Windows Analysis Report
Implosions.exe

Overview

General Information

Sample name: Implosions.exe
Analysis ID: 1639986
MD5: 1de3d44fc259e585d924d872d8224972
SHA1: d81dc1f25ea3df6dc4d2fb6520491721594fbe96
SHA256: 3ef92d70a248a8e1b1cda278e99f80fa7e66c6c89cbb90c6d3b295faff061b5a
Tags: exeuser-BastianHein

Detection

RedLine
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected RedLine Stealer
C2 URLs / IPs found in malware configuration
Joe Sandbox ML detected suspicious sample
Uses known network protocols on non-standard ports
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara detected Credential Stealer
Yara signature match

Classification

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

AV Detection

Source: Implosions.exe Avira: detected
Source: Implosions.exe Malware Configuration Extractor: RedLine {"C2 url": ["209.38.151.4:55123"], "Bot Id": "vex4you"}
Source: Implosions.exe Virustotal: Detection: 83%
Source: Implosions.exe ReversingLabs: Detection: 86%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: Implosions.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Implosions.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: Implosions.exe, 00000000.00000002.2078994669.0000000000810000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: oHC:\Windows\System.ServiceModel.pdb source: Implosions.exe, 00000000.00000002.2078713458.00000000006F7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: o.pdbService source: Implosions.exe, 00000000.00000002.2078713458.00000000006F7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb0 source: Implosions.exe, 00000000.00000002.2078994669.0000000000810000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdbb source: Implosions.exe, 00000000.00000002.2078994669.0000000000889000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.pdb source: Implosions.exe, 00000000.00000002.2078994669.0000000000810000.00000004.00000020.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2082185598.0000000005E52000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: Implosions.exe, 00000000.00000002.2078994669.0000000000810000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: Implosions.exe, 00000000.00000002.2078994669.0000000000810000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb, source: Implosions.exe, 00000000.00000002.2078994669.0000000000810000.00000004.00000020.00020000.00000000.sdmp

Networking

Source: Network traffic Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.8:49710 -> 209.38.151.4:55123
Source: Network traffic Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.8:49710 -> 209.38.151.4:55123
Source: Network traffic Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.8:49692 -> 209.38.151.4:55123
Source: Network traffic Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.8:49692 -> 209.38.151.4:55123
Source: Network traffic Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.8:49699 -> 209.38.151.4:55123
Source: Network traffic Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.8:49699 -> 209.38.151.4:55123
Source: Network traffic Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.8:49711 -> 209.38.151.4:55123
Source: Network traffic Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.8:49711 -> 209.38.151.4:55123
Source: Network traffic Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.8:49702 -> 209.38.151.4:55123
Source: Network traffic Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.8:49702 -> 209.38.151.4:55123
Source: Network traffic Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.8:49683 -> 209.38.151.4:55123
Source: Network traffic Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.8:49683 -> 209.38.151.4:55123
Source: Network traffic Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.8:49705 -> 209.38.151.4:55123
Source: Network traffic Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.8:49705 -> 209.38.151.4:55123
Source: Network traffic Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.8:49682 -> 209.38.151.4:55123
Source: Network traffic Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.8:49682 -> 209.38.151.4:55123
Source: Network traffic Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.8:49690 -> 209.38.151.4:55123
Source: Network traffic Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.8:49690 -> 209.38.151.4:55123
Source: Network traffic Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.8:49691 -> 209.38.151.4:55123
Source: Network traffic Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.8:49691 -> 209.38.151.4:55123
Source: Network traffic Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.8:49708 -> 209.38.151.4:55123
Source: Network traffic Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.8:49708 -> 209.38.151.4:55123
Source: Network traffic Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.8:49706 -> 209.38.151.4:55123
Source: Network traffic Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.8:49706 -> 209.38.151.4:55123
Source: Network traffic Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.8:49684 -> 209.38.151.4:55123
Source: Network traffic Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.8:49684 -> 209.38.151.4:55123
Source: Network traffic Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.8:49700 -> 209.38.151.4:55123
Source: Network traffic Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.8:49700 -> 209.38.151.4:55123
Source: Network traffic Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.8:49704 -> 209.38.151.4:55123
Source: Network traffic Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.8:49704 -> 209.38.151.4:55123
Source: Network traffic Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.8:49696 -> 209.38.151.4:55123
Source: Network traffic Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.8:49696 -> 209.38.151.4:55123
Source: Network traffic Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.8:49703 -> 209.38.151.4:55123
Source: Network traffic Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.8:49703 -> 209.38.151.4:55123
Source: Network traffic Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.8:49707 -> 209.38.151.4:55123
Source: Network traffic Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.8:49707 -> 209.38.151.4:55123
Source: Network traffic Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.8:49709 -> 209.38.151.4:55123
Source: Network traffic Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.8:49709 -> 209.38.151.4:55123
Source: Malware configuration extractor URLs: 209.38.151.4:55123
Source: unknown Network traffic detected: HTTP traffic on port 49682 -> 55123
Source: unknown Network traffic detected: HTTP traffic on port 49683 -> 55123
Source: unknown Network traffic detected: HTTP traffic on port 49684 -> 55123
Source: unknown Network traffic detected: HTTP traffic on port 49690 -> 55123
Source: unknown Network traffic detected: HTTP traffic on port 49691 -> 55123
Source: unknown Network traffic detected: HTTP traffic on port 49692 -> 55123
Source: unknown Network traffic detected: HTTP traffic on port 49696 -> 55123
Source: unknown Network traffic detected: HTTP traffic on port 49699 -> 55123
Source: unknown Network traffic detected: HTTP traffic on port 49700 -> 55123
Source: unknown Network traffic detected: HTTP traffic on port 49702 -> 55123
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 55123
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 55123
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 55123
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 55123
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 55123
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 55123
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 55123
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 55123
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 55123
Source: global traffic TCP traffic: 192.168.2.8:49682 -> 209.38.151.4:55123
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 209.38.151.4:55123Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: Joe Sandbox View ASN Name: ATT-INTERNET4US
Source: unknown TCP traffic detected without corresponding DNS query: 209.38.151.4
Source: unknown HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 209.38.151.4:55123Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: Implosions.exe, 00000000.00000002.2080515452.00000000026AF000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.000000000266F000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.0000000002685000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://209.38.151.4:55123
Source: Implosions.exe, 00000000.00000002.2080515452.00000000026AF000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.00000000025D1000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.0000000002685000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://209.38.151.4:55123/
Source: Implosions.exe, 00000000.00000002.2080515452.00000000025D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: Implosions.exe, 00000000.00000002.2080515452.00000000026AF000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.00000000025D1000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.0000000002685000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.000000000267C000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: Implosions.exe, 00000000.00000002.2080515452.00000000025D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: Implosions.exe, 00000000.00000002.2080515452.00000000025D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX
Source: Implosions.exe, 00000000.00000002.2080515452.00000000025D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: Implosions.exe, 00000000.00000002.2080515452.000000000266F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Implosions.exe, 00000000.00000002.2080515452.00000000026AF000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.00000000025D1000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.0000000002685000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.000000000267C000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/
Source: Implosions.exe, 00000000.00000002.2080515452.000000000267C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/0
Source: Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/
Source: Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
Source: Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectLR
Source: Implosions.exe, 00000000.00000002.2080515452.00000000026AF000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.00000000025D1000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.0000000002685000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
Source: Implosions.exe, 00000000.00000002.2080515452.000000000266F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectT
Source: Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsLR
Source: Implosions.exe, 00000000.00000002.2080515452.00000000026AF000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.00000000025D1000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.0000000002685000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
Source: Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesLR
Source: Implosions.exe, 00000000.00000002.2080515452.00000000026AF000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.00000000025D1000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.0000000002685000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentLR
Source: Implosions.exe, 00000000.00000002.2080515452.00000000026AF000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.00000000025D1000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.0000000002685000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
Source: Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateLR
Source: Implosions.exe, 00000000.00000002.2080515452.00000000026AF000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.00000000025D1000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.0000000002685000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: Implosions.exe String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: Implosions.exe String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: Implosions.exe String found in binary or memory: https://ipinfo.io/ip%appdata%

System Summary

Source: Implosions.exe, type: SAMPLE Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Implosions.exe, type: SAMPLE Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: Implosions.exe, type: SAMPLE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.0.Implosions.exe.2f0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.0.Implosions.exe.2f0000.0.unpack, type: UNPACKEDPE Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 0.0.Implosions.exe.2f0000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000000.837325917.00000000002F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: Implosions.exe PID: 6364, type: MEMORYSTR Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_00B3E7B0 0_2_00B3E7B0
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_00B3DC90 0_2_00B3DC90
Source: Implosions.exe, 00000000.00000002.2078994669.00000000007AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Implosions.exe
Source: Implosions.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Implosions.exe, type: SAMPLE Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Implosions.exe, type: SAMPLE Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: Implosions.exe, type: SAMPLE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.0.Implosions.exe.2f0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.0.Implosions.exe.2f0000.0.unpack, type: UNPACKEDPE Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 0.0.Implosions.exe.2f0000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000000.837325917.00000000002F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: Implosions.exe PID: 6364, type: MEMORYSTR Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.troj.winEXE@2/0@0/1
Source: C:\Users\user\Desktop\Implosions.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6368:120:WilError_03
Source: Implosions.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Implosions.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\Implosions.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Implosions.exe Virustotal: Detection: 83%
Source: Implosions.exe ReversingLabs: Detection: 86%
Source: unknown Process created: C:\Users\user\Desktop\Implosions.exe "C:\Users\user\Desktop\Implosions.exe"
Source: C:\Users\user\Desktop\Implosions.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Implosions.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Implosions.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Implosions.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Implosions.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Implosions.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Implosions.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Implosions.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Implosions.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Implosions.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Implosions.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Implosions.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Implosions.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Implosions.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\Implosions.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\Implosions.exe Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\Implosions.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Implosions.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Implosions.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Implosions.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Implosions.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\Implosions.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\Implosions.exe Section loaded: dnsapi.dll
Source: Implosions.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Implosions.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: Implosions.exe, 00000000.00000002.2078994669.0000000000810000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: oHC:\Windows\System.ServiceModel.pdb source: Implosions.exe, 00000000.00000002.2078713458.00000000006F7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: o.pdbService source: Implosions.exe, 00000000.00000002.2078713458.00000000006F7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb0 source: Implosions.exe, 00000000.00000002.2078994669.0000000000810000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdbb source: Implosions.exe, 00000000.00000002.2078994669.0000000000889000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.pdb source: Implosions.exe, 00000000.00000002.2078994669.0000000000810000.00000004.00000020.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2082185598.0000000005E52000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: Implosions.exe, 00000000.00000002.2078994669.0000000000810000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: Implosions.exe, 00000000.00000002.2078994669.0000000000810000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb, source: Implosions.exe, 00000000.00000002.2078994669.0000000000810000.00000004.00000020.00020000.00000000.sdmp
Source: Implosions.exe Static PE information: 0xF00CA9A2 [Wed Aug 14 23:34:58 2097 UTC]
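The static PE facts the report lists (EXECUTABLE_IMAGE and 32BIT_MACHINE, the DYNAMIC_BASE/NX_COMPAT/NO_SEH/TERMINAL_SERVER_AWARE DllCharacteristics, an IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR entry, and a link timestamp of 0xF00CA9A2 that resolves to the year 2097, i.e. after the analysis ran) all come from a few dozen bytes of header. The following script is an added example, not part of the Joe Sandbox report or of any tool it uses: it parses those headers directly with the struct module and reproduces the same checks. The embedded header bytes are constructed to carry the report's values; they are not bytes of the real sample, and the CLR directory RVA and size in them are arbitrary placeholders.

```python
import struct
from datetime import datetime, timedelta, timezone

# Flag values from the PE/COFF specification (winnt.h).
IMAGE_FILE_MACHINE_I386 = 0x014C
FILE_CHARACTERISTICS = {
    0x0002: "EXECUTABLE_IMAGE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}
DLL_CHARACTERISTICS = {
    0x0040: "DYNAMIC_BASE",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x8000: "TERMINAL_SERVER_AWARE",
}
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14  # CLR header: present only in .NET images
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def _flags(value, table):
    return sorted(name for bit, name in table.items() if value & bit)


def triage_pe(data, now=None):
    """Parse the DOS and NT headers of a PE image and return the static facts a
    sandbox reports: machine type, COFF link timestamp, DllCharacteristics and
    whether a CLR (COM descriptor) data directory is present."""
    now = now or datetime.now(timezone.utc)
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_hdr = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _nsec, ts, _, _, _opt_size, chars = struct.unpack_from("<HHIIIHH", data, file_hdr)
    opt = file_hdr + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    pe32plus = magic == 0x20B
    # DllCharacteristics sits at the same offset in PE32 and PE32+; the data
    # directory table does not, because PE32+ widens the stack/heap fields.
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    ndirs = struct.unpack_from("<I", data, opt + (108 if pe32plus else 92))[0]
    dirs = opt + (112 if pe32plus else 96)
    com_rva = com_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        com_rva, com_size = struct.unpack_from(
            "<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
    linked = EPOCH + timedelta(seconds=ts)
    return {
        "machine": machine,
        "is_32bit": machine == IMAGE_FILE_MACHINE_I386,
        "characteristics": _flags(chars, FILE_CHARACTERISTICS),
        "dll_characteristics": _flags(dll_chars, DLL_CHARACTERISTICS),
        "timestamp_raw": ts,
        "timestamp_utc": linked.isoformat(),
        # A zero timestamp, or one later than "now", cannot be a genuine link time.
        "timestamp_suspicious": ts == 0 or linked > now,
        "is_dotnet": com_rva != 0 and com_size != 0,
    }


def build_sample_header():
    """Constructed minimal PE32 header (not bytes from the real sample) carrying
    the report's static values: i386, EXECUTABLE_IMAGE|32BIT_MACHINE,
    TimeDateStamp 0xF00CA9A2, all four DllCharacteristics, and a CLR directory
    whose RVA/size (0x2008/0x48) are hypothetical placeholders."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 1, 0xF00CA9A2, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                         # IMAGE_OPTIONAL_HEADER32
    struct.pack_into("<H", opt, 0, 0x10B)                        # Magic: PE32
    struct.pack_into("<H", opt, 70, 0x8540)                      # DllCharacteristics
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2008, 0x48)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


if __name__ == "__main__":
    import json
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_header()
    print(json.dumps(triage_pe(data), indent=2))
```

Run it with a file path to triage a real binary, or with no arguments to see the constructed header resolve to 2097-08-14T23:34:58+00:00 and be flagged. One caveat before treating the future timestamp as deliberate tampering: .NET compilers building deterministically (the Roslyn /deterministic default) replace TimeDateStamp with a content hash whose high bit is usually set, so far-future dates on managed binaries, like this one with its CLR directory, are common and on their own prove little.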

Hooking and other Techniques for Hiding and Protection

Source: unknown Network traffic detected: HTTP traffic on port 49682 -> 55123
Source: unknown Network traffic detected: HTTP traffic on port 49683 -> 55123
Source: unknown Network traffic detected: HTTP traffic on port 49684 -> 55123
Source: unknown Network traffic detected: HTTP traffic on port 49690 -> 55123
Source: unknown Network traffic detected: HTTP traffic on port 49691 -> 55123
Source: unknown Network traffic detected: HTTP traffic on port 49692 -> 55123
Source: unknown Network traffic detected: HTTP traffic on port 49696 -> 55123
Source: unknown Network traffic detected: HTTP traffic on port 49699 -> 55123
Source: unknown Network traffic detected: HTTP traffic on port 49700 -> 55123
Source: unknown Network traffic detected: HTTP traffic on port 49702 -> 55123
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 55123
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 55123
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 55123
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 55123
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 55123
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 55123
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 55123
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 55123
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 55123
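The nineteen entries above share one shape: a client-side port from the Windows dynamic range (49152 and up), climbing monotonically, speaking HTTP to TCP 55123, where HTTP is not expected. That combination, rather than any single connection, is what the "Uses known network protocols on non-standard ports" signature keys on. The detector below is an added example written for this page, not the sandbox's or Suricata's own logic: it parses the report's lines into flows and alerts when a known application protocol is spoken to an unexpected port repeatedly. The set of "expected" ports and the three-connection threshold are assumptions; the two benign lines at the end of the sample are constructed as a negative control.

```python
import re
from collections import defaultdict

# Ports on which plain HTTP or TLS is expected (assumed list; tune per environment).
STANDARD_PORTS = {
    "HTTP": {80, 8000, 8008, 8080, 8888},
    "HTTPS": {443, 8443},
}
# Default Windows dynamic (ephemeral) client port range.
EPHEMERAL = range(49152, 65536)

LINE_RE = re.compile(
    r"Network traffic detected: (?P<proto>HTTPS?) traffic on port (?P<sport>\d+) -> (?P<dport>\d+)"
)

# The nineteen flows from the report, plus two constructed benign flows.
SAMPLE_LINES = [
    "Source: unknown Network traffic detected: HTTP traffic on port %d -> 55123" % p
    for p in (49682, 49683, 49684, 49690, 49691, 49692, 49696, 49699, 49700,
              49702, 49703, 49704, 49705, 49706, 49707, 49708, 49709, 49710, 49711)
] + [
    "Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 80",      # constructed
    "Source: unknown Network traffic detected: HTTPS traffic on port 49721 -> 443",    # constructed
]


def parse_flow_lines(lines):
    """Turn report lines into (proto, src_port, dst_port) tuples; other lines are ignored."""
    flows = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            flows.append((m["proto"], int(m["sport"]), int(m["dport"])))
    return flows


def detect_nonstandard_http(flows, min_connections=3):
    """Group flows by (protocol, destination port) and alert when a known
    application protocol is spoken to a port where it is not expected at
    least min_connections times."""
    grouped = defaultdict(list)
    for proto, sport, dport in flows:
        if dport not in STANDARD_PORTS.get(proto, set()):
            grouped[(proto, dport)].append(sport)
    alerts = []
    for (proto, dport), sports in sorted(grouped.items()):
        if len(sports) < min_connections:
            continue
        alerts.append({
            "proto": proto,
            "dst_port": dport,
            "connections": len(sports),
            # Every source port in one host's ephemeral range and strictly rising:
            # a single process reconnecting in a loop, not many independent clients.
            "single_client_pattern": (
                all(p in EPHEMERAL for p in sports)
                and all(a < b for a, b in zip(sports, sports[1:]))
            ),
            "src_port_span": (min(sports), max(sports)),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_nonstandard_http(parse_flow_lines(SAMPLE_LINES)):
        print(alert)
```

The protocol label is the part a port-based rule cannot supply: the sandbox (and Suricata, whose alerts the report also lists) classifies the payload as HTTP regardless of the port, so this logic belongs behind a sensor that does application-layer detection, not in a firewall rule keyed on port numbers alone.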
Source: C:\Users\user\Desktop\Implosions.exe Process information set: NOOPENFILEERRORBOX (identical event reported 47 times)
Source: C:\Users\user\Desktop\Implosions.exe Memory allocated: B30000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Implosions.exe Memory allocated: 25D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Implosions.exe Memory allocated: 45D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Implosions.exe TID: 6388 Thread sleep time: -75000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: Implosions.exe, 00000000.00000002.2078994669.0000000000810000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\Implosions.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Implosions.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\Implosions.exe Queries volume information: C:\Users\user\Desktop\Implosions.exe VolumeInformation
Source: C:\Users\user\Desktop\Implosions.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\Desktop\Implosions.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\Desktop\Implosions.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\Desktop\Implosions.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\Implosions.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\Desktop\Implosions.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: Implosions.exe, type: SAMPLE
Source: Yara match File source: 0.0.Implosions.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.837325917.00000000002F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Implosions.exe PID: 6364, type: MEMORYSTR
Source: Yara match File source: Implosions.exe, type: SAMPLE
Source: Yara match File source: 0.0.Implosions.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.837325917.00000000002F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Implosions.exe PID: 6364, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: Implosions.exe, type: SAMPLE
Source: Yara match File source: 0.0.Implosions.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.837325917.00000000002F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Implosions.exe PID: 6364, type: MEMORYSTR