1401a7038 RegEnumKeyExW
0x1401a7040 RegFlushKey
0x1401a7048 RegQueryInfoKeyW
0x1401a7050 RegSetValueExW
0x1401a7058 OpenProcessToken
0x1401a7060 LookupPrivilegeValueW
0x1401a7068 AdjustTokenPrivileges
0x1401a7070 CreateWellKnownSid
0x1401a7078 GetWindowsAccountDomainSid
0x1401a7080 RevertToSelf
0x1401a7088 OpenThreadToken
0x1401a7090 SetThreadToken
0x1401a7098 DuplicateTokenEx
0x1401a70a0 GetSecurityDescriptorLength
0x1401a70a8 EventWrite
0x1401a70b0 EventRegister
0x1401a70b8 EventEnabled
crypt.dll
0x1401a76c0 BCryptDestroyKey
0x1401a76c8 BCryptGenerateSymmetricKey
0x1401a76d0 BCryptOpenAlgorithmProvider
0x1401a76d8 BCryptGenRandom
0x1401a76e0 BCryptCloseAlgorithmProvider
KERNEL32.dll
0x1401a70c8 TlsFree
0x1401a70d0 TlsSetValue
0x1401a70d8 TlsGetValue
0x1401a70e0 TlsAlloc
0x1401a70e8 InitializeCriticalSectionAndSpinCount
0x1401a70f0 EncodePointer
0x1401a70f8 CloseThreadpoolIo
0x1401a7100 GetCurrentProcessId
0x1401a7108 MultiByteToWideChar
0x1401a7110 GetStdHandle
0x1401a7118 GetCalendarInfoEx
0x1401a7120 CompareStringOrdinal
0x1401a7128 CompareStringEx
0x1401a7130 FindNLSStringEx
0x1401a7138 GetLocaleInfoEx
0x1401a7140 ResolveLocaleName
0x1401a7148 FindStringOrdinal
0x1401a7150 GetTickCount64
0x1401a7158 GetCurrentProcess
0x1401a7160 GetCurrentThread
0x1401a7168 Sleep
0x1401a7170 InitializeCriticalSection
0x1401a7178 InitializeConditionVariable
0x1401a7180 DeleteCriticalSection
0x1401a7188 LocalFree
0x1401a7190 EnterCriticalSection
0x1401a7198 SleepConditionVariableCS
0x1401a71a0 LeaveCriticalSection
0x1401a71a8 WakeConditionVariable
0x1401a71b0 QueryPerformanceCounter
0x1401a71b8 WaitForMultipleObjectsEx
0x1401a71c0 GetLastError
0x1401a71c8 QueryPerformanceFrequency
0x1401a71d0 SetLastError
0x1401a71d8 GetFullPathNameW
0x1401a71e0 GetLongPathNameW
0x1401a71e8 LocalAlloc
0x1401a71f0 GetConsoleOutputCP
0x1401a71f8 WideCharToMultiByte
0x1401a7200 GetProcAddress
0x1401a7208 RaiseFailFastException
0x1401a7210 CreateThreadpoolIo
0x1401a7218 StartThreadpoolIo
0x1401a7220 CancelThreadpoolIo
0x1401a7228 LocaleNameToLCID
0x1401a7230 LCMapStringEx
0x1401a7238 EnumTimeFormatsEx
0x1401a7240 EnumCalendarInfoExEx
0x1401a7248 CreateFileW
0x1401a7250 DeleteFileW
0x1401a7258 DeviceIoControl
0x1401a7260 ExpandEnvironmentStringsW
0x1401a7268 FindClose
0x1401a7270 FindFirstFileExW
0x1401a7278 FlushFileBuffers
0x1401a7280 FreeLibrary
0x1401a7288 GetFileAttributesExW
0x1401a7290 GetFileInformationByHandleEx
0x1401a7298 GetFileType
0x1401a72a0 GetModuleFileNameW
0x1401a72a8 GetOverlappedResult
0x1401a72b0 LoadLibraryExW
0x1401a72b8 ReadFile
0x1401a72c0 SetFileInformationByHandle
0x1401a72c8 SetThreadErrorMode
0x1401a72d0 WriteFile
0x1401a72d8 GetCurrentProcessorNumberEx
0x1401a72e0 CloseHandle
0x1401a72e8 SetEvent
0x1401a72f0 ResetEvent
0x1401a72f8 CreateEventExW
0x1401a7300 GetEnvironmentVariableW
0x1401a7308 FormatMessageW
0x1401a7310 DuplicateHandle
0x1401a7318 GetThreadPriority
0x1401a7320 SetThreadPriority
0x1401a7328 GetConsoleWindow
0x1401a7330 FreeConsole
0x1401a7338 AllocConsole
0x1401a7340 CreateProcessW
0x1401a7348 GetThreadContext
0x1401a7350 ExitProcess
0x1401a7358 K32EnumProcessModulesEx
0x1401a7360 IsWow64Process
0x1401a7368 GetExitCodeProcess
0x1401a7370 OpenProcess
0x1401a7378 K32EnumProcesses
0x1401a7380 K32GetModuleInformation
0x1401a7388 K32GetModuleBaseNameW
0x1401a7390 K32GetModuleFileNameExW
0x1401a7398 GetProcessId
0x1401a73a0 FlushProcessWriteBuffers
0x1401a73a8 GetCurrentThreadId
0x1401a73b0 WaitForSingleObjectEx
0x1401a73b8 VirtualQuery
0x1401a73c0 RtlRestoreContext
0x1401a73c8 AddVectoredExceptionHandler
0x1401a73d0 FlsAlloc
0x1401a73d8 FlsGetValue
0x1401a73e0 FlsSetValue
0x1401a73e8 CreateEventW
0x1401a73f0 TerminateProcess
0x1401a73f8 SwitchToThread
0x1401a7400 CreateThread
0x1401a7408 SuspendThread
0x1401a7410 ResumeThread
0x1401a7418 SetThreadContext
0x1401a7420 FlushInstructionCache
0x1401a7428 VirtualAlloc
0x1401a7430 VirtualProtect
0x1401a7438 VirtualFree
0x1401a7440 QueryInformationJobObject
0x1401a7448 GetModuleHandleW
0x1401a7450 GetModuleHandleExW
0x1401a7458 GetProcessAffinityMask
0x1401a7460 InitializeContext
0x1401a7468 GetEnabledXStateFeatures
0x1401a7470 SetXStateFeaturesMask
0x1401a7478 InitializeCriticalSectionEx
0x1401a7480 GetSystemTimeAsFileTime
0x1401a7488 DebugBreak
0x1401a7490 WaitForSingleObject
0x1401a7498 SleepEx
0x1401a74a0 GlobalMemoryStatusEx
0x1401a74a8 GetSystemInfo
0x1401a74b0 GetLogicalProcessorInformation
0x1401a74b8 GetLogicalProcessorInformationEx
0x1401a74c0 GetLargePageMinimum
0x1401a74c8 VirtualUnlock
0x1401a74d0 VirtualAllocExNuma
0x1401a74d8 IsProcessInJob
0x1401a74e0 GetNumaHighestNodeNumber
0x1401a74e8 GetProcessGroupAffinity
0x1401a74f0 K32GetProcessMemoryInfo
0x1401a74f8 RaiseException
0x1401a7500 RtlPcToFileHeader
0x1401a7508 RtlUnwindEx
0x1401a7510 IsProcessorFeaturePresent
0x1401a7518 SetUnhandledExceptionFilter
0x1401a7520 UnhandledExceptionFilter
0x1401a7528 IsDebuggerPresent
0x1401a7530 RtlVirtualUnwind
0x1401a7538 RtlLookupFunctionEntry
0x1401a7540 RtlCaptureContext
0x1401a7548 InitializeSListHead
ole32.dll
0x1401a76f0 CoGetApartmentType
0x1401a76f8 CoUninitialize
0x1401a7700 CoInitializeEx
0x1401a7708 CoCreateGuid
0x1401a7710 CoWaitForMultipleHandles
api-ms-win-crt-math-l1-1-0.dll
0x1401a7598 ceil
0x1401a75a0 __setusermatherr
api-ms-win-crt-heap-l1-1-0.dll
0x1401a7558 free
0x1401a7560 _callnewh
0x1401a7568 calloc
0x1401a7570 _set_new_mode
0x1401a7578 malloc
api-ms-win-crt-string-l1-1-0.dll
0x1401a7688 _stricmp
0x1401a7690 strcpy_s
0x1401a7698 strcmp
0x1401a76a0 _wcsicmp
0x1401a76a8 wcsncmp
0x1401a76b0 strncpy_s
api-ms-win-crt-runtime-l1-1-0.dll
0x1401a75b0 __p___wargv
0x1401a75b8 _cexit
0x1401a75c0 exit
0x1401a75c8 terminate
0x1401a75d0 _crt_atexit
0x1401a75d8 _register_onexit_function
0x1401a75e0 _initialize_onexit_table
0x1401a75e8 __p___argc
0x1401a75f0 _exit
0x1401a75f8 abort
0x1401a7600 _initterm_e
0x1401a7608 _c_exit
0x1401a7610 _register_thread_local_exe_atexit_callback
0x1401a7618 _seh_filter_exe
0x1401a7620 _set_app_type
0x1401a7628 _initterm
0x1401a7630 _configure_wide_argv
0x1401a7638 _initialize_wide_environment
0x1401a7640 _get_initial_wide_environment
api-ms-win-crt-stdio-l1-1-0.dll
0x1401a7650 __stdio_common_vsprintf_s
0x1401a7658 __stdio_common_vfprintf
0x1401a7660 __p__commode
0x1401a7668 _set_fmode
0x1401a7670 __stdio_common_vsscanf
0x1401a7678 __acrt_iob_func
api-ms-win-crt-locale-l1-1-0.dll
0x1401a7588 _configthreadlocale
EAT(Export Address Table) Library