Windows
Analysis Report
8v0aSYe34Q
Overview
General Information
Detection
RedLine
| Score | Range | Whitelisted | Confidence |
|---|---|---|---|
| 100 | 0 - 100 | false | 100% |
Signatures
Yara detected RedLine Stealer
Found malware configuration
Multi AV Scanner detection for submitted file
Detected unpacking (changes PE section rights)
Snort IDS alert for network traffic
Tries to steal Crypto Currency Wallets
Tries to evade debugger and weak emulator (self modifying code)
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
.NET source code contains method to dynamically call methods (often used by packers)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Yara detected Credential Stealer
Contains functionality for execution timing, often used to detect debuggers
Entry point lies outside standard sections
Contains long sleeps (>= 3 min)
Enables debug privileges
Is looking for software installed on the system
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Detected TCP or UDP traffic on non-standard ports
Binary contains a suspicious time stamp
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Found large amount of non-executed APIs
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Classification
- System is w10x64
- 8v0aSYe34Q.exe (PID: 6260, cmdline: "C:\Users\user\Desktop\8v0aSYe34Q.exe", MD5: 859E6CF84FF73E9A9921FB829C3A386E)
- cleanup
{"C2 url": "51.79.188.112:7110", "Bot Id": "KOL"}
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
| | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security | |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
| | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
| | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
No Sigma rule has matched.
| Timestamp | SID | Source Port | Destination Port | Protocol | Classtype |
|---|---|---|---|---|---|
| 05/04/22-21:09:50.022363 | 2850286 | 49748 | 7110 | TCP | A Network Trojan was detected |
| 05/04/22-21:09:31.442963 | 2850286 | 49748 | 7110 | TCP | A Network Trojan was detected |
| 05/04/22-21:09:31.611126 | 2850353 | 7110 | 49748 | TCP | A Network Trojan was detected |
| 05/04/22-21:09:28.360368 | 2850027 | 49748 | 7110 | TCP | A Network Trojan was detected |
| 05/04/22-21:09:40.013577 | 2850286 | 49748 | 7110 | TCP | A Network Trojan was detected |
AV Detection
- Source: Malware Configuration Extractor
- Source: Virustotal
- Source: Joe Sandbox ML
- Source: Avira
- Source: Static PE information
Networking
- Source: Snort IDS
- Source: ASN Name
- Source: TCP traffic
- Source: TCP traffic detected without corresponding DNS query
- Source: String found in binary or memory