RedEngine.exe?ex=670ee657&is=670d94d7&hm=1fb3be7c5dbd639fd3fe9c400d7f1b7ee0c687c2bd04b1a006af92203233d76b&

First submission 2024-10-15 20:07:03

File details

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Mime type:	application/x-dosexec
File size:	18290.25 KB (18729216 bytes)
Compile time:	2024-10-14 22:18:17
MD5:	7dd15869ebc69745e11649e9074c9a1c
SHA1:	3cb1ed112606813c7aaf39aa0a7e484f26affc11
SHA256:	93418f7b1a071c43967e53b5a0328dd8c1d132dc54ff3317d17c3553216c610d
Import Hash :	1e92fd54d65284238a0e3b74b2715062
Sections 7	.text .rdata .data .pdata _RDATA .rsrc .reloc
Directories 4	import resource debug relocation

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

OSINT Enrichments

Virus Total:	33/77 VT report date: 2024-10-15 00:04:37
Malware Type 1	trojan
Threat Type 2	stealer python

URLs, FQDN and IP indicators 1

URL	Host (FQDN/IP)	Date Added
hXXps://cdn.discordapp.com/attachments/1212182560814145646/1295506921398337638/RedEngine.exe?ex=670ee657&is=670d94d7&hm=1fb3be7c5dbd639fd3fe9c400d7f1b7ee0c687c2bd04b1a006af92203233d76b&	cdn.discordapp.com	2024-10-15 20:07:03

PE Sections 1 suspicious

Name	VAddress	VSize	Size	SHA1	MD5
.text	0x1000	0x28710	165888	e15872f0de54a6d043e4393fbd549ea1610b0883	e4f89af1ba6511882cb4cd14d9f6eca0
.rdata	0x2a000	0x1282e	76288	078cdb30972054cfcdaf15512e9bc44e80c6527a	897fecaaa3d64feb8c7a3d7b0d447573
.data	0x3d000	0x103e8	3584	d4c953f89fd70f37e55ba6c4ce6eebd2bc17e4db	8197d15b5af8fff7ec6022f8809b64c8
.pdata	0x4e000	0x20a0	8704	e2a1cf46fa7fcdbc7939358c02a9de9d85500ef8	77e2f2d72516a8aa1832e8298e54381f
_RDATA	0x51000	0x15c	512	354e5acb26cebcef4e637aaf6bae5f3a05ee3243	0ed86077474ad8a4a0621ecbc29cb84c
.rsrc	0x52000	0xf498	62976	de01d1fdfeee73131e7f47a08c86957cd254bd13	ac8c7cbe6626a5ff9e2bb1338d967035
.reloc	0x62000	0x754	2048	7d1edc41fd0cf54f92d860819a4ea04e5f5c470b	7fed9a3addc55d51107d5af5a380ab8e

PE Resources 3

Name	Language	Sublanguage	Offset	Size	Data
RT_ICON	LANG_NEUTRAL	SUBLANG_NEUTRAL	0x60a3c	1128	PE Resource: RT_ICON - Data ( X8 a@ZJ6fffXXXCCC///\|bA$ Se i'j{Zp;n9Z&?Zi'l-wZNNq;^ l-o3}NNNo8b&o3s8MNLl4ze+K{FvH}XfsNLKf-ae2o?pGJrvfUI["Hh5E5OULsd\|I/zJ5-D\]WUVf3X#N.HS]ZV~<f3a,h/HR]\U71w1g3/HR]\Z8?3s+k7/HTPQJDq&n:/G]Xqm T ,"@WQih~\'635e2 yM!#j<UndT-AAAAAAAAAAAAAAAA
RT_GROUP_ICON	LANG_NEUTRAL	SUBLANG_NEUTRAL	0x60ea4	104
RT_MANIFEST	LANG_NEUTRAL	SUBLANG_NEUTRAL	0x60f0c	1417	PE Resource: RT_MANIFEST - Data <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity type="win32" name="main" processorArchitecture="amd64" version="1.0.0.0"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> <dependency> <dependentAssembly> <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" language="" processorArchitecture="" version="6.0.0.0" publicKeyToken="6595b64144ccf1df"/> </dependentAssembly> </dependency> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/> </application> </compatibility> <application xmlns="urn:schemas-microsoft-com:asm.v3"> <windowsSettings> <longPathAware xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">true</longPathAware> </windowsSettings> </application> </assembly>

Name

Language

Sublanguage

Offset

Size

Data

RT_ICON

LANG_NEUTRAL

SUBLANG_NEUTRAL

0x60a3c

1128

RT_GROUP_ICON

LANG_NEUTRAL

SUBLANG_NEUTRAL

0x60ea4

104

RT_MANIFEST

LANG_NEUTRAL

SUBLANG_NEUTRAL

0x60f0c

1417

Packers detected 1

Microsoft Visual C++ 8.0 (DLL)

Anti debug functions 6

GetLastError
IsDebuggerPresent
IsProcessorFeaturePresent
RaiseException
TerminateProcess
UnhandledExceptionFilter

Anti debug functions 1

Virtual Box

Strings analysis - File found

Backup
h.oLd
Compressed
base_library.zip
xbase_library.zip
Text
xpyinstaller-5.1.dist-info\COPYING.txt
xpyinstaller-5.1.dist-info\top_level.txt
xaltgraph-0.17.4.dist-info\top_level.txt
xpyinstaller-5.1.dist-info\entry_points.txt
Library
mscoree.dll
bsqlite3.dll
bpython3.dll
bpywintypes310.dll
blibssl-1_1.dll
bmfc140u.dll
GDI32.dll
ADVAPI32.dll
KERNEL32.dll
COMCTL32.dll
ucrtbase.dll
blibffi-7.dll
bpythoncom310.dll
bVCRUNTIME140.dll
bpython310.dll
USER32.dll
bVCRUNTIME140_1.dll
blibcrypto-1_1.dll
6python310.dll

Strings analysis - Possible URLs found 1

http://schemas.microsoft.com/SMI/2016/WindowsSettings

Import functions

ADVAPI32.dll 4 KERNEL32.dll 101 GDI32.dll 3 USER32.dll 17 COMCTL32.dll 1

Function	Address	Souspicious	Anti Debug
OpenProcessToken	0x14002a000
GetTokenInformation	0x14002a008
ConvertStringSecurityDescriptorToSecurityDescriptorW	0x14002a010
ConvertSidToStringSidW	0x14002a018

Function	Address	Souspicious	Anti Debug
IsValidCodePage	0x14002a058
GetStringTypeW	0x14002a060
GetFileAttributesExW	0x14002a068
HeapReAlloc	0x14002a070
FlushFileBuffers	0x14002a078
GetCurrentDirectoryW	0x14002a080
GetACP	0x14002a088
GetOEMCP	0x14002a090
GetModuleHandleW	0x14002a098
MulDiv	0x14002a0a0
GetLastError	0x14002a0a8
SetDllDirectoryW	0x14002a0b0
GetModuleFileNameW	0x14002a0b8
GetProcAddress	0x14002a0c0
GetCommandLineW	0x14002a0c8
GetCPInfo	0x14002a0d0
SetEnvironmentVariableW	0x14002a0d8
ExpandEnvironmentStringsW	0x14002a0e0
CreateDirectoryW	0x14002a0e8
GetTempPathW	0x14002a0f0
WaitForSingleObject	0x14002a0f8
Sleep	0x14002a100
GetExitCodeProcess	0x14002a108
CreateProcessW	0x14002a110
GetStartupInfoW	0x14002a118
FreeLibrary	0x14002a120
LoadLibraryExW	0x14002a128
FindClose	0x14002a130
FindFirstFileExW	0x14002a138
CloseHandle	0x14002a140
GetCurrentProcess	0x14002a148
LocalFree	0x14002a150
FormatMessageW	0x14002a158
MultiByteToWideChar	0x14002a160
WideCharToMultiByte	0x14002a168
GetEnvironmentStringsW	0x14002a170
FreeEnvironmentStringsW	0x14002a178
GetProcessHeap	0x14002a180
GetTimeZoneInformation	0x14002a188
HeapSize	0x14002a190
WriteConsoleW	0x14002a198
SetEndOfFile	0x14002a1a0
GetEnvironmentVariableW	0x14002a1a8
RtlCaptureContext	0x14002a1b0
RtlLookupFunctionEntry	0x14002a1b8
RtlVirtualUnwind	0x14002a1c0
UnhandledExceptionFilter	0x14002a1c8
SetUnhandledExceptionFilter	0x14002a1d0
TerminateProcess	0x14002a1d8
IsProcessorFeaturePresent	0x14002a1e0
QueryPerformanceCounter	0x14002a1e8
GetCurrentProcessId	0x14002a1f0
GetCurrentThreadId	0x14002a1f8
GetSystemTimeAsFileTime	0x14002a200
InitializeSListHead	0x14002a208
IsDebuggerPresent	0x14002a210
RtlUnwindEx	0x14002a218
SetLastError	0x14002a220
EnterCriticalSection	0x14002a228
LeaveCriticalSection	0x14002a230
DeleteCriticalSection	0x14002a238
InitializeCriticalSectionAndSpinCount	0x14002a240
TlsAlloc	0x14002a248
TlsGetValue	0x14002a250
TlsSetValue	0x14002a258
TlsFree	0x14002a260
EncodePointer	0x14002a268
RaiseException	0x14002a270
RtlPcToFileHeader	0x14002a278
GetCommandLineA	0x14002a280
CreateFileW	0x14002a288
GetDriveTypeW	0x14002a290
GetFileInformationByHandle	0x14002a298
GetFileType	0x14002a2a0
PeekNamedPipe	0x14002a2a8
SystemTimeToTzSpecificLocalTime	0x14002a2b0
FileTimeToSystemTime	0x14002a2b8
GetFullPathNameW	0x14002a2c0
RemoveDirectoryW	0x14002a2c8
FindNextFileW	0x14002a2d0
SetStdHandle	0x14002a2d8
SetConsoleCtrlHandler	0x14002a2e0
DeleteFileW	0x14002a2e8
ReadFile	0x14002a2f0
GetStdHandle	0x14002a2f8
WriteFile	0x14002a300
ExitProcess	0x14002a308
GetModuleHandleExW	0x14002a310
HeapFree	0x14002a318
GetConsoleMode	0x14002a320
ReadConsoleW	0x14002a328
SetFilePointerEx	0x14002a330
GetConsoleOutputCP	0x14002a338
GetFileSizeEx	0x14002a340
HeapAlloc	0x14002a348
FlsAlloc	0x14002a350
FlsGetValue	0x14002a358
FlsSetValue	0x14002a360
FlsFree	0x14002a368
CompareStringW	0x14002a370
LCMapStringW	0x14002a378

Function	Address	Souspicious	Anti Debug
SelectObject	0x14002a038
DeleteObject	0x14002a040
CreateFontIndirectW	0x14002a048

Function	Address	Souspicious	Anti Debug
CreateWindowExW	0x14002a388
MessageBoxW	0x14002a390
MessageBoxA	0x14002a398
SystemParametersInfoW	0x14002a3a0
DestroyIcon	0x14002a3a8
SetWindowLongPtrW	0x14002a3b0
GetWindowLongPtrW	0x14002a3b8
GetClientRect	0x14002a3c0
InvalidateRect	0x14002a3c8
ReleaseDC	0x14002a3d0
GetDC	0x14002a3d8
DrawTextW	0x14002a3e0
GetDialogBaseUnits	0x14002a3e8
EndDialog	0x14002a3f0
DialogBoxIndirectParamW	0x14002a3f8
MoveWindow	0x14002a400
SendMessageW	0x14002a408

Function	Address	Souspicious	Anti Debug
None	0x14002a028

Name	Latest seen	MD5
p.exe	2023-02-03 12:25:03	827c83f08d1c139e4b6698bdcf386da8
os.exe	2023-02-26 07:32:03	6de5d012e62d89d1cd13da4b73fa4c1f
FortniteSeason.exe?ex=670c6711&is=670b1591&hm=1838944b424d1f3f4707b2217308c0efca9ea83971731367222b05135df55e0a&	2024-10-13 19:39:04	4bb4e8cd407b78326e017d130816fd7e

RedEngine.exe?ex=670ee657&is=670d94d7&hm=1fb3be7c5dbd639fd3fe9c400d7f1b7ee0c687c2bd04b1a006af92203233d76b&

File details

File features detected

OSINT Enrichments

URLs, FQDN and IP indicators 1

PE Sections 1 suspicious

PE Resources 3

Packers detected 1

Anti debug functions 6

Anti debug functions 1

Strings analysis - File found

Strings analysis - Possible URLs found 1

Import functions

Related files by ImpHash 3 1e92fd54d65284238a0e3b74b2715062