Loading... Additional Content is being loaded
Windows Analysis Report Tf3nLO7O1l.exe
Overview
General Information
| Sample Name: | Tf3nLO7O1l.exe |
| Analysis ID: | 534011 |
| MD5: | a64489e6fe6114fb281356ac310add7d |
| SHA1: | 17ce52c3408283e02a575e167da91572440f977c |
| SHA256: | 8115c0c6764f265cdc4e5b3bf1653293d7074ef7e6f5fbb6faa23f07e2391453 |
| Tags: | exeRedLineStealer |
| Infos: | |
|
Most interesting Screenshot:  |
|
Errors
|
|
Detection
Clipboard Hijacker Cryptbot RedLine SmokeLoader
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Yara detected RedLine Stealer
Yara detected Cryptbot
Detected unpacking (overwrites its own PE header)
Yara detected SmokeLoader
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Yara detected Clipboard Hijacker
Found malware configuration
Benign windows process drops PE files
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Maps a DLL or memory area into another process
Connects to many ports of the same IP (likely port scanning)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains very large array initializations
Deletes itself after installation
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Found many strings related to Crypto-Wallets (likely being stolen)
Checks if the current machine is a virtual machine (disk enumeration)
Tries to harvest and steal browser information (history, passwords, etc)
PE file contains section with special chars
.NET source code references suspicious native API functions
Delayed program exit found
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Creates a start menu entry (Start Menu\Programs\Startup)
PE file overlay found
Contains functionality for read data from the clipboard
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
PE file contains sections with non-standard names
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to call native functions
Contains functionality to read the clipboard data
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Queries information about the installed CPU (vendor, model number etc)
PE file does not import any functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Contains capabilities to detect virtual machines
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Classification
AV Detection: |
  |
|---|
| Antivirus detection for URL or domain |
| Source: |
Avira URL Cloud: |
||
| Source: |
Avira URL Cloud: |
||
| Source: |
Avira URL Cloud: |
||
| Found malware configuration |
| Source: |
Malware Configuration Extractor: |
||
| Source: |
Malware Configuration Extractor: |
||
| Source: |
Malware Configuration Extractor: | ||