redline4.exe

First submission 2023-01-23 16:40:09

File details

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
File type:	1824.0 KB (1867776 bytes)
Compile time:	2022-05-27 18:00:18
MD5:	01c418020bd02b62e7f8629b0b59b119
SHA1:	0fe4c12083e1c61c396836173b4b4ddd99cf8b14
SHA256:	b62f5066357d2dfc94dec4d902f68f6e9e98a19a9aea6fb70d2811de384fd7a1
Import Hash :	b8388c4af61e6ca4e78048b4b09a8cbe
Sections 3	.text .data .rsrc
Directories 3	debug resource import
Virus Total:	40/70 VT report date: 2023-01-23 04:21:42

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

URLs, FQDN and IP indicators 1

URL	Host (FQDN/IP)	Date Added
hXXp://62.204.41.88/lend/redline4.exe	62.204.41.88	2023-01-23 16:40:13

PE Sections 1 suspicious

Name	VAddress	VSize	Size	SHA1	MD5
.text	0x1000	0x1945c	103936	0d5945cef8d2c79075e87cd9fdfc1609109cd9d7	1facaebb8eac674a604db2991fad1991
.data	0x1b000	0x2913a90	1751040	51ad27401274f93222ae7887f3157f8f2d3d0469	7a380c6d05344fe1e375ef9b3e0cb375
.rsrc	0x292f000	0x2cb0	11776	4b298860c3f077b4290548235168c3caa91e0acf	54ef7bb6e697c86c80c33db38dcc9c18

PE Resources 7

Name	Language	Sublanguage	Offset	Size	Data
RT_CURSOR	LANG_NEUTRAL	SUBLANG_NEUTRAL	0x2931490	304
RT_ICON	LANG_SPANISH	SUBLANG_SPANISH_MEXICAN	0x2930fd8	1128	PE Resource: RT_ICON - Data ( }~\|z{~}}}}}z\|\|~}\|{~\|}\|\|\|{{}~\|\|\|\|}{\|~}}z~}z\|{zy}{\|~}z}~~\|~}{\|\|}{~zz~}}\|\|}{\|z}\|\|~{}~}}\|~~}~\|}\|{~z~{{{}{\|{\|z\|\|~\|\|\|}~~~\|}\|{~\|\|{z}~{\|\|{}}}~z~{\|~{\|{{}~\|~}{}}{~}{}~}{}{\|~zz\|}{z{{~~}~}\|}}~{~~\|{}z~{}~\|}\|}}\|{\|z\|}~}~\|z~zz}{{}\|z{~}}~}{}\|}}{~~}\|}}}}~z{\|}}z{z~\|~\|z{~{{~{{}{\|}}z}}\|}\|\|}~~z\|}z\|{}{~\|\|{~~{\|~{\|z~}\|~\|}z\|~\|\|{}z}\|\|~{}z\|\|~}}}\|~AAAAAAAAAAAAAAAA
RT_STRING	LANG_SPANISH	SUBLANG_SPANISH_MEXICAN	0x2931a10	670	PE Resource: RT_STRING - Data Xoxizijuzihic0Vuv xufasal muse hanakucino sacubimebefum jifetibLuvuwotu nukesitut yexuguselorapaj hisigiturudu wijuxitewej hin dok yeyasilatupa dekij kureyocimothGetaraga hik fovihi vuwezurewodudan xiwaboyesefiv febojumikedigi yixoripuxab tozecujofaraje pidukerayomu8Yicufe zizenacuzuvut wuloboliba kufidopi hepirafumuhusif
RT_GROUP_CURSOR	LANG_NEUTRAL	SUBLANG_NEUTRAL	0x29315c0	20
RT_GROUP_ICON	LANG_SPANISH	SUBLANG_SPANISH_MEXICAN	0x2931440	62
RT_VERSION	LANG_NEUTRAL	SUBLANG_NEUTRAL	0x29315d8	336
None	LANG_SPANISH	SUBLANG_SPANISH_MEXICAN	0x2931480	10

Meta infos 1

Translation:	0x070e 0x0152

Packers detected 2

VC8 -> Microsoft Corporation
Microsoft Visual C++ 8

Anti debug functions 5

GetLastError
IsDebuggerPresent
RaiseException
TerminateProcess
UnhandledExceptionFilter

Strings analysis - File found

Library
GDI32.dll
MSIMG32.dll
USER32.dll
SHELL32.dll
mscoree.dll
KERNEL32.dll

Strings analysis - Possible IPs found 1

17.94.97.89

Import functions

KERNEL32.dll 122 USER32.dll 1 SHELL32.dll 1 MSIMG32.dll 1 GDI32.dll 2

Function	Address	Souspicious	Anti Debug
FileTimeToLocalFileTime	0x40100c
FindActCtxSectionStringA	0x401010
GetCommTimeouts	0x401014
GetSystemWindowsDirectoryW	0x401018
GlobalHandle	0x40101c
FindFirstVolumeMountPointA	0x401020
CreateDirectoryExA	0x401024
ReleaseActCtx	0x401028
GetLogicalDriveStringsW	0x40102c
ReadConsoleInputW	0x401030
GetComputerNameExW	0x401034
GetTempPathA	0x401038
GetCurrentDirectoryA	0x40103c
DebugBreak	0x401040
LCMapStringW	0x401044
GetProcAddress	0x401048
GlobalAlloc	0x40104c
EnumSystemLocalesW	0x401050
CreateMutexW	0x401054
FindActCtxSectionStringW	0x401058
GetLastError	0x40105c
LoadLibraryW	0x401060
SetCommMask	0x401064
LocalUnlock	0x401068
GetUserDefaultLangID	0x40106c
GetConsoleAliasA	0x401070
TerminateProcess	0x401074
LocalFlags	0x401078
CreateFileA	0x40107c
GetConsoleAliasesLengthW	0x401080
GetVolumePathNameA	0x401084
FindVolumeMountPointClose	0x401088
lstrcmpA	0x40108c
ChangeTimerQueueTimer	0x401090
SetConsoleScreenBufferSize	0x401094
GetComputerNameW	0x401098
lstrcpynW	0x40109c
SetConsoleCtrlHandler	0x4010a0
CopyFileA	0x4010a4
DosDateTimeToFileTime	0x4010a8
QueryDosDeviceW	0x4010ac
CreateActCtxW	0x4010b0
DeleteVolumeMountPointW	0x4010b4
MoveFileWithProgressW	0x4010b8
PulseEvent	0x4010bc
GetConsoleProcessList	0x4010c0
WriteConsoleInputW	0x4010c4
WritePrivateProfileStructA	0x4010c8
EnumTimeFormatsW	0x4010cc
VerifyVersionInfoW	0x4010d0
FindNextFileW	0x4010d4
InterlockedCompareExchange	0x4010d8
GetConsoleAliasW	0x4010dc
FreeLibraryAndExitThread	0x4010e0
GetNumberOfConsoleInputEvents	0x4010e4
GetModuleHandleA	0x4010e8
LoadLibraryA	0x4010ec
CloseHandle	0x4010f0
HeapSize	0x4010f4
HeapReAlloc	0x4010f8
HeapAlloc	0x4010fc
MoveFileA	0x401100
DeleteFileA	0x401104
GetStartupInfoW	0x401108
GetCurrentProcess	0x40110c
UnhandledExceptionFilter	0x401110
SetUnhandledExceptionFilter	0x401114
IsDebuggerPresent	0x401118
HeapFree	0x40111c
DeleteCriticalSection	0x401120
LeaveCriticalSection	0x401124
EnterCriticalSection	0x401128
HeapCreate	0x40112c
VirtualFree	0x401130
VirtualAlloc	0x401134
SetHandleCount	0x401138
GetStdHandle	0x40113c
GetFileType	0x401140
GetStartupInfoA	0x401144
GetModuleHandleW	0x401148
Sleep	0x40114c
ExitProcess	0x401150
WriteFile	0x401154
GetModuleFileNameA	0x401158
GetModuleFileNameW	0x40115c
FreeEnvironmentStringsW	0x401160
GetEnvironmentStringsW	0x401164
GetCommandLineW	0x401168
TlsGetValue	0x40116c
TlsAlloc	0x401170
TlsSetValue	0x401174
TlsFree	0x401178
InterlockedIncrement	0x40117c
SetLastError	0x401180
GetCurrentThreadId	0x401184
InterlockedDecrement	0x401188
QueryPerformanceCounter	0x40118c
GetTickCount	0x401190
GetCurrentProcessId	0x401194
GetSystemTimeAsFileTime	0x401198
GetCPInfo	0x40119c
GetACP	0x4011a0
GetOEMCP	0x4011a4
IsValidCodePage	0x4011a8
InitializeCriticalSectionAndSpinCount	0x4011ac
RtlUnwind	0x4011b0
SetFilePointer	0x4011b4
WideCharToMultiByte	0x4011b8
GetConsoleCP	0x4011bc
GetConsoleMode	0x4011c0
MultiByteToWideChar	0x4011c4
LCMapStringA	0x4011c8
GetStringTypeA	0x4011cc
GetStringTypeW	0x4011d0
GetLocaleInfoA	0x4011d4
RaiseException	0x4011d8
FlushFileBuffers	0x4011dc
SetStdHandle	0x4011e0
WriteConsoleA	0x4011e4
GetConsoleOutputCP	0x4011e8
WriteConsoleW	0x4011ec
ReadFile	0x4011f0

Function	Address	Souspicious	Anti Debug
GetCaretBlinkTime	0x401208

Function	Address	Souspicious	Anti Debug
FindExecutableA	0x401200

Function	Address	Souspicious	Anti Debug
AlphaBlend	0x4011f8

Function	Address	Souspicious	Anti Debug
GetBrushOrgEx	0x401000
GetBoundsRect	0x401004

Name	Latest seen	MD5
romas.exe	2023-01-22 18:36:13	a3fc8ed520059d6108feeb90dd5bf9bc

redline4.exe

File details

File features detected

URLs, FQDN and IP indicators 1

PE Sections 1 suspicious

PE Resources 7

Meta infos 1

Packers detected 2

Anti debug functions 5

Strings analysis - File found

Strings analysis - Possible IPs found 1

Import functions

Related files by ImpHash 1 b8388c4af61e6ca4e78048b4b09a8cbe