Windows Analysis Report
inquiry for AP-103- FM-2400 project.exe

Overview

General Information

Sample name: inquiry for AP-103- FM-2400 project.exe
Analysis ID: 1472089
MD5: 965690b2881041a12b0b63d8d68be854
SHA1: 86ab14ecf043d8efd1133a89623c6ea808e710a6
SHA256: b7585402d354395dd4cb9031486b62c65856189cdf27ebf5e0a9a3685970f187
Tags: exe, RedLineStealer

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected RedLine Stealer
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign process
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
One or more processes crash
PE file does not import any functions
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

(classification chart not reproduced in this extract)

Process Tree

  • System is w10x64
  • inquiry for AP-103- FM-2400 project.exe (PID: 7316 cmdline: "C:\Users\user\Desktop\inquiry for AP-103- FM-2400 project.exe" MD5: 965690B2881041A12B0B63D8D68BE854)
    • conhost.exe (PID: 7324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 7452 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • RegSvcs.exe (PID: 7460 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • WerFault.exe (PID: 7540 cmdline: C:\Windows\system32\WerFault.exe -u -p 7316 -s 1016 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
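The tree above shows the pattern behind "Creates a process in suspended mode" and "Injects a PE file into a foreign process": the sample starts RegSvcs.exe twice with no command-line arguments, and WerFault.exe is later invoked for the sample's own PID 7316. The following is an added hunting example, not Joe Sandbox's or RedLine's code, that applies that pattern to process-creation telemetry. The events are constructed from this tree; the sample's parent PID 4242, the two MSBuild control events, the build-tool allow-list, and the hollowing targets other than regsvcs.exe are assumptions.

```python
"""Hunt for hollowed .NET framework utilities in process-creation telemetry.

Added example (not Joe Sandbox's or RedLine's code). SAMPLE_EVENTS is
constructed from this report's process tree; PID 4242, the MSBuild control
events, BENIGN_PARENTS, and the HOLLOW_TARGETS entries other than regsvcs.exe
are assumptions.
"""
import ntpath
import re
from dataclasses import dataclass

# .NET helpers commonly abused as hollowing hosts. regsvcs.exe is what this
# report shows; regasm.exe and installutil.exe are assumed from general tradecraft.
HOLLOW_TARGETS = {"regsvcs.exe", "regasm.exe", "installutil.exe"}
# Build tooling that may legitimately launch these helpers (assumption).
BENIGN_PARENTS = {"msbuild.exe", "devenv.exe"}
_WER_PID = re.compile(r"-p\s+(\d+)")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    cmdline: str


def split_cmdline(cmdline: str):
    """Return (image_path, arguments) for a Windows command line.

    A quoted image path ends at the closing quote; otherwise at the first space.
    """
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:
            return s.strip('"'), ""
        return s[1:end], s[end + 1:].strip()
    head, _, rest = s.partition(" ")
    return head, rest.strip()


def image_name(cmdline: str) -> str:
    return ntpath.basename(split_cmdline(cmdline)[0]).lower()


def find_hollowed_dotnet(events):
    """Flag HOLLOW_TARGETS started with no arguments by a non-build parent.

    Each finding records how many times the same parent launched that image
    (loaders often retry) and whether WerFault later reported the parent
    crashing (WerFault.exe -u -p <pid> ...), as happened to PID 7316 here.
    """
    by_pid = {e.pid: e for e in events}
    crashed = set()
    for e in events:
        if image_name(e.cmdline) == "werfault.exe":
            m = _WER_PID.search(split_cmdline(e.cmdline)[1])
            if m:
                crashed.add(int(m.group(1)))

    findings = []
    for e in events:
        name = image_name(e.cmdline)
        if name not in HOLLOW_TARGETS:
            continue
        if split_cmdline(e.cmdline)[1]:
            continue  # legitimate use passes an assembly path on the command line
        parent = by_pid.get(e.ppid)
        parent_name = image_name(parent.cmdline) if parent else "<unknown>"
        if parent_name in BENIGN_PARENTS:
            continue
        siblings = sum(1 for x in events
                       if x.ppid == e.ppid and image_name(x.cmdline) == name)
        findings.append({
            "pid": e.pid,
            "image": name,
            "parent_pid": e.ppid,
            "parent_image": parent_name,
            "sibling_launches": siblings,
            "parent_crashed": e.ppid in crashed,
        })
    return sorted(findings, key=lambda f: f["pid"])


# Constructed telemetry mirroring the process tree in this report, plus three
# assumed MSBuild control events that must not be flagged.
SAMPLE_EVENTS = [
    ProcEvent(7316, 4242, '"C:\\Users\\user\\Desktop\\inquiry for AP-103- FM-2400 project.exe"'),
    ProcEvent(7324, 7316, "C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(7452, 7316, '"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe"'),
    ProcEvent(7460, 7316, '"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe"'),
    ProcEvent(7540, 7316, "C:\\Windows\\system32\\WerFault.exe -u -p 7316 -s 1016"),
    ProcEvent(9000, 1000, "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe build.proj"),
    ProcEvent(9001, 9000, '"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe"'),
    ProcEvent(9002, 9000, "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe MyLib.dll"),
]

if __name__ == "__main__":
    for finding in find_hollowed_dotnet(SAMPLE_EVENTS):
        print(finding)
```

Run against real Sysmon Event ID 1 or EDR process-start data, the same function only needs the three fields in ProcEvent. The argument check is what keeps the rule quiet: RegSvcs.exe and its siblings are register/install tools that always receive an assembly path when used for their purpose.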
Malware Configuration

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Extracted configuration (RedLine):
{"C2 url": ["212.162.149.77:1912"], "Bot Id": "Vip-Data", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Yara Overview

Network traffic (Source | Rule | Description | Author)
  dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security
  dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Memory dumps (Source | Rule | Description | Author)
  00000000.00000002.1978199377.0000028367793000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
  00000002.00000002.1897006290.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
  00000000.00000002.1980914433.000002837752B000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
  00000000.00000002.1980914433.00000283775B9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
  00000002.00000002.1899653757.00000000029A7000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  (6 further memory-dump matches not reproduced in this extract)

Unpacked PEs (Source | Rule | Description | Author)
  0.2.inquiry for AP-103- FM-2400 project.exe.283775c21f0.1.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
  0.2.inquiry for AP-103- FM-2400 project.exe.28377576fa8.2.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
  2.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
  0.2.inquiry for AP-103- FM-2400 project.exe.28377576fa8.2.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
  0.2.inquiry for AP-103- FM-2400 project.exe.283775c21f0.1.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Sigma Overview

No Sigma rule has matched
Snort Overview

Four alerts, all on 07/12/24, all TCP, classtype "A Network Trojan was detected", listed chronologically (Timestamp | SID | Source port -> Destination port | Rule message):
  09:52:59.414591 | 2046045 | 49730 -> 1912 | ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)
  09:52:59.543201 | 2043234 | 1912 -> 49730 | ET MALWARE Redline Stealer TCP CnC - Id1Response
  09:53:04.717651 | 2046056 | 1912 -> 49730 | ET TROJAN Redline Stealer/MetaStealer Family Activity (Response)
  09:53:06.619207 | 2043231 | 49730 -> 1912 | ET TROJAN Redline Stealer TCP CnC Activity

                          AV Detection

Source: 2.2.RegSvcs.exe.400000.0.unpack; Malware Configuration Extractor: RedLine {"C2 url": ["212.162.149.77:1912"], "Bot Id": "Vip-Data", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Source: inquiry for AP-103- FM-2400 project.exe; ReversingLabs: Detection: 26%
Source: inquiry for AP-103- FM-2400 project.exe; Virustotal: Detection: 33%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: inquiry for AP-103- FM-2400 project.exe; Joe Sandbox ML: detected

                          Exploits

Source: Yara match; File source: 00000000.00000002.1978199377.0000028367793000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: inquiry for AP-103- FM-2400 project.exe PID: 7316, type: MEMORYSTR
Source: inquiry for AP-103- FM-2400 project.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: Microsoft.VisualBasic.ni.pdb; source: WER80C9.tmp.dmp.6.dr
Source: Binary string: mscorlib.pdb; source: WER80C9.tmp.dmp.6.dr
Source: Binary string: System.ni.pdbRSDS; source: WER80C9.tmp.dmp.6.dr
Source: Binary string: mscorlib.ni.pdb; source: WER80C9.tmp.dmp.6.dr
Source: Binary string: System.Core.pdb; source: WER80C9.tmp.dmp.6.dr
Source: Binary string: mscorlib.ni.pdbRSDS7^3l; source: WER80C9.tmp.dmp.6.dr
Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS&; source: WER80C9.tmp.dmp.6.dr
Source: Binary string: System.ni.pdb; source: WER80C9.tmp.dmp.6.dr
Source: Binary string: System.pdb; source: WER80C9.tmp.dmp.6.dr
Source: Binary string: System.Core.ni.pdbRSDS; source: WER80C9.tmp.dmp.6.dr
Source: Binary string: System.Core.ni.pdb; source: WER80C9.tmp.dmp.6.dr
Source: Binary string: Microsoft.VisualBasic.pdb; source: WER80C9.tmp.dmp.6.dr

                          Networking

Source: Traffic; Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) 192.168.2.4:49730 -> 212.162.149.77:1912
Source: Traffic; Snort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.4:49730 -> 212.162.149.77:1912
Source: Traffic; Snort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 212.162.149.77:1912 -> 192.168.2.4:49730
Source: Traffic; Snort IDS: 2046056 ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) 212.162.149.77:1912 -> 192.168.2.4:49730
Source: Malware configuration extractor; URLs: 212.162.149.77:1912
Source: global traffic; TCP traffic: 192.168.2.4:49730 -> 212.162.149.77:1912
Source: Joe Sandbox View; ASN Name: UNREAL-SERVERSUS
Source: unknown; TCP traffic detected without corresponding DNS query: 212.162.149.77 (reported 50 times)
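The networking evidence above has three independent sources that should agree: the C2 endpoint pulled from the configuration, the Snort alerts on the flow, and the observation that the address was contacted with no DNS lookup. The following is an added correlation example, not Joe Sandbox's, Emerging Threats' or RedLine's code. Its inputs are constructed from the values printed in this report (the extracted config, the four Snort alerts with their IPs and ports, and an empty set of DNS answers); the date comes from the Snort timestamps.

```python
"""Correlate an extracted RedLine configuration with Snort alerts and DNS data.

Added example (not Joe Sandbox's, Emerging Threats' or RedLine's code). The
inputs below are constructed from this report: the extracted config, the four
Snort alerts, and the fact that no DNS query preceded contact with the C2.
"""
import json
from collections import Counter
from datetime import datetime

CONFIG_JSON = ('{"C2 url": ["212.162.149.77:1912"], "Bot Id": "Vip-Data", '
               '"Authorization Header": "c74790bd166600f1f665c8ce201776eb"}')

# (snort timestamp, sid, src_ip, src_port, dst_ip, dst_port, rule message),
# copied from the report in the order the report lists them.
ALERTS = [
    ("07/12/24-09:53:06.619207", 2043231, "192.168.2.4", 49730, "212.162.149.77", 1912,
     "ET TROJAN Redline Stealer TCP CnC Activity"),
    ("07/12/24-09:52:59.543201", 2043234, "212.162.149.77", 1912, "192.168.2.4", 49730,
     "ET MALWARE Redline Stealer TCP CnC - Id1Response"),
    ("07/12/24-09:53:04.717651", 2046056, "212.162.149.77", 1912, "192.168.2.4", 49730,
     "ET TROJAN Redline Stealer/MetaStealer Family Activity (Response)"),
    ("07/12/24-09:52:59.414591", 2046045, "192.168.2.4", 49730, "212.162.149.77", 1912,
     "ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)"),
]
# IPs returned by any DNS answer in the capture; the report records none for the C2.
DNS_ANSWERS = set()


def parse_c2(config_json):
    """Return the C2 endpoints from a RedLine config as (ip, port) tuples."""
    cfg = json.loads(config_json)
    endpoints = []
    for entry in cfg["C2 url"]:
        host, _, port = entry.rpartition(":")
        endpoints.append((host, int(port)))
    return endpoints


def parse_ts(ts):
    """Snort timestamps are MM/DD/YY-HH:MM:SS.ffffff."""
    return datetime.strptime(ts, "%m/%d/%y-%H:%M:%S.%f")


def orient(src_ip, src_port, dst_ip, dst_port, c2):
    """Normalise a packet to a (client_ip, client_port, server_ip, server_port)
    flow key. The configured C2 endpoint is the server side; without a config
    hit, fall back to the lower port (client ports are ephemeral and high)."""
    if (dst_ip, dst_port) in c2 or ((src_ip, src_port) not in c2 and dst_port < src_port):
        return (src_ip, src_port, dst_ip, dst_port), "outbound"
    return (dst_ip, dst_port, src_ip, src_port), "inbound"


def correlate(config_json, alerts, dns_answers):
    """Group alerts into flows, mark flows whose server side is in the config,
    and note servers that were contacted without any prior DNS answer."""
    c2 = set(parse_c2(config_json))
    flows = {}
    for ts, sid, sip, sp, dip, dp, _msg in sorted(alerts, key=lambda a: parse_ts(a[0])):
        key, direction = orient(sip, sp, dip, dp, c2)
        f = flows.setdefault(key, {
            "in_config": key[2:] in c2,
            "no_dns": key[2] not in dns_answers,
            "first_seen": parse_ts(ts),
            "last_seen": parse_ts(ts),
            "sids": [],
            "directions": Counter(),
        })
        f["last_seen"] = parse_ts(ts)
        f["sids"].append(sid)
        f["directions"][direction] += 1
    return flows


def iocs(config_json):
    """Flat indicator set for blocklists and log searches. Bot Id and
    Authorization Header are per-build values, so they pivot across samples."""
    cfg = json.loads(config_json)
    out = set()
    for ip, port in parse_c2(config_json):
        out.update({ip, f"{ip}:{port}"})
    out.update({cfg["Bot Id"], cfg["Authorization Header"]})
    return out


if __name__ == "__main__":
    for key, f in correlate(CONFIG_JSON, ALERTS, DNS_ANSWERS).items():
        span = (f["last_seen"] - f["first_seen"]).total_seconds()
        print(key, "in_config=%s no_dns=%s span=%.3fs sids=%s"
              % (f["in_config"], f["no_dns"], span, f["sids"]))
    print(sorted(iocs(CONFIG_JSON)))
```

With the report's data this yields one flow, 192.168.2.4:49730 to 212.162.149.77:1912, whose server side matches the config, carries two outbound and two inbound alerts, and was reached with no DNS answer; the first alert is the client-side MC-NMF authorization, the framing RedLine's .NET C2 channel uses, which is why a raw-IP connection on an unusual port is the expected shape of this traffic.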
Source: RegSvcs.exe, 00000002.00000002.1899653757.00000000029A7000.00000004.00000800.00020000.00000000.sdmp; strings found in binary or memory:
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
  http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
  http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
  http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
  http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
  http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
  http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
  http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
  http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
  http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
                          Source: RegSvcs.exe, 00000002.00000002.1899653757.00000000029A7000.00000004.00000800.00020000.0