ScreenShot
Field | Value |
---|---|
Created | 2024.10.15 15:12 |
Machine | s1_win7_x6401 |
Filename | crypted.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 47 detected (AIDetectMalware, Malicious, score, Artemis, Jaik, Unsafe, Kryptik, Vtds, confidence, 100%, Attribute, HighConfidence, high confidence, GenKryptik, HCRV, MalwareX, Kryptik@AI, RDML, W8txAN9Smq2viVPwB8oiLQ, RedLine, jnkyu, Steam, high, Static AI, Malicious PE, Detected, Stelpak, Lumma, MBXV, Eldorado, Stealc, GdSda, susgen, MKFT3DGW) |
md5 | 09d0e438a6a8666361559becb0359e5f |
sha256 | cf5fa96f42120ec1a33fac86ac171e1fe669b05b2e35b51e2e24249650f9a2b8 |
ssdeep | 6144:RaB7QKCdaGjwphcO7KKgKPQczi3O7qOLntCUesY5e74dEO:o7QKCAGB7Js42Y5e74dEO |
imphash | b7ebfc2ac31d5223dc33b9386c1e726b |
impfuzzy | 24:1sajTcpVWZlKAWjeD2teDGhlJBl39WuPiDZMv5GMA+pOovbOPZa:y6cpVezWjrteDGnpnEZGw3M |
Signature (41cnts)
Level | Description |
---|---|
danger | File has been identified by 47 AntiVirus engines on VirusTotal as malicious |
danger | Executed a process and injected code into it |
watch | A process attempted to delay the analysis task. |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Code injection by writing an executable or DLL to the memory of another process |
watch | Collects information about installed applications |
watch | Collects information on the system (ipconfig |
watch | Communicates with host for which no DNS query was performed |
watch | Deletes a large number of files from the system indicative of ransomware |
watch | Harvests credentials from local FTP client software |
watch | Installs itself for autorun at Windows startup |
watch | Looks for the Windows Idle Time to determine the uptime |
watch | Manipulates memory of a non-child process indicative of process injection |
watch | One or more of the buffers contains an embedded PE file |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks adapter addresses which can be used to detect virtual network interfaces |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Drops a binary and executes it |
notice | Drops an executable to the user AppData folder |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Queries for potentially installed applications |
notice | Steals private information from local Internet browsers |
notice | Terminates another process |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Command line console output was observed |
info | One or more processes crashed |
info | Queries for the computername |
info | Tries to locate where the browsers are installed |
info | Uses Windows APIs to generate a cryptographic key |
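The injection signatures above (suspended child process, execute permission allocated in another process, an embedded PE written into its memory, NtSetContextThread, then a resumed remote thread) are the classic process-hollowing sequence. The following is an added example, not part of the sandbox output, that turns that sequence into a small classifier over an API trace. The trace, pids and event field names are constructed for the example in a Cuckoo-like shape; the stage names and verdict labels are the example's own.

```python
"""Classify cross-process injection from a sandbox API trace (added example)."""
from collections import defaultdict

CREATE_SUSPENDED = 0x00000004        # dwCreationFlags bit for CreateProcess*
PAGE_EXECUTE_READWRITE = 0x40        # RWX protection constant

# Constructed, hypothetical trace: one event per API call; "process_identifier"
# is the process the target handle resolves to (pids 1000/2000/3000/3001 invented).
SAMPLE_TRACE = [
    {"pid": 1000, "api": "NtAllocateVirtualMemory",            # RWX in own process:
     "args": {"process_identifier": 1000, "protection": PAGE_EXECUTE_READWRITE}},  # unpacking
    {"pid": 1000, "api": "CreateProcessInternalW",
     "args": {"process_identifier": 2000, "creation_flags": CREATE_SUSPENDED}},
    {"pid": 1000, "api": "NtAllocateVirtualMemory",
     "args": {"process_identifier": 2000, "protection": PAGE_EXECUTE_READWRITE}},
    {"pid": 1000, "api": "NtWriteVirtualMemory",
     "args": {"process_identifier": 2000, "buffer": b"MZ\x90\x00\x03\x00\x00\x00"}},
    {"pid": 1000, "api": "NtSetContextThread", "args": {"process_identifier": 2000}},
    {"pid": 1000, "api": "NtResumeThread", "args": {"process_identifier": 2000}},
    # Benign parent/child pair: ordinary spawn, no memory manipulation.
    {"pid": 3000, "api": "CreateProcessInternalW",
     "args": {"process_identifier": 3001, "creation_flags": 0}},
]


def _stages_for(event):
    """Map one API event to the injection stage(s) it evidences."""
    api, args = event["api"], event["args"]
    stages = set()
    if api in ("CreateProcessInternalW", "CreateProcessW", "CreateProcessA") \
            and args.get("creation_flags", 0) & CREATE_SUSPENDED:
        stages.add("suspended_spawn")
    if api in ("NtAllocateVirtualMemory", "VirtualAllocEx") \
            and args.get("protection") == PAGE_EXECUTE_READWRITE:
        stages.add("rwx_alloc")
    if api in ("NtWriteVirtualMemory", "WriteProcessMemory"):
        stages.add("remote_write")
        if bytes(args.get("buffer", b""))[:2] == b"MZ":   # embedded PE header
            stages.add("pe_header_written")
    if api in ("NtSetContextThread", "SetThreadContext"):
        stages.add("thread_context")
    if api in ("NtResumeThread", "ResumeThread"):
        stages.add("resume")
    return stages


def classify(stages):
    """Verdict for one (source, target) pair from the set of stages observed."""
    if {"suspended_spawn", "remote_write", "thread_context", "resume"} <= stages:
        return "process_hollowing"
    if "remote_write" in stages and ({"rwx_alloc", "resume", "thread_context"} & stages):
        return "remote_injection"
    return None


def find_injection(trace):
    """Return {(src_pid, dst_pid): {"stages": set, "verdict": str|None}}.

    Same-process memory operations are skipped: RWX allocation in the caller's
    own address space is self-unpacking, which the report flags separately.
    """
    per_pair = defaultdict(set)
    for ev in trace:
        dst = ev["args"].get("process_identifier")
        if dst is None or dst == ev["pid"]:
            continue
        per_pair[(ev["pid"], dst)] |= _stages_for(ev)
    return {pair: {"stages": st, "verdict": classify(st)}
            for pair, st in per_pair.items() if st}


if __name__ == "__main__":
    for (src, dst), f in find_injection(SAMPLE_TRACE).items():
        print(f"{src} -> {dst}: {f['verdict']}  stages={sorted(f['stages'])}")
```

The verdict requires the write and the context change to land in the same target process; a resumed thread alone (a debugger, an installer launching a child) never fires, and the benign 3000/3001 pair in the constructed trace produces no finding.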
Rules (30cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | detect_Redline_Stealer_V2 | (no description) | binaries (download) |
danger | MALWARE_Win_VT_RedLine | Detects RedLine infostealer | binaries (download) |
danger | RedLine_Stealer_b_Zero | RedLine stealer | binaries (download) |
danger | RedLine_Stealer_m_Zero | RedLine stealer | memory |
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
watch | Win32_Trojan_PWS_Net_1_Zero | Win32 Trojan PWS .NET Azorult | binaries (download) |
notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
notice | ScreenShot | Take ScreenShot | memory |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | Is_DotNET_EXE | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
info | Virtual_currency_Zero | Virtual currency | memory |
info | WMI_VM_Detect | Detection of Virtual Appliances through the use of WMI for use of evasion. | memory |
Network (11cnts)
Suricata IDS alerts
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE RedLine Stealer - CheckConnect Response
ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound
ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
ET MALWARE Single char EXE direct download likely trojan (multiple families)
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
SURICATA HTTP unable to match response to request
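The behaviour signature "Communicates with host for which no DNS query was performed" and the ET INFO/HUNTING alerts listed here (executable from a dotted-quad host, MZ in the response, terse executable path) are all checks a responder can rerun over flow records from their own sensors. The block below is an added example, not part of the report or of the Emerging Threats rule set; it applies those heuristics to a constructed event list. Addresses are RFC 5737 documentation ranges, the hostnames, URIs and timestamps are invented, and the regex for a "terse" path is the example's own approximation of what the alert names describe, not the actual rule content.

```python
"""Correlate DNS answers with outbound traffic and flag PE pulls (added example)."""
import re
from collections import defaultdict

# Constructed, hypothetical events in time order (RFC 5737 documentation addresses).
EVENTS = [
    {"ts": 1.0, "type": "dns", "query": "cdn.example.net", "answers": ["198.51.100.7"]},
    {"ts": 2.0, "type": "http", "dst": "198.51.100.7", "host": "cdn.example.net",
     "uri": "/lib/app.js", "body_head": b"/*! app"},
    {"ts": 3.0, "type": "http", "dst": "203.0.113.9", "host": "203.0.113.9",
     "uri": "/a.exe", "body_head": b"MZ\x90\x00\x03\x00"},
    {"ts": 4.0, "type": "tcp", "dst": "203.0.113.44", "dport": 443},
]

# IPv4 literal with optional port, as a Host header would carry it.
DOTTED_QUAD = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?::\d+)?$")
# Very short alphanumeric file name ending in .exe, e.g. "/a.exe" (heuristic, this example's own).
TERSE_EXE = re.compile(r"^/[A-Za-z0-9]{1,4}\.exe$", re.IGNORECASE)


def is_dotted_quad(host):
    m = DOTTED_QUAD.match(host or "")
    return bool(m) and all(int(o) <= 255 for o in m.groups())


def audit(events):
    """Return [(ts, dst_ip, tag)] for every heuristic that fires.

    DNS answers seen so far are the only legitimate way a destination IP can be
    "known"; any connection to an IP never returned by DNS gets no_prior_dns.
    """
    resolved = set()
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "dns":
            resolved.update(ev.get("answers", []))
            continue
        dst = ev["dst"]
        if dst not in resolved:
            findings.append((ev["ts"], dst, "no_prior_dns"))
        if ev["type"] != "http":
            continue
        if is_dotted_quad(ev.get("host")):
            findings.append((ev["ts"], dst, "dotted_quad_host"))
        if ev.get("body_head", b"")[:2] == b"MZ":
            findings.append((ev["ts"], dst, "pe_response"))
        if TERSE_EXE.match(ev.get("uri", "")):
            findings.append((ev["ts"], dst, "terse_exe_path"))
    return findings


def summarize(findings):
    """Group tags per destination so a host's evidence can be read in one line."""
    tags = defaultdict(set)
    for _, dst, tag in findings:
        tags[dst].add(tag)
    return dict(tags)


if __name__ == "__main__":
    for dst, tags in sorted(summarize(audit(EVENTS)).items()):
        print(f"{dst}: {', '.join(sorted(tags))}")
```

On real traffic "no_prior_dns" alone is noisy: the resolver may live in another process or a cache, and some legitimate software hard-codes IPs. Treat it as supporting evidence and escalate when it co-occurs with a dotted-quad Host header and an MZ response, which is exactly the combination this report shows.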
PE API
IAT (Import Address Table) Library
USER32.dll
0x421150 ShowWindow
KERNEL32.dll
0x421000 GetStartupInfoW
0x421004 CreateFileW
0x421008 CloseHandle
0x42100c GetConsoleWindow
0x421010 MultiByteToWideChar
0x421014 GetStringTypeW
0x421018 WideCharToMultiByte
0x42101c GetCurrentThreadId
0x421020 WaitForSingleObjectEx
0x421024 GetExitCodeThread
0x421028 EnterCriticalSection
0x42102c LeaveCriticalSection
0x421030 InitializeCriticalSectionEx
0x421034 DeleteCriticalSection
0x421038 EncodePointer
0x42103c DecodePointer
0x421040 LCMapStringEx
0x421044 ReleaseSRWLockExclusive
0x421048 AcquireSRWLockExclusive
0x42104c TryAcquireSRWLockExclusive
0x421050 WakeAllConditionVariable
0x421054 QueryPerformanceCounter
0x421058 GetSystemTimeAsFileTime
0x42105c GetModuleHandleW
0x421060 GetProcAddress
0x421064 GetCPInfo
0x421068 IsProcessorFeaturePresent
0x42106c UnhandledExceptionFilter
0x421070 SetUnhandledExceptionFilter
0x421074 GetCurrentProcess
0x421078 TerminateProcess
0x42107c GetCurrentProcessId
0x421080 InitializeSListHead
0x421084 IsDebuggerPresent
0x421088 WriteConsoleW
0x42108c HeapSize
0x421090 RaiseException
0x421094 RtlUnwind
0x421098 GetLastError
0x42109c SetLastError
0x4210a0 InitializeCriticalSectionAndSpinCount
0x4210a4 TlsAlloc
0x4210a8 TlsGetValue
0x4210ac TlsSetValue
0x4210b0 TlsFree
0x4210b4 FreeLibrary
0x4210b8 LoadLibraryExW
0x4210bc CreateThread
0x4210c0 ExitThread
0x4210c4 FreeLibraryAndExitThread
0x4210c8 GetModuleHandleExW
0x4210cc GetStdHandle
0x4210d0 WriteFile
0x4210d4 GetModuleFileNameW
0x4210d8 ExitProcess
0x4210dc HeapAlloc
0x4210e0 HeapFree
0x4210e4 LCMapStringW
0x4210e8 GetLocaleInfoW
0x4210ec IsValidLocale
0x4210f0 GetUserDefaultLCID
0x4210f4 EnumSystemLocalesW
0x4210f8 GetFileType
0x4210fc GetFileSizeEx
0x421100 SetFilePointerEx
0x421104 FlushFileBuffers
0x421108 GetConsoleOutputCP
0x42110c GetConsoleMode
0x421110 ReadFile
0x421114 HeapReAlloc
0x421118 FindClose
0x42111c FindFirstFileExW
0x421120 FindNextFileW
0x421124 IsValidCodePage
0x421128 GetACP
0x42112c GetOEMCP
0x421130 GetCommandLineA
0x421134 GetCommandLineW
0x421138 GetEnvironmentStringsW
0x42113c FreeEnvironmentStringsW
0x421140 SetStdHandle
0x421144 GetProcessHeap
0x421148 ReadConsoleW
EAT (Export Address Table): none
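The import table above is a plain MSVC C runtime set: none of the APIs the behaviour signatures fired on (NtSetContextThread, remote memory writes, thread resumption) are imported statically, while LoadLibraryExW and GetProcAddress are, so the loader resolves them at runtime, which fits the UPX/packer rule hits and the .NET RedLine payload surfacing only in memory. The imphash therefore fingerprints the crypter stub, not the stealer. The block below is an added example, not part of the report, that recomputes the imphash from the imports exactly as listed so the report's value can be checked without the sample. It follows the recipe pefile uses (lower-cased `lib.func` pairs, the `.dll`/`.ocx`/`.sys` suffix stripped, comma-joined, MD5). One assumption is labelled in the code: the import directory order is taken to be the listing order (USER32 then KERNEL32); if the real directory order differs, the value differs too, so `main` tries both.

```python
"""Recompute an imphash from a listed import table (added example)."""
import hashlib

REPORT_IMPHASH = "b7ebfc2ac31d5223dc33b9386c1e726b"   # value from the report above

# KERNEL32.dll imports in IAT order, transcribed from the report.
KERNEL32_IMPORTS = [
    "GetStartupInfoW", "CreateFileW", "CloseHandle", "GetConsoleWindow", "MultiByteToWideChar",
    "GetStringTypeW", "WideCharToMultiByte", "GetCurrentThreadId", "WaitForSingleObjectEx",
    "GetExitCodeThread", "EnterCriticalSection", "LeaveCriticalSection", "InitializeCriticalSectionEx",
    "DeleteCriticalSection", "EncodePointer", "DecodePointer", "LCMapStringEx", "ReleaseSRWLockExclusive",
    "AcquireSRWLockExclusive", "TryAcquireSRWLockExclusive", "WakeAllConditionVariable",
    "QueryPerformanceCounter", "GetSystemTimeAsFileTime", "GetModuleHandleW", "GetProcAddress",
    "GetCPInfo", "IsProcessorFeaturePresent", "UnhandledExceptionFilter", "SetUnhandledExceptionFilter",
    "GetCurrentProcess", "TerminateProcess", "GetCurrentProcessId", "InitializeSListHead",
    "IsDebuggerPresent", "WriteConsoleW", "HeapSize", "RaiseException", "RtlUnwind", "GetLastError",
    "SetLastError", "InitializeCriticalSectionAndSpinCount", "TlsAlloc", "TlsGetValue", "TlsSetValue",
    "TlsFree", "FreeLibrary", "LoadLibraryExW", "CreateThread", "ExitThread", "FreeLibraryAndExitThread",
    "GetModuleHandleExW", "GetStdHandle", "WriteFile", "GetModuleFileNameW", "ExitProcess", "HeapAlloc",
    "HeapFree", "LCMapStringW", "GetLocaleInfoW", "IsValidLocale", "GetUserDefaultLCID",
    "EnumSystemLocalesW", "GetFileType", "GetFileSizeEx", "SetFilePointerEx", "FlushFileBuffers",
    "GetConsoleOutputCP", "GetConsoleMode", "ReadFile", "HeapReAlloc", "FindClose", "FindFirstFileExW",
    "FindNextFileW", "IsValidCodePage", "GetACP", "GetOEMCP", "GetCommandLineA", "GetCommandLineW",
    "GetEnvironmentStringsW", "FreeEnvironmentStringsW", "SetStdHandle", "GetProcessHeap", "ReadConsoleW",
]

# Assumption: the import directory is in listing order (USER32 first, then KERNEL32).
REPORT_IMPORTS = [("USER32.dll", ["ShowWindow"]), ("KERNEL32.dll", KERNEL32_IMPORTS)]

STRIPPED_EXTENSIONS = ("ocx", "sys", "dll")   # suffixes the imphash recipe drops


def imphash_string(imports):
    """Build the comma-joined 'lib.func' string that gets hashed."""
    parts = []
    for dll, funcs in imports:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in STRIPPED_EXTENSIONS:
            lib = base                       # "kernel32.dll" -> "kernel32"; "foo.drv" stays
        parts.extend(f"{lib}.{name.lower()}" for name in funcs)
    return ",".join(parts)


def compute_imphash(imports):
    """MD5 of the normalised import string; empty string when there are no imports.

    Ordinal-only imports are not handled here (none appear in this IAT);
    pefile resolves those to names through its ordinal tables first.
    """
    if not imports:
        return ""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


def check_report(imports=REPORT_IMPORTS, expected=REPORT_IMPHASH):
    """Return (computed_imphash, matches_report)."""
    computed = compute_imphash(imports)
    return computed, computed == expected


if __name__ == "__main__":
    for label, order in (("listed order", REPORT_IMPORTS), ("reversed order", REPORT_IMPORTS[::-1])):
        computed, ok = check_report(order)
        print(f"{label}: {computed}  ({'matches' if ok else 'differs from'} report)")
```

A mismatch in both orders would point at a transcription gap in the listing rather than at the hash, since imphash is fully determined by the names and their order. For pivoting, query the imphash against other samples to find binaries built with the same crypter stub, and pair it with the memory-stage YARA hits (RedLine_Stealer_m_Zero) for family attribution, because the static imports alone say nothing about the payload.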