Edit tour
Windows
Analysis Report
aYf5ibGObB.exe
Overview
General Information
| Sample name: | aYf5ibGObB.exerenamed because original name is a hash value |
| Original sample name: | 8a65e4ace5821564817c5f343352474c.exe |
| Analysis ID: | 1580472 |
| MD5: | 8a65e4ace5821564817c5f343352474c |
| SHA1: | 5921aa00413c8ebcc7f639740e85f0389c8c7e09 |
| SHA256: | aeb46a41343bbbfb2a1fc6b6eec7e60657361be81c61c3adaa11357898a45d4b |
| Tags: | exeRedLineStealeruser-abuse_ch |
| Infos: |  |
 | |
Detection
RedLine
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected RedLine Stealer
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Found API chain indicative of sandbox detection
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
aYf5ibGObB.exe (PID: 2104 cmdline: "C:\Users\ user\Deskt op\aYf5ibG ObB.exe" MD5: 8A65E4ACE5821564817C5F343352474C) 
RegSvcs.exe (PID: 3596 cmdline: "C:\Users\ user\Deskt op\aYf5ibG ObB.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94) 
conhost.exe (PID: 2884 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| RedLine Stealer | RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. | No Attribution |
{"C2 url": ["185.222.58.90:55615"], "Bot Id": "cheat"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security | ||
| JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | ||
| Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown |
| |
| infostealer_win_redline_strings | Finds Redline samples based on characteristic strings | Sekoia.io |
| |
| MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen |
| |
| Click to see the 10 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | ||
| Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown |
| |
| infostealer_win_redline_strings | Finds Redline samples based on characteristic strings | Sekoia.io |
| |
| MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen |
| |
| Click to see the 10 entries | ||||
⊘No Sigma rule has matched
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-24T17:17:06.914116+0100 | 2045000 | 1 | Malware Command and Control Activity Detected | 185.222.58.90 | 55615 | 192.168.2.5 | 49704 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-24T17:16:52.882997+0100 | 2045001 | 1 | Malware Command and Control Activity Detected | 185.222.58.90 | 55615 | 192.168.2.5 | 49704 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-24T17:17:01.664167+0100 | 2849662 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 185.222.58.90 | 55615 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-24T17:17:07.226745+0100 | 2849351 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 185.222.58.90 | 55615 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-24T17:17:01.664167+0100 | 1800000 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 185.222.58.90 | 55615 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Malware Configuration Extractor: | ||
| Source: | ReversingLabs: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 0_2_0103DBBE | |
| Source: | Code function: | 0_2_0100C2A2 | |
| Source: | Code function: | 0_2_0104698F | |
| Source: | Code function: | 0_2_010468EE | |
| Source: | Code function: | 0_2_0103D076 | |
| Source: | Code function: | 0_2_0103D3A9 | |
| Source: | Code function: | 0_2_0104979D | |
| Source: | Code function: | 0_2_01049642 | |
| Source: | Code function: | 0_2_01049B2B | |
| Source: | Code function: | 0_2_01045C97 | |
Networking | |
|---|
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | URLs: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | TCP traffic: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | IP Address: | ||
| Source: | ASN Name: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | Code function: | 0_2_0104CF1A | |
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Code function: | 0_2_0104EAFF | |
| Source: | Code function: | 0_2_0104ED6A | |
| Source: | Code function: | 0_2_0104EAFF | |
| Source: | Code function: | 0_2_0103AB9C | |
| Source: | Code function: | 0_2_01069576 | |
System Summary | |
|---|
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | memstr_8cce0ccf-9 | |
| Source: | String found in binary or memory: | memstr_7f470b34-3 | |
| Source: | String found in binary or memory: | memstr_b948215a-8 | |
| Source: | String found in binary or memory: | memstr_cc446b16-0 | |
| Source: | Code function: | 0_2_0103D5EB | |
| Source: | Code function: | 0_2_01031201 | |
| Source: | Code function: | 0_2_0103E8F6 | |
| Source: | Code function: | 0_2_00FD8060 | |
| Source: | Code function: | 0_2_01042046 | |
| Source: | Code function: | 0_2_01038298 | |
| Source: | Code function: | 0_2_0100E4FF | |
| Source: | Code function: | 0_2_0100676B | |
| Source: | Code function: | 0_2_01064873 | |
| Source: | Code function: | 0_2_00FDCAF0 | |
| Source: | Code function: | 0_2_00FFCAA0 | |
| Source: | Code function: | 0_2_00FECC39 | |
| Source: | Code function: | 0_2_01006DD9 | |
| Source: | Code function: | 0_2_00FD91C0 | |
| Source: | Code function: | 0_2_00FEB119 | |
| Source: | Code function: | 0_2_00FF1394 | |
| Source: | Code function: | 0_2_00FF1706 | |
| Source: | Code function: | 0_2_00FF781B | |
| Source: | Code function: | 0_2_00FF19B0 | |
| Source: | Code function: | 0_2_00FE997D | |
| Source: | Code function: | 0_2_00FD7920 | |
| Source: | Code function: | 0_2_00FF7A4A | |
| Source: | Code function: | 0_2_00FF7CA7 | |
| Source: | Code function: | 0_2_00FF1C77 | |
| Source: | Code function: | 0_2_0105BE44 | |
| Source: | Code function: | 0_2_00FF1F32 | |
| Source: | Code function: | 0_2_01009EEE | |
| Source: | Code function: | 0_2_00D3C7C0 | |
| Source: | Code function: | 2_2_00CAE7B0 | |
| Source: | Code function: | 2_2_00CADC90 | |
| Source: | Code function: | 2_2_05D74468 | |
| Source: | Code function: | 2_2_05D79628 | |
| Source: | Code function: | 2_2_05D73320 | |
| Source: | Code function: | 2_2_05D7DD00 | |
| Source: | Code function: | 2_2_05D7D108 | |
| Source: | Code function: | 2_2_05D71210 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 0_2_010437B5 | |
| Source: | Code function: | 0_2_010310BF | |
| Source: | Code function: | 0_2_010316C3 | |
| Source: | Code function: | 0_2_010451CD | |
| Source: | Code function: | 0_2_0105A67C | |
| Source: | Code function: | 0_2_0104648E | |
| Source: | Code function: | 0_2_00FD42A2 | |
| Source: | File created: | Jump to behavior | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | ReversingLabs: | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00FD42DE | |
| Source: | Code function: | 0_2_00FF0A89 | |
| Source: | Code function: | 2_2_00CA1866 | |
| Source: | Code function: | 2_2_00CA186A | |
| Source: | Code function: | 2_2_05DC0E24 | |
Hooking and other Techniques for Hiding and Protection | |
|---|
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Code function: | 0_2_00FEF98E | |
| Source: | Code function: | 0_2_01061C41 | |
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | Sandbox detection routine: | graph_0-96522 | ||
| Source: | API/Special instruction interceptor: | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | API coverage: | ||
| Source: | Code function: | 0_2_0103DBBE | |
| Source: | Code function: | 0_2_0100C2A2 | |
| Source: | Code function: | 0_2_0104698F | |
| Source: | Code function: | 0_2_010468EE | |
| Source: | Code function: | 0_2_0103D076 | |
| Source: | Code function: | 0_2_0103D3A9 | |
| Source: | Code function: | 0_2_0104979D | |
| Source: | Code function: | 0_2_01049642 | |
| Source: | Code function: | 0_2_01049B2B | |
| Source: | Code function: | 0_2_01045C97 | |
| Source: | Code function: | 0_2_00FD42DE | |
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 0_2_0104EAA2 | |
| Source: | Code function: | 0_2_01002622 | |
| Source: | Code function: | 0_2_00FD42DE | |
| Source: | Code function: | 0_2_00FF4CE8 | |
| Source: | Code function: | 0_2_00D3C6B0 | |
| Source: | Code function: | 0_2_00D3C650 | |
| Source: | Code function: | 0_2_00D3AFC0 | |
| Source: | Code function: | 0_2_01030B62 | |
| Source: | Code function: | 0_2_01002622 | |
| Source: | Code function: | 0_2_00FF083F | |
| Source: | Code function: | 0_2_00FF09D5 | |
| Source: | Code function: | 0_2_00FF0C21 | |
| Source: | Memory allocated: | Jump to behavior | ||
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Code function: | 0_2_01031201 | |
| Source: | Code function: | 0_2_01012BA5 | |
| Source: | Code function: | 0_2_0103B226 | |
| Source: | Code function: | 0_2_0103E355 | |
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 0_2_01030B62 | |
| Source: | Code function: | 0_2_01031663 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 0_2_00FF0698 | |
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 0_2_01048195 | |
| Source: | Code function: | 0_2_0102D27A | |
| Source: | Code function: | 0_2_0100B952 | |
| Source: | Code function: | 0_2_00FD42DE | |
| Source: | Key value queried: | Jump to behavior | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Code function: | 0_2_01051204 | |
| Source: | Code function: | 0_2_01051806 | |
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 11 Disable or Modify Tools | 21 Input Capture | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | 2 Valid Accounts | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 21 Input Capture | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 2 Valid Accounts | 2 Obfuscated Files or Information | Security Account Manager | 1 File and Directory Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 11 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 21 Access Token Manipulation | 1 DLL Side-Loading | NTDS | 126 System Information Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 212 Process Injection | 1 Masquerading | LSA Secrets | 221 Security Software Discovery | SSH | Keylogging | 12 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Valid Accounts | Cached Domain Credentials | 111 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 111 Virtualization/Sandbox Evasion | DCSync | 2 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 21 Access Token Manipulation | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 212 Process Injection | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 78% | ReversingLabs | Win32.Trojan.AutoitInject | ||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | high | |
| api.ip.sb | unknown | unknown | false | high |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true |
| unknown | |
| true |
| unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 185.222.58.90 | unknown | Netherlands | 51447 | ROOTLAYERNETNL | true |
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1580472 |
| Start date and time: | 2024-12-24 17:16:06 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 3m 30s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 5 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | aYf5ibGObB.exerenamed because original name is a hash value |
| Original Sample Name: | 8a65e4ace5821564817c5f343352474c.exe |
| Detection: | MAL |
| Classification: | mal100.troj.evad.winEXE@4/3@1/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
- Excluded IPs from analysis (whitelisted): 104.26.12.31, 104.26.13.31, 172.67.75.172, 2.16.168.102, 2.16.168.117, 13.107.246.63
- Excluded domains from analysis (whitelisted): api.ip.sb.cdn.cloudflare.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, a767.dspw65.akamai.net, wu-b-net.trafficmanager.net, download.windowsupdate.com.edgesuite.net
- Not all processes where analyzed, report is missing behavior information
- Report size exceeded maximum capacity and may have missing disassembly code.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: aYf5ibGObB.exe
| Time | Type | Description |
|---|---|---|
| 11:17:09 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 185.222.58.90 | Get hash | malicious | RedLine | Browse |
| |
| Get hash | malicious | RedLine | Browse |
| ||
| Get hash | malicious | Ficker Stealer, RedLine | Browse |
| ||
| Get hash | malicious | Ficker Stealer, RedLine | Browse |
| ||
| Get hash | malicious | RedLine | Browse |
| ||
| Get hash | malicious | RedLine | Browse |
| ||
| Get hash | malicious | RedLine | Browse |
| ||
| Get hash | malicious | RedLine | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| s-part-0035.t-0009.t-msedge.net | Get hash | malicious | HTMLPhisher | Browse |
| |
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | Cryptbot | Browse |
| ||
| Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | CobaltStrike | Browse |
| ||
| Get hash | malicious | Clipboard Hijacker, Cryptbot | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Clipboard Hijacker, Cryptbot | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| ROOTLAYERNETNL | Get hash | malicious | RedLine | Browse |
| |
| Get hash | malicious | RedLine | Browse |
| ||
| Get hash | malicious | PureLog Stealer, RedLine | Browse |
| ||
| Get hash | malicious | PureLog Stealer, RedLine | Browse |
| ||
| Get hash | malicious | RedLine | Browse |
| ||
| Get hash | malicious | FormBook, GuLoader | Browse |
| ||
| Get hash | malicious | FormBook, GuLoader | Browse |
| ||
| Get hash | malicious | RedLine | Browse |
| ||
| Get hash | malicious | PureLog Stealer | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
|
⊘No context
⊘No context
| Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 2085 |
| Entropy (8bit): | 5.347800113426864 |
| Encrypted: | false |
| SSDEEP: | 48:MOfHK5HKxHKdHK8THaAHKzecYHKh3oPtHo6nmHKtXooBHKoHzHZHj:vq5qxqdqolqztYqh3oPtI6mq7qoT5D |
| MD5: | C83D97E3320B0B949C583E5BC51FF14B |
| SHA1: | 2E8C65CB1A038AD387F276B3F9B4008887913321 |
| SHA-256: | F30EF7CFC4A0DBDEF388578576D1C58628592A9EB85443574DB1979970C63AE5 |
| SHA-512: | 94671EB75241B67C8F443B1763028F2A2D7B10C6F147C860A6A4B9D19893FF4A2DCAF353ECE7BFF1A803191578B837BA4A0537EF29FAF78185ACAC8E77D1ABE8 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\aYf5ibGObB.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 81044 |
| Entropy (8bit): | 7.926753643425252 |
| Encrypted: | false |
| SSDEEP: | 1536:2sORBvO4m4PF5Es/BAG8nrk1UnVBGa58xklOmJ0Vubey/YHX5FliLEqjsfRHRl:wRs4LEUJ8ncWVsaCkT3CyA3icn |
| MD5: | 3725ED2973882A1880DDD8B6D3DB9353 |
| SHA1: | 3FFF3E0966D9EB5D12C02354E48A5E9D8CF6E78A |
| SHA-256: | 64C90C2EE7E80215463186446A56385368F1F828808C50CE07404671C8A4170E |
| SHA-512: | EA3C338A17ED81BCFA0D186963FEC5B94874C381C32F0EA54211080F9144881B0B961994A6EA09B9E190F880118445DD2139D25EEB5CC47A9B517981EAA9F76A |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\aYf5ibGObB.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 97792 |
| Entropy (8bit): | 7.019638296151846 |
| Encrypted: | false |
| SSDEEP: | 1536:hItUBDiEZ/kptweMfEqR7zR0+0T21/imVR1prUMGU5wJeS7kcIN5WibhweWQY9YX:YcXcqRV1/bVR1pIM95MeS7kcILNhw9x+ |
| MD5: | 696C6B600A8315043F81E59EA0A24071 |
| SHA1: | ABF8C35525C3EC81F6F0B12CA42D5A8A4122D4EF |
| SHA-256: | CA1AA360EAA8790C2265910DE07F179F3312C3567963698535096F0A3201719A |
| SHA-512: | 198CE1757128C6AB18EDD5068D68C7DD57B55F09B66E11335F8ACEFD2EC2E5FE0DC1AE00B857C8FDCBC9B2F7BBBD5956EDC9A9863BB25042EC7D61DC134E614A |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| File type: | |
| Entropy (8bit): | 6.87502459468992 |
| TrID: |
|
| File name: | aYf5ibGObB.exe |
| File size: | 1'058'816 bytes |
| MD5: | 8a65e4ace5821564817c5f343352474c |
| SHA1: | 5921aa00413c8ebcc7f639740e85f0389c8c7e09 |
| SHA256: | aeb46a41343bbbfb2a1fc6b6eec7e60657361be81c61c3adaa11357898a45d4b |
| SHA512: | 9a44c2c1838567b9b1e1280b338a2b5a6eddb0ad7310e078a9a74e3374ba826ba5344b627c3a06fef90da0168fb6d6349954e867ceb09b68de0eca068f11bb28 |
| SSDEEP: | 24576:WqDEvCTbMWu7rQYlBQcBiT6rprG8aNVscHOCWth:WTvC/MTQYxsWR7aNVsfCC |
| TLSH: | 9735AF0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3 |
| File Content Preview: | MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z.... |
 | |
| Icon Hash: | aaf3e3e3938382a0 |
| Entrypoint: | 0x420577 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x67625D89 [Wed Dec 18 05:28:41 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 1 |
| File Version Major: | 5 |
| File Version Minor: | 1 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 1 |
| Import Hash: | 948cc502fe9226992dce9417f952fce3 |
| Instruction |
|---|
| call 00007F909CB24AC3h |
| jmp 00007F909CB243CFh |
| push ebp |
| mov ebp, esp |
| push esi |
| push dword ptr [ebp+08h] |
| mov esi, ecx |
| call 00007F909CB245ADh |
| mov dword ptr [esi], 0049FDF0h |
| mov eax, esi |
| pop esi |
| pop ebp |
| retn 0004h |
| and dword ptr [ecx+04h], 00000000h |
| mov eax, ecx |
| and dword ptr [ecx+08h], 00000000h |
| mov dword ptr [ecx+04h], 0049FDF8h |
| mov dword ptr [ecx], 0049FDF0h |
| ret |
| push ebp |
| mov ebp, esp |
| push esi |
| push dword ptr [ebp+08h] |
| mov esi, ecx |
| call 00007F909CB2457Ah |
| mov dword ptr [esi], 0049FE0Ch |
| mov eax, esi |
| pop esi |
| pop ebp |
| retn 0004h |
| and dword ptr [ecx+04h], 00000000h |
| mov eax, ecx |
| and dword ptr [ecx+08h], 00000000h |
| mov dword ptr [ecx+04h], 0049FE14h |
| mov dword ptr [ecx], 0049FE0Ch |
| ret |
| push ebp |
| mov ebp, esp |
| push esi |
| mov esi, ecx |
| lea eax, dword ptr [esi+04h] |
| mov dword ptr [esi], 0049FDD0h |
| and dword ptr [eax], 00000000h |
| and dword ptr [eax+04h], 00000000h |
| push eax |
| mov eax, dword ptr [ebp+08h] |
| add eax, 04h |
| push eax |
| call 00007F909CB2716Dh |
| pop ecx |
| pop ecx |
| mov eax, esi |
| pop esi |
| pop ebp |
| retn 0004h |
| lea eax, dword ptr [ecx+04h] |
| mov dword ptr [ecx], 0049FDD0h |
| push eax |
| call 00007F909CB271B8h |
| pop ecx |
| ret |
| push ebp |
| mov ebp, esp |
| push esi |
| mov esi, ecx |
| lea eax, dword ptr [esi+04h] |
| mov dword ptr [esi], 0049FDD0h |
| push eax |
| call 00007F909CB271A1h |
| test byte ptr [ebp+08h], 00000001h |
| pop ecx |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc8e64 | 0x17c | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd4000 | 0x2bde8 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x100000 | 0x7594 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb0ff0 | 0x1c | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0xc3400 | 0x18 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb1010 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x9c000 | 0x894 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x9ab1d | 0x9ac00 | 0a1473f3064dcbc32ef93c5c8a90f3a6 | False | 0.565500681542811 | data | 6.668273581389308 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x9c000 | 0x2fb82 | 0x2fc00 | c9cf2468b60bf4f80f136ed54b3989fb | False | 0.35289185209424084 | data | 5.691811547483722 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0xcc000 | 0x706c | 0x4800 | 53b9025d545d65e23295e30afdbd16d9 | False | 0.04356553819444445 | DOS executable (block device driver @\273\) | 0.5846666986982398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0xd4000 | 0x2bde8 | 0x2be00 | 9d3afbedc8b7c2c4b7e413f8d417fb1b | False | 0.8507278311965812 | data | 7.690583180369149 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x100000 | 0x7594 | 0x7600 | c68ee8931a32d45eb82dc450ee40efc3 | False | 0.7628111758474576 | data | 6.7972128181359786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0xd45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216 |
| RT_ICON | 0xd46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027 |
| RT_ICON | 0xd47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135 |
| RT_ICON | 0xd4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333 |
| RT_ICON | 0xd4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5 |
| RT_ICON | 0xd4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388 |
| RT_ICON | 0xd5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524 |
| RT_ICON | 0xd6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918 |
| RT_ICON | 0xd69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727 |
| RT_ICON | 0xd8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496 |
| RT_ICON | 0xda038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227 |
| RT_MENU | 0xda4a0 | 0x50 | data | English | Great Britain | 0.9 |
| RT_STRING | 0xda4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333 |
| RT_STRING | 0xdaa84 | 0x68a | data | English | Great Britain | 0.2735961768219833 |
| RT_STRING | 0xdb110 | 0x490 | data | English | Great Britain | 0.3715753424657534 |
| RT_STRING | 0xdb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282 |
| RT_STRING | 0xdbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336 |
| RT_STRING | 0xdc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698 |
| RT_STRING | 0xdc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186 |
| RT_RCDATA | 0xdc7b8 | 0x230af | data | 1.0003553140349044 | ||
| RT_GROUP_ICON | 0xff868 | 0x76 | data | English | Great Britain | 0.6610169491525424 |
| RT_GROUP_ICON | 0xff8e0 | 0x14 | data | English | Great Britain | 1.25 |
| RT_GROUP_ICON | 0xff8f4 | 0x14 | data | English | Great Britain | 1.15 |
| RT_GROUP_ICON | 0xff908 | 0x14 | data | English | Great Britain | 1.25 |
| RT_VERSION | 0xff91c | 0xdc | data | English | Great Britain | 0.6181818181818182 |
| RT_MANIFEST | 0xff9f8 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823 |
| DLL | Import |
|---|---|
| WSOCK32.dll | gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect |
| VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW |
| WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW |
| COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create |
| MPR.dll | WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W |
| WININET.dll | HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable |
| PSAPI.DLL | GetProcessMemoryInfo |
| IPHLPAPI.DLL | IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile |
| USERENV.dll | DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile |
| UxTheme.dll | IsThemeActive |
| KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW |
| USER32.dll | GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient |
| GDI32.dll | EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath |
| COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW |
| ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW |
| SHELL32.dll | DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW |
| ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket |
| OLEAUT32.dll | CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | Great Britain |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-24T17:16:52.882997+0100 | 2045001 | ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound | 1 | 185.222.58.90 | 55615 | 192.168.2.5 | 49704 | TCP |
| 2024-12-24T17:17:01.664167+0100 | 1800000 | Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect | 1 | 192.168.2.5 | 49704 | 185.222.58.90 | 55615 | TCP |
| 2024-12-24T17:17:01.664167+0100 | 2849662 | ETPRO MALWARE RedLine - CheckConnect Request | 1 | 192.168.2.5 | 49704 | 185.222.58.90 | 55615 | TCP |
| 2024-12-24T17:17:06.914116+0100 | 2045000 | ET MALWARE RedLine Stealer - CheckConnect Response | 1 | 185.222.58.90 | 55615 | 192.168.2.5 | 49704 | TCP |
| 2024-12-24T17:17:07.226745+0100 | 2849351 | ETPRO MALWARE RedLine - EnvironmentSettings Request | 1 | 192.168.2.5 | 49704 | 185.222.58.90 | 55615 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Dec 24, 2024 17:17:00.220318079 CET | 49704 | 55615 | 192.168.2.5 | 185.222.58.90 |
| Dec 24, 2024 17:17:00.340564966 CET | 55615 | 49704 | 185.222.58.90 | 192.168.2.5 |
| Dec 24, 2024 17:17:00.344433069 CET | 49704 | 55615 | 192.168.2.5 | 185.222.58.90 |
| Dec 24, 2024 17:17:00.361663103 CET | 49704 | 55615 | 192.168.2.5 | 185.222.58.90 |
| Dec 24, 2024 17:17:00.481458902 CET | 55615 | 49704 | 185.222.58.90 | 192.168.2.5 |
| Dec 24, 2024 17:17:00.711252928 CET | 49704 | 55615 | 192.168.2.5 | 185.222.58.90 |
| Dec 24, 2024 17:17:00.831367970 CET | 55615 | 49704 | 185.222.58.90 | 192.168.2.5 |
| Dec 24, 2024 17:17:01.617656946 CET | 55615 | 49704 | 185.222.58.90 | 192.168.2.5 |
| Dec 24, 2024 17:17:01.664166927 CET | 49704 | 55615 | 192.168.2.5 | 185.222.58.90 |
| Dec 24, 2024 17:17:06.794298887 CET | 49704 | 55615 | 192.168.2.5 | 185.222.58.90 |
| Dec 24, 2024 17:17:06.794342995 CET | 49704 | 55615 | 192.168.2.5 | 185.222.58.90 |
| Dec 24, 2024 17:17:06.914115906 CET | 55615 | 49704 | 185.222.58.90 | 192.168.2.5 |
| Dec 24, 2024 17:17:06.914385080 CET | 55615 | 49704 | 185.222.58.90 | 192.168.2.5 |
| Dec 24, 2024 17:17:07.184669018 CET | 55615 | 49704 | 185.222.58.90 | 192.168.2.5 |
| Dec 24, 2024 17:17:07.226744890 CET | 49704 | 55615 | 192.168.2.5 | 185.222.58.90 |
| Dec 24, 2024 17:17:07.286967039 CET | 55615 | 49704 | 185.222.58.90 | 192.168.2.5 |
| Dec 24, 2024 17:17:07.286988020 CET | 55615 | 49704 | 185.222.58.90 | 192.168.2.5 |
| Dec 24, 2024 17:17:07.287003994 CET | 55615 | 49704 | 185.222.58.90 | 192.168.2.5 |
| Dec 24, 2024 17:17:07.287081003 CET | 55615 | 49704 | 185.222.58.90 | 192.168.2.5 |
| Dec 24, 2024 17:17:07.287094116 CET | 49704 | 55615 | 192.168.2.5 | 185.222.58.90 |
| Dec 24, 2024 17:17:07.287096024 CET | 55615 | 49704 | 185.222.58.90 | 192.168.2.5 |
| Dec 24, 2024 17:17:07.287122965 CET | 49704 | 55615 | 192.168.2.5 | 185.222.58.90 |
| Dec 24, 2024 17:17:07.336005926 CET | 49704 | 55615 | 192.168.2.5 | 185.222.58.90 |
| Dec 24, 2024 17:17:07.364341974 CET | 55615 | 49704 | 185.222.58.90 | 192.168.2.5 |
| Dec 24, 2024 17:17:07.364362001 CET | 55615 | 49704 | 185.222.58.90 | 192.168.2.5 |
| Dec 24, 2024 17:17:07.364371061 CET | 55615 | 49704 | 185.222.58.90 | 192.168.2.5 |
| Dec 24, 2024 17:17:07.364476919 CET | 55615 | 49704 | 185.222.58.90 | 192.168.2.5 |
| Dec 24, 2024 17:17:07.364564896 CET | 49704 | 55615 | 192.168.2.5 | 185.222.58.90 |
| Dec 24, 2024 17:17:07.364595890 CET | 49704 | 55615 | 192.168.2.5 | 185.222.58.90 |
| Dec 24, 2024 17:17:09.649188042 CET | 49704 | 55615 | 192.168.2.5 | 185.222.58.90 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Dec 24, 2024 17:17:07.400832891 CET | 52010 | 53 | 192.168.2.5 | 1.1.1.1 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Dec 24, 2024 17:17:07.400832891 CET | 192.168.2.5 | 1.1.1.1 | 0x3562 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Dec 24, 2024 17:17:07.540652037 CET | 1.1.1.1 | 192.168.2.5 | 0x3562 | No error (0) | api.ip.sb.cdn.cloudflare.net | CNAME (Canonical name) | IN (0x0001) | false | ||
| Dec 24, 2024 17:17:14.499885082 CET | 1.1.1.1 | 192.168.2.5 | 0x4082 | No error (0) | s-part-0035.t-0009.t-msedge.net | CNAME (Canonical name) | IN (0x0001) | false | ||
| Dec 24, 2024 17:17:14.499885082 CET | 1.1.1.1 | 192.168.2.5 | 0x4082 | No error (0) | 13.107.246.63 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.5 | 49704 | 185.222.58.90 | 55615 | 3596 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Dec 24, 2024 17:17:00.361663103 CET | 240 | OUT | |
| Dec 24, 2024 17:17:01.617656946 CET | 359 | IN | |
| Dec 24, 2024 17:17:06.794298887 CET | 223 | OUT | |
| Dec 24, 2024 17:17:07.184669018 CET | 25 | IN | |
| Dec 24, 2024 17:17:07.286967039 CET | 1236 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 11:16:56 |
| Start date: | 24/12/2024 |
| Path: | C:\Users\user\Desktop\aYf5ibGObB.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xfd0000 |
| File size: | 1'058'816 bytes |
| MD5 hash: | 8A65E4ACE5821564817C5F343352474C |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | true |
| Target ID: | 2 |
| Start time: | 11:16:58 |
| Start date: | 24/12/2024 |
| Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x2b0000 |
| File size: | 45'984 bytes |
| MD5 hash: | 9D352BC46709F0CB5EC974633A0C3C94 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | high |
| Has exited: | true |
| Target ID: | 3 |
| Start time: | 11:16:58 |
| Start date: | 24/12/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6d64d0000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |