Windows Analysis Report
https://westmaidentrue.click/mirage/magestique

Overview

General Information

Sample URL:	https://westmaidentrue.click/mirage/magestique
Analysis ID:	1636623
Infos:

Detection

RedLine

Score:	60
Range:	0 - 100
Confidence:	100%

Signatures

Yara detected RedLine Stealer

Found direct / indirect Syscall (likely to bypass EDR)

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Drops PE files

Found dropped PE file which has not been started or loaded

Queries the volume information (name, serial number etc) of a device

Yara detected Credential Stealer

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Signatures

Source: C:\Program Files\7-Zip\7zG.exe

File opened: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\msvcr80.dll

Source: unknown	HTTPS traffic detected: 13.107.246.76:443 -> 192.168.2.17:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.76:443 -> 192.168.2.17:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.76:443 -> 192.168.2.17:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.76:443 -> 192.168.2.17:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.76:443 -> 192.168.2.17:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.86.251.25:443 -> 192.168.2.17:49740 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 51.132.193.104
Source: unknown	TCP traffic detected without corresponding DNS query: 2.17.190.73
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.28.46
Source: unknown	TCP traffic detected without corresponding DNS query: 51.132.193.104
Source: unknown	TCP traffic detected without corresponding DNS query: 2.17.190.73
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.28.46
Source: unknown	TCP traffic detected without corresponding DNS query: 51.132.193.104
Source: unknown	TCP traffic detected without corresponding DNS query: 2.17.190.73
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.28.46
Source: unknown	TCP traffic detected without corresponding DNS query: 52.123.128.14
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 52.123.128.14
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 51.132.193.104
Source: unknown	TCP traffic detected without corresponding DNS query: 2.17.190.73
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.28.46
Source: unknown	TCP traffic detected without corresponding DNS query: 52.123.128.14
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 52.123.128.14
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 51.132.193.104
Source: unknown	TCP traffic detected without corresponding DNS query: 2.17.190.73
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.28.46
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 52.123.128.14
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 51.132.193.104
Source: unknown	TCP traffic detected without corresponding DNS query: 2.17.190.73
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.28.46
Source: unknown	TCP traffic detected without corresponding DNS query: 52.123.128.14
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 51.132.193.104
Source: unknown	TCP traffic detected without corresponding DNS query: 2.17.190.73
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.28.46
Source: unknown	TCP traffic detected without corresponding DNS query: 52.123.128.14
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.186.131
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.186.131
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.60

Source: global traffic	HTTP traffic detected: GET /rules/rule702450v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.svc.static.microsoft
Source: global traffic	HTTP traffic detected: GET /rules/rule701100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.svc.static.microsoft
Source: global traffic	HTTP traffic detected: GET /rules/rule701101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.svc.static.microsoft
Source: global traffic	HTTP traffic detected: GET /rules/rule120603v8s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.svc.static.microsoft
Source: global traffic	HTTP traffic detected: GET /rules/rule120128v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.svc.static.microsoft

Source: global traffic	DNS traffic detected: DNS query: westmaidentrue.click
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49682 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown	HTTPS traffic detected: 13.107.246.76:443 -> 192.168.2.17:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.76:443 -> 192.168.2.17:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.76:443 -> 192.168.2.17:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.76:443 -> 192.168.2.17:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.76:443 -> 192.168.2.17:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.86.251.25:443 -> 192.168.2.17:49740 version: TLS 1.2

Creates files inside the system directory

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\scoped_dir4660_2138186876

Deletes files inside the Windows folder

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File deleted: C:\Windows\SystemTemp\scoped_dir4660_2138186876

Source: classification engine

Classification label: mal60.troj.evad.win@32/14@4/102

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\Downloads\d5d6b308-bfbb-4dd4-bf8b-ff8f825d0b61.tmp

Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe

File created: C:\Users\user\AppData\Local\Temp\c149800b

Source: C:\Windows\SysWOW64\cmd.exe

File read: C:\Users\desktop.ini

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1960,i,14732196840622358889,9722313244404987971,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=1580 /prefetch:3
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://westmaidentrue.click/mirage/magestique"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1960,i,14732196840622358889,9722313244404987971,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=1580 /prefetch:3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Temp1_Stars_pack_version_21.3.1.zip\version_21\zkwindow.exe "C:\Users\user\AppData\Local\Temp\Temp1_Stars_pack_version_21.3.1.zip\version_21\zkwindow.exe"
Source: unknown	Process created: C:\Program Files\7-Zip\7zG.exe "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Downloads\Stars_pack_version_21.3.1\" -spe -an -ai#7zMap13774:114:7zEvent31951
Source: unknown	Process created: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe "C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe"
Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Source: C:\Users\user\AppData\Local\Temp\Temp1_Stars_pack_version_21.3.1.zip\version_21\zkwindow.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_Stars_pack_version_21.3.1.zip\version_21\zkwindow.exe	Section loaded: qtcore4.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_Stars_pack_version_21.3.1.zip\version_21\zkwindow.exe	Section loaded: qtgui4.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_Stars_pack_version_21.3.1.zip\version_21\zkwindow.exe	Section loaded: qtnetwork4.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_Stars_pack_version_21.3.1.zip\version_21\zkwindow.exe	Section loaded: comn.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: explorerframe.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: textshaping.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: textinputframework.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: coreuicomponents.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: coremessaging.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: ntmarta.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: coremessaging.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: wintypes.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: wintypes.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	Section loaded: qtcore4.dll
Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	Section loaded: qtgui4.dll
Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	Section loaded: qtnetwork4.dll
Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	Section loaded: comn.dll
Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	Section loaded: winmm.dll
Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	Section loaded: libssl-1_1.dll
Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	Section loaded: userenv.dll
Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	Section loaded: netapi32.dll
Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	Section loaded: libcrypto-1_1.dll
Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	Section loaded: netutils.dll
Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	Section loaded: samcli.dll
Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	Section loaded: pla.dll
Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	Section loaded: pdh.dll
Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	Section loaded: tdh.dll
Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	Section loaded: cabinet.dll
Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	Section loaded: wevtapi.dll
Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	Section loaded: shdocvw.dll
Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: bitsproxy.dll

Source: C:\Program Files\7-Zip\7zG.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\7-Zip\7zG.exe

File opened: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\msvcr80.dll

Drops PE files

Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\msvcp80.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\Comn.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\QtCore4.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\QtGui4.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\libssl-1_1.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\QtNetwork4.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\msvcr80.dll	Jump to dropped file

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	API/Special instruction interceptor: Address: 6CB27C44
Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	API/Special instruction interceptor: Address: 6CB27945
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 6CB23B54

Found dropped PE file which has not been started or loaded

Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\msvcp80.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\libssl-1_1.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\msvcr80.dll	Jump to dropped file

Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe

Process information queried: ProcessInformation

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	NtProtectVirtualMemory: Direct from: 0x77DF7B2E
Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	NtQueryInformationToken: Direct from: 0x6500399D
Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	NtSetSecurityObject: Direct from: 0x77DF63E1

Maps a DLL or memory area into another process

Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe

Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\SysWOW64\cmd.exe

Queries volume information: C:\ VolumeInformation

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match

File source: 00000013.00000002.2319472527.00000000056A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected Credential Stealer

Source: Yara match

File source: 00000013.00000002.2319472527.00000000056A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match

File source: 00000013.00000002.2319472527.00000000056A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Screenshots

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.185.99	unknown	United States	15169	GOOGLEUS	false
142.250.110.84	unknown	United States	15169	GOOGLEUS	false
142.250.181.238	unknown	United States	15169	GOOGLEUS	false
104.21.16.1	westmaidentrue.click	United States	13335	CLOUDFLARENETUS	false
142.250.185.206	unknown	United States	15169	GOOGLEUS	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
142.250.181.228	www.google.com	United States	15169	GOOGLEUS	false
142.250.186.142	unknown	United States	15169	GOOGLEUS	false
142.250.184.227	unknown	United States	15169	GOOGLEUS	false
216.58.212.163	unknown	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.17

Contacted Domains

Name	IP	Active
westmaidentrue.click	104.21.16.1	true
www.google.com	142.250.181.228	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://otelrules.svc.static.microsoft/rules/rule702450v1s19.xml	false	Avira URL Cloud: safe	unknown
https://otelrules.svc.static.microsoft/rules/rule701100v1s19.xml	false	Avira URL Cloud: safe	unknown
https://otelrules.svc.static.microsoft/rules/rule120128v0s19.xml	false	Avira URL Cloud: safe	unknown
https://otelrules.svc.static.microsoft/rules/rule120603v8s19.xml	false		high
https://otelrules.svc.static.microsoft/rules/rule701101v1s19.xml	false	Avira URL Cloud: safe	unknown

Source: C:\Program Files\7-Zip\7zG.exe

File opened: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\msvcr80.dll

Source: unknown	HTTPS traffic detected: 13.107.246.76:443 -> 192.168.2.17:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.76:443 -> 192.168.2.17:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.76:443 -> 192.168.2.17:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.76:443 -> 192.168.2.17:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.76:443 -> 192.168.2.17:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.86.251.25:443 -> 192.168.2.17:49740 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 51.132.193.104
Source: unknown	TCP traffic detected without corresponding DNS query: 2.17.190.73
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.28.46
Source: unknown	TCP traffic detected without corresponding DNS query: 51.132.193.104
Source: unknown	TCP traffic detected without corresponding DNS query: 2.17.190.73
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.28.46
Source: unknown	TCP traffic detected without corresponding DNS query: 51.132.193.104
Source: unknown	TCP traffic detected without corresponding DNS query: 2.17.190.73
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.28.46
Source: unknown	TCP traffic detected without corresponding DNS query: 52.123.128.14
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 52.123.128.14
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 51.132.193.104
Source: unknown	TCP traffic detected without corresponding DNS query: 2.17.190.73
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.28.46
Source: unknown	TCP traffic detected without corresponding DNS query: 52.123.128.14
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 52.123.128.14
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 51.132.193.104
Source: unknown	TCP traffic detected without corresponding DNS query: 2.17.190.73
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.28.46
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 52.123.128.14
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 51.132.193.104
Source: unknown	TCP traffic detected without corresponding DNS query: 2.17.190.73
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.28.46
Source: unknown	TCP traffic detected without corresponding DNS query: 52.123.128.14
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 51.132.193.104
Source: unknown	TCP traffic detected without corresponding DNS query: 2.17.190.73
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.28.46
Source: unknown	TCP traffic detected without corresponding DNS query: 52.123.128.14
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.186.131
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.186.131
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.60
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.60

Source: global traffic	HTTP traffic detected: GET /rules/rule702450v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.svc.static.microsoft
Source: global traffic	HTTP traffic detected: GET /rules/rule701100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.svc.static.microsoft
Source: global traffic	HTTP traffic detected: GET /rules/rule701101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.svc.static.microsoft
Source: global traffic	HTTP traffic detected: GET /rules/rule120603v8s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.svc.static.microsoft
Source: global traffic	HTTP traffic detected: GET /rules/rule120128v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.svc.static.microsoft

Source: global traffic	DNS traffic detected: DNS query: westmaidentrue.click
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49682 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown	HTTPS traffic detected: 13.107.246.76:443 -> 192.168.2.17:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.76:443 -> 192.168.2.17:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.76:443 -> 192.168.2.17:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.76:443 -> 192.168.2.17:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.76:443 -> 192.168.2.17:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.86.251.25:443 -> 192.168.2.17:49740 version: TLS 1.2

Creates files inside the system directory

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\scoped_dir4660_2138186876

Deletes files inside the Windows folder

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File deleted: C:\Windows\SystemTemp\scoped_dir4660_2138186876

Source: classification engine

Classification label: mal60.troj.evad.win@32/14@4/102

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\Downloads\d5d6b308-bfbb-4dd4-bf8b-ff8f825d0b61.tmp

Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe

File created: C:\Users\user\AppData\Local\Temp\c149800b

Source: C:\Windows\SysWOW64\cmd.exe

File read: C:\Users\desktop.ini

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1960,i,14732196840622358889,9722313244404987971,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=1580 /prefetch:3
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://westmaidentrue.click/mirage/magestique"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1960,i,14732196840622358889,9722313244404987971,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=1580 /prefetch:3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Temp1_Stars_pack_version_21.3.1.zip\version_21\zkwindow.exe "C:\Users\user\AppData\Local\Temp\Temp1_Stars_pack_version_21.3.1.zip\version_21\zkwindow.exe"
Source: unknown	Process created: C:\Program Files\7-Zip\7zG.exe "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Downloads\Stars_pack_version_21.3.1\" -spe -an -ai#7zMap13774:114:7zEvent31951
Source: unknown	Process created: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe "C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe"
Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Source: C:\Users\user\AppData\Local\Temp\Temp1_Stars_pack_version_21.3.1.zip\version_21\zkwindow.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_Stars_pack_version_21.3.1.zip\version_21\zkwindow.exe	Section loaded: qtcore4.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_Stars_pack_version_21.3.1.zip\version_21\zkwindow.exe	Section loaded: qtgui4.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_Stars_pack_version_21.3.1.zip\version_21\zkwindow.exe	Section loaded: qtnetwork4.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_Stars_pack_version_21.3.1.zip\version_21\zkwindow.exe	Section loaded: comn.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: explorerframe.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: textshaping.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: textinputframework.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: coreuicomponents.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: coremessaging.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: ntmarta.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: coremessaging.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: wintypes.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: wintypes.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	Section loaded: qtcore4.dll
Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	Section loaded: qtgui4.dll
Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	Section loaded: qtnetwork4.dll
Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	Section loaded: comn.dll
Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	Section loaded: winmm.dll
Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	Section loaded: libssl-1_1.dll
Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	Section loaded: userenv.dll
Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	Section loaded: netapi32.dll
Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	Section loaded: libcrypto-1_1.dll
Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	Section loaded: netutils.dll
Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	Section loaded: samcli.dll
Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	Section loaded: pla.dll
Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	Section loaded: pdh.dll
Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	Section loaded: tdh.dll
Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	Section loaded: cabinet.dll
Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	Section loaded: wevtapi.dll
Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	Section loaded: shdocvw.dll
Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: bitsproxy.dll

Source: C:\Program Files\7-Zip\7zG.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\7-Zip\7zG.exe

File opened: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\msvcr80.dll

Drops PE files

Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\msvcp80.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\Comn.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\QtCore4.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\QtGui4.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\libssl-1_1.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\QtNetwork4.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\msvcr80.dll	Jump to dropped file

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	API/Special instruction interceptor: Address: 6CB27C44
Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	API/Special instruction interceptor: Address: 6CB27945
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 6CB23B54

Found dropped PE file which has not been started or loaded

Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\msvcp80.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\libssl-1_1.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\msvcr80.dll	Jump to dropped file

Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe

Process information queried: ProcessInformation

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	NtProtectVirtualMemory: Direct from: 0x77DF7B2E
Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	NtQueryInformationToken: Direct from: 0x6500399D
Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	NtSetSecurityObject: Direct from: 0x77DF63E1

Maps a DLL or memory area into another process

Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe

Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\SysWOW64\cmd.exe

Queries volume information: C:\ VolumeInformation

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match

File source: 00000013.00000002.2319472527.00000000056A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected Credential Stealer

Source: Yara match

File source: 00000013.00000002.2319472527.00000000056A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match

File source: 00000013.00000002.2319472527.00000000056A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

ID:	1636623
Product:	CloudBasic
Start time:	00:54:14
Start date:	13.03.2025
Cookbook:	defaultwindowsinteractivecookbook.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Temp\c149800b	data	FE456788132917CE89DC14974A4EEBE1	8F73A042EC8F996273E1F351D219055FF161D397	DF12CB39E129E6E4BC8711D1CF78CCE05B99D5A2137B3C9B24BAD0A53682754A
C:\Users\user\Downloads\Stars_pack_version_21.3.1.zip (copy)	Zip archive data, at least v2.0 to extract, compression method=store	AA29FF8DCBFB8156EBA033E28F03A04F	1453014278C8891FCE9685C0A6BD4D079A763C24	1A34C9B4500CF7859C36C102209902202FB7188ACA1BA759F2D5018BF2655CC1
C:\Users\user\Downloads\Stars_pack_version_21.3.1.zip.crdownload	Zip archive data, at least v2.0 to extract, compression method=store	AA29FF8DCBFB8156EBA033E28F03A04F	1453014278C8891FCE9685C0A6BD4D079A763C24	1A34C9B4500CF7859C36C102209902202FB7188ACA1BA759F2D5018BF2655CC1
C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\Comn.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	F76F5A566CBB5F561D26E7ACA841C723	4838FD2DD9DBFCDAF2B1F11091F15A17F93C29BE	0576FC3B0C9381C47A8A9443ABDD195EEBB34ECE0ADC5C6D17624CA0E914E8E3
C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\QtCore4.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	03985B7B207E63B6BB894EA6EA78D92B	0E6FC44B1F3C724E6050152D9E240A548314A6FF	793153A9262E4C280A71EA595FE49208A89766D6D344766AF0ABF8C32648F3E0
C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\QtGui4.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	4346A780699F377A189A38247A0D513A	5D5AA81A6CA07862A8A7E48D592CDA6377C1AA60	DBDF5E11EC81ED1D941EC16FC7B94AB65F814CEB1E7FB524F2C64CBB422F7382
C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\QtNetwork4.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	A3C0C0B1442CDC0A2F49C2B2AE39D245	6AFF3D64E06955FB9AD4B19C394DCFDC212B423A	901FC44992636086F2BC958AA3BDBE2D9AC3E169FC11E0F9D92D235CC906A35A
C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\acajou.dmg	Matlab v4 mat-file (little endian) l, numeric, rows 20557, columns 7301632	FFE5B815B53AEFA2A3F9841B769E81CF	7CA12C0A136835C659F3DAFF0E6ECEAB396F45E2	881E7EF68C2A1BCFBDC5ED6F487964B5DE35D0D089EFC070392695012E9D25D0
C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\libcrypto-1_1.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	832205883448AB8C689D8A434D92F80B	890C403A288C65683EDBE9917B972CEB6EB7EBA7	558ADDAE67D50612ACD60A02FB29D41BE61999D299348DF9A225E419CC9395ED
C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\libssl-1_1.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	CDBF8CD36924FFB81B19487746F7F18E	781190C5A979359054CE56CEEF714A8F5384CFBB	0813C77DF688B39F26BAD0BE2B3E4AFDE13E97D9A1EBCBDB3B1F4184218D1A57
C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\mickey.db	data	09EC1026D8E37966569B4E0E342085FD	A5478A19E3C258CA1FC58E5C9E8CCA8181FE103E	DD024320B537CDD9D2604BA6FE6B1D1B25856B03F65F791B646BA0DC5A8DCD78
C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\msvcp80.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	272A9E637ADCAF30B34EA184F4852836	6DE8A52A565F813F8AC7362E0C8BA334B680F8F8	35B15B78C31111DB4FA11D9C9CAD3A6F22C92DAA5E6F069DC455E72073266CC4
C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\msvcr80.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	43143ABB001D4211FAB627C136124A44	EDB99760AE04BFE68AAACF34EB0287A3C10EC885	CB8928FF2FAF2921B1EDDC267DCE1BB64E6FEE4D15B68CD32588E0F3BE116B03
C:\Users\user\Downloads\Stars_pack_version_21.3.1\version_21\zkwindow.exe	PE32 executable (GUI) Intel 80386, for MS Windows	7700F61BECA60DB53658C52A05B01941	983F920FFEC60B308C02CC07E0ABF465C8BA965A	7E6B2664F4417F5A8F981CED5F2EEF867CB72BCA990FE3864D76D878FF62CF52
C:\Users\user\Downloads\d5d6b308-bfbb-4dd4-bf8b-ff8f825d0b61.tmp	Zip archive data, at least v2.0 to extract, compression method=store	20DBDA147132B510BC9F05980E014135	76645CD414FD5537FA7B99F1ADF932C931E02C35	815359E2A1F07CAFDE6F5B986320EF87CC84627499817C5FBF210A74727751B0

Windows Analysis Report
https://westmaidentrue.click/mirage/magestique

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

Compliance

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report https://westmaidentrue.click/mirage/magestique

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

Compliance

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report
https://westmaidentrue.click/mirage/magestique

Malware Threat Intel
Provided by