Edit tour
Windows
Analysis Report
25704973.exe
Overview
General Information
Detection
RedLine
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Yara detected RedLine Stealer
Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Detected VMProtect packer
Writes to foreign memory regions
Tries to steal Crypto Currency Wallets
Machine Learning detection for sample
Allocates memory in foreign processes
Performs DNS queries to domains with low reputation
Injects a PE file into a foreign processes
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Is looking for software installed on the system
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file does not import any functions
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Drops PE files
Detected TCP or UDP traffic on non-standard ports
PE file contains more sections than normal
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
- 25704973.exe (PID: 6520 cmdline:
"C:\Users\ user\Deskt op\2570497 3.exe" MD5: 8B2B5EBCF5A28A1CB95C1A3461C819D9) - AppLaunch.exe (PID: 6616 cmdline:
C:\Windows \Microsoft .NET\Frame work\v4.0. 30319\AppL aunch.exe MD5: 6807F903AC06FF7E1670181378690B22) - fl.exe (PID: 5492 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\fl.exe " MD5: F85A4CFBB0C8B32202385BBBD6169708) - WerFault.exe (PID: 6920 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 6 520 -s 452 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
- cleanup
{"C2 url": "yabynennet.xyz:81", "Bot Id": "@drubywork", "Authorization Header": "7df679708eef538b0f3950a07c83413e"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | ||
JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | ||
JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | ||
JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | ||
JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | ||
JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | ||
Click to see the 4 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | ||
MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen |
| |
JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | ||
MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen |
| |
JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | ||
Click to see the 11 entries |
There are no malicious signatures, click here to show all signatures.
Source: | Author: frack113: |
Source: | Author: frack113: |
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | Malware Configuration Extractor: |
Source: | Virustotal: | Perma Link | ||
Source: | Metadefender: | Perma Link | ||
Source: | ReversingLabs: |
Source: | Virustotal: | Perma Link |
Source: | Avira: |
Source: | Metadefender: | Perma Link | ||
Source: | ReversingLabs: |
Source: | Joe Sandbox ML: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | HTTPS traffic detected: |
Networking |
---|
Source: | DNS query: |
Source: | ASN Name: |
Source: | JA3 fingerprint: |
Source: | HTTP traffic detected: |
Source: | IP Address: | ||
Source: | IP Address: | ||
Source: | IP Address: |
Source: | TCP traffic: |
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
Source: | String found in binary or memory: |