Windows Analysis Report VYeSXonMT1.exe
Overview
General Information
Detection

| Field | Value |
|---|---|
| Threatname | RedLine |
| Score | 100 |
| Range | 0 - 100 |
| Whitelisted | false |
| Confidence | 100% |
Signatures
Yara detected RedLine Stealer
Yara detected Evader
Detected unpacking (overwrites its own PE header)
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Connects to many ports of the same IP (likely port scanning)
Machine Learning detection for sample
May check the online IP address of the machine
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal browser information (history, passwords, etc.)
Tries to steal Crypto Currency Wallets
Creates HTML files with .exe extension (expired dropper behavior)
Contains functionality to register a low level keyboard hook
Sample or dropped binary is a compiled AutoHotkey binary
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Machine Learning detection for dropped file
Yara detected Autohotkey Downloader Generic
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to simulate keystroke presses
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
OS version to string mapping found (often used in BOTs)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Uses 32bit PE files
Queries the volume information (name, serial number, etc.) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Internet Provider seen in connection with other malware
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to communicate with device drivers
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Enables debug privileges
Is looking for software installed on the system
Queries information about the installed CPU (vendor, model number, etc.)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Contains functionality to launch a program with higher privileges
Potential key logger detected (key state polling based)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Contains functionality to simulate mouse events
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Classification
Process Tree

Malware Configuration

Threatname: RedLine

{"C2 url": ["185.215.113.15:21508"], "Bot Id": "mix25.11"}
Yara Overview

PCAP (Network Traffic)

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security | |

Memory Dumps (11 entries in total, first 5 shown)

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_AutohotkeyDownloaderGeneric | Yara detected Autohotkey Downloader Generic | Joe Security | |
| | JoeSecurity_Evader | Yara detected Evader | Joe Security | |
| | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
| | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
| | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |

Unpacked PEs (9 entries in total, first 5 shown)

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
| | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
| | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
| | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
| | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
Sigma Overview

No Sigma rule has matched

Jbx Signature Overview
AV Detection

| Signature | Source |
|---|---|
| Found malware configuration | Malware Configuration Extractor |
| Multi AV Scanner detection for submitted file | Virustotal |
| Multi AV Scanner detection for domain / URL | Virustotal |
| Multi AV Scanner detection for dropped file | ReversingLabs |
| Machine Learning detection for sample | Joe Sandbox ML |
| Machine Learning detection for dropped file | Joe Sandbox ML |
| | Avira (2 entries) |

Compliance

| Signature | Source |
|---|---|
| Detected unpacking (overwrites its own PE header) | Unpacked PE file (2 entries) |
| | Static PE information |
| | File opened |
| | HTTPS traffic detected (2 entries) |
| | Binary string (5 entries) |

Spreading

| Signature | Source |
|---|---|
| Yara detected Autohotkey Downloader Generic | File source (5 entries) |
| | Code function (4 entries) |

Networking

| Signature | Source |
|---|---|
| Connects to many ports of the same IP (likely port scanning) | TCP traffic |
| May check the online IP address of the machine | DNS query (2 entries) |
| Creates HTML files with .exe extension (expired dropper behavior) | File created |
| | JA3 fingerprint |
| | HTTP traffic detected |