Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report


General Information

Sample Name:3VtKPs7ESr.exe
Analysis ID:671708


Eternity Clipper, RedLine
Range:0 - 100


Yara detected RedLine Stealer
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Yara detected Eternity Clipper
Snort IDS alert for network traffic
Tries to steal Crypto Currency Wallets
Found Tor onion address
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses TOR for connection hidding
Uses known network protocols on non-standard ports
Machine Learning detection for sample
Uses ping.exe to check the status of other devices and networks
May check the online IP address of the machine
.NET source code contains potential unpacker
Yara detected Generic Downloader
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Uses schtasks.exe or at.exe to add and modify task schedules
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Contains functionality to detect virtual machines (STR)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Drops PE files
Binary contains a suspicious time stamp
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)


  • System is w10x64
  • 3VtKPs7ESr.exe (PID: 584 cmdline: "C:\Users\user\Desktop\3VtKPs7ESr.exe" MD5: 28121F220582DF68FBE058B6F24B7E81)
    • 0.exe (PID: 2860 cmdline: "C:\Users\user\AppData\Roaming\0.exe" MD5: 12E0F770A0133FDCED521962B0363AA4)
      • cmd.exe (PID: 6356 cmdline: C:\Windows\System32\cmd.exe" /C chcp 65001 && ping && schtasks /create /tn "0" /sc MINUTE /tr "C:\Users\user\AppData\Local\ServiceHub\0.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\user\AppData\Roaming\0.exe" &&START "" "C:\Users\user\AppData\Local\ServiceHub\0.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • chcp.com (PID: 6452 cmdline: chcp 65001 MD5: 561054CF9C4B2897E80D7E7D9027FED9)
        • PING.EXE (PID: 6468 cmdline: ping MD5: 70C24A306F768936563ABDADB9CA9108)
        • schtasks.exe (PID: 6520 cmdline: schtasks /create /tn "0" /sc MINUTE /tr "C:\Users\user\AppData\Local\ServiceHub\0.exe" /rl HIGHEST /f MD5: 15FF7D8324231381BAD48A052F85DF04)
        • 0.exe (PID: 6536 cmdline: "C:\Users\user\AppData\Local\ServiceHub\0.exe" MD5: 12E0F770A0133FDCED521962B0363AA4)
    • 1.exe (PID: 6172 cmdline: "C:\Users\user\AppData\Roaming\1.exe" MD5: 0FE3AED7C7723105FA1646E3C3077721)
      • conhost.exe (PID: 6204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • 0.exe (PID: 6552 cmdline: C:\Users\user\AppData\Local\ServiceHub\0.exe MD5: 12E0F770A0133FDCED521962B0363AA4)
  • 0.exe (PID: 6328 cmdline: C:\Users\user\AppData\Local\ServiceHub\0.exe MD5: 12E0F770A0133FDCED521962B0363AA4)
  • cleanup
{"C2 url": [""], "Bot Id": "cheat"}
{"C2 url": "http://rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion"}
dump.pcapJoeSecurity_RedLineYara detected RedLine StealerJoe Security
    dump.pcapJoeSecurity_RedLine_1Yara detected RedLine StealerJoe Security
      C:\Users\user\AppData\Roaming\1.exeJoeSecurity_RedLineYara detected RedLine StealerJoe Security
        C:\Users\user\AppData\Roaming\1.exeJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
          C:\Users\user\AppData\Roaming\1.exeJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            C:\Users\user\AppData\Roaming\1.exeMALWARE_Win_RedLineDetects RedLine infostealerditekSHen
            • 0x1048a:$u7: RunPE
            • 0x13b41:$u8: DownloadAndEx
            • 0x9130:$pat14: , CommandLine:
            • 0x13079:$v2_1: ListOfProcesses
            • 0x1068b:$v2_2: get_ScanVPN
            • 0x1072e:$v2_2: get_ScanFTP
            • 0x1141e:$v2_2: get_ScanDiscord
            • 0x1240c:$v2_2: get_ScanSteam
            • 0x12428:$v2_2: get_ScanTelegram
            • 0x124ce:$v2_2: get_ScanScreen
            • 0x13216:$v2_2: get_ScanChromeBrowsersPaths
            • 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths
            • 0x13509:$v2_2: get_ScanBrowsers
            • 0x135ca:$v2_2: get_ScannedWallets
            • 0x135f0:$v2_2: get_ScanWallets
            • 0x13610:$v2_3: GetArguments
            • 0x11cd9:$v2_4: VerifyUpdate
            • 0x165ea:$v2_4: VerifyUpdate
            • 0x139ca:$v2_5: VerifyScanRequest
            • 0x130c6:$v2_6: GetUpdates
            • 0x165cb:$v2_6: GetUpdates
            C:\Users\user\AppData\Roaming\0.exeJoeSecurity_EternityClipperYara detected Eternity ClipperJoe Security
              Click to see the 1 entries
              00000015.00000002.534323316.0000000000482000.00000002.00000001.01000000.0000000B.sdmpJoeSecurity_EternityClipperYara detected Eternity ClipperJoe Security
                0000000D.00000000.328453535.0000000000082000.00000002.00000001.01000000.0000000A.sdmpJoeSecurity_RedLineYara detected RedLine StealerJoe Security
                  0000000D.00000000.328453535.0000000000082000.00000002.00000001.01000000.0000000A.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                    0000001D.00000000.490369432.0000000000E92000.00000002.00000001.01000000.0000000B.sdmpJoeSecurity_EternityClipperYara detected Eternity ClipperJoe Security
                      00000016.00000000.359163101.0000000000552000.00000002.00000001.01000000.0000000B.sdmpJoeSecurity_EternityClipperYara detected Eternity ClipperJoe Security
                        Click to see the 29 entries
                        0.2.3VtKPs7ESr.exe.71061cc.4.unpackJoeSecurity_EternityClipperYara detected Eternity ClipperJoe Security
                          12.0.0.exe.260000.0.unpackJoeSecurity_EternityClipperYara detected Eternity ClipperJoe Security
                            12.2.0.exe.260000.0.unpackJoeSecurity_EternityClipperYara detected Eternity ClipperJoe Security
                              21.2.0.exe.480000.0.unpackJoeSecurity_EternityClipperYara detected Eternity ClipperJoe Security
                                22.0.0.exe.550000.0.unpackJoeSecurity_EternityClipperYara detected Eternity ClipperJoe Security