
Windows Analysis Report
2sibxc6cB1.exe

Overview

General Information

Sample Name: 2sibxc6cB1.exe
Analysis ID: 626607
MD5: bba7db09449a22cfe8f3310bf1238210
SHA1: 49ce80fb77d7a06c4de52ddf2457e1dfceb7661c
SHA256: ffd0e59168d8d32c26f16e557b26d7fc45a748ae3d2621f40c740848762249a6
Tags: exe, RedLineStealer

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Detected unpacking (changes PE section rights)
Snort IDS alert for network traffic
Tries to steal Crypto Currency Wallets
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Found evasive API chain (may stop execution after checking a module file name)
Yara detected Credential Stealer
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Contains functionality to detect virtual machines (SLDT)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Classification

  • System is w10x64
  • 2sibxc6cB1.exe (PID: 6204 cmdline: "C:\Users\user\Desktop\2sibxc6cB1.exe" MD5: BBA7DB09449A22CFE8F3310BF1238210)
  • cleanup
{"C2 url": ["185.215.113.75:4531"], "Bot Id": "swttestmet", "Authorization Header": "adc5dc30debab8d39a706f26a199fa7e"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security |
Source | Rule | Description | Author | Strings
00000000.00000003.246398659.0000000000A30000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000000.00000003.246398659.0000000000A30000.00000004.00001000.00020000.00000000.sdmp | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | (matched strings below)
  • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x700:$s3: 83 EC 38 53 B0 9A 88 44 24 2B 88 44 24 2F B0 67 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1e9d0:$s5: delete[]
  • 0x1de88:$s6: constructor or from DllMain.
00000000.00000002.306736738.0000000000400000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000000.00000002.306736738.0000000000400000.00000040.00000001.01000000.00000003.sdmp | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | (matched strings below)
  • 0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x1300:$s3: 83 EC 38 53 B0 9A 88 44 24 2B 88 44 24 2F B0 67 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x2018a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1fdd0:$s5: delete[]
  • 0x1f288:$s6: constructor or from DllMain.
00000000.00000002.308928908.0000000002752000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
Source | Rule | Description | Author | Strings
0.2.2sibxc6cB1.exe.400000.0.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
0.2.2sibxc6cB1.exe.400000.0.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | (matched strings below)
  • 0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x1300:$s3: 83 EC 38 53 B0 9A 88 44 24 2B 88 44 24 2F B0 67 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x2018a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1fdd0:$s5: delete[]
  • 0x1f288:$s6: constructor or from DllMain.
0.2.2sibxc6cB1.exe.400000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
0.2.2sibxc6cB1.exe.400000.0.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | (matched strings below)
  • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x700:$s3: 83 EC 38 53 B0 9A 88 44 24 2B 88 44 24 2F B0 67 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1e9d0:$s5: delete[]
  • 0x1de88:$s6: constructor or from DllMain.
0.3.2sibxc6cB1.exe.a30000.0.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
                  No Sigma rule has matched
Snort alert
Timestamp: 05/14/22-15:38:34.055550
Source IP: 185.215.113.75
Destination IP: 192.168.2.4
SID: 2850353
Source Port: 4531
Destination Port: 49760
Protocol: TCP
Classtype: A Network Trojan was detected

Snort alert
Timestamp: 05/14/22-15:38:32.157673
Source IP: 192.168.2.4
Destination IP: 185.215.113.75
SID: 2850027
Source Port: 49760
Destination Port: 4531
Protocol: TCP
Classtype: A Network Trojan was detected

Snort alert
Timestamp: 05/14/22-15:38:35.355126
Source IP: 192.168.2.4
Destination IP: 185.215.113.75
SID: 2850286
Source Port: 49760
Destination Port: 4531
Protocol: TCP
Classtype: A Network Trojan was detected


                  AV Detection

Source: 0.2.2sibxc6cB1.exe.238373e.3.raw.unpack | Malware Configuration Extractor: RedLine {"C2 url": ["185.215.113.75:4531"], "Bot Id": "swttestmet", "Authorization Header": "adc5dc30debab8d39a706f26a199fa7e"}
Source: 2sibxc6cB1.exe | ReversingLabs: Detection: 46%
Source: 2sibxc6cB1.exe | Joe Sandbox ML: detected

                  Compliance

Source: C:\Users\user\Desktop\2sibxc6cB1.exe | Unpacked PE file: 0.2.2sibxc6cB1.exe.400000.0.unpack
Source: 2sibxc6cB1.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\2sibxc6cB1.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: ^C:\laloze-bifer\giyekibu\bozecotocijaci\gad cah.pdbp | source: 2sibxc6cB1.exe
Source: Binary string: _.pdb | source: 2sibxc6cB1.exe, 00000000.00000002.308048938.0000000002343000.00000004.00000800.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000003.246882548.00000000007B2000.00000004.00000020.00020000.00000000.sdmp, 2sibxc6cB1.exe, 00000000.00000002.308192150.00000000024D0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\laloze-bifer\giyekibu\bozecotocijaci\gad cah.pdb | source: 2sibxc6cB1.exe

                  Networking

Source: Traffic | Snort IDS: 2850027 ETPRO TROJAN RedLine Stealer TCP CnC net.tcp Init 192.168.2.4:49760 -> 185.215.113.75:4531
Source: Traffic | Snort IDS: 2850286 ETPRO TROJAN Redline Stealer TCP CnC Activity 192.168.2.4:49760 -> 185.215.113.75:4531
Source: Traffic | Snort IDS: 2850353 ETPRO MALWARE Redline Stealer TCP CnC - Id1Response 185.215.113.75:4531 -> 192.168.2.4:49760
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: Joe Sandbox View | IP Address: 185.215.113.75
Source: global traffic | TCP traffic: 192.168.2.4:49760 -> 185.215.113.75:4531
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.75