Edit tour

Windows Analysis Report
SecuriteInfo.com.Variant.MSILHeracles.37401.28222.31688

Overview

General Information

Sample Name:	SecuriteInfo.com.Variant.MSILHeracles.37401.28222.31688 (renamed file extension from 31688 to exe)
Analysis ID:	640279
MD5:	9c10bef611a483bc74ad92c9e8556f75
SHA1:	959200c9b9bc114c9eabba65d3cdd0cb682432f7
SHA256:	0b54ceec5383b80e59b25a7b2b3a4a04211598ce4de90e03286f8310392c0e41
Tags:	exe
Infos:

Detection

RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected RedLine Stealer

Yara detected UAC Bypass using CMSTP

Multi AV Scanner detection for submitted file

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

Tries to steal Crypto Currency Wallets

Contains functionality to hide user accounts

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses known network protocols on non-standard ports

Injects a PE file into a foreign processes

Yara detected Generic Downloader

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

.NET source code contains very large array initializations

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

HTTP GET or POST without a user agent

Contains long sleeps (>= 3 min)

Enables debug privileges

Is looking for software installed on the system

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

PE file contains strange resources

Detected TCP or UDP traffic on non-standard ports

Binary contains a suspicious time stamp

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe (PID: 6388 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe" MD5: 9C10BEF611A483BC74AD92C9E8556F75)

SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe (PID: 6568 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe MD5: 9C10BEF611A483BC74AD92C9E8556F75)

conhost.exe (PID: 6888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: RedLine

{"C2 url": ["185.222.58.90:17910"], "Bot Id": "Lxx"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.326819931.0000000004360000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.326819931.0000000004360000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000000.302735458.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000004.00000000.302735458.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000000.306626308.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000004.00000000.306626308.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000000.304627336.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000004.00000000.304627336.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.413960092.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000004.00000002.413960092.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.326770233.0000000004315000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.326770233.0000000004315000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.415272531.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.327098624.0000000004BEC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.327098624.0000000004BEC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000002.326707986.00000000042F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.326707986.00000000042F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000000.305776907.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000004.00000000.305776907.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe PID: 6388	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe PID: 6388	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe PID: 6388	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe PID: 6388	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe PID: 6568	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe PID: 6568	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 20 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.0.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.400000.8.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
4.0.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.400000.8.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.0.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.400000.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.0.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.400000.8.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165e6:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165c7:$v2_6: GetUpdates
4.0.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.400000.12.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
4.0.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.400000.12.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.0.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.400000.12.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.0.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.400000.12.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165e6:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165c7:$v2_6: GetUpdates
4.0.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.400000.4.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
4.0.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.400000.4.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.0.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.400000.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.0.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.400000.4.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165e6:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165c7:$v2_6: GetUpdates
0.2.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.4315550.2.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.4315550.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.4315550.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.4315550.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165e6:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165c7:$v2_6: GetUpdates
4.2.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
4.2.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.2.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165e6:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165c7:$v2_6: GetUpdates
0.2.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.4315550.2.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.4315550.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.4315550.2.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147e6:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147c7:$v2_6: GetUpdates
0.2.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.42f5530.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.42f5530.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.42f5530.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.42f5530.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165e6:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165c7:$v2_6: GetUpdates
4.0.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.400000.10.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
4.0.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.400000.10.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.0.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.400000.10.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.0.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.400000.10.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165e6:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165c7:$v2_6: GetUpdates
0.2.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.4bf7a68.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.4bf7a68.3.raw.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x2418d:$e1: Microsoft\Windows Defender\Exclusions\Paths 0x241c4:$e2: Add-MpPreference -ExclusionPath
0.2.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.4bf7a68.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x24059:$r1: Classes\Folder\shell\open\command 0x24080:$k1: DelegateExecute 0x23fcc:$s1: /EXEFilename "{0} 0x23fdf:$s2: /WindowState "" 0x24d6b:$s2: /WindowState "" 0x23ff4:$s3: /PriorityClass ""32"" /CommandLine " 0x24d7e:$s3: /PriorityClass ""32"" /CommandLine " 0x2401a:$s4: /StartDirectory " 0x24da4:$s4: /StartDirectory " 0x2402d:$s5: /RunAs 0x24db7:$s5: /RunAs
0.2.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.42f5530.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.42f5530.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.42f5530.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147e6:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147c7:$v2_6: GetUpdates
4.0.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.400000.6.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
4.0.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.400000.6.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.0.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.400000.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.0.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.400000.6.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165e6:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165c7:$v2_6: GetUpdates
Click to see the 36 entries

HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 185.222.58.90:17910Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: api.ip.sb

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.0.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 4.0.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 4.0.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.4315550.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 4.2.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.4315550.2.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.42f5530.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 4.0.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.4bf7a68.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.4bf7a68.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.42f5530.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 4.0.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen

.NET source code contains very large array initializations

Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, McVLOcXcbRNWQVWQI/PTXbSLWUVIhaPSYMa.cs	Large array initialization: ZcNVeeLWOTPhgMQUf: array initializer size 398848
Source: 0.2.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.cf0000.0.unpack, McVLOcXcbRNWQVWQI/PTXbSLWUVIhaPSYMa.cs	Large array initialization: ZcNVeeLWOTPhgMQUf: array initializer size 398848
Source: 0.0.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.cf0000.0.unpack, McVLOcXcbRNWQVWQI/PTXbSLWUVIhaPSYMa.cs	Large array initialization: ZcNVeeLWOTPhgMQUf: array initializer size 398848
Source: 4.0.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.cf0000.9.unpack, McVLOcXcbRNWQVWQI/PTXbSLWUVIhaPSYMa.cs	Large array initialization: ZcNVeeLWOTPhgMQUf: array initializer size 398848

Source: 4.0.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 4.0.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 4.0.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.4315550.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 4.2.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.4315550.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.42f5530.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 4.0.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.4bf7a68.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 0.2.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.4bf7a68.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.42f5530.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 4.0.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Code function: 0_2_03242578	0_2_03242578
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Code function: 0_2_03248B70	0_2_03248B70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Code function: 0_2_0324A9D0	0_2_0324A9D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Code function: 0_2_0324EAE8	0_2_0324EAE8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Code function: 0_2_0324EF97	0_2_0324EF97
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Code function: 0_2_0324AEC8	0_2_0324AEC8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Code function: 0_2_032B2720	0_2_032B2720
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Code function: 0_2_032B5420	0_2_032B5420
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Code function: 0_2_032B3478	0_2_032B3478
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Code function: 0_2_032B14A0	0_2_032B14A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Code function: 0_2_032B73A0	0_2_032B73A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Code function: 0_2_032B0960	0_2_032B0960
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Code function: 4_2_02F66380	4_2_02F66380
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Code function: 4_2_02F690D0	4_2_02F690D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Code function: 4_2_02F64900	4_2_02F64900
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Code function: 4_2_02F67730	4_2_02F67730
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Code function: 4_2_02F67738	4_2_02F67738
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Code function: 4_2_060E8440	4_2_060E8440
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Code function: 4_2_060E15A8	4_2_060E15A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Code function: 4_2_060E6870	4_2_060E6870

Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000000.00000002.320490571.0000000000E8C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Tools.ServiceModel.Svcutil.dllZ vs SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000000.00000002.324498966.00000000034B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameGVAn PyU.exe2 vs SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000000.00000002.326819931.0000000004360000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameZakrytyeKupla.exe< vs SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000000.00000002.326770233.0000000004315000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameGVAn PyU.exe2 vs SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000000.00000002.326707986.00000000042F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameGVAn PyU.exe2 vs SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000000.298722830.0000000000E8C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Tools.ServiceModel.Svcutil.dllZ vs SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000000.304627336.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameGVAn PyU.exe2 vs SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415396238.0000000003011000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Binary or memory string: OriginalFilenameMicrosoft.Tools.ServiceModel.Svcutil.dllZ vs SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe

Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe

Virustotal: Detection: 31%

Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe

File created: C:\Users\user\AppData\Local\Temp\tmp4871.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@4/27@2/1

Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6888:120:WilError_01

Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Binary or memory string: .csprojMSystem.Runtime.InteropServices.PInvokeIMicrosoft.EntityFrameworkCore.Design]Microsoft.EntityFrameworkCore.SqlServer.DesignGMicrosoft.EntityFrameworkCore.ToolsaMicrosoft.VisualStudio.Web.CodeGeneration.DesignEdotnet-aspnet-codegenerator-design
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Binary or memory string: .csproj

Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	String found in binary or memory: #EndpointReferenceahttp://schemas.xmlsoap.org/ws/2004/08/addressing
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	String found in binary or memory: wsa`http://schemas.xmlsoap.org/ws/2004/08/addressing

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe

Static file information: File size 1693696 > 1048576

Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x199000

Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: E:\A\_work\1\s\obj\Release\Microsoft.Tools.ServiceModel.Svcutil\Microsoft.Tools.ServiceModel.Svcutil.pdb source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Code function: 0_2_032468E0 push C30170BEh; ret	0_2_032469CB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Code function: 0_2_032B49F0 push eax; mov dword ptr [esp], edx	0_2_032B4A01
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Code function: 4_2_02F6E1F2 push eax; retf	4_2_02F6E1F9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Code function: 4_2_02F6E1F0 pushad ; retf	4_2_02F6E1F1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Code function: 4_2_02F6B5C0 push cs; ret	4_2_02F6B5F4

Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe

Static PE information: 0x8F451F1E [Sat Mar 3 06:37:18 2046 UTC]

Source: initial sample

Static PE information: section name: .text entropy: 7.00948681811

Hooking and other Techniques for Hiding and Protection

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: download (67).png

Contains functionality to hide user accounts

Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000000.00000002.327098624.0000000004BEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000000.00000002.327098624.0000000004BEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: localgroup administrators aREG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 17910
Source: unknown	Network traffic detected: HTTP traffic on port 17910 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 17910 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 17910
Source: unknown	Network traffic detected: HTTP traffic on port 17910 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 17910 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 17910
Source: unknown	Network traffic detected: HTTP traffic on port 17910 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 17910 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 17910
Source: unknown	Network traffic detected: HTTP traffic on port 17910 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 17910 -> 49759

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 00000000.00000002.327098624.0000000004BEC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe PID: 6388, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000000.00000002.327098624.0000000004BEC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000000.00000002.327098624.0000000004BEC000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000000.00000002.322194403.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe TID: 6408	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe TID: 6384	Thread sleep time: -19369081277395017s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe

Registry key enumerated: More than 149 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Window / User API: threadDelayed 1954			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Window / User API: threadDelayed 7006			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.421118786.00000000066D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000000.00000002.327098624.0000000004BEC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\EnumNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000000.00000002.327098624.0000000004BEC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WWW /c Microsoft-Hyper-V-Common-Drivers-Package
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000000.00000002.327098624.0000000004BEC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000000.00000002.327098624.0000000004BEC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000000.00000002.327098624.0000000004BEC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000000.00000002.327098624.0000000004BEC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000000.00000002.327098624.0000000004BEC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000000.00000002.327098624.0000000004BEC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000000.00000002.327098624.0000000004BEC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000000.00000002.327098624.0000000004BEC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000000.00000002.327098624.0000000004BEC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000000.00000002.327098624.0000000004BEC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.421118786.00000000066D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Win32_VideoController(Standard display types)VMwareGM5U1TN2Win32_VideoControllerOM9_ZBOCVideoController120060621000000.000000-0003374.727display.infMSBDAN_6V7XZYPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsML3XU8WR]
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.414737521.00000000012F8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe

Code function: 4_2_060EC798 LdrInitializeThunk,

4_2_060EC798

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe

Memory written: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe

Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.420767295.0000000006634000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 4.0.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.4315550.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.4315550.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.42f5530.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.42f5530.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.326819931.0000000004360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.302735458.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.306626308.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.304627336.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.413960092.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.326770233.0000000004315000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.415272531.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.326707986.00000000042F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.305776907.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe PID: 6388, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe PID: 6568, type: MEMORYSTR

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior

Source: Yara match	File source: 4.0.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.4315550.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.4315550.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.42f5530.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.42f5530.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.326819931.0000000004360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.302735458.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.306626308.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.304627336.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.413960092.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.326770233.0000000004315000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.326707986.00000000042F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.305776907.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe PID: 6388, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe PID: 6568, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 4.0.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.4315550.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.4315550.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.42f5530.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.42f5530.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.326819931.0000000004360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.302735458.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.306626308.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.304627336.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.413960092.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.326770233.0000000004315000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.415272531.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.326707986.00000000042F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.305776907.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe PID: 6388, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe PID: 6568, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	221 Windows Management Instrumentation	Path Interception	111 Process Injection	11 Masquerading	1 OS Credential Dumping	331 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	11 Process Discovery	Remote Desktop Protocol	2 Data from Local System	Exfiltration Over Bluetooth	11 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	231 Virtualization/Sandbox Evasion	Security Account Manager	231 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	2 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Hidden Users	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Obfuscated Files or Information	Cached Domain Credentials	123 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Software Packing	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 185.222.58.90:17910Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"Host: 185.222.58.90:17910Content-Length: 144Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"Host: 185.222.58.90:17910Content-Length: 1129292Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: 185.222.58.90:17910Content-Length: 1129284Expect: 100-continueAccept-Encoding: gzip, deflate

Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.417610660.000000000351F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ium PDF Plugin","versions":[{"comment":"Chromium PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"divx-player":{"group_name_matcher":"DivX Web Player","help_url":"https://support.google.com/chrome/?p=plugin_divx","lang":"en-US","mime_types":["video/divx","video/x-matroska"],"name":"DivX Web Player","url":"http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe","versions":[{"status":"requires_authorization","version":"1.4.3.4"}]},"facebook-video-calling":{"group_name_matcher":"Facebook Video","lang":"en-US","mime_types":["application/skypesdk-plugin"],"name":"Facebook Video Calling","url":"https://www.facebook.com/chat/video/videocalldownload.php","versions":[{"comment":"We do not track version information for the Facebook Video Calling Plugin.","status":"requires_authorization","version":"0"}]},"google-chrome-pdf":{"group_name_matcher":"Chrome PDF Viewer","mime_types":[],"name":"Chrome PDF Viewer","versions":[{"comment":"Google Chrome PDF Viewer has no version information.","status":"fully_trusted","version":"0"}]},"google-chrome-pdf-plugin":{"group_name_matcher":"Chrome PDF Plugin","mime_types":[],"name":"Chrome PDF Plugin","versions":[{"comment":"Google Chrome PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"google-earth":{"group_name_matcher":"Google Earth","lang":"en-US","mime_types":["application/geplugin"],"name":"Google Earth","url":"http://www.google.com/earth/explore/products/plugin.html","versions":[{"comment":"We do not track version information for the Google Earth Plugin.","status":"requires_authorization","version":"0"}]},"google-talk":{"group_name_matcher":"Google Talk","mime_types":[],"name":"Google Talk","versions":[{"comment":"'Google Talk Plugin' and 'Google Talk Plugin Video Accelerator' use two completely different versioning schemes, so we can't define a minimum version.","status":"requires_authorization","version":"0"}]},"google-update":{"group_name_matcher":"Google Update","mime-types":[],"name":"Google Update","versions":[{"comment":"Google Update plugin is versioned but kept automatically up to date","status":"requires_authorization","version":"0"}]},"ibm-java-runtime-environment":{"group_name_matcher":"IBMJava*","mime_types":["application/x-java-applet","application/x-java-applet;jpi-version=1.7.0_05","application/x-java-applet;version=1.1","application/x-java-applet;version=1.1.1","application/x-java-applet;version=1.1.2","application/x-java-applet;version=1.1.3","application/x-java-applet;version=1.2","application/x-java-applet;version=1.2.1","application/x-java-applet;version=1.2.2","application/x-java-applet;version=1.3","application/x-java-applet;version=1.3.1","application/x-java-applet;version=1.4","application/x-java-applet;version=1.4.1","application/x-java-applet;version=1.4.2","application/x-java-applet;version=1.5","application/x-java-applet;version=1.6","application/x-java-applet;version=1.7","application/x-java
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415771506.0000000003223000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.416523305.0000000003354000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.416763620.00000000033ED000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415906539.00000000032BB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415666003.0000000003199000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.417142204.0000000003486000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.417610660.000000000351F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: l9https://www.facebook.com/chat/video/videocalldownload.php equals www.facebook.com (Facebook)

Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415200414.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415396238.0000000003011000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.222.58.90:17910
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415200414.0000000002F81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.222.58.90:17910/
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415771506.0000000003223000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.416523305.0000000003354000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.416763620.00000000033ED000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415906539.00000000032BB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415666003.0000000003199000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.417142204.0000000003486000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.417610660.000000000351F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.414737521.00000000012F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.417610660.000000000351F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415771506.0000000003223000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.416523305.0000000003354000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.416763620.00000000033ED000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415510372.00000000030BD000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415906539.00000000032BB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415666003.0000000003199000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.417142204.0000000003486000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.417610660.000000000351F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://forms.rea
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415771506.0000000003223000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.416523305.0000000003354000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.416763620.00000000033ED000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415510372.00000000030BD000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415906539.00000000032BB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415666003.0000000003199000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.417142204.0000000003486000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.417610660.000000000351F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://forms.real.com/real/realone/download.html?type=rpsp_us
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.417610660.000000000351F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	String found in binary or memory: http://go.mic
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415771506.0000000003223000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.416523305.0000000003354000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.416763620.00000000033ED000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415510372.00000000030BD000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415906539.00000000032BB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415666003.0000000003199000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.417142204.0000000003486000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.417610660.000000000351F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://go.micros
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000003.382700486.0000000008901000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000003.413656681.0000000008910000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000003.413733781.0000000008911000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000003.413677512.0000000008910000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ns.ado/1
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000003.382700486.0000000008901000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000003.413656681.0000000008910000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000003.413733781.0000000008911000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000003.413677512.0000000008910000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobe.c/g
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000003.382700486.0000000008901000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000003.413656681.0000000008910000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000003.413733781.0000000008911000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000003.413677512.0000000008910000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobe.cobj
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415200414.0000000002F81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415272531.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415272531.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/D
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415200414.0000000002F81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415200414.0000000002F81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415200414.0000000002F81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415771506.0000000003223000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.416523305.0000000003354000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.416763620.00000000033ED000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415510372.00000000030BD000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415906539.00000000032BB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415666003.0000000003199000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.417142204.0000000003486000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.417610660.000000000351F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://service.r
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415771506.0000000003223000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.416523305.0000000003354000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.416763620.00000000033ED000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415510372.00000000030BD000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415906539.00000000032BB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415666003.0000000003199000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.417142204.0000000003486000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.417610660.000000000351F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://service.real.com/realplayer/security/02062012_player/en/
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415771506.0000000003223000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.416523305.0000000003354000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.416763620.00000000033ED000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415906539.00000000032BB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415666003.0000000003199000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.417142204.0000000003486000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.417610660.000000000351F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://support.a
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415771506.0000000003223000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.416523305.0000000003354000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.416763620.00000000033ED000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415906539.00000000032BB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415666003.0000000003199000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.417142204.0000000003486000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.417610660.000000000351F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://support.apple.com/kb/HT203092
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415272531.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415396238.0000000003011000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415200414.0000000002F81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/0
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415200414.0000000002F81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415200414.0000000002F81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415200414.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415272531.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415200414.0000000002F81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415396238.0000000003011000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415200414.0000000002F81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415200414.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415510372.00000000030BD000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415396238.0000000003011000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415200414.0000000002F81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415200414.0000000002F81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415200414.0000000002F81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415272531.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/t_
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415771506.0000000003223000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.416523305.0000000003354000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.416763620.00000000033ED000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415906539.00000000032BB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415666003.0000000003199000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.417142204.0000000003486000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.417610660.000000000351F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/earth/explore/products/plugin.html
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415771506.0000000003223000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.416523305.0000000003354000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.416763620.00000000033ED000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415510372.00000000030BD000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415906539.00000000032BB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415666003.0000000003199000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.417142204.0000000003486000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.417610660.000000000351F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chrome
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.416523305.0000000003354000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.416763620.00000000033ED000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415906539.00000000032BB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.417142204.0000000003486000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.417610660.000000000351F000.00000004.00000800.00020000.00000000.sdmp, tmp8CBC.tmp.4.dr, tmpF2F9.tmp.4.dr, tmpE78F.tmp.4.dr, tmpC05F.tmp.4.dr, tmpCA33.tmp.4.dr, tmp5762.tmp.4.dr, tmpBA24.tmp.4.dr, tmpBD42.tmp.4.dr, tmp2054.tmp.4.dr, tmp658B.tmp.4.dr, tmpC2F1.tmp.4.dr, tmpC225.tmp.4.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000000.302735458.0000000000402000.00000040.00000400.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000000.304627336.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe	String found in binary or memory: https://api.ipify.orgcoo
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000000.302735458.0000000000402000.00000040.00000400.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000000.304627336.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.416523305.0000000003354000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.416763620.00000000033ED000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.421118786.00000000066D2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415906539.00000000032BB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.417142204.0000000003486000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.417610660.000000000351F000.00000004.00000800.00020000.00000000.sdmp, tmp8CBC.tmp.4.dr, tmpF2F9.tmp.4.dr, tmpE78F.tmp.4.dr, tmpC05F.tmp.4.dr, tmpCA33.tmp.4.dr, tmp5762.tmp.4.dr, tmpBA24.tmp.4.dr, tmpBD42.tmp.4.dr, tmp2054.tmp.4.dr, tmp658B.tmp.4.dr, tmpC2F1.tmp.4.dr, tmpC225.tmp.4.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.416523305.0000000003354000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.416763620.00000000033ED000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415906539.00000000032BB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.417142204.0000000003486000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.417610660.000000000351F000.00000004.00000800.00020000.00000000.sdmp, tmp8CBC.tmp.4.dr, tmpF2F9.tmp.4.dr, tmpE78F.tmp.4.dr, tmpC05F.tmp.4.dr, tmpCA33.tmp.4.dr, tmp5762.tmp.4.dr, tmpBA24.tmp.4.dr, tmpBD42.tmp.4.dr, tmp2054.tmp.4.dr, tmp658B.tmp.4.dr, tmpC2F1.tmp.4.dr, tmpC225.tmp.4.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.421118786.00000000066D2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415906539.00000000032BB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.417142204.0000000003486000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.417610660.000000000351F000.00000004.00000800.00020000.00000000.sdmp, tmp8CBC.tmp.4.dr, tmpF2F9.tmp.4.dr, tmpE78F.tmp.4.dr, tmpC05F.tmp.4.dr, tmpCA33.tmp.4.dr, tmp5762.tmp.4.dr, tmpBA24.tmp.4.dr, tmpBD42.tmp.4.dr, tmp2054.tmp.4.dr, tmp658B.tmp.4.dr, tmpC2F1.tmp.4.dr, tmpC225.tmp.4.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.416523305.0000000003354000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.416763620.00000000033ED000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415906539.00000000032BB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.417142204.0000000003486000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.417610660.000000000351F000.00000004.00000800.00020000.00000000.sdmp, tmp8CBC.tmp.4.dr, tmpF2F9.tmp.4.dr, tmpE78F.tmp.4.dr, tmpC05F.tmp.4.dr, tmpCA33.tmp.4.dr, tmp5762.tmp.4.dr, tmpBA24.tmp.4.dr, tmpBD42.tmp.4.dr, tmp2054.tmp.4.dr, tmp658B.tmp.4.dr, tmpC2F1.tmp.4.dr, tmpC225.tmp.4.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415771506.0000000003223000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.416523305.0000000003354000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.416763620.00000000033ED000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415906539.00000000032BB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415666003.0000000003199000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.417142204.0000000003486000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.417610660.000000000351F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://get.adob
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415771506.0000000003223000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.416523305.0000000003354000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.416763620.00000000033ED000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415906539.00000000032BB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415666003.0000000003199000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.417142204.0000000003486000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.417610660.000000000351F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://helpx.ad
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000000.302735458.0000000000402000.00000040.00000400.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000000.304627336.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.416523305.0000000003354000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.416763620.00000000033ED000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415906539.00000000032BB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.417142204.0000000003486000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.417610660.000000000351F000.00000004.00000800.00020000.00000000.sdmp, tmp8CBC.tmp.4.dr, tmpF2F9.tmp.4.dr, tmpE78F.tmp.4.dr, tmpC05F.tmp.4.dr, tmpCA33.tmp.4.dr, tmp5762.tmp.4.dr, tmpBA24.tmp.4.dr, tmpBD42.tmp.4.dr, tmp2054.tmp.4.dr, tmp658B.tmp.4.dr, tmpC2F1.tmp.4.dr, tmpC225.tmp.4.dr	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.416523305.0000000003354000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.416763620.00000000033ED000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415906539.00000000032BB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.417142204.0000000003486000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.417610660.000000000351F000.00000004.00000800.00020000.00000000.sdmp, tmp8CBC.tmp.4.dr, tmpF2F9.tmp.4.dr, tmpE78F.tmp.4.dr, tmpC05F.tmp.4.dr, tmpCA33.tmp.4.dr, tmp5762.tmp.4.dr, tmpBA24.tmp.4.dr, tmpBD42.tmp.4.dr, tmp2054.tmp.4.dr, tmp658B.tmp.4.dr, tmpC2F1.tmp.4.dr, tmpC225.tmp.4.dr	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.417610660.000000000351F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.417610660.000000000351F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415771506.0000000003223000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.416523305.0000000003354000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.416763620.00000000033ED000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415906539.00000000032BB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415666003.0000000003199000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.417142204.0000000003486000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.417610660.000000000351F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_java
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415771506.0000000003223000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.416523305.0000000003354000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.416763620.00000000033ED000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415906539.00000000032BB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415666003.0000000003199000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.417142204.0000000003486000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.417610660.000000000351F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_pdf
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415771506.0000000003223000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.416523305.0000000003354000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.416763620.00000000033ED000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415906539.00000000032BB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415666003.0000000003199000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.417142204.0000000003486000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.417610660.000000000351F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415771506.0000000003223000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.416523305.0000000003354000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.416763620.00000000033ED000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415510372.00000000030BD000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415906539.00000000032BB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415666003.0000000003199000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.417142204.0000000003486000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.417610660.000000000351F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_real
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.417610660.000000000351F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415771506.0000000003223000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.416523305.0000000003354000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.416763620.00000000033ED000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415510372.00000000030BD000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415906539.00000000032BB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415666003.0000000003199000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.417142204.0000000003486000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.417610660.000000000351F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.417610660.000000000351F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.416523305.0000000003354000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.416763620.00000000033ED000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.415906539.00000000032BB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.417142204.0000000003486000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.MSILHeracles.37401.28222.exe, 00000004.00000002.417610660.000000000351F000.00000004.00000800.00020000.00000000.sdmp, tmp8CBC.tmp.4.dr, tmpF2F9.tmp.4.dr, tmpE78F.tmp.4.dr, tmpC05F.tmp.4.dr, tmpCA33.tmp.4.dr, tmp5762.tmp.4.dr, tmpBA24.tmp.4.dr, tmpBD42.tmp.4.dr, tmp2054.tmp.4.dr, tmp658B.tmp.4.dr, tmpC2F1.tmp.4.dr, tmpC225.tmp.4.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.90

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Variant.MSILHeracles.37401.28222.31688

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: RedLine

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
SecuriteInfo.com.Variant.MSILHeracles.37401.28222.31688