Windows Analysis Report
Implosions.exe

Overview

General Information

Sample name: Implosions.exe
Analysis ID: 1639986
MD5: 1de3d44fc259e585d924d872d8224972
SHA1: d81dc1f25ea3df6dc4d2fb6520491721594fbe96
SHA256: 3ef92d70a248a8e1b1cda278e99f80fa7e66c6c89cbb90c6d3b295faff061b5a
Tags: exe, user-BastianHein
Infos:

Detection

RedLine
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected RedLine Stealer
C2 URLs / IPs found in malware configuration
Joe Sandbox ML detected suspicious sample
Uses known network protocols on non-standard ports
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Implosions.exe (PID: 6364 cmdline: "C:\Users\user\Desktop\Implosions.exe" MD5: 1DE3D44FC259E585D924D872D8224972)
    • conhost.exe (PID: 6368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
RedLine Stealer | RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. | No Attribution | https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{"C2 url": ["209.38.151.4:55123"], "Bot Id": "vex4you"}
Source | Rule | Description | Author | Strings
Implosions.exe | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Implosions.exe | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
Implosions.exe | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown |
  • 0x135ca:$a4: get_ScannedWallets
  • 0x12428:$a5: get_ScanTelegram
  • 0x1324e:$a6: get_ScanGeckoBrowsersPaths
  • 0x1106a:$a7: <Processes>k__BackingField
  • 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
  • 0x1099e:$a9: <ScanFTP>k__BackingField
Implosions.exe | infostealer_win_redline_strings | Finds Redline samples based on characteristic strings | Sekoia.io |
  • 0x119cb:$gen01: ChromeGetRoamingName
  • 0x119ff:$gen02: ChromeGetLocalName
  • 0x11a28:$gen03: get_UserDomainName
  • 0x13c67:$gen04: get_encrypted_key
  • 0x131e3:$gen05: browserPaths
  • 0x1352b:$gen06: GetBrowsers
  • 0x12e61:$gen07: get_InstalledInputLanguages
  • 0x1064f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION
  • 0x8738:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}
  • 0x9118:$spe6: windows-1251, CommandLine:
  • 0x143bf:$spe9: *wallet*
  • 0xee0c:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20
  • 0xef07:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0
  • 0xf264:$typ03: A937C899247696B6565665BE3BD09607F49A2042
  • 0xf371:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2
  • 0xf4f0:$typ05: 4E3D7F188A5F5102BEC5B820632BBAEC26839E63
  • 0xee98:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60
  • 0xeec1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280
  • 0xf05f:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301
  • 0xf39a:$typ12: EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2
  • 0xf439:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
Implosions.exe | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen |
  • 0x1048a:$u7: RunPE
  • 0x13b41:$u8: DownloadAndEx
  • 0x9130:$pat14: , CommandLine:
  • 0x13079:$v2_1: ListOfProcesses
  • 0x1068b:$v2_2: get_ScanVPN
  • 0x1072e:$v2_2: get_ScanFTP
  • 0x1141e:$v2_2: get_ScanDiscord
  • 0x1240c:$v2_2: get_ScanSteam
  • 0x12428:$v2_2: get_ScanTelegram
  • 0x124ce:$v2_2: get_ScanScreen
  • 0x13216:$v2_2: get_ScanChromeBrowsersPaths
  • 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths
  • 0x13509:$v2_2: get_ScanBrowsers
  • 0x135ca:$v2_2: get_ScannedWallets
  • 0x135f0:$v2_2: get_ScanWallets
  • 0x13610:$v2_3: GetArguments
  • 0x11cd9:$v2_4: VerifyUpdate
  • 0x165ee:$v2_4: VerifyUpdate
  • 0x139ca:$v2_5: VerifyScanRequest
  • 0x130c6:$v2_6: GetUpdates
  • 0x165cf:$v2_6: GetUpdates
Source | Rule | Description | Author | Strings
00000000.00000000.837325917.00000000002F2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000000.837325917.00000000002F2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000000.00000000.837325917.00000000002F2000.00000002.00000001.01000000.00000003.sdmp | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown |
  • 0x133ca:$a4: get_ScannedWallets
  • 0x12228:$a5: get_ScanTelegram
  • 0x1304e:$a6: get_ScanGeckoBrowsersPaths
  • 0x10e6a:$a7: <Processes>k__BackingField
  • 0xed7c:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
  • 0x1079e:$a9: <ScanFTP>k__BackingField
Process Memory Space: Implosions.exe PID: 6364 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: Implosions.exe PID: 6364 | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
Source | Rule | Description | Author | Strings
0.0.Implosions.exe.2f0000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0.0.Implosions.exe.2f0000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
0.0.Implosions.exe.2f0000.0.unpack | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown |
  • 0x135ca:$a4: get_ScannedWallets
  • 0x12428:$a5: get_ScanTelegram
  • 0x1324e:$a6: get_ScanGeckoBrowsersPaths
  • 0x1106a:$a7: <Processes>k__BackingField
  • 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
  • 0x1099e:$a9: <ScanFTP>k__BackingField
0.0.Implosions.exe.2f0000.0.unpack | infostealer_win_redline_strings | Finds Redline samples based on characteristic strings | Sekoia.io |
  • 0x119cb:$gen01: ChromeGetRoamingName
  • 0x119ff:$gen02: ChromeGetLocalName
  • 0x11a28:$gen03: get_UserDomainName
  • 0x13c67:$gen04: get_encrypted_key
  • 0x131e3:$gen05: browserPaths
  • 0x1352b:$gen06: GetBrowsers
  • 0x12e61:$gen07: get_InstalledInputLanguages
  • 0x1064f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION
  • 0x8738:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}
  • 0x9118:$spe6: windows-1251, CommandLine:
  • 0x143bf:$spe9: *wallet*
  • 0xee0c:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20
  • 0xef07:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0
  • 0xf264:$typ03: A937C899247696B6565665BE3BD09607F49A2042
  • 0xf371:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2
  • 0xf4f0:$typ05: 4E3D7F188A5F5102BEC5B820632BBAEC26839E63
  • 0xee98:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60
  • 0xeec1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280
  • 0xf05f:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301
  • 0xf39a:$typ12: EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2
  • 0xf439:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
0.0.Implosions.exe.2f0000.0.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen |
  • 0x1048a:$u7: RunPE
  • 0x13b41:$u8: DownloadAndEx
  • 0x9130:$pat14: , CommandLine:
  • 0x13079:$v2_1: ListOfProcesses
  • 0x1068b:$v2_2: get_ScanVPN
  • 0x1072e:$v2_2: get_ScanFTP
  • 0x1141e:$v2_2: get_ScanDiscord
  • 0x1240c:$v2_2: get_ScanSteam
  • 0x12428:$v2_2: get_ScanTelegram
  • 0x124ce:$v2_2: get_ScanScreen
  • 0x13216:$v2_2: get_ScanChromeBrowsersPaths
  • 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths
  • 0x13509:$v2_2: get_ScanBrowsers
  • 0x135ca:$v2_2: get_ScannedWallets
  • 0x135f0:$v2_2: get_ScanWallets
  • 0x13610:$v2_3: GetArguments
  • 0x11cd9:$v2_4: VerifyUpdate
  • 0x165ee:$v2_4: VerifyUpdate
  • 0x139ca:$v2_5: VerifyScanRequest
  • 0x130c6:$v2_6: GetUpdates
  • 0x165cf:$v2_6: GetUpdates
No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-16T19:57:11.193787+0100 | 2849662 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:57:17.801349+0100 | 2849662 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49683 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:57:24.583200+0100 | 2849662 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49684 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:57:31.217197+0100 | 2849662 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49690 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:57:37.840316+0100 | 2849662 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49691 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:57:44.479821+0100 | 2849662 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49692 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:57:51.090868+0100 | 2849662 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49696 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:57:57.695871+0100 | 2849662 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49699 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:58:04.306340+0100 | 2849662 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49700 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:58:10.922094+0100 | 2849662 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49702 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:58:17.506258+0100 | 2849662 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49703 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:58:24.120709+0100 | 2849662 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:58:30.733658+0100 | 2849662 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49705 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:58:37.340576+0100 | 2849662 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:58:43.966020+0100 | 2849662 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49707 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:58:50.725226+0100 | 2849662 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49708 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:58:57.320546+0100 | 2849662 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49709 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:59:03.915634+0100 | 2849662 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49710 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:59:10.509319+0100 | 2849662 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49711 | 209.38.151.4 | 55123 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-16T19:57:11.193787+0100 | 1800000 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:57:17.801349+0100 | 1800000 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49683 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:57:24.583200+0100 | 1800000 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49684 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:57:31.217197+0100 | 1800000 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49690 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:57:37.840316+0100 | 1800000 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49691 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:57:44.479821+0100 | 1800000 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49692 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:57:51.090868+0100 | 1800000 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49696 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:57:57.695871+0100 | 1800000 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49699 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:58:04.306340+0100 | 1800000 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49700 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:58:10.922094+0100 | 1800000 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49702 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:58:17.506258+0100 | 1800000 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49703 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:58:24.120709+0100 | 1800000 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:58:30.733658+0100 | 1800000 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49705 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:58:37.340576+0100 | 1800000 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:58:43.966020+0100 | 1800000 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49707 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:58:50.725226+0100 | 1800000 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49708 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:58:57.320546+0100 | 1800000 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49709 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:59:03.915634+0100 | 1800000 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49710 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:59:10.509319+0100 | 1800000 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49711 | 209.38.151.4 | 55123 | TCP

AV Detection

Source: Implosions.exe | Avira: detected
Source: Implosions.exe | Malware Configuration Extractor: RedLine {"C2 url": ["209.38.151.4:55123"], "Bot Id": "vex4you"}
Source: Implosions.exe | Virustotal: Detection: 83%
Source: Implosions.exe | ReversingLabs: Detection: 86%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Implosions.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Implosions.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: Implosions.exe, 00000000.00000002.2078994669.0000000000810000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: oHC:\Windows\System.ServiceModel.pdb source: Implosions.exe, 00000000.00000002.2078713458.00000000006F7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: o.pdbService source: Implosions.exe, 00000000.00000002.2078713458.00000000006F7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb0 source: Implosions.exe, 00000000.00000002.2078994669.0000000000810000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdbb source: Implosions.exe, 00000000.00000002.2078994669.0000000000889000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.pdb source: Implosions.exe, 00000000.00000002.2078994669.0000000000810000.00000004.00000020.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2082185598.0000000005E52000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: Implosions.exe, 00000000.00000002.2078994669.0000000000810000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: Implosions.exe, 00000000.00000002.2078994669.0000000000810000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb, source: Implosions.exe, 00000000.00000002.2078994669.0000000000810000.00000004.00000020.00020000.00000000.sdmp

Networking

Source: Network traffic | Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.8:49710 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.8:49710 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.8:49692 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.8:49692 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.8:49699 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.8:49699 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.8:49711 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.8:49711 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.8:49702 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.8:49702 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.8:49683 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.8:49683 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.8:49705 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.8:49705 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.8:49682 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.8:49682 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.8:49690 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.8:49690 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.8:49691 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.8:49691 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.8:49708 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.8:49708 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.8:49706 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.8:49706 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.8:49684 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.8:49684 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.8:49700 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.8:49700 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.8:49704 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.8:49704 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.8:49696 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.8:49696 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.8:49703 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.8:49703 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.8:49707 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.8:49707 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.8:49709 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.8:49709 -> 209.38.151.4:55123
Source: Malware configuration extractor | URLs: 209.38.151.4:55123
Source: unknown | Network traffic detected: HTTP traffic on port 49682 -> 55123
Source: unknown | Network traffic detected: HTTP traffic on port 49683 -> 55123
Source: unknown | Network traffic detected: HTTP traffic on port 49684 -> 55123
Source: unknown | Network traffic detected: HTTP traffic on port 49690 -> 55123
Source: unknown | Network traffic detected: HTTP traffic on port 49691 -> 55123
Source: unknown | Network traffic detected: HTTP traffic on port 49692 -> 55123
Source: unknown | Network traffic detected: HTTP traffic on port 49696 -> 55123
Source: unknown | Network traffic detected: HTTP traffic on port 49699 -> 55123
Source: unknown | Network traffic detected: HTTP traffic on port 49700 -> 55123
Source: unknown | Network traffic detected: HTTP traffic on port 49702 -> 55123
Source: unknown | Network traffic detected: HTTP traffic on port 49703 -> 55123
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 55123
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 55123
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 55123
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 55123
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 55123
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 55123
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 55123
Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 55123
Source: global traffic | TCP traffic: 192.168.2.8:49682 -> 209.38.151.4:55123
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: text/xml; charset=utf-8 | SOAPAction: "http://tempuri.org/Endpoint/CheckConnect" | Host: 209.38.151.4:55123 | Content-Length: 137 | Expect: 100-continue | Accept-Encoding: gzip, deflate | Connection: Keep-Alive (this identical request is reported once for each of the 19 connections listed above)
                  Source: Joe Sandbox View | ASN Name: ATT-INTERNET4US ATT-INTERNET4US
                  Source: unknown | TCP traffic detected without corresponding DNS query: 209.38.151.4 (recorded 50 times)
                  Source: unknown | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: text/xml; charset=utf-8 | SOAPAction: "http://tempuri.org/Endpoint/CheckConnect" | Host: 209.38.151.4:55123 | Content-Length: 137 | Expect: 100-continue | Accept-Encoding: gzip, deflate | Connection: Keep-Alive
                  Source: Implosions.exe, 00000000.00000002.2080515452.00000000026AF000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.000000000266F000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.0000000002685000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://209.38.151.4:55123
                  Source: Implosions.exe, 00000000.00000002.2080515452.00000000026AF000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.00000000025D1000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.0000000002685000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://209.38.151.4:55123/
                  Source: Implosions.exe, 00000000.00000002.2080515452.00000000025D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
                  Source: Implosions.exe, 00000000.00000002.2080515452.00000000026AF000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.00000000025D1000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.0000000002685000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.000000000267C000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                  Source: Implosions.exe, 00000000.00000002.2080515452.00000000025D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
                  Source: Implosions.exe, 00000000.00000002.2080515452.00000000025D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX
                  Source: Implosions.exe, 00000000.00000002.2080515452.00000000025D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                  Source: Implosions.exe, 00000000.00000002.2080515452.000000000266F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: Implosions.exe, 00000000.00000002.2080515452.00000000026AF000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.00000000025D1000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.0000000002685000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.000000000267C000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/
                  Source: Implosions.exe, 00000000.00000002.2080515452.000000000267C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/0
                  Source: Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/
                  Source: Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
                  Source: Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectLR
                  Source: Implosions.exe, 00000000.00000002.2080515452.00000000026AF000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.00000000025D1000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.0000000002685000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
                  Source: Implosions.exe, 00000000.00000002.2080515452.000000000266F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectT
                  Source: Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsLR
                  Source: Implosions.exe, 00000000.00000002.2080515452.00000000026AF000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.00000000025D1000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.0000000002685000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
                  Source: Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesLR
                  Source: Implosions.exe, 00000000.00000002.2080515452.00000000026AF000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.00000000025D1000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.0000000002685000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
                  Source: Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentLR
                  Source: Implosions.exe, 00000000.00000002.2080515452.00000000026AF000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.00000000025D1000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.0000000002685000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
                  Source: Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateLR
                  Source: Implosions.exe, 00000000.00000002.2080515452.00000000026AF000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.00000000025D1000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.0000000002685000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
                  Source: Implosions.exe | String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
                  Source: Implosions.exe | String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
                  Source: Implosions.exe | String found in binary or memory: https://ipinfo.io/ip%appdata%
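
                  The beacon recorded above (a SOAP POST to a bare IPv4 address on port 55123, no User-Agent, no preceding DNS query) and the WCF operation URIs recovered from process memory are enough to build a small two-sided check: one over a captured HTTP request, one over a file or memory dump. The block below is an added example and is neither Joe Sandbox nor RedLine code. WEB_PORTS is an assumption about what "standard" web ports mean for this check, and SAMPLE_REQUEST and SAMPLE_MEMORY are constructed from the indicators listed in this report rather than captured from the sample. The memory scan searches both ASCII and UTF-16LE because .NET holds strings as UTF-16 in memory while the SOAP envelope on the wire is UTF-8; a rule that only looks for the ASCII form misses the in-memory copy.

```python
"""Triage helpers for the RedLine WCF/SOAP beacon recorded in this report.

Added example; this is neither Joe Sandbox nor RedLine code. SAMPLE_REQUEST
and SAMPLE_MEMORY are constructed from the indicators the report lists.
"""
import re
from typing import Dict, List, Tuple

# Operation names taken from the SOAPAction URIs recovered from process memory.
WCF_OPERATIONS = ("CheckConnect", "EnvironmentSettings", "GetUpdates",
                  "SetEnvironment", "VerifyUpdate")
SOAP_ACTION_PREFIX = "http://tempuri.org/Endpoint/"
# Assumption: ports a proxy or IDS would treat as ordinary web traffic.
WEB_PORTS = {80, 443, 8080, 8443}


def parse_http_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split the head of a raw HTTP/1.x request into (method, target, headers).

    Header names are lower-cased for lookup; the body, if present, is ignored.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    method = parts[0]
    target = parts[1] if len(parts) > 1 else ""
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def beacon_reasons(raw: bytes) -> List[str]:
    """Return the indicators from this report that the request exhibits.

    An empty list means none is present. The SOAPAction check is the specific
    one; the others are generic and only strengthen a hit.
    """
    method, _target, h = parse_http_request(raw)
    reasons: List[str] = []
    action = h.get("soapaction", "").strip('"')
    if method == "POST" and action.startswith(SOAP_ACTION_PREFIX):
        op = action[len(SOAP_ACTION_PREFIX):]
        if op in WCF_OPERATIONS:
            reasons.append(f"SOAPAction tempuri.org/Endpoint/{op}")
    if "user-agent" not in h:
        reasons.append("no User-Agent header")
    m = re.fullmatch(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)", h.get("host", ""))
    if m:
        reasons.append("Host is a bare IPv4 address (no DNS lookup needed)")
        if int(m.group(2)) not in WEB_PORTS:
            reasons.append(f"HTTP on non-standard port {m.group(2)}")
    return reasons


def is_redline_beacon(raw: bytes) -> bool:
    """True only when the specific SOAPAction indicator is present."""
    return any(r.startswith("SOAPAction tempuri.org/Endpoint/") for r in beacon_reasons(raw))


def find_wcf_strings(buf: bytes) -> Dict[str, List[str]]:
    """Locate the WCF operation URIs in a file or memory dump.

    Both ASCII and UTF-16LE are searched; the result maps each operation found
    to the encodings it was found in.
    """
    found: Dict[str, List[str]] = {}
    for op in WCF_OPERATIONS:
        uri = SOAP_ACTION_PREFIX + op
        encodings = [name for name, needle in
                     (("ascii", uri.encode("ascii")), ("utf-16le", uri.encode("utf-16le")))
                     if needle in buf]
        if encodings:
            found[op] = encodings
    return found


# Constructed from the request line and headers in the report; no body is included.
SAMPLE_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Content-Type: text/xml; charset=utf-8\r\n"
    b'SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"\r\n'
    b"Host: 209.38.151.4:55123\r\n"
    b"Content-Length: 137\r\n"
    b"Expect: 100-continue\r\n"
    b"Accept-Encoding: gzip, deflate\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
)

# Constructed memory buffer: one ASCII and one UTF-16LE occurrence between filler.
SAMPLE_MEMORY = (
    b"\x00" * 16
    + b"http://tempuri.org/Endpoint/GetUpdates"
    + b"\x00" * 8
    + "http://tempuri.org/Endpoint/CheckConnect".encode("utf-16le")
    + b"\x00" * 16
)

if __name__ == "__main__":
    print(is_redline_beacon(SAMPLE_REQUEST), beacon_reasons(SAMPLE_REQUEST))
    print(find_wcf_strings(SAMPLE_MEMORY))
```

                  The Host check deliberately stays separate from the verdict: a bare IP on an odd port is common enough in legitimate internal traffic that it should raise the score of a SOAPAction hit, not produce one by itself.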

                  System Summary

                  Source: Implosions.exe, type: SAMPLE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                  Source: Implosions.exe, type: SAMPLE | Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
                  Source: Implosions.exe, type: SAMPLE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 0.0.Implosions.exe.2f0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                  Source: 0.0.Implosions.exe.2f0000.0.unpack, type: UNPACKEDPE | Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
                  Source: 0.0.Implosions.exe.2f0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 00000000.00000000.837325917.00000000002F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                  Source: Process Memory Space: Implosions.exe PID: 6364, type: MEMORYSTR | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                  Source: C:\Users\user\Desktop\Implosions.exe | Code function: 0_2_00B3E7B0
                  Source: C:\Users\user\Desktop\Implosions.exe | Code function: 0_2_00B3DC90
                  Source: Implosions.exe, 00000000.00000002.2078994669.00000000007AE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Implosions.exe
                  Source: Implosions.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: Implosions.exe, type: SAMPLE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb | reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                  Source: Implosions.exe, type: SAMPLE | Matched rule: infostealer_win_redline_strings | author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                  Source: Implosions.exe, type: SAMPLE | Matched rule: MALWARE_Win_RedLine | snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 0.0.Implosions.exe.2f0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb | reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                  Source: 0.0.Implosions.exe.2f0000.0.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_redline_strings | author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                  Source: 0.0.Implosions.exe.2f0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine | snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 00000000.00000000.837325917.00000000002F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_f54632eb | reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                  Source: Process Memory Space: Implosions.exe PID: 6364, type: MEMORYSTR | Matched rule: Windows_Trojan_RedLineStealer_f54632eb | reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                  Source: classification engine | Classification label: mal100.troj.winEXE@2/0@0/1
                  Source: C:\Users\user\Desktop\Implosions.exe | Mutant created: NULL
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6368:120:WilError_03
                  Source: Implosions.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: Implosions.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                  Source: C:\Users\user\Desktop\Implosions.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: Implosions.exe | Virustotal: Detection: 83%
                  Source: Implosions.exe | ReversingLabs: Detection: 86%
                  Source: unknown | Process created: C:\Users\user\Desktop\Implosions.exe "C:\Users\user\Desktop\Implosions.exe"
                  Source: C:\Users\user\Desktop\Implosions.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\Implosions.exe | Section loaded: mscoree.dll
                  Source: C:\Users\user\Desktop\Implosions.exe | Section loaded: apphelp.dll
                  Source: C:\Users\user\Desktop\Implosions.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\Implosions.exe | Section loaded: version.dll
                  Source: C:\Users\user\Desktop\Implosions.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\Desktop\Implosions.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\Desktop\Implosions.exe | Section loaded: cryptsp.dll
                  Source: C:\Users\user\Desktop\Implosions.exe | Section loaded: rsaenh.dll
                  Source: C:\Users\user\Desktop\Implosions.exe | Section loaded: cryptbase.dll
                  Source: C:\Users\user\Desktop\Implosions.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\Desktop\Implosions.exe | Section loaded: wldp.dll
                  Source: C:\Users\user\Desktop\Implosions.exe | Section loaded: profapi.dll
                  Source: C:\Users\user\Desktop\Implosions.exe | Section loaded: rasapi32.dll
                  Source: C:\Users\user\Desktop\Implosions.exe | Section loaded: rasman.dll
                  Source: C:\Users\user\Desktop\Implosions.exe | Section loaded: rtutils.dll
                  Source: C:\Users\user\Desktop\Implosions.exe | Section loaded: mswsock.dll
                  Source: C:\Users\user\Desktop\Implosions.exe | Section loaded: winhttp.dll
                  Source: C:\Users\user\Desktop\Implosions.exe | Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\Desktop\Implosions.exe | Section loaded: iphlpapi.dll
                  Source: C:\Users\user\Desktop\Implosions.exe | Section loaded: dhcpcsvc6.dll
                  Source: C:\Users\user\Desktop\Implosions.exe | Section loaded: dhcpcsvc.dll
                  Source: C:\Users\user\Desktop\Implosions.exe | Section loaded: dnsapi.dll
                  Source: Implosions.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: Implosions.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: Implosions.exe, 00000000.00000002.2078994669.0000000000810000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: oHC:\Windows\System.ServiceModel.pdb source: Implosions.exe, 00000000.00000002.2078713458.00000000006F7000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: o.pdbService source: Implosions.exe, 00000000.00000002.2078713458.00000000006F7000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb0 source: Implosions.exe, 00000000.00000002.2078994669.0000000000810000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdbb source: Implosions.exe, 00000000.00000002.2078994669.0000000000889000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.ServiceModel.pdb source: Implosions.exe, 00000000.00000002.2078994669.0000000000810000.00000004.00000020.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2082185598.0000000005E52000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: Implosions.exe, 00000000.00000002.2078994669.0000000000810000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: Implosions.exe, 00000000.00000002.2078994669.0000000000810000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb, source: Implosions.exe, 00000000.00000002.2078994669.0000000000810000.00000004.00000020.00020000.00000000.sdmp
                  Source: Implosions.exe | Static PE information: 0xF00CA9A2 [Wed Aug 14 23:34:58 2097 UTC]
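
                  The static PE findings in this section (32-bit EXECUTABLE_IMAGE, a populated IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR marking a .NET image, DYNAMIC_BASE / NX_COMPAT / NO_SEH / TERMINAL_SERVER_AWARE, and a TimeDateStamp of 0xF00CA9A2 that decodes to 14 Aug 2097) can all be reproduced from the headers alone. The block below is an added example, not Joe Sandbox code; build_minimal_pe() and SAMPLE_PE are constructed stand-ins that mirror the reported values and are not bytes from Implosions.exe. The check also carries the caveat a practitioner wants next to the "suspicious time stamp" signature: Roslyn deterministic builds, the default for SDK-style .NET projects, write a content hash into TimeDateStamp instead of a clock value, so a far-future date on a .NET binary is common on legitimate software and is weaker evidence than it would be on a native image.

```python
"""Static PE triage for the header fields this report calls out: TimeDateStamp,
DllCharacteristics and the CLR (COM descriptor) data directory.

Added example, not Joe Sandbox code. The PE bytes it runs on are built by
build_minimal_pe() below and are not taken from Implosions.exe.
"""
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14
DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
                       0x0400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE"}
FILE_CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0100: "32BIT_MACHINE"}
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def pe_triage(data: bytes, now: datetime) -> Dict[str, object]:
    """Parse the DOS, COFF and optional headers and return triage facts.

    `now` is passed in so the future-timestamp check is reproducible.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    _machine, _nsec, ts, _, _, _opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in PE32 and PE32+
    ndirs_off = opt + (108 if pe32plus else 92)
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    clr_rva = clr_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        clr_rva, clr_size = struct.unpack_from(
            "<II", data, ndirs_off + 4 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
    stamp = EPOCH + timedelta(seconds=ts)   # independent of the platform's time_t range
    is_dotnet = clr_rva != 0 and clr_size != 0
    in_future = stamp > now
    return {
        "timestamp": stamp.isoformat(),
        "timestamp_in_future": in_future,
        "is_dotnet": is_dotnet,
        "pe32plus": pe32plus,
        "file_characteristics": [n for bit, n in FILE_CHARACTERISTICS.items() if chars & bit],
        "dll_characteristics": [n for bit, n in DLL_CHARACTERISTICS.items() if dllchars & bit],
        # Roslyn deterministic builds store a content hash in TimeDateStamp, so a
        # future date on a .NET image is weak evidence on its own.
        "timestamp_note": ("likely deterministic-build hash, not a clock value"
                           if is_dotnet and in_future else ""),
    }


def build_minimal_pe(timestamp: int, dll_characteristics: int, clr_rva: int = 0) -> bytes:
    """Construct a header-only PE32 image (no sections) for testing."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, timestamp, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                          # PE32 with 16 directories
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<H", opt, 70, dll_characteristics)
    struct.pack_into("<I", opt, 92, 16)                           # NumberOfRvaAndSizes
    if clr_rva:
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, clr_rva, 72)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed to mirror the values this report lists for the sample.
SAMPLE_PE = build_minimal_pe(0xF00CA9A2, 0x0040 | 0x0100 | 0x0400 | 0x8000, clr_rva=0x2008)

if __name__ == "__main__":
    for key, value in pe_triage(SAMPLE_PE, datetime.now(timezone.utc)).items():
        print(f"{key}: {value}")
```

                  On a real file the same function is run on the file's bytes; the only difference from a full parser is that sections are not walked, which is all that is needed for these three fields.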

                  Hooking and other Techniques for Hiding and Protection

                  Source: unknown | Network traffic detected: HTTP traffic on port 49682 -> 55123
                  Source: unknown | Network traffic detected: HTTP traffic on port 49683 -> 55123
                  Source: unknown | Network traffic detected: HTTP traffic on port 49684 -> 55123
                  Source: unknown | Network traffic detected: HTTP traffic on port 49690 -> 55123
                  Source: unknown | Network traffic detected: HTTP traffic on port 49691 -> 55123
                  Source: unknown | Network traffic detected: HTTP traffic on port 49692 -> 55123
                  Source: unknown | Network traffic detected: HTTP traffic on port 49696 -> 55123
                  Source: unknown | Network traffic detected: HTTP traffic on port 49699 -> 55123
                  Source: unknown | Network traffic detected: HTTP traffic on port 49700 -> 55123
                  Source: unknown | Network traffic detected: HTTP traffic on port 49702 -> 55123
                  Source: unknown | Network traffic detected: HTTP traffic on port 49703 -> 55123
                  Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 55123
                  Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 55123
                  Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 55123
                  Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 55123
                  Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 55123
                  Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 55123
                  Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 55123
                  Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 55123
                  Source: C:\Users\user\Desktop\Implosions.exe | Process information set: NOOPENFILEERRORBOX (recorded 47 times)
Source: C:\Users\user\Desktop\Implosions.exe | Memory allocated: B30000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Implosions.exe | Memory allocated: 25D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Implosions.exe | Memory allocated: 45D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Implosions.exe TID: 6388 | Thread sleep time: -75000s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: Implosions.exe, 00000000.00000002.2078994669.0000000000810000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\Implosions.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Implosions.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\Implosions.exe | Queries volume information: C:\Users\user\Desktop\Implosions.exe VolumeInformation
Source: C:\Users\user\Desktop\Implosions.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\Desktop\Implosions.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\Desktop\Implosions.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\Desktop\Implosions.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\Implosions.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\Desktop\Implosions.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

Source: Yara match | File source: Implosions.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Implosions.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.837325917.00000000002F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Implosions.exe PID: 6364, type: MEMORYSTR
Source: Yara match | File source: Implosions.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Implosions.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.837325917.00000000002F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Implosions.exe PID: 6364, type: MEMORYSTR

                  Remote Access Functionality

Source: Yara match | File source: Implosions.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Implosions.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.837325917.00000000002F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Implosions.exe PID: 6364, type: MEMORYSTR
MITRE ATT&CK Matrix

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 2 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Disable or Modify Tools | LSASS Memory | 2 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 11 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Process Injection | Security Account Manager | 12 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Timestomp | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | 11 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.