Windows
Analysis Report
95.msi
Overview
General Information
Detection
RedLine
Score: 100
Range: 0 - 100
Confidence: 100%
Signatures
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Suricata IDS alerts for network traffic
Yara detected RedLine Stealer
Connects to many ports of the same IP (likely port scanning)
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
PE file has a writeable .text section
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
- msiexec.exe (PID: 6276 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\95.msi" MD5: E5DA170027542E25EDE42FC54C929077)
- msiexec.exe (PID: 6296 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
- SplashWin.exe (PID: 5660 cmdline: "C:\Users\user\AppData\Local\Florilegium\SplashWin.exe" MD5: 4D20B83562EEC3660E45027AD56FB444)
- SplashWin.exe (PID: 5700 cmdline: C:\Users\user\AppData\Roaming\sqSystem\SplashWin.exe MD5: 4D20B83562EEC3660E45027AD56FB444)
- cmd.exe (PID: 2008 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 5480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- Syncsign_v1.exe (PID: 4248 cmdline: C:\Users\user\AppData\Local\Temp\Syncsign_v1.exe MD5: 967F4470627F823F4D7981E511C9824F)
- msiexec.exe (PID: 2756 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\UJTcSAwaleqsjRv9HspDxp.msi" MD5: E5DA170027542E25EDE42FC54C929077)
- msedge.exe (PID: 3412 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory="Default" MD5: 69222B8101B0601CC6663F8381E7E00F)
- msedge.exe (PID: 3740 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2212 --field-trial-handle=2092,i,6567631385547770601,15567002081603104977,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)
- msiexec.exe (PID: 3796 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding F8E1D76AA19B02239F060918BBE40BDC C MD5: 9D09DC1EDA745A5F87553048E57620CF)
- ISBEW64.exe (PID: 2492 cmdline: C:\Users\user\AppData\Local\Temp\{47954601-611E-45CB-B5DF-BCBF1C48B102}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E2A270F6-71BD-4CF4-BCD4-62D608E7C6DE} MD5: 40F3A092744E46F3531A40B917CCA81E)
- ISBEW64.exe (PID: 2016 cmdline: C:\Users\user\AppData\Local\Temp\{47954601-611E-45CB-B5DF-BCBF1C48B102}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1387D03A-F134-4442-AA6E-ADB2CD5C2ED0} MD5: 40F3A092744E46F3531A40B917CCA81E)
- ISBEW64.exe (PID: 5548 cmdline: C:\Users\user\AppData\Local\Temp\{47954601-611E-45CB-B5DF-BCBF1C48B102}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F52B7AF0-9702-4246-A1ED-1A9047376A3D} MD5: 40F3A092744E46F3531A40B917CCA81E)
- ISBEW64.exe (PID: 2848 cmdline: C:\Users\user\AppData\Local\Temp\{47954601-611E-45CB-B5DF-BCBF1C48B102}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4C162230-114A-4D2A-AEC6-15BB323AE6BC} MD5: 40F3A092744E46F3531A40B917CCA81E)
- ISBEW64.exe (PID: 3176 cmdline: C:\Users\user\AppData\Local\Temp\{47954601-611E-45CB-B5DF-BCBF1C48B102}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A686CD30-0C56-4C54-86B5-DBEC67B4DBCD} MD5: 40F3A092744E46F3531A40B917CCA81E)
- ISBEW64.exe (PID: 2912 cmdline: C:\Users\user\AppData\Local\Temp\{47954601-611E-45CB-B5DF-BCBF1C48B102}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D7823393-5AA6-4AB5-A0AE-4EEA1F8EB985} MD5: 40F3A092744E46F3531A40B917CCA81E)
- ISBEW64.exe (PID: 1208 cmdline: C:\Users\user\AppData\Local\Temp\{47954601-611E-45CB-B5DF-BCBF1C48B102}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{40795E86-F3F1-4D62-A29C-F60FADC828BF} MD5: 40F3A092744E46F3531A40B917CCA81E)
- ISBEW64.exe (PID: 5296 cmdline: C:\Users\user\AppData\Local\Temp\{47954601-611E-45CB-B5DF-BCBF1C48B102}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{50347EEE-E43A-4759-93EA-F28098E49F12} MD5: 40F3A092744E46F3531A40B917CCA81E)
- ISBEW64.exe (PID: 5640 cmdline: C:\Users\user\AppData\Local\Temp\{47954601-611E-45CB-B5DF-BCBF1C48B102}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A0B21F84-7F7C-4341-B415-DC7FBF2E3720} MD5: 40F3A092744E46F3531A40B917CCA81E)
- ISBEW64.exe (PID: 6096 cmdline: C:\Users\user\AppData\Local\Temp\{47954601-611E-45CB-B5DF-BCBF1C48B102}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{BF103E10-17E9-41D3-ACA3-F40B15C7CB56} MD5: 40F3A092744E46F3531A40B917CCA81E)
- SplashWin.exe (PID: 824 cmdline: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe MD5: 4D20B83562EEC3660E45027AD56FB444)
- cmd.exe (PID: 4556 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 5916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- backgroundTaskHost.exe (PID: 7556 cmdline: "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider MD5: DA7063B17DBB8BBB3015351016868006)
- SplashWin.exe (PID: 4268 cmdline: "C:\Users\user\AppData\Roaming\sqSystem\SplashWin.exe" MD5: 4D20B83562EEC3660E45027AD56FB444)
- cmd.exe (PID: 1148 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 6808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- Syncsign_v1.exe (PID: 6440 cmdline: C:\Users\user\AppData\Local\Temp\Syncsign_v1.exe MD5: 967F4470627F823F4D7981E511C9824F)
- msedge.exe (PID: 1860 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: 69222B8101B0601CC6663F8381E7E00F)
- msedge.exe (PID: 6632 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2736 --field-trial-handle=2412,i,7594012832327003948,1063545990671371435,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)
- msedge.exe (PID: 7624 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6472 --field-trial-handle=2412,i,7594012832327003948,1063545990671371435,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)
- msedge.exe (PID: 7632 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6596 --field-trial-handle=2412,i,7594012832327003948,1063545990671371435,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)
- identity_helper.exe (PID: 7984 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=7288 --field-trial-handle=2412,i,7594012832327003948,1063545990671371435,262144 /prefetch:8 MD5: 76C58E5BABFE4ACF0308AA646FC0F416)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
RedLine Stealer | RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. | No Attribution | | |

No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
| | MALWARE_Win_Arechclient2 | Detects Arechclient2 RAT | ditekSHen | |

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
| | MALWARE_Win_Arechclient2 | Detects Arechclient2 RAT | ditekSHen | |
| | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-03-04T18:08:56.501424+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49762 | 104.21.40.182 | 443 | TCP |
2025-03-04T18:08:58.561127+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49763 | 104.21.40.182 | 443 | TCP |
2025-03-04T18:08:59.590569+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49766 | 172.67.164.91 | 443 | TCP |
2025-03-04T18:08:59.602162+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49765 | 104.21.40.182 | 443 | TCP |
2025-03-04T18:09:35.795128+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 50009 | 104.21.40.182 | 443 | TCP |
2025-03-04T18:09:37.400850+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 50019 | 104.21.40.182 | 443 | TCP |
2025-03-04T18:09:38.293106+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 50028 | 104.21.40.182 | 443 | TCP |
2025-03-04T18:09:39.253405+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 50034 | 104.21.40.182 | 443 | TCP |
2025-03-04T18:09:40.579397+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 50044 | 104.21.40.182 | 443 | TCP |
2025-03-04T18:09:42.012602+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 50052 | 104.21.40.182 | 443 | TCP |
2025-03-04T18:09:43.122118+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 50063 | 104.21.40.182 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-03-04T18:09:39.578239+0100 | 2052248 | 1 | A Network Trojan was detected | 192.168.2.4 | 50035 | 92.255.85.23 | 9000 | TCP |
AV Detection
Source: Avira URL Cloud (5 entries; the detected URLs were not preserved in this extraction)
Source: ReversingLabs (1 entry; detection detail not preserved)
Source: Integrated Neural Analysis Model (1 entry; detail not preserved)
Source: HTTPS traffic detected (11 entries; endpoints not preserved)
Source: Binary string (11 entries; strings not preserved)