Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
CATALOGUE.exe

Overview

General Information

Sample name:CATALOGUE.exe
Analysis ID:1471988
MD5:a3a55457b08e66b8246b3ab4f5afc5f8
SHA1:bcfbda193b0091361b4a9ddb06717e219a389351
SHA256:2c7c1638330a59ae2a7c7b549384b6cc6b915584c4c99c59256fdea1930437d7
Tags:exeRedLineStealer
Infos:

Detection

RedLine
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected RedLine Stealer
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
One or more processes crash
PE file does not import any functions
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • CATALOGUE.exe (PID: 504 cmdline: "C:\Users\user\Desktop\CATALOGUE.exe" MD5: A3A55457B08E66B8246B3AB4F5AFC5F8)
    • conhost.exe (PID: 6212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • CasPol.exe (PID: 5820 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
    • AddInProcess32.exe (PID: 3476 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
    • RegSvcs.exe (PID: 3816 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
      • conhost.exe (PID: 2544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 5004 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • WerFault.exe (PID: 7092 cmdline: C:\Windows\system32\WerFault.exe -u -p 504 -s 1052 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
NameDescriptionAttributionBlogpost URLsLink
RedLine StealerRedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{"C2 url": ["172.81.131.198:16383"], "Bot Id": "biss"}
SourceRuleDescriptionAuthorStrings
dump.pcapJoeSecurity_RedLine_1Yara detected RedLine StealerJoe Security
    dump.pcapJoeSecurity_RedLineYara detected RedLine StealerJoe Security
      SourceRuleDescriptionAuthorStrings
      00000005.00000002.2228949681.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        00000005.00000002.2228949681.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_RedLineYara detected RedLine StealerJoe Security
          00000005.00000002.2228949681.0000000000402000.00000040.00000400.00020000.00000000.sdmpWindows_Trojan_RedLineStealer_f54632ebunknownunknown
          • 0x133ca:$a4: get_ScannedWallets
          • 0x12228:$a5: get_ScanTelegram
          • 0x1304e:$a6: get_ScanGeckoBrowsersPaths
          • 0x10e6a:$a7: <Processes>k__BackingField
          • 0xed7c:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
          • 0x1079e:$a9: <ScanFTP>k__BackingField
          00000000.00000002.2152787219.000001E34F22D000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_UACBypassusingCMSTPYara detected UAC Bypass using CMSTPJoe Security
            00000000.00000002.2153808775.000001E35F039000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
              Click to see the 11 entries
              SourceRuleDescriptionAuthorStrings
              0.2.CATALOGUE.exe.1e35f0695f0.5.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                0.2.CATALOGUE.exe.1e35f0695f0.5.unpackJoeSecurity_RedLineYara detected RedLine StealerJoe Security
                  5.2.RegSvcs.exe.400000.0.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                    0.2.CATALOGUE.exe.1e35f0695f0.5.unpackWindows_Trojan_RedLineStealer_f54632ebunknownunknown
                    • 0x117ca:$a4: get_ScannedWallets
                    • 0x10628:$a5: get_ScanTelegram
                    • 0x1144e:$a6: get_ScanGeckoBrowsersPaths
                    • 0xf26a:$a7: <Processes>k__BackingField
                    • 0xd17c:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
                    • 0xeb9e:$a9: <ScanFTP>k__BackingField
                    5.2.RegSvcs.exe.400000.0.unpackJoeSecurity_RedLineYara detected RedLine StealerJoe Security