Windows Analysis Report
RALbxU9itw.exe

Overview

General Information

Sample name: RALbxU9itw.exe
renamed because original name is a hash value
Original sample name: 42208ec96d3a525eb6c8fb7039dc680a.exe
Analysis ID: 1472646
MD5: 42208ec96d3a525eb6c8fb7039dc680a
SHA1: d32a62d8f0f3ae105196b8ce7ca9d4fdf3aaae4e
SHA256: 29655aaef91cebf364f529a19c1b435834cb0ea08e976b77765d202d5b6d056f
Tags: 32exe

Detection

PureLog Stealer, RedLine, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected zgRAT
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Injects a PE file into a foreign process
Machine Learning detection for sample
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale, apparently as a standalone product ($100/$150 depending on the version) or on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, including details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and the malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name: zgRAT
Description: zgRAT is a Remote Access Trojan which sometimes drops other malware such as AgentTesla. zgRAT has an infostealer component which targets browser information and cryptowallets. It usually spreads via USB or phishing emails with .zip/.lnk/.bat/.xlsx attachments and so on.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

AV Detection

Source: RALbxU9itw.exe Avira: detected
Source: 00000002.00000002.4549647177.0000000002C41000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: RedLine {"C2 url": "amrican-sport-live-stream.cc:4581", "Bot Id": "TG-Source", "Authorization Header": "1a3c2a146bad47603eedf589c29c4868"}
Source: amrican-sport-live-stream.cc Virustotal: Detection: 17% Perma Link
Source: amrican-sport-live-stream.cc:4581 Virustotal: Detection: 15% Perma Link
Source: RALbxU9itw.exe Virustotal: Detection: 52% Perma Link
Source: RALbxU9itw.exe ReversingLabs: Detection: 42%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: RALbxU9itw.exe Joe Sandbox ML: detected
Source: RALbxU9itw.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: RALbxU9itw.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: \??\C:\Windows\System.ServiceModel.pdb4 source: RegAsm.exe, 00000002.00000002.4554133065.000000000536B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.ServiceModel.pdb source: RegAsm.exe, 00000002.00000002.4547590200.0000000000D37000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.pdb source: RegAsm.exe, 00000002.00000002.4548719628.0000000001054000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdbdy source: RegAsm.exe, 00000002.00000002.4548719628.0000000001063000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: RegAsm.exe, 00000002.00000002.4554369568.00000000053FC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.pdb693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: RegAsm.exe, 00000002.00000002.4554133065.000000000536B000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\RALbxU9itw.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 0_2_3D591FB8
Source: C:\Users\user\Desktop\RALbxU9itw.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 0_2_3D591FB2
Source: C:\Users\user\Desktop\RALbxU9itw.exe Code function: 4x nop then jmp 3D59AB09h 0_2_3D59AA70
Source: C:\Users\user\Desktop\RALbxU9itw.exe Code function: 4x nop then jmp 3D59AB09h 0_2_3D59AA80

Networking

Source: Malware configuration extractor URLs: amrican-sport-live-stream.cc:4581
Source: Yara match File source: 0.2.RALbxU9itw.exe.36bc9f8.2.raw.unpack, type: UNPACKEDPE
Source: unknown DNS traffic detected: query: amrican-sport-live-stream.cc reply code: Name error (3)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: amrican-sport-live-stream.cc
Source: RALbxU9itw.exe, 00000000.00000002.2105165314.00000000025F5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://james.newtonking.com/projects/json
Source: RegAsm.exe, 00000002.00000002.4549647177.0000000002C41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ip.sb/ip
Source: RALbxU9itw.exe, 00000000.00000002.2105165314.00000000025F5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: RALbxU9itw.exe, 00000000.00000002.2110692857.0000000004DD0000.00000004.08000000.00040000.00000000.sdmp, RALbxU9itw.exe, 00000000.00000002.2106256003.00000000036BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: RALbxU9itw.exe, 00000000.00000002.2110692857.0000000004DD0000.00000004.08000000.00040000.00000000.sdmp, RALbxU9itw.exe, 00000000.00000002.2106256003.00000000036BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

System Summary

Source: 0.2.RALbxU9itw.exe.36bc9f8.2.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.RALbxU9itw.exe.37b2fa0.3.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.RALbxU9itw.exe.39909d0.1.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.RALbxU9itw.exe.4dd0000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.RALbxU9itw.exe.4dd0000.4.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.RALbxU9itw.exe.39909d0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.RALbxU9itw.exe.37b2fa0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.RALbxU9itw.exe.36bc9f8.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
Source: 0.2.RALbxU9itw.exe.36bc9f8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.RALbxU9itw.exe.36bc9f8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 00000002.00000002.4547322387.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
Source: 00000000.00000002.2106256003.000000000362A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
Source: 00000000.00000002.2110692857.0000000004DD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects zgRAT Author: ditekSHen
Source: 00000000.00000002.2106256003.00000000036BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
Source: RALbxU9itw.exe, -.cs Large array initialization: _0001: array initializer size 1956368
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\RALbxU9itw.exe Code function: 0_2_00B84DE0 0_2_00B84DE0
Source: C:\Users\user\Desktop\RALbxU9itw.exe Code function: 0_2_00B8A6F0 0_2_00B8A6F0
Source: C:\Users\user\Desktop\RALbxU9itw.exe Code function: 0_2_00B811A0 0_2_00B811A0
Source: C:\Users\user\Desktop\RALbxU9itw.exe Code function: 0_2_00B81190 0_2_00B81190
Source: C:\Users\user\Desktop\RALbxU9itw.exe Code function: 0_2_00B84DD1 0_2_00B84DD1
Source: C:\Users\user\Desktop\RALbxU9itw.exe Code function: 0_2_00B80D3F 0_2_00B80D3F
Source: C:\Users\user\Desktop\RALbxU9itw.exe Code function: 0_2_00B80D50 0_2_00B80D50
Source: C:\Users\user\Desktop\RALbxU9itw.exe Code function: 0_2_04B795AF 0_2_04B795AF
Source: C:\Users\user\Desktop\RALbxU9itw.exe Code function: 0_2_04B7A9F5 0_2_04B7A9F5
Source: C:\Users\user\Desktop\RALbxU9itw.exe Code function: 0_2_04B72935 0_2_04B72935
Source: C:\Users\user\Desktop\RALbxU9itw.exe Code function: 0_2_04B795F8 0_2_04B795F8
Source: C:\Users\user\Desktop\RALbxU9itw.exe Code function: 0_2_04B707B0 0_2_04B707B0
Source: C:\Users\user\Desktop\RALbxU9itw.exe Code function: 0_2_04B707C0 0_2_04B707C0
Source: C:\Users\user\Desktop\RALbxU9itw.exe Code function: 0_2_04B71390 0_2_04B71390
Source: C:\Users\user\Desktop\RALbxU9itw.exe Code function: 0_2_050905EE 0_2_050905EE
Source: C:\Users\user\Desktop\RALbxU9itw.exe Code function: 0_2_3D592588 0_2_3D592588
Source: C:\Users\user\Desktop\RALbxU9itw.exe Code function: 0_2_3D5965A0 0_2_3D5965A0
Source: C:\Users\user\Desktop\RALbxU9itw.exe Code function: 0_2_3D5973D0 0_2_3D5973D0
Source: C:\Users\user\Desktop\RALbxU9itw.exe Code function: 0_2_3D592578 0_2_3D592578
Source: C:\Users\user\Desktop\RALbxU9itw.exe Code function: 0_2_3D596050 0_2_3D596050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_01215810 2_2_01215810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_01210848 2_2_01210848
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_01214BC0 2_2_01214BC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_01211C60 2_2_01211C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_012144C9 2_2_012144C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_012144D8 2_2_012144D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_012147A8 2_2_012147A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_01210827 2_2_01210827
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_012108FD 2_2_012108FD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_012108DF 2_2_012108DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_01210B63 2_2_01210B63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_01214BB1 2_2_01214BB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_01211BD9 2_2_01211BD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_01213A00 2_2_01213A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_01213A10 2_2_01213A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_01211C4F 2_2_01211C4F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_01214FE9 2_2_01214FE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_01214FF8 2_2_01214FF8
Source: RALbxU9itw.exe, 00000000.00000002.2105165314.00000000025F5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameIncision.exe4 vs RALbxU9itw.exe
Source: RALbxU9itw.exe, 00000000.00000002.2110692857.0000000004DD0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameQqwrcedpmzbytngepaxawb.dll" vs RALbxU9itw.exe
Source: RALbxU9itw.exe, 00000000.00000002.2102913161.000000000073E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs RALbxU9itw.exe
Source: RALbxU9itw.exe, 00000000.00000002.2105165314.00000000026C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameIncision.exe4 vs RALbxU9itw.exe
Source: RALbxU9itw.exe, 00000000.00000000.2087779005.0000000000359000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameTrkyzwvg-TG-R.exej% vs RALbxU9itw.exe
Source: RALbxU9itw.exe, 00000000.00000002.2106256003.000000000362A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameIncision.exe4 vs RALbxU9itw.exe
Source: RALbxU9itw.exe, 00000000.00000002.2106256003.00000000036BC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameIncision.exe4 vs RALbxU9itw.exe
Source: RALbxU9itw.exe, 00000000.00000002.2106256003.00000000036BC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameQqwrcedpmzbytngepaxawb.dll" vs RALbxU9itw.exe
Source: RALbxU9itw.exe Binary or memory string: OriginalFilenameTrkyzwvg-TG-R.exej% vs RALbxU9itw.exe
Source: RALbxU9itw.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.RALbxU9itw.exe.36bc9f8.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.RALbxU9itw.exe.37b2fa0.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.RALbxU9itw.exe.39909d0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.RALbxU9itw.exe.4dd0000.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.RALbxU9itw.exe.4dd0000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.RALbxU9itw.exe.39909d0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.RALbxU9itw.exe.37b2fa0.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.RALbxU9itw.exe.36bc9f8.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
Source: 0.2.RALbxU9itw.exe.36bc9f8.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.RALbxU9itw.exe.36bc9f8.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 00000002.00000002.4547322387.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
Source: 00000000.00000002.2106256003.000000000362A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
Source: 00000000.00000002.2110692857.0000000004DD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 00000000.00000002.2106256003.00000000036BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
Source: RALbxU9itw.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.evad.winEXE@3/1@50/0
Source: C:\Users\user\Desktop\RALbxU9itw.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RALbxU9itw.exe.log
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Mutant created: NULL
Source: RALbxU9itw.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: RALbxU9itw.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\RALbxU9itw.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RALbxU9itw.exe Virustotal: Detection: 52%
Source: RALbxU9itw.exe ReversingLabs: Detection: 42%
Source: unknown Process created: C:\Users\user\Desktop\RALbxU9itw.exe "C:\Users\user\Desktop\RALbxU9itw.exe"
Source: C:\Users\user\Desktop\RALbxU9itw.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\RALbxU9itw.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\RALbxU9itw.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\RALbxU9itw.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\RALbxU9itw.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\RALbxU9itw.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\RALbxU9itw.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\RALbxU9itw.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\RALbxU9itw.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\RALbxU9itw.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\RALbxU9itw.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\RALbxU9itw.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\RALbxU9itw.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\RALbxU9itw.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\RALbxU9itw.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\RALbxU9itw.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\RALbxU9itw.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\RALbxU9itw.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\RALbxU9itw.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\RALbxU9itw.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\RALbxU9itw.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\RALbxU9itw.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dwrite.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msvcp140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\RALbxU9itw.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\RALbxU9itw.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: RALbxU9itw.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: RALbxU9itw.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: RALbxU9itw.exe Static file information: File size 3046400 > 1048576
Source: RALbxU9itw.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1df000
Source: RALbxU9itw.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x108800
Source: RALbxU9itw.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: \??\C:\Windows\System.ServiceModel.pdb4 source: RegAsm.exe, 00000002.00000002.4554133065.000000000536B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.ServiceModel.pdb source: RegAsm.exe, 00000002.00000002.4547590200.0000000000D37000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.pdb source: RegAsm.exe, 00000002.00000002.4548719628.0000000001054000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdbdy source: RegAsm.exe, 00000002.00000002.4548719628.0000000001063000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: RegAsm.exe, 00000002.00000002.4554369568.00000000053FC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.pdb693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: RegAsm.exe, 00000002.00000002.4554133065.000000000536B000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: RALbxU9itw.exe, -.cs .Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\RALbxU9itw.exe Code function: 0_2_00B86905 push ebx; retf 0_2_00B8690A
Source: C:\Users\user\Desktop\RALbxU9itw.exe Code function: 0_2_00B87791 push eax; retf 0_2_00B87799
Source: C:\Users\user\Desktop\RALbxU9itw.exe Code function: 0_2_04B79F5C pushad ; iretd 0_2_04B79F5D
Source: C:\Users\user\Desktop\RALbxU9itw.exe Code function: 0_2_04FC27FB push ecx; iretd 0_2_04FC27FC
Source: C:\Users\user\Desktop\RALbxU9itw.exe Code function: 0_2_04FC4FB8 push eax; ret 0_2_04FC4FB9
Source: C:\Users\user\Desktop\RALbxU9itw.exe Code function: 0_2_04FC6903 push ebp; retf 0_2_04FC6908
Source: C:\Users\user\Desktop\RALbxU9itw.exe Code function: 0_2_05009986 push E8000006h; iretd 0_2_0500998D
Source: C:\Users\user\Desktop\RALbxU9itw.exe Code function: 0_2_050796EF push dword ptr [esp+ecx*2-75h]; ret 0_2_050796F3
Source: C:\Users\user\Desktop\RALbxU9itw.exe Code function: 0_2_050730D6 push ds; retn 0002h 0_2_050730D7
Source: C:\Users\user\Desktop\RALbxU9itw.exe Code function: 0_2_05077AEE push cs; ret 0_2_05077AEF
Source: C:\Users\user\Desktop\RALbxU9itw.exe Code function: 0_2_0509BC38 push esp; iretd 0_2_0509BC39
Source: C:\Users\user\Desktop\RALbxU9itw.exe Code function: 0_2_05094C82 pushad ; iretd 0_2_05094C89
Source: C:\Users\user\Desktop\RALbxU9itw.exe Code function: 0_2_05093B68 push esp; ret 0_2_05093B69
Source: C:\Users\user\Desktop\RALbxU9itw.exe Code function: 0_2_050C2AC4 pushad ; iretd 0_2_050C2AC5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_01216129 push 97E800F3h; iretd 2_2_0121612E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0121418C push ecx; iretd 2_2_0121418D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0121F850 pushfd ; iretd 2_2_0121FB71
Source: RALbxU9itw.exe Static PE information: section name: .text entropy: 7.999771369659182
Source: C:\Users\user\Desktop\RALbxU9itw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RALbxU9itw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RALbxU9itw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RALbxU9itw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RALbxU9itw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RALbxU9itw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RALbxU9itw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RALbxU9itw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RALbxU9itw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RALbxU9itw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RALbxU9itw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RALbxU9itw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RALbxU9itw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RALbxU9itw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RALbxU9itw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RALbxU9itw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RALbxU9itw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RALbxU9itw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RALbxU9itw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RALbxU9itw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RALbxU9itw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RALbxU9itw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RALbxU9itw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RALbxU9itw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RALbxU9itw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RALbxU9itw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RALbxU9itw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RALbxU9itw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RALbxU9itw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RALbxU9itw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RALbxU9itw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RALbxU9itw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RALbxU9itw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RALbxU9itw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RALbxU9itw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RALbxU9itw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RALbxU9itw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RALbxU9itw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RALbxU9itw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RALbxU9itw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RALbxU9itw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RALbxU9itw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RALbxU9itw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: RALbxU9itw.exe PID: 2144, type: MEMORYSTR
Source: RALbxU9itw.exe, 00000000.00000002.2105165314.00000000025F5000.00000004.00000800.00020000.00000000.sdmp, RALbxU9itw.exe, 00000000.00000002.2105165314.00000000028A0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\RALbxU9itw.exe Memory allocated: B80000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\RALbxU9itw.exe Memory allocated: 25D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\RALbxU9itw.exe Memory allocated: 45D0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 1210000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 2C40000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 4C40000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 5360000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 6360000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 6490000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 7490000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 77E0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 87E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\RALbxU9itw.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 9479
Source: C:\Users\user\Desktop\RALbxU9itw.exe TID: 1816 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5840 Thread sleep count: 488 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5840 Thread sleep time: -488000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5840 Thread sleep count: 9479 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5840 Thread sleep time: -9479000s >= -30000s
Source: C:\Users\user\Desktop\RALbxU9itw.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
Source: C:\Users\user\Desktop\RALbxU9itw.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
Source: C:\Users\user\Desktop\RALbxU9itw.exe Thread delayed: delay time: 922337203685477
Source: RALbxU9itw.exe, 00000000.00000002.2105165314.00000000028A0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware\V
Source: RALbxU9itw.exe, 00000000.00000002.2105165314.00000000025F5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: RALbxU9itw.exe, 00000000.00000002.2105165314.00000000028A0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: q 1:en-CH:Microsoft|VMWare|Virtual
Source: RALbxU9itw.exe, 00000000.00000002.2105165314.00000000025F5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware|VIRTUAL|A M I|Xen
Source: RALbxU9itw.exe, 00000000.00000002.2105165314.00000000028A0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: q 1:en-CH:VMware|VIRTUAL|A M I|Xen
Source: RALbxU9itw.exe, 00000000.00000002.2105165314.00000000025F5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Microsoft|VMWare|Virtual
Source: RALbxU9itw.exe, 00000000.00000002.2105165314.00000000028A0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMwareLR
Source: RALbxU9itw.exe, 00000000.00000002.2105165314.00000000028A0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWareLR
Source: RegAsm.exe, 00000002.00000002.4554133065.00000000053A3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
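The strings listed above (the two alternations "Microsoft|VMWare|Virtual" and "VMware|VIRTUAL|A M I|Xen", the SBIEDLL.DLL module name, and the 922337203685477 ms delay) describe the sample's environment check. The Python below is an added example, not code from this report or from the malware. It assumes the alternations are matched case-insensitively against Win32_ComputerSystem Manufacturer/Model and Win32_BIOS Manufacturer/Version (the two classes the sample queries; the page does not show which property each pattern is applied to), and it uses constructed WMI values so an analyst can test which properties of a sandbox image would trip the check.

```python
import re
from dataclasses import dataclass

# Alternations found as strings in the sample's memory (quoted in the report
# lines above). Which WMI property each is compared against is an assumption of
# this example: the sample runs "select * from Win32_ComputerSystem" and
# "select * from Win32_BIOS", and the two patterns read like the usual
# Manufacturer/Model and BIOS Manufacturer/Version checks. Case-insensitive
# matching is also assumed; the page does not show the RegexOptions used.
COMPUTERSYSTEM_RE = re.compile(r"Microsoft|VMWare|Virtual", re.IGNORECASE)
BIOS_RE = re.compile(r"VMware|VIRTUAL|A M I|Xen", re.IGNORECASE)

# Module name the sample looks for; SbieDll.dll is Sandboxie's injected DLL.
SANDBOX_MODULES = {"sbiedll.dll"}

# Int64.MaxValue / 10000: TimeSpan.MaxValue expressed in whole milliseconds,
# which is exactly the delay value the report records (922337203685477).
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000


@dataclass
class WmiSnapshot:
    """Constructed stand-in for the four WMI properties; no live WMI call is made."""
    cs_manufacturer: str
    cs_model: str
    bios_manufacturer: str
    bios_version: str


def vm_indicators(snap: WmiSnapshot) -> list[str]:
    """Return one entry per property that the sample's patterns would flag."""
    checks = (
        ("Win32_ComputerSystem.Manufacturer", snap.cs_manufacturer, COMPUTERSYSTEM_RE),
        ("Win32_ComputerSystem.Model", snap.cs_model, COMPUTERSYSTEM_RE),
        ("Win32_BIOS.Manufacturer", snap.bios_manufacturer, BIOS_RE),
        ("Win32_BIOS.Version", snap.bios_version, BIOS_RE),
    )
    hits = []
    for prop, value, rx in checks:
        m = rx.search(value)
        if m:
            hits.append(f"{prop}={value!r} matched {m.group(0)!r}")
    return hits


def sandbox_module_hits(loaded_modules: list[str]) -> list[str]:
    """Module-name check: case-insensitive basename comparison, as the
    sample's SBIEDLL.DLL string suggests."""
    return [m for m in loaded_modules if m.rsplit("\\", 1)[-1].lower() in SANDBOX_MODULES]


def classify_delay(ms: int) -> str:
    """Bucket a sleep/delay argument the way the report's thresholds do."""
    if ms >= TIMESPAN_MAX_MS:
        return "infinite"      # thread never resumes; sleep-skipping cannot help
    if ms >= 3 * 60 * 1000:
        return "long"          # the report's ">= 3 min" long-sleep threshold
    return "short"


def evasion_verdict(snap: WmiSnapshot, loaded_modules: list[str]) -> dict:
    """Combine the checks into what the sample would most likely conclude."""
    vm = vm_indicators(snap)
    sbx = sandbox_module_hits(loaded_modules)
    return {"vm_hits": vm, "sandbox_modules": sbx, "analysis_env": bool(vm or sbx)}


# Constructed property values for three hosts; real machines vary.
VMWARE_GUEST = WmiSnapshot("VMware, Inc.", "VMware Virtual Platform",
                           "Phoenix Technologies LTD", "INTEL  - 6040000")
HYPERV_GUEST = WmiSnapshot("Microsoft Corporation", "Virtual Machine",
                           "American Megatrends Inc.", "VRTUAL - 1")
BARE_METAL = WmiSnapshot("Dell Inc.", "OptiPlex 7090", "Dell Inc.", "DELL   - 1072009")

if __name__ == "__main__":
    for name, snap in (("vmware", VMWARE_GUEST), ("hyper-v", HYPERV_GUEST), ("bare metal", BARE_METAL)):
        print(name, evasion_verdict(snap, ["kernel32.dll", "mscoree.dll"]))
    print(classify_delay(922337203685477))
```

Two caveats for anyone hardening a sandbox image against this check: "Microsoft" in Win32_ComputerSystem.Manufacturer also matches Surface hardware, and "A M I" is the Win32_BIOS.Version prefix on many physical boards with AMI firmware, so the patterns are not VM-only and a match does not prove the sample aborted for that reason. Conversely, an image that rewrites only the BIOS vendor strings but leaves the model "Virtual Machine" still trips the Win32_ComputerSystem pattern. The delay value is TimeSpan.MaxValue in milliseconds, which is why the report classifies it as a sleep rather than trying to skip it.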

Anti Debugging

Source: C:\Users\user\Desktop\RALbxU9itw.exe Code function: 0_2_3D591FB8 CheckRemoteDebuggerPresent, 0_2_3D591FB8
Source: C:\Users\user\Desktop\RALbxU9itw.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\RALbxU9itw.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\RALbxU9itw.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\RALbxU9itw.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\RALbxU9itw.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\RALbxU9itw.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Desktop\RALbxU9itw.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Users\user\Desktop\RALbxU9itw.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 440000
Source: C:\Users\user\Desktop\RALbxU9itw.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 442000
Source: C:\Users\user\Desktop\RALbxU9itw.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: A14008
Source: C:\Users\user\Desktop\RALbxU9itw.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\RALbxU9itw.exe Queries volume information: C:\Users\user\Desktop\RALbxU9itw.exe VolumeInformation
Source: C:\Users\user\Desktop\RALbxU9itw.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\RALbxU9itw.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\RALbxU9itw.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\RALbxU9itw.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
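The memory lines at the top of this section describe the injection into RegAsm.exe: an RWX allocation at 0x400000, a write there that begins with 4D5A (the MZ signature), further writes at 0x402000, 0x440000, 0x442000 and 0xA14008, and the process create (the signature list notes the child was created suspended). The Python below is an added triage example, not part of this report or of the sample. It parses those lines, embedded as constructed input, into per-(source, target) events and labels the technique; the rule it applies, an RWX allocation plus an MZ header written at the same base in a process the source itself spawned, is this example's own heuristic, and it deliberately ignores line order because the report groups lines by signature rather than by time.

```python
import re
from collections import defaultdict

# Lines copied from this report's "HIPS / PFW / Operating System Protection
# Evasion" section and used here as constructed input; the parser never
# fetches the live page. The report orders lines by signature, not by time,
# so nothing below depends on the order of the list.
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\RALbxU9itw.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write Jump to behavior",
    r"Source: C:\Users\user\Desktop\RALbxU9itw.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A Jump to behavior",
    r"Source: C:\Users\user\Desktop\RALbxU9itw.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 Jump to behavior",
    r"Source: C:\Users\user\Desktop\RALbxU9itw.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000 Jump to behavior",
    r"Source: C:\Users\user\Desktop\RALbxU9itw.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 440000 Jump to behavior",
    r"Source: C:\Users\user\Desktop\RALbxU9itw.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 442000 Jump to behavior",
    r"Source: C:\Users\user\Desktop\RALbxU9itw.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: A14008 Jump to behavior",
    r"Source: C:\Users\user\Desktop\RALbxU9itw.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Jump to behavior",
]

HEAD_RE = re.compile(r"^Source: (\S+) (Process created|Memory allocated|Memory written): (.*)$")
ATTR_RE = re.compile(r"^([0-9A-Fa-f]+)(?: protect: (.*?))?(?: value starts with: ([0-9A-Fa-f]+))?$")

# Hosts commonly hollowed by .NET loaders: anything under the framework
# directory (RegAsm.exe, RegSvcs.exe, MSBuild.exe, ...). Lower-cased prefix.
DOTNET_DIR = "c:\\windows\\microsoft.net\\"


def parse_line(line: str):
    """Turn one behavior line into a dict, or None if it is not an event we track."""
    line = line.strip()
    if line.endswith(" Jump to behavior"):        # drop the page's link text
        line = line[: -len(" Jump to behavior")]
    m = HEAD_RE.match(line)
    if not m:
        return None
    source, action, rest = m.groups()
    if action == "Process created":
        # image path followed by the command line; paths on this page have no spaces
        return {"source": source, "action": action, "target": rest.split()[0]}
    target, sep, attrs = rest.partition(" base: ")
    a = ATTR_RE.match(attrs) if sep else None
    if a is None:
        return None
    return {"source": source, "action": action, "target": target,
            "base": int(a.group(1), 16), "protect": a.group(2), "magic": a.group(3)}


def assess(lines):
    """Group cross-process events by (source, target) and label the technique."""
    pairs = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        if ev["source"].lower() != ev["target"].lower():   # cross-process only
            pairs[(ev["source"], ev["target"])].append(ev)
    verdicts = {}
    for (src, tgt), evs in pairs.items():
        rwx = [e for e in evs if e["action"] == "Memory allocated"
               and "execute" in (e["protect"] or "") and "write" in (e["protect"] or "")]
        writes = [e for e in evs if e["action"] == "Memory written"]
        pe_hdr = [e for e in writes if (e["magic"] or "").upper().startswith("4D5A")]
        created = any(e["action"] == "Process created" for e in evs)
        reasons = []
        if created:
            reasons.append("source spawned the target itself")
        if tgt.lower().startswith(DOTNET_DIR):
            reasons.append("target is a Microsoft-signed .NET framework binary used as a host")
        for e in rwx:
            reasons.append(f"RWX allocation at 0x{e['base']:X}")
        for e in pe_hdr:
            reasons.append(f"MZ header written at 0x{e['base']:X}")
        if any(e["base"] == 0x400000 for e in pe_hdr):
            reasons.append("0x400000 is the default 32-bit image base, the classic RunPE target")
        if any(h["base"] == r["base"] for h in pe_hdr for r in rwx):
            technique = "process hollowing / RunPE"
        elif writes:
            technique = "remote memory write (no PE header seen)"
        else:
            technique = "allocation only"
        verdicts[(src, tgt)] = {"technique": technique, "writes": len(writes),
                                "spawned": created, "reasons": reasons}
    return verdicts


if __name__ == "__main__":
    for (src, tgt), v in assess(REPORT_LINES).items():
        print(f"{src} -> {tgt}: {v['technique']} ({v['writes']} writes)")
        for r in v["reasons"]:
            print("  -", r)
```

The write at 0xA14008 sits well outside the injected image and is left unlabeled on purpose; the report does not say what it is, and a triage script should not guess. For hunting, the same grouping works on EDR telemetry: a cross-process RWX allocation followed by a write beginning with 4D5A into a freshly spawned, signed .NET host is the signal, independent of which loader produced it.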

Stealing of Sensitive Information

Source: Yara match File source: 0.2.RALbxU9itw.exe.37b2fa0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RALbxU9itw.exe.39909d0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RALbxU9itw.exe.4dd0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RALbxU9itw.exe.4dd0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RALbxU9itw.exe.39909d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RALbxU9itw.exe.37b2fa0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RALbxU9itw.exe.36bc9f8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2110692857.0000000004DD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2106256003.00000000036BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RALbxU9itw.exe.36bc9f8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.4547322387.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2106256003.000000000362A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2106256003.00000000036BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4549647177.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 7148, type: MEMORYSTR
Source: Yara match File source: 0.2.RALbxU9itw.exe.37b2fa0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RALbxU9itw.exe.39909d0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RALbxU9itw.exe.4dd0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RALbxU9itw.exe.4dd0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RALbxU9itw.exe.39909d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RALbxU9itw.exe.37b2fa0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RALbxU9itw.exe.36bc9f8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2110692857.0000000004DD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 0.2.RALbxU9itw.exe.37b2fa0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RALbxU9itw.exe.39909d0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RALbxU9itw.exe.4dd0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RALbxU9itw.exe.4dd0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RALbxU9itw.exe.39909d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RALbxU9itw.exe.37b2fa0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RALbxU9itw.exe.36bc9f8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2110692857.0000000004DD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2106256003.00000000036BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RALbxU9itw.exe.36bc9f8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.4547322387.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2106256003.000000000362A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2106256003.00000000036BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4549647177.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 7148, type: MEMORYSTR
Source: Yara match File source: 0.2.RALbxU9itw.exe.37b2fa0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RALbxU9itw.exe.39909d0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RALbxU9itw.exe.4dd0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RALbxU9itw.exe.4dd0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RALbxU9itw.exe.39909d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RALbxU9itw.exe.37b2fa0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RALbxU9itw.exe.36bc9f8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2110692857.0000000004DD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
No contacted IP infos