Edit tour

Windows Analysis Report
NWzeEUBQ7F.exe

Overview

General Information

Sample name:	NWzeEUBQ7F.exe renamed because original name is a hash value
Original sample name:	eac8d64bfbc083aa74bcf866c9dea7ac.exe
Analysis ID:	1616250
MD5:	eac8d64bfbc083aa74bcf866c9dea7ac
SHA1:	35b212e526376571b475664237a0d9b55810ad9e
SHA256:	5de17a5a924075eff342030dc58fab7443edb2a68c90749f674a5465552d1978
Tags:	exeRedLineStealeruser-abuse_ch
Infos:

Detection

RedLine

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected RedLine Stealer

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Joe Sandbox ML detected suspicious sample

Uses known network protocols on non-standard ports

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

NWzeEUBQ7F.exe (PID: 6596 cmdline: "C:\Users\user\Desktop\NWzeEUBQ7F.exe" MD5: EAC8D64BFBC083AA74BCF866C9DEA7AC)

NWzeEUBQ7F.exe (PID: 6948 cmdline: "C:\Users\user\Desktop\NWzeEUBQ7F.exe" MD5: EAC8D64BFBC083AA74BCF866C9DEA7AC)

conhost.exe (PID: 6224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": ["45.137.22.234:55615"], "Bot Id": "cheat"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.2143761709.0000000003403000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000003.00000002.2142435235.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.2142435235.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000003.00000002.2142435235.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x133ca:$a4: get_ScannedWallets 0x12228:$a5: get_ScanTelegram 0x1304e:$a6: get_ScanGeckoBrowsersPaths 0x10e6a:$a7: <Processes>k__BackingField 0xed7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1079e:$a9: <ScanFTP>k__BackingField
00000000.00000002.2055676867.0000000003469000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2055676867.0000000003469000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.2055676867.0000000003469000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x347fa:$a4: get_ScannedWallets 0x4c61a:$a4: get_ScannedWallets 0x33658:$a5: get_ScanTelegram 0x4b478:$a5: get_ScanTelegram 0x3447e:$a6: get_ScanGeckoBrowsersPaths 0x4c29e:$a6: get_ScanGeckoBrowsersPaths 0x3229a:$a7: <Processes>k__BackingField 0x4a0ba:$a7: <Processes>k__BackingField 0x301ac:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x47fcc:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x31bce:$a9: <ScanFTP>k__BackingField 0x499ee:$a9: <ScanFTP>k__BackingField
00000000.00000002.2055676867.0000000003CC2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2055676867.0000000003CC2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.2055676867.0000000003CC2000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x24cbba:$a4: get_ScannedWallets 0x24ba18:$a5: get_ScanTelegram 0x24c83e:$a6: get_ScanGeckoBrowsersPaths 0x24a65a:$a7: <Processes>k__BackingField 0x24856c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x249f8e:$a9: <ScanFTP>k__BackingField
Process Memory Space: NWzeEUBQ7F.exe PID: 6596	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: NWzeEUBQ7F.exe PID: 6596	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: NWzeEUBQ7F.exe PID: 6596	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: NWzeEUBQ7F.exe PID: 6596	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x1c145:$a4: get_ScannedWallets 0x726b4:$a4: get_ScannedWallets 0x1afec:$a5: get_ScanTelegram 0x7176a:$a5: get_ScanTelegram 0x1bdce:$a6: get_ScanGeckoBrowsersPaths 0x723a7:$a6: get_ScanGeckoBrowsersPaths 0x19c7f:$a7: <Processes>k__BackingField 0x70649:$a7: <Processes>k__BackingField 0x171b2:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x6dc38:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x195b3:$a9: <ScanFTP>k__BackingField 0x6ff7d:$a9: <ScanFTP>k__BackingField
Process Memory Space: NWzeEUBQ7F.exe PID: 6948	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: NWzeEUBQ7F.exe PID: 6948	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: NWzeEUBQ7F.exe PID: 6948	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x6529:$a4: get_ScannedWallets 0x53d0:$a5: get_ScanTelegram 0x61b2:$a6: get_ScanGeckoBrowsersPaths 0x4063:$a7: <Processes>k__BackingField 0x1596:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x3997:$a9: <ScanFTP>k__BackingField
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.NWzeEUBQ7F.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.NWzeEUBQ7F.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
3.2.NWzeEUBQ7F.exe.400000.0.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField
3.2.NWzeEUBQ7F.exe.400000.0.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0x119cb:$gen01: ChromeGetRoamingName 0x119ff:$gen02: ChromeGetLocalName 0x11a28:$gen03: get_UserDomainName 0x13c67:$gen04: get_encrypted_key 0x131e3:$gen05: browserPaths 0x1352b:$gen06: GetBrowsers 0x12e61:$gen07: get_InstalledInputLanguages 0x1064f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x8738:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x9118:$spe6: windows-1251, CommandLine: 0x143bd:$spe9: wallet 0xee0c:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20 0xef07:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0xf264:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0xf371:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0xf4f0:$typ05: 4E3D7F188A5F5102BEC5B820632BBAEC26839E63 0xee98:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0xeec1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0xf05f:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0xf39a:$typ12: EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2 0xf439:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
0.2.NWzeEUBQ7F.exe.34a2050.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.NWzeEUBQ7F.exe.34a2050.3.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
3.2.NWzeEUBQ7F.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165ea:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165cb:$v2_6: GetUpdates
0.2.NWzeEUBQ7F.exe.34a2050.3.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x117ca:$a4: get_ScannedWallets 0x10628:$a5: get_ScanTelegram 0x1144e:$a6: get_ScanGeckoBrowsersPaths 0xf26a:$a7: <Processes>k__BackingField 0xd17c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xeb9e:$a9: <ScanFTP>k__BackingField
0.2.NWzeEUBQ7F.exe.34a2050.3.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0xfbcb:$gen01: ChromeGetRoamingName 0xfbff:$gen02: ChromeGetLocalName 0xfc28:$gen03: get_UserDomainName 0x11e67:$gen04: get_encrypted_key 0x113e3:$gen05: browserPaths 0x1172b:$gen06: GetBrowsers 0x11061:$gen07: get_InstalledInputLanguages 0xe84f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x6938:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x7318:$spe6: windows-1251, CommandLine: 0x125bd:$spe9: wallet 0xd00c:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20 0xd107:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0xd464:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0xd571:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0xd6f0:$typ05: 4E3D7F188A5F5102BEC5B820632BBAEC26839E63 0xd098:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0xd0c1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0xd25f:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0xd59a:$typ12: EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2 0xd639:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
0.2.NWzeEUBQ7F.exe.34a2050.3.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147ea:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147cb:$v2_6: GetUpdates
0.2.NWzeEUBQ7F.exe.348a230.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.NWzeEUBQ7F.exe.348a230.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.NWzeEUBQ7F.exe.348a230.1.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x117ca:$a4: get_ScannedWallets 0x10628:$a5: get_ScanTelegram 0x1144e:$a6: get_ScanGeckoBrowsersPaths 0xf26a:$a7: <Processes>k__BackingField 0xd17c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xeb9e:$a9: <ScanFTP>k__BackingField
0.2.NWzeEUBQ7F.exe.348a230.1.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0xfbcb:$gen01: ChromeGetRoamingName 0xfbff:$gen02: ChromeGetLocalName 0xfc28:$gen03: get_UserDomainName 0x11e67:$gen04: get_encrypted_key 0x113e3:$gen05: browserPaths 0x1172b:$gen06: GetBrowsers 0x11061:$gen07: get_InstalledInputLanguages 0xe84f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x6938:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x7318:$spe6: windows-1251, CommandLine: 0x125bd:$spe9: wallet 0xd00c:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20 0xd107:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0xd464:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0xd571:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0xd6f0:$typ05: 4E3D7F188A5F5102BEC5B820632BBAEC26839E63 0xd098:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0xd0c1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0xd25f:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0xd59a:$typ12: EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2 0xd639:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
0.2.NWzeEUBQ7F.exe.348a230.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147ea:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147cb:$v2_6: GetUpdates
0.2.NWzeEUBQ7F.exe.34a2050.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.NWzeEUBQ7F.exe.34a2050.3.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.NWzeEUBQ7F.exe.34a2050.3.raw.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField
0.2.NWzeEUBQ7F.exe.34a2050.3.raw.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0x119cb:$gen01: ChromeGetRoamingName 0x119ff:$gen02: ChromeGetLocalName 0x11a28:$gen03: get_UserDomainName 0x13c67:$gen04: get_encrypted_key 0x131e3:$gen05: browserPaths 0x1352b:$gen06: GetBrowsers 0x12e61:$gen07: get_InstalledInputLanguages 0x1064f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x8738:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x9118:$spe6: windows-1251, CommandLine: 0x143bd:$spe9: wallet 0xee0c:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20 0xef07:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0xf264:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0xf371:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0xf4f0:$typ05: 4E3D7F188A5F5102BEC5B820632BBAEC26839E63 0xee98:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0xeec1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0xf05f:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0xf39a:$typ12: EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2 0xf439:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
0.2.NWzeEUBQ7F.exe.34a2050.3.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165ea:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165cb:$v2_6: GetUpdates
0.2.NWzeEUBQ7F.exe.3e9f5d0.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.NWzeEUBQ7F.exe.3e9f5d0.2.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.NWzeEUBQ7F.exe.3e9f5d0.2.raw.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x6f5ea:$a4: get_ScannedWallets 0x6e448:$a5: get_ScanTelegram 0x6f26e:$a6: get_ScanGeckoBrowsersPaths 0x6d08a:$a7: <Processes>k__BackingField 0x6af9c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x6c9be:$a9: <ScanFTP>k__BackingField
0.2.NWzeEUBQ7F.exe.3e9f5d0.2.raw.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0x6d9eb:$gen01: ChromeGetRoamingName 0x6da1f:$gen02: ChromeGetLocalName 0x6da48:$gen03: get_UserDomainName 0x6fc87:$gen04: get_encrypted_key 0x6f203:$gen05: browserPaths 0x6f54b:$gen06: GetBrowsers 0x6ee81:$gen07: get_InstalledInputLanguages 0x6c66f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x64758:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x65138:$spe6: windows-1251, CommandLine: 0x703dd:$spe9: wallet 0x6ae2c:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20 0x6af27:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0x6b284:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0x6b391:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0x6b510:$typ05: 4E3D7F188A5F5102BEC5B820632BBAEC26839E63 0x6aeb8:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0x6aee1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0x6b07f:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0x6b3ba:$typ12: EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2 0x6b459:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
0.2.NWzeEUBQ7F.exe.3e9f5d0.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x6c4aa:$u7: RunPE 0x6fb61:$u8: DownloadAndEx 0x65150:$pat14: , CommandLine: 0x6f099:$v2_1: ListOfProcesses 0x6c6ab:$v2_2: get_ScanVPN 0x6c74e:$v2_2: get_ScanFTP 0x6d43e:$v2_2: get_ScanDiscord 0x6e42c:$v2_2: get_ScanSteam 0x6e448:$v2_2: get_ScanTelegram 0x6e4ee:$v2_2: get_ScanScreen 0x6f236:$v2_2: get_ScanChromeBrowsersPaths 0x6f26e:$v2_2: get_ScanGeckoBrowsersPaths 0x6f529:$v2_2: get_ScanBrowsers 0x6f5ea:$v2_2: get_ScannedWallets 0x6f610:$v2_2: get_ScanWallets 0x6f630:$v2_3: GetArguments 0x6dcf9:$v2_4: VerifyUpdate 0x7260a:$v2_4: VerifyUpdate 0x6f9ea:$v2_5: VerifyScanRequest 0x6f0e6:$v2_6: GetUpdates 0x725eb:$v2_6: GetUpdates
0.2.NWzeEUBQ7F.exe.348a230.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.NWzeEUBQ7F.exe.348a230.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.NWzeEUBQ7F.exe.348a230.1.raw.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x2b3ea:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x2a248:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x2b06e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0x28e8a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x26d9c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField 0x287be:$a9: <ScanFTP>k__BackingField
0.2.NWzeEUBQ7F.exe.348a230.1.raw.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0x119cb:$gen01: ChromeGetRoamingName 0x297eb:$gen01: ChromeGetRoamingName 0x119ff:$gen02: ChromeGetLocalName 0x2981f:$gen02: ChromeGetLocalName 0x11a28:$gen03: get_UserDomainName 0x29848:$gen03: get_UserDomainName 0x13c67:$gen04: get_encrypted_key 0x2ba87:$gen04: get_encrypted_key 0x131e3:$gen05: browserPaths 0x2b003:$gen05: browserPaths 0x1352b:$gen06: GetBrowsers 0x2b34b:$gen06: GetBrowsers 0x12e61:$gen07: get_InstalledInputLanguages 0x2ac81:$gen07: get_InstalledInputLanguages 0x1064f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x2846f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x8738:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x20558:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x9118:$spe6: windows-1251, CommandLine: 0x20f38:$spe6: windows-1251, CommandLine: 0x143bd:$spe9: wallet
0.2.NWzeEUBQ7F.exe.348a230.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x282aa:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x2b961:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x20f50:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x2ae99:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x284ab:$v2_2: get_ScanVPN 0x2854e:$v2_2: get_ScanFTP
0.2.NWzeEUBQ7F.exe.3e433b0.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.NWzeEUBQ7F.exe.3e433b0.0.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.NWzeEUBQ7F.exe.3e433b0.0.raw.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0xcb80a:$a4: get_ScannedWallets 0xca668:$a5: get_ScanTelegram 0xcb48e:$a6: get_ScanGeckoBrowsersPaths 0xc92aa:$a7: <Processes>k__BackingField 0xc71bc:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xc8bde:$a9: <ScanFTP>k__BackingField
0.2.NWzeEUBQ7F.exe.3e433b0.0.raw.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0xc9c0b:$gen01: ChromeGetRoamingName 0xc9c3f:$gen02: ChromeGetLocalName 0xc9c68:$gen03: get_UserDomainName 0xcbea7:$gen04: get_encrypted_key 0xcb423:$gen05: browserPaths 0xcb76b:$gen06: GetBrowsers 0xcb0a1:$gen07: get_InstalledInputLanguages 0xc888f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0xc0978:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0xc1358:$spe6: windows-1251, CommandLine: 0xcc5fd:$spe9: wallet 0xc704c:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20 0xc7147:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0xc74a4:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0xc75b1:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0xc7730:$typ05: 4E3D7F188A5F5102BEC5B820632BBAEC26839E63 0xc70d8:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0xc7101:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0xc729f:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0xc75da:$typ12: EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2 0xc7679:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
0.2.NWzeEUBQ7F.exe.3e433b0.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xc86ca:$u7: RunPE 0xcbd81:$u8: DownloadAndEx 0xc1370:$pat14: , CommandLine: 0xcb2b9:$v2_1: ListOfProcesses 0xc88cb:$v2_2: get_ScanVPN 0xc896e:$v2_2: get_ScanFTP 0xc965e:$v2_2: get_ScanDiscord 0xca64c:$v2_2: get_ScanSteam 0xca668:$v2_2: get_ScanTelegram 0xca70e:$v2_2: get_ScanScreen 0xcb456:$v2_2: get_ScanChromeBrowsersPaths 0xcb48e:$v2_2: get_ScanGeckoBrowsersPaths 0xcb749:$v2_2: get_ScanBrowsers 0xcb80a:$v2_2: get_ScannedWallets 0xcb830:$v2_2: get_ScanWallets 0xcb850:$v2_3: GetArguments 0xc9f19:$v2_4: VerifyUpdate 0xce82a:$v2_4: VerifyUpdate 0xcbc0a:$v2_5: VerifyScanRequest 0xcb306:$v2_6: GetUpdates 0xce80b:$v2_6: GetUpdates
Click to see the 30 entries

Suricata Signatures

ET MALWARE RedLine Stealer - CheckConnect Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-16T08:54:13.804745+0100	2045000	1	Malware Command and Control Activity Detected	45.137.22.234	55615	192.168.2.5	49706	TCP

ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-16T08:54:00.749678+0100	2045001	1	Malware Command and Control Activity Detected	45.137.22.234	55615	192.168.2.5	49706	TCP

ETPRO MALWARE RedLine - CheckConnect Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-16T08:54:08.624572+0100	2849662	1	Malware Command and Control Activity Detected	192.168.2.5	49706	45.137.22.234	55615	TCP

ETPRO MALWARE RedLine - EnvironmentSettings Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-16T08:54:14.015254+0100	2849351	1	Malware Command and Control Activity Detected	192.168.2.5	49706	45.137.22.234	55615	TCP

Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-16T08:54:08.624572+0100	1800000	1	Malware Command and Control Activity Detected	192.168.2.5	49706	45.137.22.234	55615	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 3.2.NWzeEUBQ7F.exe.400000.0.unpack

Malware Configuration Extractor: RedLine {"C2 url": ["45.137.22.234:55615"], "Bot Id": "cheat"}

Multi AV Scanner detection for submitted file

Source: NWzeEUBQ7F.exe	ReversingLabs: Detection: 70%
Source: NWzeEUBQ7F.exe	Virustotal: Detection: 37%			Perma Link

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: NWzeEUBQ7F.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 172.67.75.172:443 -> 192.168.2.5:49710 version: TLS 1.0

Source: NWzeEUBQ7F.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.5:49706 -> 45.137.22.234:55615
Source: Network traffic	Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.5:49706 -> 45.137.22.234:55615
Source: Network traffic	Suricata IDS: 2045000 - Severity 1 - ET MALWARE RedLine Stealer - CheckConnect Response : 45.137.22.234:55615 -> 192.168.2.5:49706
Source: Network traffic	Suricata IDS: 2849351 - Severity 1 - ETPRO MALWARE RedLine - EnvironmentSettings Request : 192.168.2.5:49706 -> 45.137.22.234:55615
Source: Network traffic	Suricata IDS: 2045001 - Severity 1 - ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound : 45.137.22.234:55615 -> 192.168.2.5:49706

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 45.137.22.234:55615

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49706

Source: global traffic

TCP traffic: 192.168.2.5:49706 -> 45.137.22.234:55615

Source: global traffic	HTTP traffic detected: GET /geoip HTTP/1.1Host: api.ip.sbConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 45.137.22.234:55615Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"Host: 45.137.22.234:55615Content-Length: 144Expect: 100-continueAccept-Encoding: gzip, deflate

Source: Joe Sandbox View

IP Address: 172.67.75.172 172.67.75.172

Source: Joe Sandbox View

ASN Name: ROOTLAYERNETNL ROOTLAYERNETNL

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown

HTTPS traffic detected: 172.67.75.172:443 -> 192.168.2.5:49710 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.234
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.234
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /geoip HTTP/1.1Host: api.ip.sbConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: api.ip.sb

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 45.137.22.234:55615Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: NWzeEUBQ7F.exe, 00000003.00000002.2143761709.0000000003403000.00000004.00000800.00020000.00000000.sdmp, NWzeEUBQ7F.exe, 00000003.00000002.2143761709.00000000033EF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.137.22.234:55615
Source: NWzeEUBQ7F.exe, 00000003.00000002.2143761709.0000000003351000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.137.22.234:55615/
Source: NWzeEUBQ7F.exe, 00000003.00000002.2143761709.0000000003441000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.ip.sb
Source: NWzeEUBQ7F.exe, 00000003.00000002.2143761709.0000000003441000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.ip.sb.cdn.cloudflare.net
Source: NWzeEUBQ7F.exe, 00000003.00000002.2143761709.0000000003351000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: NWzeEUBQ7F.exe, 00000003.00000002.2143761709.0000000003403000.00000004.00000800.00020000.00000000.sdmp, NWzeEUBQ7F.exe, 00000003.00000002.2143761709.00000000033FC000.00000004.00000800.00020000.00000000.sdmp, NWzeEUBQ7F.exe, 00000003.00000002.2143761709.0000000003351000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: NWzeEUBQ7F.exe, 00000003.00000002.2143761709.0000000003351000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: NWzeEUBQ7F.exe, 00000003.00000002.2143761709.0000000003351000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX
Source: NWzeEUBQ7F.exe, 00000003.00000002.2143761709.0000000003351000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: NWzeEUBQ7F.exe, 00000003.00000002.2143761709.00000000033EF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: NWzeEUBQ7F.exe, 00000003.00000002.2143761709.0000000003403000.00000004.00000800.00020000.00000000.sdmp, NWzeEUBQ7F.exe, 00000003.00000002.2143761709.00000000033FC000.00000004.00000800.00020000.00000000.sdmp, NWzeEUBQ7F.exe, 00000003.00000002.2143761709.0000000003410000.00000004.00000800.00020000.00000000.sdmp, NWzeEUBQ7F.exe, 00000003.00000002.2143761709.0000000003351000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: NWzeEUBQ7F.exe, 00000003.00000002.2143761709.00000000033FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/0
Source: NWzeEUBQ7F.exe, 00000003.00000002.2143761709.0000000003351000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/
Source: NWzeEUBQ7F.exe, 00000003.00000002.2143761709.00000000033EF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
Source: NWzeEUBQ7F.exe, 00000003.00000002.2143761709.0000000003351000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectLR
Source: NWzeEUBQ7F.exe, 00000003.00000002.2143761709.0000000003351000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
Source: NWzeEUBQ7F.exe, 00000003.00000002.2143761709.00000000033EF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectT
Source: NWzeEUBQ7F.exe, 00000003.00000002.2143761709.0000000003403000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
Source: NWzeEUBQ7F.exe, 00000003.00000002.2143761709.0000000003351000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsLR
Source: NWzeEUBQ7F.exe, 00000003.00000002.2143761709.0000000003351000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
Source: NWzeEUBQ7F.exe, 00000003.00000002.2143761709.0000000003351000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesLR
Source: NWzeEUBQ7F.exe, 00000003.00000002.2143761709.0000000003351000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: NWzeEUBQ7F.exe, 00000003.00000002.2143761709.0000000003351000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentLR
Source: NWzeEUBQ7F.exe, 00000003.00000002.2143761709.0000000003351000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
Source: NWzeEUBQ7F.exe, 00000003.00000002.2143761709.0000000003351000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateLR
Source: NWzeEUBQ7F.exe, 00000003.00000002.2143761709.0000000003351000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: NWzeEUBQ7F.exe, 00000003.00000002.2143761709.0000000003410000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb
Source: NWzeEUBQ7F.exe, 00000003.00000002.2143761709.0000000003410000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/geoip
Source: NWzeEUBQ7F.exe, NWzeEUBQ7F.exe, 00000003.00000002.2142435235.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: NWzeEUBQ7F.exe, NWzeEUBQ7F.exe, 00000003.00000002.2142435235.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: NWzeEUBQ7F.exe, NWzeEUBQ7F.exe, 00000003.00000002.2142435235.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/ip%appdata%

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.NWzeEUBQ7F.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 3.2.NWzeEUBQ7F.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 3.2.NWzeEUBQ7F.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.NWzeEUBQ7F.exe.34a2050.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.NWzeEUBQ7F.exe.34a2050.3.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 0.2.NWzeEUBQ7F.exe.34a2050.3.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.NWzeEUBQ7F.exe.348a230.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.NWzeEUBQ7F.exe.348a230.1.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 0.2.NWzeEUBQ7F.exe.348a230.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.NWzeEUBQ7F.exe.34a2050.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.NWzeEUBQ7F.exe.34a2050.3.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 0.2.NWzeEUBQ7F.exe.34a2050.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.NWzeEUBQ7F.exe.3e9f5d0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.NWzeEUBQ7F.exe.3e9f5d0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 0.2.NWzeEUBQ7F.exe.3e9f5d0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.NWzeEUBQ7F.exe.348a230.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.NWzeEUBQ7F.exe.348a230.1.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 0.2.NWzeEUBQ7F.exe.348a230.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.NWzeEUBQ7F.exe.3e433b0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.NWzeEUBQ7F.exe.3e433b0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 0.2.NWzeEUBQ7F.exe.3e433b0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000003.00000002.2142435235.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000000.00000002.2055676867.0000000003469000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000000.00000002.2055676867.0000000003CC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: NWzeEUBQ7F.exe PID: 6596, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: NWzeEUBQ7F.exe PID: 6948, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown

Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Code function: 0_2_009FDC3C	0_2_009FDC3C
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Code function: 3_2_019CE7B0	3_2_019CE7B0
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Code function: 3_2_019CDC90	3_2_019CDC90
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Code function: 3_2_06C79628	3_2_06C79628
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Code function: 3_2_06C74468	3_2_06C74468
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Code function: 3_2_06C71210	3_2_06C71210
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Code function: 3_2_06C73311	3_2_06C73311
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Code function: 3_2_06C7DD00	3_2_06C7DD00
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Code function: 3_2_06C7D108	3_2_06C7D108

Source: NWzeEUBQ7F.exe, 00000000.00000002.2054245595.000000000079E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs NWzeEUBQ7F.exe
Source: NWzeEUBQ7F.exe, 00000000.00000002.2055676867.0000000003469000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs NWzeEUBQ7F.exe
Source: NWzeEUBQ7F.exe, 00000000.00000002.2055279801.0000000002630000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs NWzeEUBQ7F.exe
Source: NWzeEUBQ7F.exe, 00000000.00000002.2055676867.0000000003CC2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs NWzeEUBQ7F.exe
Source: NWzeEUBQ7F.exe, 00000000.00000000.2043602693.00000000001CA000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSyJk.exeD vs NWzeEUBQ7F.exe
Source: NWzeEUBQ7F.exe, 00000000.00000002.2070847420.0000000009C50000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs NWzeEUBQ7F.exe
Source: NWzeEUBQ7F.exe, 00000003.00000002.2142435235.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs NWzeEUBQ7F.exe
Source: NWzeEUBQ7F.exe	Binary or memory string: OriginalFilenameSyJk.exeD vs NWzeEUBQ7F.exe

Source: NWzeEUBQ7F.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 3.2.NWzeEUBQ7F.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 3.2.NWzeEUBQ7F.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 3.2.NWzeEUBQ7F.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.NWzeEUBQ7F.exe.34a2050.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.NWzeEUBQ7F.exe.34a2050.3.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 0.2.NWzeEUBQ7F.exe.34a2050.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.NWzeEUBQ7F.exe.348a230.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.NWzeEUBQ7F.exe.348a230.1.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 0.2.NWzeEUBQ7F.exe.348a230.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.NWzeEUBQ7F.exe.34a2050.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.NWzeEUBQ7F.exe.34a2050.3.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 0.2.NWzeEUBQ7F.exe.34a2050.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.NWzeEUBQ7F.exe.3e9f5d0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.NWzeEUBQ7F.exe.3e9f5d0.2.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 0.2.NWzeEUBQ7F.exe.3e9f5d0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.NWzeEUBQ7F.exe.348a230.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.NWzeEUBQ7F.exe.348a230.1.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 0.2.NWzeEUBQ7F.exe.348a230.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.NWzeEUBQ7F.exe.3e433b0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.NWzeEUBQ7F.exe.3e433b0.0.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 0.2.NWzeEUBQ7F.exe.3e433b0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000003.00000002.2142435235.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000000.00000002.2055676867.0000000003469000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000000.00000002.2055676867.0000000003CC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: NWzeEUBQ7F.exe PID: 6596, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: NWzeEUBQ7F.exe PID: 6948, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23

Source: NWzeEUBQ7F.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.NWzeEUBQ7F.exe.3e433b0.0.raw.unpack, Q34OKbf2V9JB3Qycci.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.NWzeEUBQ7F.exe.3e433b0.0.raw.unpack, Q34OKbf2V9JB3Qycci.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.NWzeEUBQ7F.exe.3e433b0.0.raw.unpack, Q34OKbf2V9JB3Qycci.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.NWzeEUBQ7F.exe.9c50000.5.raw.unpack, Q34OKbf2V9JB3Qycci.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.NWzeEUBQ7F.exe.9c50000.5.raw.unpack, Q34OKbf2V9JB3Qycci.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.NWzeEUBQ7F.exe.9c50000.5.raw.unpack, Q34OKbf2V9JB3Qycci.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.NWzeEUBQ7F.exe.3e9f5d0.2.raw.unpack, Q34OKbf2V9JB3Qycci.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.NWzeEUBQ7F.exe.3e9f5d0.2.raw.unpack, Q34OKbf2V9JB3Qycci.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.NWzeEUBQ7F.exe.3e9f5d0.2.raw.unpack, Q34OKbf2V9JB3Qycci.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.NWzeEUBQ7F.exe.9c50000.5.raw.unpack, qCUdiBnau1qK7r4CFY.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.NWzeEUBQ7F.exe.9c50000.5.raw.unpack, qCUdiBnau1qK7r4CFY.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.NWzeEUBQ7F.exe.3e9f5d0.2.raw.unpack, qCUdiBnau1qK7r4CFY.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.NWzeEUBQ7F.exe.3e9f5d0.2.raw.unpack, qCUdiBnau1qK7r4CFY.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.NWzeEUBQ7F.exe.3e433b0.0.raw.unpack, qCUdiBnau1qK7r4CFY.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.NWzeEUBQ7F.exe.3e433b0.0.raw.unpack, qCUdiBnau1qK7r4CFY.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/1@1/2

Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NWzeEUBQ7F.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6224:120:WilError_03

Source: NWzeEUBQ7F.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: NWzeEUBQ7F.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: NWzeEUBQ7F.exe	ReversingLabs: Detection: 70%
Source: NWzeEUBQ7F.exe	Virustotal: Detection: 37%

Source: unknown	Process created: C:\Users\user\Desktop\NWzeEUBQ7F.exe "C:\Users\user\Desktop\NWzeEUBQ7F.exe"
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process created: C:\Users\user\Desktop\NWzeEUBQ7F.exe "C:\Users\user\Desktop\NWzeEUBQ7F.exe"
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process created: C:\Users\user\Desktop\NWzeEUBQ7F.exe "C:\Users\user\Desktop\NWzeEUBQ7F.exe"	Jump to behavior

Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Section loaded: userenv.dll	Jump to behavior

Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: NWzeEUBQ7F.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: NWzeEUBQ7F.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.NWzeEUBQ7F.exe.9c50000.5.raw.unpack, Q34OKbf2V9JB3Qycci.cs	.Net Code: XmfDEUrOnI System.Reflection.Assembly.Load(byte[])
Source: 0.2.NWzeEUBQ7F.exe.3e9f5d0.2.raw.unpack, Q34OKbf2V9JB3Qycci.cs	.Net Code: XmfDEUrOnI System.Reflection.Assembly.Load(byte[])
Source: 0.2.NWzeEUBQ7F.exe.3e433b0.0.raw.unpack, Q34OKbf2V9JB3Qycci.cs	.Net Code: XmfDEUrOnI System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe

Code function: 3_2_06C71810 push es; ret

3_2_06C71820

Source: NWzeEUBQ7F.exe

Static PE information: section name: .text entropy: 7.739823548561373

Source: 0.2.NWzeEUBQ7F.exe.9c50000.5.raw.unpack, TFryqKyrxWQOPHqCaSA.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'rk7YjDKc1N', 'soaYTGZ4TY', 'nrxYWxNayC', 'idfYG3gKQS', 'Fp2YZE1BjE', 'TqvYaxCwg6', 'QmWY3QcjW2'
Source: 0.2.NWzeEUBQ7F.exe.9c50000.5.raw.unpack, Sm2jPM48AhSiYIjeqb.cs	High entropy of concatenated method names: 'kC1HhlR6g1', 'rNQHuPxCgW', 'qDOHEOdj8q', 'Fl1HqAoFkj', 'daKHKSN89m', 'JESHNp7oB1', 'p7bHiR0G2U', 'oGiHn9QXjt', 'aPiHJSowag', 'qjsHPfAxAR'
Source: 0.2.NWzeEUBQ7F.exe.9c50000.5.raw.unpack, zoTArIDcKT3oP9urIa.cs	High entropy of concatenated method names: 'PAMyHCUdiB', 'Su1yfqK7r4', 'sesy2TVq5B', 'EFcyxA2nDM', 'vuuy91CNrS', 'T3byoAkFIu', 'IaybC2NyBLPSXEKnyj', 'dtnMAD7t4PQBe7WQny', 'PSUyy0iEQV', 'MYJyIaBQJW'
Source: 0.2.NWzeEUBQ7F.exe.9c50000.5.raw.unpack, AZWgtBJesTVq5BJFcA.cs	High entropy of concatenated method names: 'lPqCq2v35k', 'HoUCNGuXek', 'iiACnkip2j', 'kwNCJDOsb2', 'aWDC9pVphG', 'PDaCoRKQBc', 'KqtCMVp7AO', 'IniC0q6O1P', 'Y79CBettUd', 'hU9CYSCXpE'
Source: 0.2.NWzeEUBQ7F.exe.9c50000.5.raw.unpack, LP6CAtmIOs9WIMgJ8V.cs	High entropy of concatenated method names: 'rdq6aNdWSJ', 'jhG63KeFDF', 'cN06VXxhg3', 'ToString', 'VdL61wuJ42', 'FSs6Uy5tuO', 'MWxpEiaJhIb3vs7FIRX', 'wFadNZabVpxZKIl3MDJ', 'IhuVgsaknvbRxrEAySh', 'Vw8IYAaLCfMga5sJano'
Source: 0.2.NWzeEUBQ7F.exe.9c50000.5.raw.unpack, qCUdiBnau1qK7r4CFY.cs	High entropy of concatenated method names: 'PpIsGHPjIe', 'GZIsZkDRmW', 'h0isaVXHyL', 'pbLs387XAb', 'sFAsVBN9j5', 'pmbs1sZqXh', 'Xg1sUwOtpj', 'LU1spSJwaB', 'Jn1s5aZqjy', 'j40svAShnO'
Source: 0.2.NWzeEUBQ7F.exe.9c50000.5.raw.unpack, FB4l9kW2y1kJG1GdpM.cs	High entropy of concatenated method names: 'LlscnCCyxP', 'eDXcJnyp0Z', 'lcEcSWkcTY', 'fB3cd2AtUr', 'ulUcXnRSZT', 'UXycLDfBC3', 'vaDc7KdeWE', 'VVZckGM8Ap', 'jp8cw1ZL4V', 'gI3cj0o8ma'
Source: 0.2.NWzeEUBQ7F.exe.9c50000.5.raw.unpack, SCPvt2eQNe3nJGC18B.cs	High entropy of concatenated method names: 'aNQEvcArG', 'ySUqN522M', 'nAONk0HIh', 'p9mi9aqaI', 'F3eJFxyvg', 'SUXPyQ1Tv', 'Bxm79kxVQfVGXxwe1f', 'tPetJ9iCZKlMAsq3kq', 'Umm0nHL8Z', 'txJYnvkRx'
Source: 0.2.NWzeEUBQ7F.exe.9c50000.5.raw.unpack, Q34OKbf2V9JB3Qycci.cs	High entropy of concatenated method names: 'NbKIRQBAbM', 'IMLIbyhtl6', 'sqxIssxbH2', 't3VIC9pqsT', 'kSJIQXt9rA', 'QldI6gWROO', 'jFyIHRNOl1', 'GjZIfGYsX0', 'QGYIALwCum', 'kE4I2O3rdc'
Source: 0.2.NWzeEUBQ7F.exe.9c50000.5.raw.unpack, JLIwNtsmKhtlC8qMeJ.cs	High entropy of concatenated method names: 'Dispose', 'Kvhy5MNTMm', 'URbedSoWtA', 'KEgdobsUPD', 'fGGyvU04pn', 'rQWyzBHfKB', 'ProcessDialogKey', 'ykUerChEM6', 'y6IeyBgBcm', 'Ob9eelIhc3'
Source: 0.2.NWzeEUBQ7F.exe.9c50000.5.raw.unpack, WTPJsyyeJvKYpY4Qyii.cs	High entropy of concatenated method names: 'ToString', 'CAignoh3Vl', 'E5tgJWT0Ho', 'rblgPlmovZ', 'AAogSy7S1C', 'kL0gd425JB', 'Lw0glJ1EcV', 'L8cgXY962Z', 'Qkrriur77aVYCMo5FHF', 'z3lgVkruvgUIFEpbB0P'
Source: 0.2.NWzeEUBQ7F.exe.9c50000.5.raw.unpack, KjycDEyDC6IJ4A0rDRo.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'YpJ8BDbYU8', 'CUV8Y1PoSt', 'jJe8gK70Iu', 'Jc988lDAay', 'fn28OTmMeH', 'xil8F1AWgr', 'gLv8tbK3aN'
Source: 0.2.NWzeEUBQ7F.exe.9c50000.5.raw.unpack, WChEM65u6IBgBcmjb9.cs	High entropy of concatenated method names: 'bXlBS0SLKq', 'AhrBdxmWvD', 'j5mBln9x59', 'npNBXSDtL1', 'YSTBLvygPU', 'OnDBm3PpNc', 'RWjB7w6f3G', 'PGhBkyIoMu', 'SNYB4rgIJA', 'N1pBwX0iwZ'
Source: 0.2.NWzeEUBQ7F.exe.9c50000.5.raw.unpack, HIhc3ZvE3JnCXAgBN0.cs	High entropy of concatenated method names: 'xs5YCWkp1B', 'MLKYQy7ZG2', 'mGVY61QHSu', 'meZYHDd0p6', 'vBPYBerNTD', 'cNEYfOgg4G', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.NWzeEUBQ7F.exe.9c50000.5.raw.unpack, cUiRVfGJgL7arru56p.cs	High entropy of concatenated method names: 'RiF9wWJTF6', 'hvd9TNr6oN', 'mpS9GefNse', 'EPy9ZFIyXt', 'CQ89dOJwHe', 'Vlf9l2fHtH', 'Le89XNES9c', 'rTt9LEFvTW', 'eu29mtDhuw', 'sgj974w6tq'
Source: 0.2.NWzeEUBQ7F.exe.9c50000.5.raw.unpack, BrSa3bSAkFIu5WcXRN.cs	High entropy of concatenated method names: 'Md36R2iYFo', 'eEV6sVFjwL', 'y0Q6QmIkok', 'O1j6H9UYJU', 'pmj6fiAtjt', 'hutQV9LQpA', 'KX8Q15BeRU', 'ocGQUa0uAC', 'qT2Qp47DJS', 'S1OQ5vZYV3'
Source: 0.2.NWzeEUBQ7F.exe.9c50000.5.raw.unpack, IwvvmMUkpmvhMNTMms.cs	High entropy of concatenated method names: 'PwcB9De2FF', 'zE0BMfagn6', 'p2FBBEWojw', 'OfqBgqnXqO', 'ePtBOyH69G', 'zbaBtD875D', 'Dispose', 'C7V0bY5hkD', 'boW0sVW2oD', 'ta50CTySqT'
Source: 0.2.NWzeEUBQ7F.exe.9c50000.5.raw.unpack, C40ewydlBEnYIQEvDU.cs	High entropy of concatenated method names: 'BHeFdOacp0gBwYjZyIl', 'mfMWoUaYSttRqu0uLR5', 'qfo60os2Ai', 'jmk6BV3CQw', 'VOk6YSbk3f', 'tgwGKRaRZEZxDch572H', 'BbuKZuaVCvq3EYHrp1v'
Source: 0.2.NWzeEUBQ7F.exe.9c50000.5.raw.unpack, qUYFws3BxZxAqcMQEv.cs	High entropy of concatenated method names: 'kW1M2ap40v', 'owbMxOH683', 'ToString', 'dQmMbGZ2B9', 'FSIMsUOaSc', 'sTXMCPb7Aq', 'MhdMQrHjJ2', 't8tM67bqCk', 'WkEMHwykJR', 'X2YMfZfwNQ'
Source: 0.2.NWzeEUBQ7F.exe.9c50000.5.raw.unpack, vJ23joyywpcRLfBqnmH.cs	High entropy of concatenated method names: 'njSYvF36ke', 'lyGYzLgKmg', 'vT0grCVFad', 'hnZgy69lws', 'Ioqge3D4jM', 'AorgIgEM2Y', 'dVcgDGpPQ8', 'yrBgRB4gao', 'umsgbqg0pr', 'IiOgsXSPkd'
Source: 0.2.NWzeEUBQ7F.exe.9c50000.5.raw.unpack, M8poHS1oFTq1kvs7E5.cs	High entropy of concatenated method names: 'c52MpvDm3r', 'qskMvg7GgG', 'bbM0rcPBSa', 'VW70yJ6Hgb', 'mDnMjc81yu', 'epTMTqlxbl', 'VxCMWXZVNd', 'O7ZMGUPo1W', 'KhgMZe3cPv', 'OjVMaLgtZZ'
Source: 0.2.NWzeEUBQ7F.exe.3e9f5d0.2.raw.unpack, TFryqKyrxWQOPHqCaSA.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'rk7YjDKc1N', 'soaYTGZ4TY', 'nrxYWxNayC', 'idfYG3gKQS', 'Fp2YZE1BjE', 'TqvYaxCwg6', 'QmWY3QcjW2'
Source: 0.2.NWzeEUBQ7F.exe.3e9f5d0.2.raw.unpack, Sm2jPM48AhSiYIjeqb.cs	High entropy of concatenated method names: 'kC1HhlR6g1', 'rNQHuPxCgW', 'qDOHEOdj8q', 'Fl1HqAoFkj', 'daKHKSN89m', 'JESHNp7oB1', 'p7bHiR0G2U', 'oGiHn9QXjt', 'aPiHJSowag', 'qjsHPfAxAR'
Source: 0.2.NWzeEUBQ7F.exe.3e9f5d0.2.raw.unpack, zoTArIDcKT3oP9urIa.cs	High entropy of concatenated method names: 'PAMyHCUdiB', 'Su1yfqK7r4', 'sesy2TVq5B', 'EFcyxA2nDM', 'vuuy91CNrS', 'T3byoAkFIu', 'IaybC2NyBLPSXEKnyj', 'dtnMAD7t4PQBe7WQny', 'PSUyy0iEQV', 'MYJyIaBQJW'
Source: 0.2.NWzeEUBQ7F.exe.3e9f5d0.2.raw.unpack, AZWgtBJesTVq5BJFcA.cs	High entropy of concatenated method names: 'lPqCq2v35k', 'HoUCNGuXek', 'iiACnkip2j', 'kwNCJDOsb2', 'aWDC9pVphG', 'PDaCoRKQBc', 'KqtCMVp7AO', 'IniC0q6O1P', 'Y79CBettUd', 'hU9CYSCXpE'
Source: 0.2.NWzeEUBQ7F.exe.3e9f5d0.2.raw.unpack, LP6CAtmIOs9WIMgJ8V.cs	High entropy of concatenated method names: 'rdq6aNdWSJ', 'jhG63KeFDF', 'cN06VXxhg3', 'ToString', 'VdL61wuJ42', 'FSs6Uy5tuO', 'MWxpEiaJhIb3vs7FIRX', 'wFadNZabVpxZKIl3MDJ', 'IhuVgsaknvbRxrEAySh', 'Vw8IYAaLCfMga5sJano'
Source: 0.2.NWzeEUBQ7F.exe.3e9f5d0.2.raw.unpack, qCUdiBnau1qK7r4CFY.cs	High entropy of concatenated method names: 'PpIsGHPjIe', 'GZIsZkDRmW', 'h0isaVXHyL', 'pbLs387XAb', 'sFAsVBN9j5', 'pmbs1sZqXh', 'Xg1sUwOtpj', 'LU1spSJwaB', 'Jn1s5aZqjy', 'j40svAShnO'
Source: 0.2.NWzeEUBQ7F.exe.3e9f5d0.2.raw.unpack, FB4l9kW2y1kJG1GdpM.cs	High entropy of concatenated method names: 'LlscnCCyxP', 'eDXcJnyp0Z', 'lcEcSWkcTY', 'fB3cd2AtUr', 'ulUcXnRSZT', 'UXycLDfBC3', 'vaDc7KdeWE', 'VVZckGM8Ap', 'jp8cw1ZL4V', 'gI3cj0o8ma'
Source: 0.2.NWzeEUBQ7F.exe.3e9f5d0.2.raw.unpack, SCPvt2eQNe3nJGC18B.cs	High entropy of concatenated method names: 'aNQEvcArG', 'ySUqN522M', 'nAONk0HIh', 'p9mi9aqaI', 'F3eJFxyvg', 'SUXPyQ1Tv', 'Bxm79kxVQfVGXxwe1f', 'tPetJ9iCZKlMAsq3kq', 'Umm0nHL8Z', 'txJYnvkRx'
Source: 0.2.NWzeEUBQ7F.exe.3e9f5d0.2.raw.unpack, Q34OKbf2V9JB3Qycci.cs	High entropy of concatenated method names: 'NbKIRQBAbM', 'IMLIbyhtl6', 'sqxIssxbH2', 't3VIC9pqsT', 'kSJIQXt9rA', 'QldI6gWROO', 'jFyIHRNOl1', 'GjZIfGYsX0', 'QGYIALwCum', 'kE4I2O3rdc'
Source: 0.2.NWzeEUBQ7F.exe.3e9f5d0.2.raw.unpack, JLIwNtsmKhtlC8qMeJ.cs	High entropy of concatenated method names: 'Dispose', 'Kvhy5MNTMm', 'URbedSoWtA', 'KEgdobsUPD', 'fGGyvU04pn', 'rQWyzBHfKB', 'ProcessDialogKey', 'ykUerChEM6', 'y6IeyBgBcm', 'Ob9eelIhc3'
Source: 0.2.NWzeEUBQ7F.exe.3e9f5d0.2.raw.unpack, WTPJsyyeJvKYpY4Qyii.cs	High entropy of concatenated method names: 'ToString', 'CAignoh3Vl', 'E5tgJWT0Ho', 'rblgPlmovZ', 'AAogSy7S1C', 'kL0gd425JB', 'Lw0glJ1EcV', 'L8cgXY962Z', 'Qkrriur77aVYCMo5FHF', 'z3lgVkruvgUIFEpbB0P'
Source: 0.2.NWzeEUBQ7F.exe.3e9f5d0.2.raw.unpack, KjycDEyDC6IJ4A0rDRo.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'YpJ8BDbYU8', 'CUV8Y1PoSt', 'jJe8gK70Iu', 'Jc988lDAay', 'fn28OTmMeH', 'xil8F1AWgr', 'gLv8tbK3aN'
Source: 0.2.NWzeEUBQ7F.exe.3e9f5d0.2.raw.unpack, WChEM65u6IBgBcmjb9.cs	High entropy of concatenated method names: 'bXlBS0SLKq', 'AhrBdxmWvD', 'j5mBln9x59', 'npNBXSDtL1', 'YSTBLvygPU', 'OnDBm3PpNc', 'RWjB7w6f3G', 'PGhBkyIoMu', 'SNYB4rgIJA', 'N1pBwX0iwZ'
Source: 0.2.NWzeEUBQ7F.exe.3e9f5d0.2.raw.unpack, HIhc3ZvE3JnCXAgBN0.cs	High entropy of concatenated method names: 'xs5YCWkp1B', 'MLKYQy7ZG2', 'mGVY61QHSu', 'meZYHDd0p6', 'vBPYBerNTD', 'cNEYfOgg4G', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.NWzeEUBQ7F.exe.3e9f5d0.2.raw.unpack, cUiRVfGJgL7arru56p.cs	High entropy of concatenated method names: 'RiF9wWJTF6', 'hvd9TNr6oN', 'mpS9GefNse', 'EPy9ZFIyXt', 'CQ89dOJwHe', 'Vlf9l2fHtH', 'Le89XNES9c', 'rTt9LEFvTW', 'eu29mtDhuw', 'sgj974w6tq'
Source: 0.2.NWzeEUBQ7F.exe.3e9f5d0.2.raw.unpack, BrSa3bSAkFIu5WcXRN.cs	High entropy of concatenated method names: 'Md36R2iYFo', 'eEV6sVFjwL', 'y0Q6QmIkok', 'O1j6H9UYJU', 'pmj6fiAtjt', 'hutQV9LQpA', 'KX8Q15BeRU', 'ocGQUa0uAC', 'qT2Qp47DJS', 'S1OQ5vZYV3'
Source: 0.2.NWzeEUBQ7F.exe.3e9f5d0.2.raw.unpack, IwvvmMUkpmvhMNTMms.cs	High entropy of concatenated method names: 'PwcB9De2FF', 'zE0BMfagn6', 'p2FBBEWojw', 'OfqBgqnXqO', 'ePtBOyH69G', 'zbaBtD875D', 'Dispose', 'C7V0bY5hkD', 'boW0sVW2oD', 'ta50CTySqT'
Source: 0.2.NWzeEUBQ7F.exe.3e9f5d0.2.raw.unpack, C40ewydlBEnYIQEvDU.cs	High entropy of concatenated method names: 'BHeFdOacp0gBwYjZyIl', 'mfMWoUaYSttRqu0uLR5', 'qfo60os2Ai', 'jmk6BV3CQw', 'VOk6YSbk3f', 'tgwGKRaRZEZxDch572H', 'BbuKZuaVCvq3EYHrp1v'
Source: 0.2.NWzeEUBQ7F.exe.3e9f5d0.2.raw.unpack, qUYFws3BxZxAqcMQEv.cs	High entropy of concatenated method names: 'kW1M2ap40v', 'owbMxOH683', 'ToString', 'dQmMbGZ2B9', 'FSIMsUOaSc', 'sTXMCPb7Aq', 'MhdMQrHjJ2', 't8tM67bqCk', 'WkEMHwykJR', 'X2YMfZfwNQ'
Source: 0.2.NWzeEUBQ7F.exe.3e9f5d0.2.raw.unpack, vJ23joyywpcRLfBqnmH.cs	High entropy of concatenated method names: 'njSYvF36ke', 'lyGYzLgKmg', 'vT0grCVFad', 'hnZgy69lws', 'Ioqge3D4jM', 'AorgIgEM2Y', 'dVcgDGpPQ8', 'yrBgRB4gao', 'umsgbqg0pr', 'IiOgsXSPkd'
Source: 0.2.NWzeEUBQ7F.exe.3e9f5d0.2.raw.unpack, M8poHS1oFTq1kvs7E5.cs	High entropy of concatenated method names: 'c52MpvDm3r', 'qskMvg7GgG', 'bbM0rcPBSa', 'VW70yJ6Hgb', 'mDnMjc81yu', 'epTMTqlxbl', 'VxCMWXZVNd', 'O7ZMGUPo1W', 'KhgMZe3cPv', 'OjVMaLgtZZ'
Source: 0.2.NWzeEUBQ7F.exe.3e433b0.0.raw.unpack, TFryqKyrxWQOPHqCaSA.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'rk7YjDKc1N', 'soaYTGZ4TY', 'nrxYWxNayC', 'idfYG3gKQS', 'Fp2YZE1BjE', 'TqvYaxCwg6', 'QmWY3QcjW2'
Source: 0.2.NWzeEUBQ7F.exe.3e433b0.0.raw.unpack, Sm2jPM48AhSiYIjeqb.cs	High entropy of concatenated method names: 'kC1HhlR6g1', 'rNQHuPxCgW', 'qDOHEOdj8q', 'Fl1HqAoFkj', 'daKHKSN89m', 'JESHNp7oB1', 'p7bHiR0G2U', 'oGiHn9QXjt', 'aPiHJSowag', 'qjsHPfAxAR'
Source: 0.2.NWzeEUBQ7F.exe.3e433b0.0.raw.unpack, zoTArIDcKT3oP9urIa.cs	High entropy of concatenated method names: 'PAMyHCUdiB', 'Su1yfqK7r4', 'sesy2TVq5B', 'EFcyxA2nDM', 'vuuy91CNrS', 'T3byoAkFIu', 'IaybC2NyBLPSXEKnyj', 'dtnMAD7t4PQBe7WQny', 'PSUyy0iEQV', 'MYJyIaBQJW'
Source: 0.2.NWzeEUBQ7F.exe.3e433b0.0.raw.unpack, AZWgtBJesTVq5BJFcA.cs	High entropy of concatenated method names: 'lPqCq2v35k', 'HoUCNGuXek', 'iiACnkip2j', 'kwNCJDOsb2', 'aWDC9pVphG', 'PDaCoRKQBc', 'KqtCMVp7AO', 'IniC0q6O1P', 'Y79CBettUd', 'hU9CYSCXpE'
Source: 0.2.NWzeEUBQ7F.exe.3e433b0.0.raw.unpack, LP6CAtmIOs9WIMgJ8V.cs	High entropy of concatenated method names: 'rdq6aNdWSJ', 'jhG63KeFDF', 'cN06VXxhg3', 'ToString', 'VdL61wuJ42', 'FSs6Uy5tuO', 'MWxpEiaJhIb3vs7FIRX', 'wFadNZabVpxZKIl3MDJ', 'IhuVgsaknvbRxrEAySh', 'Vw8IYAaLCfMga5sJano'
Source: 0.2.NWzeEUBQ7F.exe.3e433b0.0.raw.unpack, qCUdiBnau1qK7r4CFY.cs	High entropy of concatenated method names: 'PpIsGHPjIe', 'GZIsZkDRmW', 'h0isaVXHyL', 'pbLs387XAb', 'sFAsVBN9j5', 'pmbs1sZqXh', 'Xg1sUwOtpj', 'LU1spSJwaB', 'Jn1s5aZqjy', 'j40svAShnO'
Source: 0.2.NWzeEUBQ7F.exe.3e433b0.0.raw.unpack, FB4l9kW2y1kJG1GdpM.cs	High entropy of concatenated method names: 'LlscnCCyxP', 'eDXcJnyp0Z', 'lcEcSWkcTY', 'fB3cd2AtUr', 'ulUcXnRSZT', 'UXycLDfBC3', 'vaDc7KdeWE', 'VVZckGM8Ap', 'jp8cw1ZL4V', 'gI3cj0o8ma'
Source: 0.2.NWzeEUBQ7F.exe.3e433b0.0.raw.unpack, SCPvt2eQNe3nJGC18B.cs	High entropy of concatenated method names: 'aNQEvcArG', 'ySUqN522M', 'nAONk0HIh', 'p9mi9aqaI', 'F3eJFxyvg', 'SUXPyQ1Tv', 'Bxm79kxVQfVGXxwe1f', 'tPetJ9iCZKlMAsq3kq', 'Umm0nHL8Z', 'txJYnvkRx'
Source: 0.2.NWzeEUBQ7F.exe.3e433b0.0.raw.unpack, Q34OKbf2V9JB3Qycci.cs	High entropy of concatenated method names: 'NbKIRQBAbM', 'IMLIbyhtl6', 'sqxIssxbH2', 't3VIC9pqsT', 'kSJIQXt9rA', 'QldI6gWROO', 'jFyIHRNOl1', 'GjZIfGYsX0', 'QGYIALwCum', 'kE4I2O3rdc'
Source: 0.2.NWzeEUBQ7F.exe.3e433b0.0.raw.unpack, JLIwNtsmKhtlC8qMeJ.cs	High entropy of concatenated method names: 'Dispose', 'Kvhy5MNTMm', 'URbedSoWtA', 'KEgdobsUPD', 'fGGyvU04pn', 'rQWyzBHfKB', 'ProcessDialogKey', 'ykUerChEM6', 'y6IeyBgBcm', 'Ob9eelIhc3'
Source: 0.2.NWzeEUBQ7F.exe.3e433b0.0.raw.unpack, WTPJsyyeJvKYpY4Qyii.cs	High entropy of concatenated method names: 'ToString', 'CAignoh3Vl', 'E5tgJWT0Ho', 'rblgPlmovZ', 'AAogSy7S1C', 'kL0gd425JB', 'Lw0glJ1EcV', 'L8cgXY962Z', 'Qkrriur77aVYCMo5FHF', 'z3lgVkruvgUIFEpbB0P'
Source: 0.2.NWzeEUBQ7F.exe.3e433b0.0.raw.unpack, KjycDEyDC6IJ4A0rDRo.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'YpJ8BDbYU8', 'CUV8Y1PoSt', 'jJe8gK70Iu', 'Jc988lDAay', 'fn28OTmMeH', 'xil8F1AWgr', 'gLv8tbK3aN'
Source: 0.2.NWzeEUBQ7F.exe.3e433b0.0.raw.unpack, WChEM65u6IBgBcmjb9.cs	High entropy of concatenated method names: 'bXlBS0SLKq', 'AhrBdxmWvD', 'j5mBln9x59', 'npNBXSDtL1', 'YSTBLvygPU', 'OnDBm3PpNc', 'RWjB7w6f3G', 'PGhBkyIoMu', 'SNYB4rgIJA', 'N1pBwX0iwZ'
Source: 0.2.NWzeEUBQ7F.exe.3e433b0.0.raw.unpack, HIhc3ZvE3JnCXAgBN0.cs	High entropy of concatenated method names: 'xs5YCWkp1B', 'MLKYQy7ZG2', 'mGVY61QHSu', 'meZYHDd0p6', 'vBPYBerNTD', 'cNEYfOgg4G', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.NWzeEUBQ7F.exe.3e433b0.0.raw.unpack, cUiRVfGJgL7arru56p.cs	High entropy of concatenated method names: 'RiF9wWJTF6', 'hvd9TNr6oN', 'mpS9GefNse', 'EPy9ZFIyXt', 'CQ89dOJwHe', 'Vlf9l2fHtH', 'Le89XNES9c', 'rTt9LEFvTW', 'eu29mtDhuw', 'sgj974w6tq'
Source: 0.2.NWzeEUBQ7F.exe.3e433b0.0.raw.unpack, BrSa3bSAkFIu5WcXRN.cs	High entropy of concatenated method names: 'Md36R2iYFo', 'eEV6sVFjwL', 'y0Q6QmIkok', 'O1j6H9UYJU', 'pmj6fiAtjt', 'hutQV9LQpA', 'KX8Q15BeRU', 'ocGQUa0uAC', 'qT2Qp47DJS', 'S1OQ5vZYV3'
Source: 0.2.NWzeEUBQ7F.exe.3e433b0.0.raw.unpack, IwvvmMUkpmvhMNTMms.cs	High entropy of concatenated method names: 'PwcB9De2FF', 'zE0BMfagn6', 'p2FBBEWojw', 'OfqBgqnXqO', 'ePtBOyH69G', 'zbaBtD875D', 'Dispose', 'C7V0bY5hkD', 'boW0sVW2oD', 'ta50CTySqT'
Source: 0.2.NWzeEUBQ7F.exe.3e433b0.0.raw.unpack, C40ewydlBEnYIQEvDU.cs	High entropy of concatenated method names: 'BHeFdOacp0gBwYjZyIl', 'mfMWoUaYSttRqu0uLR5', 'qfo60os2Ai', 'jmk6BV3CQw', 'VOk6YSbk3f', 'tgwGKRaRZEZxDch572H', 'BbuKZuaVCvq3EYHrp1v'
Source: 0.2.NWzeEUBQ7F.exe.3e433b0.0.raw.unpack, qUYFws3BxZxAqcMQEv.cs	High entropy of concatenated method names: 'kW1M2ap40v', 'owbMxOH683', 'ToString', 'dQmMbGZ2B9', 'FSIMsUOaSc', 'sTXMCPb7Aq', 'MhdMQrHjJ2', 't8tM67bqCk', 'WkEMHwykJR', 'X2YMfZfwNQ'
Source: 0.2.NWzeEUBQ7F.exe.3e433b0.0.raw.unpack, vJ23joyywpcRLfBqnmH.cs	High entropy of concatenated method names: 'njSYvF36ke', 'lyGYzLgKmg', 'vT0grCVFad', 'hnZgy69lws', 'Ioqge3D4jM', 'AorgIgEM2Y', 'dVcgDGpPQ8', 'yrBgRB4gao', 'umsgbqg0pr', 'IiOgsXSPkd'
Source: 0.2.NWzeEUBQ7F.exe.3e433b0.0.raw.unpack, M8poHS1oFTq1kvs7E5.cs	High entropy of concatenated method names: 'c52MpvDm3r', 'qskMvg7GgG', 'bbM0rcPBSa', 'VW70yJ6Hgb', 'mDnMjc81yu', 'epTMTqlxbl', 'VxCMWXZVNd', 'O7ZMGUPo1W', 'KhgMZe3cPv', 'OjVMaLgtZZ'

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49706

Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: NWzeEUBQ7F.exe PID: 6596, type: MEMORYSTR

Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Memory allocated: 9D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Memory allocated: 2460000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Memory allocated: 4460000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Memory allocated: 7640000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Memory allocated: 8640000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Memory allocated: 8800000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Memory allocated: 9800000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Memory allocated: 9CB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Memory allocated: ACB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Memory allocated: BCB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Memory allocated: 19C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Memory allocated: 3350000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Memory allocated: 5350000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe TID: 1520	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe TID: 1220	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe TID: 2352	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe TID: 4148	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: NWzeEUBQ7F.exe, 00000003.00000002.2142663308.00000000014F2000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe

Process created: C:\Users\user\Desktop\NWzeEUBQ7F.exe "C:\Users\user\Desktop\NWzeEUBQ7F.exe"

Jump to behavior

Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Queries volume information: C:\Users\user\Desktop\NWzeEUBQ7F.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Queries volume information: C:\Users\user\Desktop\NWzeEUBQ7F.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\NWzeEUBQ7F.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 3.2.NWzeEUBQ7F.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NWzeEUBQ7F.exe.34a2050.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NWzeEUBQ7F.exe.348a230.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NWzeEUBQ7F.exe.34a2050.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NWzeEUBQ7F.exe.3e9f5d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NWzeEUBQ7F.exe.348a230.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NWzeEUBQ7F.exe.3e433b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2143761709.0000000003403000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2142435235.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2055676867.0000000003469000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2055676867.0000000003CC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NWzeEUBQ7F.exe PID: 6596, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NWzeEUBQ7F.exe PID: 6948, type: MEMORYSTR

Source: Yara match	File source: 3.2.NWzeEUBQ7F.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NWzeEUBQ7F.exe.34a2050.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NWzeEUBQ7F.exe.348a230.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NWzeEUBQ7F.exe.34a2050.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NWzeEUBQ7F.exe.3e9f5d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NWzeEUBQ7F.exe.348a230.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NWzeEUBQ7F.exe.3e433b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2142435235.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2055676867.0000000003469000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2055676867.0000000003CC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NWzeEUBQ7F.exe PID: 6596, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NWzeEUBQ7F.exe PID: 6948, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 3.2.NWzeEUBQ7F.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NWzeEUBQ7F.exe.34a2050.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NWzeEUBQ7F.exe.348a230.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NWzeEUBQ7F.exe.34a2050.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NWzeEUBQ7F.exe.3e9f5d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NWzeEUBQ7F.exe.348a230.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NWzeEUBQ7F.exe.3e433b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2143761709.0000000003403000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2142435235.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2055676867.0000000003469000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2055676867.0000000003CC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NWzeEUBQ7F.exe PID: 6596, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NWzeEUBQ7F.exe PID: 6948, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	11 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
NWzeEUBQ7F.exe	70%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
NWzeEUBQ7F.exe	38%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://45.137.22.234:55615	0%	Avira URL Cloud	safe
http://45.137.22.234:55615/	0%	Avira URL Cloud	safe
45.137.22.234:55615	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ip.sb.cdn.cloudflare.net	172.67.75.172	true	false		high
api.ip.sb	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://45.137.22.234:55615/	true	Avira URL Cloud: safe	unknown
https://api.ip.sb/geoip	false		high
45.137.22.234:55615	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ipinfo.io/ip%appdata%	NWzeEUBQ7F.exe, NWzeEUBQ7F.exe, 00000003.00000002.2142435235.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://api.ip.sb	NWzeEUBQ7F.exe, 00000003.00000002.2143761709.0000000003441000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/CheckConnectLR	NWzeEUBQ7F.exe, 00000003.00000002.2143761709.0000000003351000.00000004.00000800.00020000.00000000.sdmp	false		high
http://45.137.22.234:55615	NWzeEUBQ7F.exe, 00000003.00000002.2143761709.0000000003403000.00000004.00000800.00020000.00000000.sdmp, NWzeEUBQ7F.exe, 00000003.00000002.2143761709.00000000033EF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	NWzeEUBQ7F.exe, 00000003.00000002.2143761709.0000000003351000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/CheckConnectResponse	NWzeEUBQ7F.exe, 00000003.00000002.2143761709.0000000003351000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX	NWzeEUBQ7F.exe, 00000003.00000002.2143761709.0000000003351000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/EnvironmentSettings	NWzeEUBQ7F.exe, 00000003.00000002.2143761709.0000000003403000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ip.sb/geoip%USERPEnvironmentROFILE%	NWzeEUBQ7F.exe, NWzeEUBQ7F.exe, 00000003.00000002.2142435235.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
https://api.ip.sb	NWzeEUBQ7F.exe, 00000003.00000002.2143761709.0000000003410000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/envelope/	NWzeEUBQ7F.exe, 00000003.00000002.2143761709.0000000003403000.00000004.00000800.00020000.00000000.sdmp, NWzeEUBQ7F.exe, 00000003.00000002.2143761709.00000000033FC000.00000004.00000800.00020000.00000000.sdmp, NWzeEUBQ7F.exe, 00000003.00000002.2143761709.0000000003351000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/	NWzeEUBQ7F.exe, 00000003.00000002.2143761709.0000000003403000.00000004.00000800.00020000.00000000.sdmp, NWzeEUBQ7F.exe, 00000003.00000002.2143761709.00000000033FC000.00000004.00000800.00020000.00000000.sdmp, NWzeEUBQ7F.exe, 00000003.00000002.2143761709.0000000003410000.00000004.00000800.00020000.00000000.sdmp, NWzeEUBQ7F.exe, 00000003.00000002.2143761709.0000000003351000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/CheckConnect	NWzeEUBQ7F.exe, 00000003.00000002.2143761709.00000000033EF000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/EnvironmentSettingsLR	NWzeEUBQ7F.exe, 00000003.00000002.2143761709.0000000003351000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/VerifyUpdateResponse	NWzeEUBQ7F.exe, 00000003.00000002.2143761709.0000000003351000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/SetEnvironmentResponse	NWzeEUBQ7F.exe, 00000003.00000002.2143761709.0000000003351000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/SetEnvironmentLR	NWzeEUBQ7F.exe, 00000003.00000002.2143761709.0000000003351000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.orgcookies//settinString.Removeg	NWzeEUBQ7F.exe, NWzeEUBQ7F.exe, 00000003.00000002.2142435235.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing	NWzeEUBQ7F.exe, 00000003.00000002.2143761709.0000000003351000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/GetUpdatesLR	NWzeEUBQ7F.exe, 00000003.00000002.2143761709.0000000003351000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/VerifyUpdateLR	NWzeEUBQ7F.exe, 00000003.00000002.2143761709.0000000003351000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/GetUpdatesResponse	NWzeEUBQ7F.exe, 00000003.00000002.2143761709.0000000003351000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/	NWzeEUBQ7F.exe, 00000003.00000002.2143761709.0000000003351000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/EnvironmentSettingsResponse	NWzeEUBQ7F.exe, 00000003.00000002.2143761709.0000000003351000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/CheckConnectT	NWzeEUBQ7F.exe, 00000003.00000002.2143761709.00000000033EF000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/0	NWzeEUBQ7F.exe, 00000003.00000002.2143761709.00000000033FC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	NWzeEUBQ7F.exe, 00000003.00000002.2143761709.00000000033EF000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/actor/next	NWzeEUBQ7F.exe, 00000003.00000002.2143761709.0000000003351000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.75.172	api.ip.sb.cdn.cloudflare.net	United States		13335	CLOUDFLARENETUS	false
45.137.22.234	unknown	Netherlands		51447	ROOTLAYERNETNL	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1616250
Start date and time:	2025-02-16 08:53:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	NWzeEUBQ7F.exe renamed because original name is a hash value
Original Sample Name:	eac8d64bfbc083aa74bcf866c9dea7ac.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@4/1@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 28 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 2.19.106.160, 52.149.20.212, 13.107.246.45
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:54:05	API Interceptor	3x Sleep call for process: NWzeEUBQ7F.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.75.172	https://je.engl6.shop/webro-DPD-notificare/	Get hash	malicious	Unknown	Browse
	https://tt.vg/notificareDPD02	Get hash	malicious	Unknown	Browse
	random.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, RedLine, Stealc, Vidar	Browse
	random.exe	Get hash	malicious	RedLine	Browse
	lzUfwE2sh3.exe	Get hash	malicious	RedLine	Browse
	xI0ubnUcsV.exe	Get hash	malicious	RedLine	Browse
	VXB84UvyHp.exe	Get hash	malicious	RedLine	Browse
	http://www.fcc-movil.com/80th/enphem1sX2F0dG9ybmV5YXpAZmQub3Jn	Get hash	malicious	Phisher	Browse
	https://bityl.co/Rdhj#MmpKcFFEVVI2TVllaWsyVHoxbTVjNVQ2OFJkV0I2UW53emdGdFlabWtLYlFDd3ZmMjIydmh0VVc3SEJnZUNkeG11THhoRWM4cS95OXhmejFJQXRJWlE9PQ__	Get hash	malicious	Phisher	Browse
	https://www.popisoft.com	Get hash	malicious	Unknown	Browse
45.137.22.234	A18OkaGxHz.exe	Get hash	malicious	RedLine	Browse	45.137.22.234:55615/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ip.sb.cdn.cloudflare.net	A18OkaGxHz.exe	Get hash	malicious	RedLine	Browse	104.26.12.31
	Uv4EriqDCj.exe	Get hash	malicious	RedLine	Browse	104.26.12.31
	nePPsHIZ1m.exe	Get hash	malicious	RedLine	Browse	104.26.13.31
	CxfUzjqyxz.exe	Get hash	malicious	RedLine	Browse	104.26.13.31
	1w5RpHuliE.exe	Get hash	malicious	Amadey, GCleaner, LummaC Stealer, PureLog Stealer, RedLine, SmokeLoader, Vidar	Browse	172.67.75.172
	SecuriteInfo.com.Win32.Evo-gen.12305.7160.exe	Get hash	malicious	RedLine	Browse	104.26.13.31
	rH3TpuMpZn.exe	Get hash	malicious	ScreenConnect Tool, Amadey, LummaC Stealer, PureLog Stealer, Quasar, RedLine, Vidar	Browse	104.26.12.31
	Ryay9q4aDy.exe	Get hash	malicious	ScreenConnect Tool, Amadey, LummaC Stealer, RedLine	Browse	104.26.13.31
	random.exe	Get hash	malicious	RedLine	Browse	104.26.12.31
	random.exe	Get hash	malicious	Amadey, Credential Flusher, GCleaner, KeyLogger, LummaC Stealer, PureLog Stealer, RedLine	Browse	104.26.13.31

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	TIu0E8HsCn.dll	Get hash	malicious	CobaltStrike, Metasploit	Browse	104.21.54.32
	Hilix.ppc.elf	Get hash	malicious	Mirai	Browse	104.29.132.182
	Gx7.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.18.220
	lum.ps1	Get hash	malicious	LummaC Stealer	Browse	104.21.23.85
	mma.ps1	Get hash	malicious	LummaC Stealer	Browse	104.21.23.85
	8GOnV6VJZG.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.21.33.71
	http://1115928.wcomhost.com/KIWI/12/paiement.php	Get hash	malicious	Unknown	Browse	104.17.25.14
	http://web-dappconnect.pages.dev/js/js/web3.js	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	https://cdn.trytraffics.com/rdr/YWE9Mzc3ODkzNjY1JnNlaT0zMDUwNzYxMCZ0az0wVkhsaWhMRklaWTFYbzh2VlZDeiZ0PTUmYz05MGFzODc2ZmQ4OWFzNWZnOGEwOXM=	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://cdn.trytraffics.com/rdr/YWE9Mzc3ODkzNTA5JnNlaT0zMDU1ODkwNiZ0az1FUm5PTlVjblRUSUZTYk0wVnlkeSZ0PTUmYz05MGFzODc2ZmQ4OWFzNWZnOGEwOXM=	Get hash	malicious	Unknown	Browse	188.114.97.3
ROOTLAYERNETNL	A18OkaGxHz.exe	Get hash	malicious	RedLine	Browse	45.137.22.234
	Uv4EriqDCj.exe	Get hash	malicious	RedLine	Browse	185.222.58.36
	nePPsHIZ1m.exe	Get hash	malicious	RedLine	Browse	45.137.22.165
	3WSFIhTu1M.exe	Get hash	malicious	RedLine	Browse	185.222.58.254
	qJ64p5G1XJ.exe	Get hash	malicious	RedLine	Browse	45.137.22.227
	chTJmCR9bS.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	185.222.57.84
	RFQ.exe	Get hash	malicious	Quasar, PureLog Stealer	Browse	185.222.57.67
	p0GiAimtNm.exe	Get hash	malicious	RedLine	Browse	185.222.58.237
	nzLoHpgAln.exe	Get hash	malicious	RedLine	Browse	185.222.57.76
	ljMiHZ8MwZ.exe	Get hash	malicious	RedLine	Browse	45.137.22.250

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	rPO_9077364653BBG.cmd	Get hash	malicious	DBatLoader, Snake Keylogger, VIP Keylogger	Browse	172.67.75.172
	A18OkaGxHz.exe	Get hash	malicious	RedLine	Browse	172.67.75.172
	LEC3KQZZqZ	Get hash	malicious	Unknown	Browse	172.67.75.172
	FGfFsID8ug.exe	Get hash	malicious	Unknown	Browse	172.67.75.172
	Uv4EriqDCj.exe	Get hash	malicious	RedLine	Browse	172.67.75.172
	Justificante67ab404ffe31b359e00a499e656454545.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	172.67.75.172
	PO1302202500018273645.exe	Get hash	malicious	GuLoader	Browse	172.67.75.172
	000999374847565342.exe	Get hash	malicious	GuLoader	Browse	172.67.75.172
	nePPsHIZ1m.exe	Get hash	malicious	RedLine	Browse	172.67.75.172
	SPECIFICATIONS112025.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.75.172

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NWzeEUBQ7F.exe.log

Download File

Process:	C:\Users\user\Desktop\NWzeEUBQ7F.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.734521295945995
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	NWzeEUBQ7F.exe
File size:	689'664 bytes
MD5:	eac8d64bfbc083aa74bcf866c9dea7ac
SHA1:	35b212e526376571b475664237a0d9b55810ad9e
SHA256:	5de17a5a924075eff342030dc58fab7443edb2a68c90749f674a5465552d1978
SHA512:	ac91135c1244ee8d4db77a04b9e2544eb1b3511935480881d3b91e751723d7f46308df579831d8651fc8d59938d3c85b8eb5cb421c2beb8cf95700e99c9384b4
SSDEEP:	12288:FcvVY6ao4/7xefpM4gwzzsCCB4sQqF8oDfArJPobxrJ+AS74kP:6vVJutehqUzzsQE8MfiotMA0
TLSH:	9BE4E1C43B26A71ACD6529309A35EEB553A80DBCB100B9E36FD93B57B9EC2115E0CF05
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g..............0..h............... ........@.. ....................................`................................

File Icon


Icon Hash:	1bb3b3b3b3d389b3

Static PE Info

General

Entrypoint:	0x4a86fa
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67AC2EE5 [Wed Feb 12 05:17:25 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa86a8	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xaa000	0x19a0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xac000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa6700	0xa6800	d858021c3e66624370dd1d4c60b07ac3	False	0.9047133070570571	data	7.739823548561373	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xaa000	0x19a0	0x1a00	195a507551a72bee384b6fc74fbb5ac5	False	0.7932692307692307	data	7.185676021545843	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xac000	0xc	0x200	619b52948ae90a6f5e6cefb283c06bd6	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xaa118	0x151a	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.8863383931877082
RT_GROUP_ICON	0xab634	0x14	data	0.9
RT_GROUP_ICON	0xab648	0x14	data	1.05
RT_VERSION	0xab65c	0x342	data	0.42565947242206237

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
Comments	Baking Management
CompanyName	Microsoft
FileDescription
FileVersion	36.1.0.0
InternalName	SyJk.exe
LegalCopyright	Microsoft 2025
LegalTrademarks
OriginalFilename	SyJk.exe
ProductName	Baking Management
ProductVersion	36.1.0.0
Assembly Version	36.1.0.0

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-02-16T08:54:00.749678+0100	2045001	ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound	1	45.137.22.234	55615	192.168.2.5	49706	TCP
2025-02-16T08:54:08.624572+0100	1800000	Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect	1	192.168.2.5	49706	45.137.22.234	55615	TCP
2025-02-16T08:54:08.624572+0100	2849662	ETPRO MALWARE RedLine - CheckConnect Request	1	192.168.2.5	49706	45.137.22.234	55615	TCP
2025-02-16T08:54:13.804745+0100	2045000	ET MALWARE RedLine Stealer - CheckConnect Response	1	45.137.22.234	55615	192.168.2.5	49706	TCP
2025-02-16T08:54:14.015254+0100	2849351	ETPRO MALWARE RedLine - EnvironmentSettings Request	1	192.168.2.5	49706	45.137.22.234	55615	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 16, 2025 08:54:07.950368881 CET	49706	55615	192.168.2.5	45.137.22.234
Feb 16, 2025 08:54:07.955378056 CET	55615	49706	45.137.22.234	192.168.2.5
Feb 16, 2025 08:54:07.955467939 CET	49706	55615	192.168.2.5	45.137.22.234
Feb 16, 2025 08:54:07.979176998 CET	49706	55615	192.168.2.5	45.137.22.234
Feb 16, 2025 08:54:07.984056950 CET	55615	49706	45.137.22.234	192.168.2.5
Feb 16, 2025 08:54:08.327879906 CET	49706	55615	192.168.2.5	45.137.22.234
Feb 16, 2025 08:54:08.332834959 CET	55615	49706	45.137.22.234	192.168.2.5
Feb 16, 2025 08:54:08.571717978 CET	55615	49706	45.137.22.234	192.168.2.5
Feb 16, 2025 08:54:08.624572039 CET	49706	55615	192.168.2.5	45.137.22.234
Feb 16, 2025 08:54:13.799640894 CET	49706	55615	192.168.2.5	45.137.22.234
Feb 16, 2025 08:54:13.799640894 CET	49706	55615	192.168.2.5	45.137.22.234
Feb 16, 2025 08:54:13.804744959 CET	55615	49706	45.137.22.234	192.168.2.5
Feb 16, 2025 08:54:13.805169106 CET	55615	49706	45.137.22.234	192.168.2.5
Feb 16, 2025 08:54:13.974102020 CET	55615	49706	45.137.22.234	192.168.2.5
Feb 16, 2025 08:54:14.015254021 CET	49706	55615	192.168.2.5	45.137.22.234
Feb 16, 2025 08:54:14.255558968 CET	55615	49706	45.137.22.234	192.168.2.5
Feb 16, 2025 08:54:14.255605936 CET	55615	49706	45.137.22.234	192.168.2.5
Feb 16, 2025 08:54:14.255642891 CET	55615	49706	45.137.22.234	192.168.2.5
Feb 16, 2025 08:54:14.255677938 CET	55615	49706	45.137.22.234	192.168.2.5
Feb 16, 2025 08:54:14.255711079 CET	55615	49706	45.137.22.234	192.168.2.5
Feb 16, 2025 08:54:14.255747080 CET	55615	49706	45.137.22.234	192.168.2.5
Feb 16, 2025 08:54:14.255775928 CET	55615	49706	45.137.22.234	192.168.2.5
Feb 16, 2025 08:54:14.255805016 CET	49706	55615	192.168.2.5	45.137.22.234
Feb 16, 2025 08:54:14.255810022 CET	55615	49706	45.137.22.234	192.168.2.5
Feb 16, 2025 08:54:14.255844116 CET	55615	49706	45.137.22.234	192.168.2.5
Feb 16, 2025 08:54:14.255870104 CET	49706	55615	192.168.2.5	45.137.22.234
Feb 16, 2025 08:54:14.255875111 CET	55615	49706	45.137.22.234	192.168.2.5
Feb 16, 2025 08:54:14.255899906 CET	49706	55615	192.168.2.5	45.137.22.234
Feb 16, 2025 08:54:14.255912066 CET	55615	49706	45.137.22.234	192.168.2.5
Feb 16, 2025 08:54:14.255975008 CET	49706	55615	192.168.2.5	45.137.22.234
Feb 16, 2025 08:54:14.256720066 CET	55615	49706	45.137.22.234	192.168.2.5
Feb 16, 2025 08:54:14.256756067 CET	55615	49706	45.137.22.234	192.168.2.5
Feb 16, 2025 08:54:14.256793022 CET	49706	55615	192.168.2.5	45.137.22.234
Feb 16, 2025 08:54:14.256886005 CET	55615	49706	45.137.22.234	192.168.2.5
Feb 16, 2025 08:54:14.256957054 CET	49706	55615	192.168.2.5	45.137.22.234
Feb 16, 2025 08:54:14.307301998 CET	49710	443	192.168.2.5	172.67.75.172
Feb 16, 2025 08:54:14.307411909 CET	443	49710	172.67.75.172	192.168.2.5
Feb 16, 2025 08:54:14.307533026 CET	49710	443	192.168.2.5	172.67.75.172
Feb 16, 2025 08:54:14.336102962 CET	49710	443	192.168.2.5	172.67.75.172
Feb 16, 2025 08:54:14.336146116 CET	443	49710	172.67.75.172	192.168.2.5
Feb 16, 2025 08:54:14.803633928 CET	443	49710	172.67.75.172	192.168.2.5
Feb 16, 2025 08:54:14.803798914 CET	49710	443	192.168.2.5	172.67.75.172
Feb 16, 2025 08:54:14.809268951 CET	49710	443	192.168.2.5	172.67.75.172
Feb 16, 2025 08:54:14.809314966 CET	443	49710	172.67.75.172	192.168.2.5
Feb 16, 2025 08:54:14.810033083 CET	443	49710	172.67.75.172	192.168.2.5
Feb 16, 2025 08:54:14.855447054 CET	49710	443	192.168.2.5	172.67.75.172
Feb 16, 2025 08:54:14.903337955 CET	443	49710	172.67.75.172	192.168.2.5
Feb 16, 2025 08:54:15.208646059 CET	443	49710	172.67.75.172	192.168.2.5
Feb 16, 2025 08:54:15.208735943 CET	443	49710	172.67.75.172	192.168.2.5
Feb 16, 2025 08:54:15.208800077 CET	49710	443	192.168.2.5	172.67.75.172
Feb 16, 2025 08:54:15.211839914 CET	49710	443	192.168.2.5	172.67.75.172
Feb 16, 2025 08:54:15.321857929 CET	49706	55615	192.168.2.5	45.137.22.234

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 16, 2025 08:54:14.294670105 CET	57897	53	192.168.2.5	1.1.1.1
Feb 16, 2025 08:54:14.304691076 CET	53	57897	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 16, 2025 08:54:14.294670105 CET	192.168.2.5	1.1.1.1	0x2344	Standard query (0)	api.ip.sb	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Feb 16, 2025 08:54:14.304691076 CET	1.1.1.1	192.168.2.5	0x2344	No error (0)	api.ip.sb	api.ip.sb.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)	false
Feb 16, 2025 08:54:14.304691076 CET	1.1.1.1	192.168.2.5	0x2344	No error (0)	api.ip.sb.cdn.cloudflare.net		172.67.75.172	A (IP address)	IN (0x0001)	false
Feb 16, 2025 08:54:14.304691076 CET	1.1.1.1	192.168.2.5	0x2344	No error (0)	api.ip.sb.cdn.cloudflare.net		104.26.13.31	A (IP address)	IN (0x0001)	false
Feb 16, 2025 08:54:14.304691076 CET	1.1.1.1	192.168.2.5	0x2344	No error (0)	api.ip.sb.cdn.cloudflare.net		104.26.12.31	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ip.sb

45.137.22.234:55615

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49706	45.137.22.234	55615	6948	C:\Users\user\Desktop\NWzeEUBQ7F.exe

Timestamp	Bytes transferred	Direction	Data
Feb 16, 2025 08:54:07.979176998 CET	240	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/CheckConnect" Host: 45.137.22.234:55615 Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Feb 16, 2025 08:54:08.571717978 CET	359	IN	HTTP/1.1 200 OK Content-Length: 212 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Sun, 16 Feb 2025 14:54:06 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 74 72 75 65 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><CheckConnectResponse xmlns="http://tempuri.org/"><CheckConnectResult>true</CheckConnectResult></CheckConnectResponse></s:Body></s:Envelope>
Feb 16, 2025 08:54:13.799640894 CET	223	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings" Host: 45.137.22.234:55615 Content-Length: 144 Expect: 100-continue Accept-Encoding: gzip, deflate
Feb 16, 2025 08:54:13.974102020 CET	25	IN	HTTP/1.1 100 Continue
Feb 16, 2025 08:54:14.255558968 CET	1236	IN	HTTP/1.1 200 OK Content-Length: 11829 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Sun, 16 Feb 2025 14:54:11 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 3e 3c 61 3a 42 6c 6f 63 6b 65 64 43 6f 75 6e 74 72 79 20 78 6d 6c 6e 73 3a 62 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 32 30 30 33 2f 31 30 2f 53 65 72 69 61 6c 69 7a 61 74 69 6f 6e 2f 41 72 72 61 79 73 22 2f 3e 3c 61 3a 42 6c 6f 63 6b 65 64 49 50 20 78 6d 6c [TRUNCATED] Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><EnvironmentSettingsResponse xmlns="http://tempuri.org/"><EnvironmentSettingsResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:BlockedCountry xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:BlockedIP xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><b:string>183.197.44.144</b:string><b:string>113.132.183.77</b:string><b:string>113.73.237.73</b:string><b:string>119.130.131.242</b:string><b:string>183.245.29.139</b:string><b:string>113.120.83.102</b:string><b:string>218.77.103.84</b:string><b:string>218.77.103.84</b:string><b:string>117.84.202.254</b:string><b:string>89.251.26.11</b:string><b:string>119.112.124.49</b:string><b:string>219.130.184.162</b:string><b:string>139.186.206.86</b:string><b:string>60.184.203.156</b:string><b:string>117.81.13.205</b:string><b:string>115.60.61.127</b:string><b:string>183.17.50.99</b:string><b:string>120.34.88.1 [TRUNCATED]
Feb 16, 2025 08:54:14.255912066 CET	25	IN	HTTP/1.1 100 Continue

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49710	172.67.75.172	443	6948	C:\Users\user\Desktop\NWzeEUBQ7F.exe

Timestamp	Bytes transferred	Direction	Data
2025-02-16 07:54:14 UTC	64	OUT	GET /geoip HTTP/1.1 Host: api.ip.sb Connection: Keep-Alive
2025-02-16 07:54:15 UTC	945	IN	HTTP/1.1 200 OK Date: Sun, 16 Feb 2025 07:54:15 GMT Content-Type: application/json; charset=utf-8 Transfer-Encoding: chunked Connection: close vary: Accept-Encoding Cache-Control: no-cache access-control-allow-origin: * cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zRjgqEVQvJz4E3y7Es%2B9JRy3KFMsi7l70xUKCemNgowmz64rYUQUpTLI54w7w%2FeZCRXi6Fw9pJP%2BE09ACJetxvkaErNfD0qA5f2gDjSnmw6Z63v6%2FnngNj3%2FuA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Server: cloudflare CF-RAY: 912bf7f33e204240-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1601&min_rtt=1597&rtt_var=608&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2805&recv_bytes=678&delivery_rate=1784841&cwnd=244&unsent_bytes=0&cid=d313f1e8a83bdf74&ts=421&x=0"
2025-02-16 07:54:15 UTC	351	IN	Data Raw: 31 35 38 0d 0a 7b 22 6f 72 67 61 6e 69 7a 61 74 69 6f 6e 22 3a 22 43 65 6e 74 75 72 79 4c 69 6e 6b 22 2c 22 6c 6f 6e 67 69 74 75 64 65 22 3a 2d 37 34 2e 30 30 36 36 2c 22 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 5c 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 69 73 70 22 3a 22 43 65 6e 74 75 72 79 4c 69 6e 6b 22 2c 22 6f 66 66 73 65 74 22 3a 2d 31 38 30 30 30 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 61 73 6e 22 3a 33 33 35 36 2c 22 61 73 6e 5f 6f 72 67 61 6e 69 7a 61 74 69 6f 6e 22 3a 22 4c 45 56 45 4c 33 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 69 70 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 22 6c 61 74 69 74 75 64 65 Data Ascii: 158{"organization":"CenturyLink","longitude":-74.0066,"city":"New York","timezone":"America\/New_York","isp":"CenturyLink","offset":-18000,"region":"New York","asn":3356,"asn_organization":"LEVEL3","country":"United States","ip":"8.46.123.189","latitude
2025-02-16 07:54:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: NWzeEUBQ7F.exePID: 6596, Parent PID: 1028

General

Target ID:	0
Start time:	02:54:04
Start date:	16/02/2025
Path:	C:\Users\user\Desktop\NWzeEUBQ7F.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\NWzeEUBQ7F.exe"
Imagebase:	0x120000
File size:	689'664 bytes
MD5 hash:	EAC8D64BFBC083AA74BCF866C9DEA7AC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2055676867.0000000003469000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2055676867.0000000003469000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000000.00000002.2055676867.0000000003469000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2055676867.0000000003CC2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2055676867.0000000003CC2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000000.00000002.2055676867.0000000003CC2000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: NWzeEUBQ7F.exePID: 6948, Parent PID: 6596

General

Target ID:	3
Start time:	02:54:05
Start date:	16/02/2025
Path:	C:\Users\user\Desktop\NWzeEUBQ7F.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\NWzeEUBQ7F.exe"
Imagebase:	0xfc0000
File size:	689'664 bytes
MD5 hash:	EAC8D64BFBC083AA74BCF866C9DEA7AC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000003.00000002.2143761709.0000000003403000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2142435235.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000003.00000002.2142435235.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000003.00000002.2142435235.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6224, Parent PID: 6948

General

Target ID:	4
Start time:	02:54:05
Start date:	16/02/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: NWzeEUBQ7F.exePID: 6596, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	9.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	31
Total number of Limit Nodes:	3

Executed Functions

Function 009FAD98 Relevance: 1.7, APIs: 1, Instructions: 202
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 009FAFFE

Memory Dump Source

Source File: 00000000.00000002.2054943278.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_NWzeEUBQ7F.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 9f27302033153ac5d5d699ceb8375238e8778dbfc286f1d85e8296ad58653aba
Instruction ID: 88d167a6821f509cc6d00c6c0ec1d681aa3722288e4107a86349ff146d0d9e80
Opcode Fuzzy Hash: 9f27302033153ac5d5d699ceb8375238e8778dbfc286f1d85e8296ad58653aba
Instruction Fuzzy Hash: 218168B0A00B498FD724DF29C4457AABBF5FF88300F008A2DD58AD7A50D774E945CB92

Function 009F5A64 Relevance: 1.6, APIs: 1, Instructions: 105
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2054943278.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_NWzeEUBQ7F.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efb095837758de6c787e898d8e50e029140df31df5599e8bba2b58c0c54ce39e
Instruction ID: d156f811b41a166f7bcd79ea00b8e1e23e770f37cb5d4c2050d29b85ab3f7fc8
Opcode Fuzzy Hash: efb095837758de6c787e898d8e50e029140df31df5599e8bba2b58c0c54ce39e
Instruction Fuzzy Hash: 4B310EB1805B4DCFCB15CFE8C8846EDBBF1AF46314F15828AC209AB251C775A846CB42

Function 009F58ED Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 009F59A9

Memory Dump Source

Source File: 00000000.00000002.2054943278.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_NWzeEUBQ7F.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 8d06616fe94e2c36516bf421b7dcee3db2e7a19d559e162230408101a2d03d62
Instruction ID: c8938c0651886029fca370d96bf1fb403b25f0a31b1fbe9463e3e1b51a1a2de1
Opcode Fuzzy Hash: 8d06616fe94e2c36516bf421b7dcee3db2e7a19d559e162230408101a2d03d62
Instruction Fuzzy Hash: EE41E2B0C0061DCBDB24DFA9C8846DDBBF5BF49304F20806AD518AB265DB75694ACF91

Function 009F44B4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 009F59A9

Memory Dump Source

Source File: 00000000.00000002.2054943278.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_NWzeEUBQ7F.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 9f63ad9270917e1ecf9ab852b8bfb3d0408baed9427038d3c010fad065ab7d16
Instruction ID: 16a14c99b80c521e633dc02f7a5e9d38370d70681490456ec248881155a9df5b
Opcode Fuzzy Hash: 9f63ad9270917e1ecf9ab852b8bfb3d0408baed9427038d3c010fad065ab7d16
Instruction Fuzzy Hash: CB41D1B0C0071DCBDB24DFA9C844B9DBBF5BF48304F20816AD518AB255DB75694ACF91

Function 009FD398 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,009FD366,?,?,?,?,?), ref: 009FD427

Memory Dump Source

Source File: 00000000.00000002.2054943278.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_NWzeEUBQ7F.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c3f8f70898eaf255de8e3b7dd99afc1e56750c86411bdba318098a3641cc17f0
Instruction ID: 802a0fd85f0dfa1775d7799854f40a7bca2724c562b7920f967858d06911e927
Opcode Fuzzy Hash: c3f8f70898eaf255de8e3b7dd99afc1e56750c86411bdba318098a3641cc17f0
Instruction Fuzzy Hash: B921E3B59012089FDB10CFAAD585AEEBFF5FF48310F14805AE958A7250D378A945CFA1

Function 009FB3F0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,009FD366,?,?,?,?,?), ref: 009FD427

Memory Dump Source

Source File: 00000000.00000002.2054943278.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_NWzeEUBQ7F.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: fbcbb8ad844c2da949c2e0d9e1d5ce08fbc448c9b9ac7ae63c79d118030f2a20
Instruction ID: ad780932260bd20bbd536a0441e893bbfe05e27243c5788b37d7b21d683bbaba
Opcode Fuzzy Hash: fbcbb8ad844c2da949c2e0d9e1d5ce08fbc448c9b9ac7ae63c79d118030f2a20
Instruction Fuzzy Hash: 5C21E3B5901308AFDB10CF9AD584AEEBBF9EB48310F14841AE918A3350D378A950DFA5

Function 009FAF98 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 009FAFFE

Memory Dump Source

Source File: 00000000.00000002.2054943278.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_NWzeEUBQ7F.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 35310078aa4b0ef9173545d2c51c8e2c68331ca48e88e73f584e1c02542bb62f
Instruction ID: 14c2da1e0bc42ef250a9f5d0bb9c687f45792deb4f73aea20d09004857cee303
Opcode Fuzzy Hash: 35310078aa4b0ef9173545d2c51c8e2c68331ca48e88e73f584e1c02542bb62f
Instruction Fuzzy Hash: A411E0B5C003498FCB20DF9AC444ADEFBF8EF88314F14845AD929A7214D379A545CFA5

Function 0077D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054144782.000000000077D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0077D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77d000_NWzeEUBQ7F.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2b45d7c48d8a53965ef2cb8deeb56351022ecf47dd3b6d32098f3831ea96d40
Instruction ID: 556484502440a2acd1421f56c841a1f41c8709d5e83d1527d244a0ad7fe188bb
Opcode Fuzzy Hash: c2b45d7c48d8a53965ef2cb8deeb56351022ecf47dd3b6d32098f3831ea96d40
Instruction Fuzzy Hash: EF2100B2100284DFCF25DF14C980B26BF75FF98364F20C169ED0D0A256C33AE806CAA2

Function 0077D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054144782.000000000077D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0077D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77d000_NWzeEUBQ7F.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df53ab37bc3be2a16634b465d6809d870fa8b456f0ad04b1be87b2b803629735
Instruction ID: 4bdcc8d7f76c8073339edff1cdaf4fb161d29758a8a69134005891085f7275f3
Opcode Fuzzy Hash: df53ab37bc3be2a16634b465d6809d870fa8b456f0ad04b1be87b2b803629735
Instruction Fuzzy Hash: D521F171500240DFCF25DF14D980B26BF75FF98358F24C569E9090A256C33AD826DAA2

Function 0078D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054209852.000000000078D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0078D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78d000_NWzeEUBQ7F.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9eda51235ef9d7900cc9d1c81b73c05fa8fe58d1aa3ee1350391ef3d1ab046e
Instruction ID: 920a99d798cf6356d3836b0822f5891bbdaaaa8beef2deb2b7af06703779b4d2
Opcode Fuzzy Hash: f9eda51235ef9d7900cc9d1c81b73c05fa8fe58d1aa3ee1350391ef3d1ab046e
Instruction Fuzzy Hash: 7721D071684204DFDB24EF24D984B26BB65EB88314F20C569D94A4B296C33EDC06CB62

Function 0078D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054209852.000000000078D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0078D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78d000_NWzeEUBQ7F.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae6f39a103416b4ef461183fbcc64e84949476cdb58b55c64d443590398249e3
Instruction ID: c75eb149584a90d227c77a4b898f9f977047e8636f5e5d8dec2d595a5fc114d4
Opcode Fuzzy Hash: ae6f39a103416b4ef461183fbcc64e84949476cdb58b55c64d443590398249e3
Instruction Fuzzy Hash: B021D071584204AFDB25EF64D980F26BBA5FB88314F20C669E9094B296C33ADC06CB61

Function 0077D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054144782.000000000077D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0077D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77d000_NWzeEUBQ7F.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: ff4990abd012c8b1ff963902f2886bcfba52bb411952911c1a22af4895387007
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 4811A276504240CFCF16CF14D5C4B16BF71FB94314F24C6A9D9490B656C33AD866CBA1

Function 0077D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054144782.000000000077D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0077D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77d000_NWzeEUBQ7F.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: ae23df15c2615cdf016dd1c90fea2ea43d27075f8ee63f1e996ba8a813c7645b
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 5711CD72404280DFCF12CF00D5C4B16BF72FB94324F24C6A9DD090A256C33AE85ACBA2

Function 0078D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054209852.000000000078D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0078D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78d000_NWzeEUBQ7F.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 74ba039f38e72c990c3cf80aa9e7484d0223f74dbfddd233128adecc1c5d51ca
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 0711BB75544280DFCB12DF14C5C4B15BBA1FB84324F24C6A9D8494B296C33AD80ACB62

Function 0078D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054209852.000000000078D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0078D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78d000_NWzeEUBQ7F.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: da7b8a9b5c9d5bae3b922f2e054cb4bb861ce92521d12fb717ce00e1bf4a8d77
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 5C11DD75544284CFDB22DF14D5C4B15FFA2FB88314F24C6AAD8494B696C33AD80ACBA2

Non-executed Functions

Function 009FDC3C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054943278.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_NWzeEUBQ7F.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8adf3d98423472b943c8e3303916d7076770bdadacd53b74181b5fc516bae48
Instruction ID: 1f98cc63f8448516872c346221f520bfc47b858390054cdda1559921bed89df6
Opcode Fuzzy Hash: a8adf3d98423472b943c8e3303916d7076770bdadacd53b74181b5fc516bae48
Instruction Fuzzy Hash: 71A16D32E002098FCF09DFB4C8546AEB7B6FF84300B15857AEA05AB265DB71ED15CB80

Analysis Process: NWzeEUBQ7F.exePID: 6948, Parent PID: 6596COMMON

Execution Graph

Execution Coverage:	11.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	30
Total number of Limit Nodes:	2

Executed Functions

Function 06C775E8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE(00000000,?,?,?,?,00000000,00000E20,?,?,06C774A6), ref: 06C77656

Strings

zaE&, xrefs: 06C7760F

Memory Dump Source

Source File: 00000003.00000002.2145682226.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c70000_NWzeEUBQ7F.jbxd

Similarity

API ID: LibraryLoad
String ID: zaE&
API String ID: 1029625771-869269582
Opcode ID: 37066ec0db7bc1eadc02052cac586900d068241582650bc4501a73ed0a78b868
Instruction ID: 951c347dd10049c3240845a17eee49859212555f5f12bba4bd0aa9fae180797d
Opcode Fuzzy Hash: 37066ec0db7bc1eadc02052cac586900d068241582650bc4501a73ed0a78b868
Instruction Fuzzy Hash: 1D1123B5C0064A8FCB20DF9AD844ADEFBF4EF88310F10842AD419A7710C378A646CFA0

Function 06C77148 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE(00000000,?,?,?,?,00000000,00000E20,?,?,06C774A6), ref: 06C77656

Strings

zaE&, xrefs: 06C7760F

Memory Dump Source

Source File: 00000003.00000002.2145682226.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c70000_NWzeEUBQ7F.jbxd

Similarity

API ID: LibraryLoad
String ID: zaE&
API String ID: 1029625771-869269582
Opcode ID: a690f5db1e426f0e681a08f483eb4e655bc9a6ab689bac6ce84170e6e470115e
Instruction ID: 2b152f5b5264bd7789bf78cd0ea3ef1268a88fabf1a5236642b9ad0b7488d51d
Opcode Fuzzy Hash: a690f5db1e426f0e681a08f483eb4e655bc9a6ab689bac6ce84170e6e470115e
Instruction Fuzzy Hash: 121120B1C007498FCB20DF9AC844A9EFBF4EF88210F14842AD419B7210D379A645CFA4

Function 019C0CE0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleWindow.KERNELBASE ref: 019C0D47

Strings

zaE&, xrefs: 019C0CFF

Memory Dump Source

Source File: 00000003.00000002.2143461389.00000000019C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19c0000_NWzeEUBQ7F.jbxd

Similarity

API ID: ConsoleWindow
String ID: zaE&
API String ID: 2863861424-869269582
Opcode ID: df276822dfdd29d0fdb5d95f6c3d541dab8af8d4f4fdac11382446c6ca3ae39f
Instruction ID: 9ab952e58ff135cf1402e11ff487e486ad89d07d5676e6e3bb3a74f7595764b9
Opcode Fuzzy Hash: df276822dfdd29d0fdb5d95f6c3d541dab8af8d4f4fdac11382446c6ca3ae39f
Instruction Fuzzy Hash: 841134B5D003098FCB24DFAAC4457EEBBF4EB88324F20842AD419A7250C738A945CBA0

Function 019C0CE8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleWindow.KERNELBASE ref: 019C0D47

Strings

zaE&, xrefs: 019C0CFF

Memory Dump Source

Source File: 00000003.00000002.2143461389.00000000019C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19c0000_NWzeEUBQ7F.jbxd

Similarity

API ID: ConsoleWindow
String ID: zaE&
API String ID: 2863861424-869269582
Opcode ID: 46151ad7b8885b9856e32b56c93e6f20a9215372456358cd26865b04377ab4af
Instruction ID: bd258e28bcc1992a3b18eacb94d55628b14dd03d3cd4505a6f7643f6da51e909
Opcode Fuzzy Hash: 46151ad7b8885b9856e32b56c93e6f20a9215372456358cd26865b04377ab4af
Instruction Fuzzy Hash: B01122B5D003098FCB24DFAAC8457AEFFF4EB48324F24841AD559A7250CB39A544CBA1

Function 06CC0048 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2145749302.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc0000_NWzeEUBQ7F.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 446071b15cb5406d201eafa9eb939b1b7ee3dcdd7f5f70dc960f572933c04648
Instruction ID: c664d706b61b6bf0238d85653bee39f51c896896a4d78b2aaceac0d3d3fce728
Opcode Fuzzy Hash: 446071b15cb5406d201eafa9eb939b1b7ee3dcdd7f5f70dc960f572933c04648
Instruction Fuzzy Hash: 52428630740625CFCB25DF78D450A6EBABAFFC9310F014A5CC5069B294CB7AED098B96

Function 06CC04F4 Relevance: .5, Instructions: 501COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2145749302.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc0000_NWzeEUBQ7F.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82b15cb4c117caaf3f932974b09cc25b8a68711550925f71ca5fd35cc7751d65
Instruction ID: 1e7028ca2ad069be8ca9f2a643d35b25c0d68e049dc269c6b636d5f76ea0189a
Opcode Fuzzy Hash: 82b15cb4c117caaf3f932974b09cc25b8a68711550925f71ca5fd35cc7751d65
Instruction Fuzzy Hash: 4B128730740615CFCB15DF68D440A6EBBBAFFC9710F01495CD5069B2A5CBBAEE098B92

Function 06CC056A Relevance: .5, Instructions: 466COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2145749302.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc0000_NWzeEUBQ7F.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee1cef8259a39c436ae15d8cbc34bb557a24b49eeabb4b2a0f78e7c09b304cc6
Instruction ID: e96a0b353bc046deed011965ab0c84ed5b0e28fb0c4cc69987b20a54beff14e0
Opcode Fuzzy Hash: ee1cef8259a39c436ae15d8cbc34bb557a24b49eeabb4b2a0f78e7c09b304cc6
Instruction Fuzzy Hash: 2C028930740615CFCB14DF68D450A6EBBBAFFC9710F00895DD5069B2A5CBBAED098B92

Function 06CC05E0 Relevance: .4, Instructions: 428COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2145749302.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc0000_NWzeEUBQ7F.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4448f60e502c17e9d8848e86ac66c9a792022a6ce425c514935bcb731cf94ea
Instruction ID: 64403573171ab730767fd1841b1e573ac1fcdcadf615b4a0c8677d1fd51c00c4
Opcode Fuzzy Hash: c4448f60e502c17e9d8848e86ac66c9a792022a6ce425c514935bcb731cf94ea
Instruction Fuzzy Hash: 20028B30B40215DFDB14DF68C450A6EBBB6FF89710F00895DD5069B3A5CBBAED058B91

Function 06CC0656 Relevance: .4, Instructions: 390COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2145749302.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc0000_NWzeEUBQ7F.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfe88f11567b42b15ff98f60356311af948ff9874cca2346dd0d6ec10688d316
Instruction ID: d4117d2a5fe3f0eb2a7f7143cb4460f31e64cef0986f4c10458b106869b6391e
Opcode Fuzzy Hash: bfe88f11567b42b15ff98f60356311af948ff9874cca2346dd0d6ec10688d316
Instruction Fuzzy Hash: DBF17930B40214DFDB44DF68C850A6EBBBAFF89710F00855DE5068B3A5CBB6EA05CB91

Function 06CC06CC Relevance: .4, Instructions: 356COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2145749302.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc0000_NWzeEUBQ7F.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 502c07be0385a99894365e9b16411b490afc47d0133f8becb7c9800d2eea6e3f
Instruction ID: ed1c817881c3fc2c29e88fe9986d22b8e513471492ae36956a36cfc48fefe955
Opcode Fuzzy Hash: 502c07be0385a99894365e9b16411b490afc47d0133f8becb7c9800d2eea6e3f
Instruction Fuzzy Hash: 67E17D70B40204DFDB44DF68C951A6EBBB6FF88710F008559E5068B3A5CBB6DE45CBA1

Function 06CC0000 Relevance: .4, Instructions: 350COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2145749302.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc0000_NWzeEUBQ7F.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0134e1500b821bc052516b9a2a7cb51969d45fa2536c7c2642f0ea8236408b6
Instruction ID: 7a979aebd00e9629f6024b03815141e7ed92aabe63b69cc6466735cb7c1b068e
Opcode Fuzzy Hash: f0134e1500b821bc052516b9a2a7cb51969d45fa2536c7c2642f0ea8236408b6
Instruction Fuzzy Hash: 65D1AE30B00244DFDB05CF64C855AAA7BBAFF89710F01815AE505CB3A6CBB6DD45CBA2

Function 0192D054 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2143228502.000000000192D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0192D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_192d000_NWzeEUBQ7F.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86916067ed0cb6271f84544ba74170f12b4a263059a45f1659f67ed785d0b943
Instruction ID: 9159d16308789e047d4006a8bb96044255123f245f8c455ebe85cf32fad3e14f
Opcode Fuzzy Hash: 86916067ed0cb6271f84544ba74170f12b4a263059a45f1659f67ed785d0b943
Instruction Fuzzy Hash: 4821D671544240DFDB1ADF94D9C4F26BFA9FB88314F24C669EA0D0B25AC33AD416CBA1

Function 0192D04F Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2143228502.000000000192D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0192D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_192d000_NWzeEUBQ7F.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4df52cb15700b59c5b6b401fa95ea1d4e97f6e18881beb99e30f99f1fcf6035
Instruction ID: 8f3272f655cf077bf99a54914ba99622ef885e09ec5b63fe5468bcd2ce8edf43
Opcode Fuzzy Hash: b4df52cb15700b59c5b6b401fa95ea1d4e97f6e18881beb99e30f99f1fcf6035
Instruction Fuzzy Hash: 3821C072404280DFCB06CF44D9C4B16BFB2FB88314F2486A9DD480A65BC33AD416CB91

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report NWzeEUBQ7F.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: RedLine

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NWzeEUBQ7F.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
NWzeEUBQ7F.exe

Function 009FAD98 Relevance: 1.7, APIs: 1, Instructions: 202
COMMON

Function 009F5A64 Relevance: 1.6, APIs: 1, Instructions: 105
COMMON

Function 009F58ED Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Function 009F44B4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 009FD398 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Function 009FB3F0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 009FAF98 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Function 06C775E8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55
libraryCOMMON

Function 06C77148 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53
libraryCOMMON

Function 019C0CE0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 52
COMMON

Function 019C0CE8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47
COMMON