Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
e1c29f91924be94ceb6cbc2aecbd34ccdd9b2761d4b1c.exe

Overview

General Information

Sample Name:e1c29f91924be94ceb6cbc2aecbd34ccdd9b2761d4b1c.exe
Analysis ID:1313298
MD5:6bf4c9d2b8dbd206c60ca8cd78c66141
SHA1:638da5eaece51d6cf4ac16b8c157d0794b873eb1
SHA256:e1c29f91924be94ceb6cbc2aecbd34ccdd9b2761d4b1c880e91bd0b053bbc79a
Tags:exeRedLineStealer
Infos:

Detection

Fabookie, Mystic Stealer, RedLine, SmokeLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected RedLine Stealer
Yara detected Mystic Stealer
Yara detected SmokeLoader
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Fabookie
Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Disable Windows Defender real time protection (registry)
Maps a DLL or memory area into another process
Found stalling execution ending in API Sleep call
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Disable Windows Defender notifications (registry)
Checks if the current machine is a virtual machine (disk enumeration)
Writes to foreign memory regions
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
One or more processes crash
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Creates files inside the system directory
PE file contains sections with non-standard names
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Queries disk information (often used to detect virtual machines)
Uses Microsoft's Enhanced Cryptographic Provider
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Classification

  • System is w10x64
  • e1c29f91924be94ceb6cbc2aecbd34ccdd9b2761d4b1c.exe (PID: 6488 cmdline: C:\Users\user\Desktop\e1c29f91924be94ceb6cbc2aecbd34ccdd9b2761d4b1c.exe MD5: 6BF4C9D2B8DBD206C60CA8CD78C66141)
    • v0139395.exe (PID: 6504 cmdline: C:\Users\user\AppData\Local\Temp\IXP000.TMP\v0139395.exe MD5: D9F040D855D241E47DE3A1453BA55A1E)
      • v5523814.exe (PID: 6520 cmdline: C:\Users\user\AppData\Local\Temp\IXP001.TMP\v5523814.exe MD5: 8C88F4E2A9CBD0F50308ECFBF2682492)
        • v2232713.exe (PID: 6536 cmdline: C:\Users\user\AppData\Local\Temp\IXP002.TMP\v2232713.exe MD5: B632113C967BF119C2FFB113D0EC60C1)
          • a3839540.exe (PID: 6552 cmdline: C:\Users\user\AppData\Local\Temp\IXP003.TMP\a3839540.exe MD5: C8A8CEA45E9B40590620ED7BE3A231AA)
          • b1121980.exe (PID: 6648 cmdline: C:\Users\user\AppData\Local\Temp\IXP003.TMP\b1121980.exe MD5: 4512B6C7E1F51DB836D1540F2C9A75AC)
            • conhost.exe (PID: 6656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • AppLaunch.exe (PID: 6764 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe MD5: 4DF5F963C7E18F062E49870D0AFF8F6F)
            • WerFault.exe (PID: 6836 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6648 -s 632 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
        • c5286836.exe (PID: 7136 cmdline: C:\Users\user\AppData\Local\Temp\IXP002.TMP\c5286836.exe MD5: 9B45E6934F5BC977E2A1A36B641EFAD9)
          • conhost.exe (PID: 7144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • AppLaunch.exe (PID: 6312 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe MD5: 4DF5F963C7E18F062E49870D0AFF8F6F)
          • AppLaunch.exe (PID: 2996 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe MD5: 4DF5F963C7E18F062E49870D0AFF8F6F)
            • explorer.exe (PID: 3512 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
              • 3F93.exe (PID: 4716 cmdline: C:\Users\user\AppData\Local\Temp\3F93.exe MD5: F6FE596CB820A7D48DF6F79A66112644)
                • x1895805.exe (PID: 4272 cmdline: C:\Users\user\AppData\Local\Temp\IXP000.TMP\x1895805.exe MD5: 38EED433351602811990E57317F5A52E)
          • WerFault.exe (PID: 3548 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7136 -s 140 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • rundll32.exe (PID: 6612 cmdline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\ MD5: 73C519F050C20580F8A62C849D49215A)
  • rundll32.exe (PID: 6744 cmdline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP001.TMP\ MD5: 73C519F050C20580F8A62C849D49215A)
  • svchost.exe (PID: 7080 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6316 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • rundll32.exe (PID: 3808 cmdline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP002.TMP\ MD5: 73C519F050C20580F8A62C849D49215A)
  • svchost.exe (PID: 6640 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6720 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 6792 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 3252 cmdline: c:\windows\system32\svchost.exe -k local