Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
3VtKPs7ESr.exe

Overview

General Information

Sample Name:3VtKPs7ESr.exe
Analysis ID:671708
MD5:28121f220582df68fbe058b6f24b7e81
SHA1:1c2372fd9555252fd9638fa79c69b4ff988c2554
SHA256:a23855393505a14023834569b263ceebd810a4f041716b4f606f5ba9d25c265a
Tags:exeRedLineStealer
Infos:

Detection

Eternity Clipper, RedLine
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected RedLine Stealer
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Yara detected Eternity Clipper
Snort IDS alert for network traffic
Tries to steal Crypto Currency Wallets
Found Tor onion address
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses TOR for connection hidding
Uses known network protocols on non-standard ports
Machine Learning detection for sample
Uses ping.exe to check the status of other devices and networks
May check the online IP address of the machine
.NET source code contains potential unpacker
Yara detected Generic Downloader
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Uses schtasks.exe or at.exe to add and modify task schedules
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Contains functionality to detect virtual machines (STR)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Drops PE files
Binary contains a suspicious time stamp
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Classification

  • System is w10x64
  • 3VtKPs7ESr.exe (PID: 584 cmdline: "C:\Users\user\Desktop\3VtKPs7ESr.exe" MD5: 28121F220582DF68FBE058B6F24B7E81)
    • 0.exe (PID: 2860 cmdline: "C:\Users\user\AppData\Roaming\0.exe" MD5: 12E0F770A0133FDCED521962B0363AA4)
      • cmd.exe (PID: 6356 cmdline: C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "0" /sc MINUTE /tr "C:\Users\user\AppData\Local\ServiceHub\0.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\user\AppData\Roaming\0.exe" &&START "" "C:\Users\user\AppData\Local\ServiceHub\0.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • chcp.com (PID: 6452 cmdline: chcp 65001 MD5: 561054CF9C4B2897E80D7E7D9027FED9)
        • PING.EXE (PID: 6468 cmdline: ping 127.0.0.1 MD5: 70C24A306F768936563ABDADB9CA9108)
        • schtasks.exe (PID: 6520 cmdline: schtasks /create /tn "0" /sc MINUTE /tr "C:\Users\user\AppData\Local\ServiceHub\0.exe" /rl HIGHEST /f MD5: 15FF7D8324231381BAD48A052F85DF04)
        • 0.exe (PID: 6536 cmdline: "C:\Users\user\AppData\Local\ServiceHub\0.exe" MD5: 12E0F770A0133FDCED521962B0363AA4)
    • 1.exe (PID: 6172 cmdline: "C:\Users\user\AppData\Roaming\1.exe" MD5: 0FE3AED7C7723105FA1646E3C3077721)
      • conhost.exe (PID: 6204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • 0.exe (PID: 6552 cmdline: C:\Users\user\AppData\Local\ServiceHub\0.exe MD5: 12E0F770A0133FDCED521962B0363AA4)
  • 0.exe (PID: 6328 cmdline: C:\Users\user\AppData\Local\ServiceHub\0.exe MD5: 12E0F770A0133FDCED521962B0363AA4)
  • cleanup
{"C2 url": ["172.93.144.140:3128"], "Bot Id": "cheat"}
{"C2 url": "http://rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion"}
SourceRuleDescriptionAuthorStrings
dump.pcapJoeSecurity_RedLineYara detected RedLine StealerJoe Security
    dump.pcapJoeSecurity_RedLine_1Yara detected RedLine StealerJoe Security
      SourceRuleDescriptionAuthorStrings
      C:\Users\user\AppData\Roaming\1.exeJoeSecurity_RedLineYara detected RedLine StealerJoe Security
        C:\Users\user\AppData\Roaming\1.exeJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
          C:\Users\user\AppData\Roaming\1.exeJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            C:\Users\user\AppData\Roaming\1.exeMALWARE_Win_RedLineDetects RedLine infostealerditekSHen
            • 0x1048a:$u7: RunPE
            • 0x13b41:$u8: DownloadAndEx
            • 0x9130:$pat14: , CommandLine:
            • 0x13079:$v2_1: ListOfProcesses
            • 0x1068b:$v2_2: get_ScanVPN
            • 0x1072e:$v2_2: get_ScanFTP
            • 0x1141e:$v2_2: get_ScanDiscord
            • 0x1240c:$v2_2: get_ScanSteam
            • 0x12428:$v2_2: get_ScanTelegram
            • 0x124ce:$v2_2: get_ScanScreen
            • 0x13216:$v2_2: get_ScanChromeBrowsersPaths
            • 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths
            • 0x13509:$v2_2: get_ScanBrowsers
            • 0x135ca:$v2_2: get_ScannedWallets
            • 0x135f0:$v2_2: get_ScanWallets
            • 0x13610:$v2_3: GetArguments
            • 0x11cd9:$v2_4: VerifyUpdate
            • 0x165ea:$v2_4: VerifyUpdate
            • 0x139ca:$v2_5: VerifyScanRequest
            • 0x130c6:$v2_6: GetUpdates
            • 0x165cb:$v2_6: GetUpdates
            C:\Users\user\AppData\Roaming\0.exeJoeSecurity_EternityClipperYara detected Eternity ClipperJoe Security
              Click to see the 1 entries
              SourceRuleDescriptionAuthorStrings
              00000015.00000002.534323316.0000000000482000.00000002.00000001.01000000.0000000B.sdmpJoeSecurity_EternityClipperYara detected Eternity ClipperJoe Security
                0000000D.00000000.328453535.0000000000082000.00000002.00000001.01000000.0000000A.sdmpJoeSecurity_RedLineYara detected RedLine StealerJoe Security
                  0000000D.00000000.328453535.0000000000082000.00000002.00000001.01000000.0000000A.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                    0000001D.00000000.490369432.0000000000E92000.00000002.00000001.01000000.0000000B.sdmpJoeSecurity_EternityClipperYara detected Eternity ClipperJoe Security
                      00000016.00000000.359163101.0000000000552000.00000002.00000001.01000000.0000000B.sdmpJoeSecurity_EternityClipperYara detected Eternity ClipperJoe Security
                        Click to see the 29 entries
                        SourceRuleDescriptionAuthorStrings
                        0.2.3VtKPs7ESr.exe.71061cc.4.unpackJoeSecurity_EternityClipperYara detected Eternity ClipperJoe Security
                          12.0.0.exe.260000.0.unpackJoeSecurity_EternityClipperYara detected Eternity ClipperJoe Security
                            12.2.0.exe.260000.0.unpackJoeSecurity_EternityClipperYara detected Eternity ClipperJoe Security
                              21.2.0.exe.480000.0.unpackJoeSecurity_EternityClipperYara detected Eternity ClipperJoe Security
                                22.0.0.exe.550000.0.unpackJoeSecurity_EternityClipperYara detected Eternity ClipperJoe Security