
Windows Analysis Report
bLN8lqw5uc.exe

Overview

General Information

Sample Name: bLN8lqw5uc.exe
Analysis ID: 626608
MD5: ad4d543a610b12e9de73e3654118af6b
SHA1: 62d6d12e38360040f713ce0fed7c5cdda6332df0
SHA256: 6a583a994ac5171af4ebb505284cd054ef34b19f4fc9dfe55d82018f8468d593
Tags: exe, RedLineStealer

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Detected unpacking (changes PE section rights)
Snort IDS alert for network traffic
Tries to steal Crypto Currency Wallets
Connects to many ports of the same IP (likely port scanning)
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Found evasive API chain (may stop execution after checking a module file name)
Yara detected Credential Stealer
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Is looking for software installed on the system
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Classification

  • System is w10x64
  • bLN8lqw5uc.exe (PID: 6492 cmdline: "C:\Users\user\Desktop\bLN8lqw5uc.exe" MD5: AD4D543A610B12E9DE73E3654118AF6B)
  • cleanup
{"C2 url": ["193.106.191.182:23196"], "Bot Id": "51", "Authorization Header": "21351f5b8358ade7446b0c10ec81735e"}
Source: dump.pcap | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 00000000.00000003.259302527.00000000008F0000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 00000000.00000003.259302527.00000000008F0000.00000004.00001000.00020000.00000000.sdmp | Rule: MALWARE_Win_RedLine | Description: Detects RedLine infostealer | Author: ditekSHen
  • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x700:$s3: 83 EC 38 53 B0 B9 88 44 24 2B 88 44 24 2F B0 9E 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1e9d0:$s5: delete[]
  • 0x1de88:$s6: constructor or from DllMain.
Source: 00000000.00000003.259850346.00000000006E9000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 00000000.00000002.306218018.0000000002690000.00000004.08000000.00040000.00000000.sdmp | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 00000000.00000002.306218018.0000000002690000.00000004.08000000.00040000.00000000.sdmp | Rule: MALWARE_Win_RedLine | Description: Detects RedLine infostealer | Author: ditekSHen
  • 0x26a24:$pat14: , CommandLine:
  • 0x1b4ce:$v2_1: ListOfProcesses
  • 0x1ac40:$v4_3: base64str
  • 0x1ac0d:$v4_4: stringKey
  • 0x1ac4a:$v4_5: BytesToStringConverted
  • 0x1ac35:$v4_6: FromBase64
  • 0x1b189:$v4_8: procName
  • 0x18ec9:$v5_7: RecordHeaderField
  • 0x18e05:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
Source: 0.2.bLN8lqw5uc.exe.400000.0.raw.unpack | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 0.2.bLN8lqw5uc.exe.400000.0.raw.unpack | Rule: MALWARE_Win_RedLine | Description: Detects RedLine infostealer | Author: ditekSHen
  • 0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x1300:$s3: 83 EC 38 53 B0 B9 88 44 24 2B 88 44 24 2F B0 9E 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x2018a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1fdd0:$s5: delete[]
  • 0x1f288:$s6: constructor or from DllMain.
Source: 0.3.bLN8lqw5uc.exe.8f0000.0.raw.unpack | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 0.3.bLN8lqw5uc.exe.8f0000.0.raw.unpack | Rule: MALWARE_Win_RedLine | Description: Detects RedLine infostealer | Author: ditekSHen
  • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x700:$s3: 83 EC 38 53 B0 B9 88 44 24 2B 88 44 24 2F B0 9E 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1e9d0:$s5: delete[]
  • 0x1de88:$s6: constructor or from DllMain.
Source: 0.2.bLN8lqw5uc.exe.400000.0.unpack | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
                No Sigma rule has matched
Timestamp: 05/14/22-15:48:52.678431
SID: 2850286
Source IP: 192.168.2.3
Destination IP: 193.106.191.182
Source Port: 49742
Destination Port: 23196
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 05/14/22-15:48:50.920569
SID: 2850353
Source IP: 193.106.191.182
Destination IP: 192.168.2.3
Source Port: 23196
Destination Port: 49742
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 05/14/22-15:48:49.715430
SID: 2850027
Source IP: 192.168.2.3
Destination IP: 193.106.191.182
Source Port: 49742
Destination Port: 23196
Protocol: TCP
Classtype: A Network Trojan was detected


                AV Detection

Source: 0.3.bLN8lqw5uc.exe.6e9b88.1.raw.unpack | Malware Configuration Extractor: RedLine {"C2 url": ["193.106.191.182:23196"], "Bot Id": "51", "Authorization Header": "21351f5b8358ade7446b0c10ec81735e"}
Source: bLN8lqw5uc.exe | ReversingLabs: Detection: 46%
Source: bLN8lqw5uc.exe | Joe Sandbox ML: detected

                Compliance

Source: C:\Users\user\Desktop\bLN8lqw5uc.exe | Unpacked PE file: 0.2.bLN8lqw5uc.exe.400000.0.unpack
Source: bLN8lqw5uc.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\bLN8lqw5uc.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
                Source: Binary string: NC:\madugehu\81\kutape\lij-weteciwevuja\xoduxihetifosi_xulicujab.pdb source: bLN8lqw5uc.exe
                Source: Binary string: _.pdb source: bLN8lqw5uc.exe, 00000000.00000003.259850346.00000000006E9000.00000004.00000020.00020000.00000000.sdmp, bLN8lqw5uc.exe, 00000000.00000002.306008386.0000000002520000.00000004.08000000.00040000.00000000.sdmp, bLN8lqw5uc.exe, 00000000.00000003.262557484.0000000000711000.00000004.00000020.00020000.00000000.sdmp, bLN8lqw5uc.exe, 00000000.00000003.260835459.0000000000711000.00000004.00000020.00020000.00000000.sdmp, bLN8lqw5uc.exe, 00000000.00000002.305946038.0000000002433000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: C:\madugehu\81\kutape\lij-weteciwevuja\xoduxihetifosi_xulicujab.pdb source: bLN8lqw5uc.exe

                Networking

Source: Traffic | Snort IDS: 2850027 ETPRO TROJAN RedLine Stealer TCP CnC net.tcp Init 192.168.2.3:49742 -> 193.106.191.182:23196
Source: Traffic | Snort IDS: 2850286 ETPRO TROJAN Redline Stealer TCP CnC Activity 192.168.2.3:49742 -> 193.106.191.182:23196
Source: Traffic | Snort IDS: 2850353 ETPRO MALWARE Redline Stealer TCP CnC - Id1Response 193.106.191.182:23196 -> 192.168.2.3:49742
Source: global traffic | TCP traffic: 193.106.191.182 ports 1,2,3,23196,6,9
Source: Joe Sandbox View | ASN Name: BOSPOR-ASRU
Source: Joe Sandbox View | IP Address: 193.106.191.182
Source: global traffic | TCP traffic: 192.168.2.3:49742 -> 193.106.191.182:23196
Source: unknown | TCP traffic detected without corresponding DNS query: 193.106.191.182
Source: bLN8lqw5uc.exe, 00000000.00000002.306546681.000000000295A000.00000004.00000800.00020000.00000000.sdmp, bLN8lqw5uc.exe, 00000000.00000002.307666351.0000000002C5C000.00000004.00000800.00020000.00000000.sdmp, bLN8lqw5uc.exe, 00000000.00000002.306816180.0000000002A1C000.00000004.00000800.00020000.00000000.sdmp, bLN8lqw5uc.exe, 00000000.00000002.306361517.0000000002872000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: l9https://www.facebook.com/chat/video/videocalldownload.php equals www.facebook.com (Facebook)
Source: bLN8lqw5uc.exe, 00000000.00000002.306546681.000000000295A000.00000004.00000800.00020000.00000000.sdmp, bLN8lqw5uc.exe, 00000000.00000002.307666351.0000000002C5C000.00000004.00000800.00020000.00000000.sdmp, bLN8lqw5uc.exe, 00000000.00000002.306816180.0000000002A1C000.00000004.00000800.00020000.00000000.sdmp, bLN8lqw5uc.exe, 00000000.00000002.306361517.0000000002872000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
Source: bLN8lqw5uc.exe, 00000000.00000002.306361517.0000000002872000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: bLN8lqw5uc.exe, 00000000.00000002.306361517.0000000002872000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: bLN8lqw5uc.exe, 00000000.00000002.306361517.0000000002872000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: bLN8lqw5uc.exe, 00000000.00000002.306361517.0000000002872000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: bLN8lqw5uc.exe, 00000000.00000002.306361517.0000000002872000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: bLN8lqw5uc.exe, 00000000.00000002.306361517.0000000002872000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: bLN8lqw5uc.exe, 00000000.00000002.306361517.0000000002872000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: bLN8lqw5uc.exe, 00000000.00000002.306361517.0000000002872000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: bLN8lqw5uc.exe, 00000000.00000002.306361517.0000000002872000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: bLN8lqw5uc.exe, 00000000.00000002.306361517.0000000002872000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: bLN8lqw5uc.exe, 00000000.00000002.306361517.0000000002872000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: bLN8lqw5uc.exe, 00000000.00000002.306361517.0000000002872000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: bLN8lqw5uc.exe, 00000000.00000002.306361517.0000000002872000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: bLN8lqw5uc.exe, 00000000.00000002.306361517.0000000002872000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: bLN8lqw5uc.exe, 00000000.00000002.306361517.0000000002872000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: bLN8lqw5uc.exe, 00000000.00000002.306361517.0000000002872000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: bLN8lqw5uc.exe, 00000000.00000002.306361517.0000000002872000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
                Source: bLN8lqw5uc.exe,