Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
PIptrFxrxR.exe

Overview

General Information

Sample Name:PIptrFxrxR.exe
Analysis ID:715160
MD5:3570cfa79638c148588f3f22a7ad58c9
SHA1:205fcd2a3a45d91ee1bdbaf820f49967539e0159
SHA256:5b82bbf81826faa8e2ff41c468af4632d3151eabec01e5535d9a7c4659528c51
Tags:exeRedLineStealer
Infos:

Detection

RedLine
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected RedLine Stealer
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to steal Crypto Currency Wallets
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Uses 32bit PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Sample file is different than original file name gathered from version info
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected TCP or UDP traffic on non-standard ports
Internet Provider seen in connection with other malware
Binary contains a suspicious time stamp
Detected potential crypto function
Yara detected Credential Stealer
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Contains long sleeps (>= 3 min)
Enables debug privileges

Classification

  • System is w10x64
  • PIptrFxrxR.exe (PID: 3804 cmdline: C:\Users\user\Desktop\PIptrFxrxR.exe MD5: 3570CFA79638C148588F3F22A7AD58C9)
  • cleanup
{"C2 url": ["65.108.247.147:37767"], "Authorization Header": "6a82f1fb90afb278c299e83d46279927"}
SourceRuleDescriptionAuthorStrings
PIptrFxrxR.exeMALWARE_Win_RedLineDetects RedLine infostealerditekSHen
  • 0x1c68:$pat14: , CommandLine:
  • 0x39a2b:$v2_1: ListOfProcesses
  • 0x397b4:$v4_3: base64str
  • 0x3a8c2:$v4_4: stringKey
  • 0x3729f:$v4_5: BytesToStringConverted
  • 0x362e6:$v4_6: FromBase64
  • 0x37a9b:$v4_8: procName
  • 0x37e38:$v5_1: DownloadAndExecuteUpdate
  • 0x396c4:$v5_2: ITaskProcessor
  • 0x37e26:$v5_3: CommandLineUpdate
  • 0x37e17:$v5_4: DownloadUpdate
  • 0x3853f:$v5_5: FileScanning
  • 0x3761e:$v5_7: RecordHeaderField
  • 0x3700c:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
SourceRuleDescriptionAuthorStrings
dump.pcapJoeSecurity_RedLineYara detected RedLine StealerJoe Security
    dump.pcapJoeSecurity_RedLine_1Yara detected RedLine StealerJoe Security
      SourceRuleDescriptionAuthorStrings
      00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_RedLineYara detected RedLine StealerJoe Security
        00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
          Process Memory Space: PIptrFxrxR.exe PID: 3804JoeSecurity_RedLineYara detected RedLine StealerJoe Security
            Process Memory Space: PIptrFxrxR.exe PID: 3804JoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
              SourceRuleDescriptionAuthorStrings
              0.0.PIptrFxrxR.exe.990000.0.unpackMALWARE_Win_RedLineDetects RedLine infostealerditekSHen
              • 0x1c68:$pat14: , CommandLine:
              • 0x39a2b:$v2_1: ListOfProcesses
              • 0x397b4:$v4_3: base64str
              • 0x3a8c2:$v4_4: stringKey
              • 0x3729f:$v4_5: BytesToStringConverted
              • 0x362e6:$v4_6: FromBase64
              • 0x37a9b:$v4_8: procName
              • 0x37e38:$v5_1: DownloadAndExecuteUpdate
              • 0x396c4:$v5_2: ITaskProcessor
              • 0x37e26:$v5_3: CommandLineUpdate
              • 0x37e17:$v5_4: DownloadUpdate
              • 0x3853f:$v5_5: FileScanning
              • 0x3761e:$v5_7: RecordHeaderField
              • 0x3700c:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
              No Sigma rule has matched
              Timestamp:192.168.2.565.108.247.14749698377672850027 10/03/22-17:33:23.343299
              SID:2850027
              Source Port:49698
              Destination Port:37767
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:192.168.2.565.108.247.14749698377672850286 10/03/22-17:33:45.506493
              SID:2850286
              Source Port:49698
              Destination Port:37767
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:65.108.247.147192.168.2.537767496982850353 10/03/22-17:33:24.983524
              SID:2850353
              Source Port:37767
              Destination Port:49698
              Protocol:TCP
              Classtype:A Network Trojan was detected

              Click to jump to signature section

              Show All Signature Results

              AV Detection

              barindex
              Source: PIptrFxrxR.exeReversingLabs: Detection: 80%
              Source: PIptrFxrxR.exeVirustotal: Detection: 66%Perma Link
              Source: PIptrFxrxR.exeMetadefender: Detection: 61%Perma Link
              Source: PIptrFxrxR.exeJoe Sandbox ML: detected
              Source: PIptrFxrxR.exeMalware Configuration Extractor: RedLine {"C2 url": ["65.108.247.147:37767"], "Authorization Header": "6a82f1fb90afb278c299e83d46279927"}
              Source: PIptrFxrxR.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: PIptrFxrxR.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

              Networking

              barindex
              Source: TrafficSnort IDS: 2850027 ETPRO TROJAN RedLine Stealer TCP CnC net.tcp Init 192.168.2.5:49698 -> 65.108.247.147:37767
              Source: TrafficSnort IDS: 2850286 ETPRO TROJAN Redline Stealer TCP CnC Activity 192.168.2.5:49698 -> 65.108.247.147:37767
              Source: TrafficSnort IDS: 2850353 ETPRO MALWARE Redline Stealer TCP CnC - Id1Response 65.108.247.147:37767 -> 192.168.2.5:49698
              Source: global trafficTCP traffic: 192.168.2.5:49698 -> 65.108.247.147:37767
              Source: Joe Sandbox ViewASN Name: ALABANZA-BALTUS ALABANZA-BALTUS
              Source: unknownTCP traffic detected without corresponding DNS query: 65.108.247.147
              Source: unknownTCP traffic detected without corresponding DNS query: 65.108.247.147
              Source: unknownTCP traffic detected without corresponding DNS query: 65.108.247.147
              Source: unknownTCP traffic detected without corresponding DNS query: 65.108.247.147
              Source: unknownTCP traffic detected without corresponding DNS query: 65.108.247.147
              Source: unknownTCP traffic detected without corresponding DNS query: 65.108.247.147
              Source: unknownTCP traffic detected without corresponding DNS query: 65.108.247.147
              Source: unknownTCP traffic detected without corresponding DNS query: 65.108.247.147
              Source: unknownTCP traffic detected without corresponding DNS query: 65.108.247.147
              Source: unknownTCP traffic detected without corresponding DNS query: 65.108.247.147
              Source: unknownTCP traffic detected without corresponding DNS query: 65.108.247.147
              Source: unknownTCP traffic detected without corresponding DNS query: 65.108.247.147
              Source: unknownTCP traffic detected without corresponding DNS query: 65.108.247.147
              Source: unknownTCP traffic detected without corresponding DNS query: 65.108.247.147
              Source: unknownTCP traffic detected without corresponding DNS query: 65.108.247.147
              Source: unknownTCP traffic detected without corresponding DNS query: 65.108.247.147
              Source: unknownTCP traffic detected without corresponding DNS query: 65.108.247.147
              Source: unknownTCP traffic detected without corresponding DNS query: 65.108.247.147
              Source: unknownTCP traffic detected without corresponding DNS query: 65.108.247.147
              Source: unknownTCP traffic detected without corresponding DNS query: 65.108.247.147
              Source: unknownTCP traffic detected without corresponding DNS query: 65.108.247.147
              Source: unknownTCP traffic detected without corresponding DNS query: 65.108.247.147
              Source: unknownTCP traffic detected without corresponding DNS query: 65.108.247.147
              Source: unknownTCP traffic detected without corresponding DNS query: 65.108.247.147
              Source: unknownTCP traffic detected without corresponding DNS query: 65.108.247.147
              Source: unknownTCP traffic detected without corresponding DNS query: 65.108.247.147
              Source: unknownTCP traffic detected without corresponding DNS query: 65.108.247.147
              Source: unknownTCP traffic detected without corresponding DNS query: 65.108.247.147
              Source: unknownTCP traffic detected without corresponding DNS query: 65.108.247.147
              Source: unknownTCP traffic detected without corresponding DNS query: 65.108.247.147
              Source: unknownTCP traffic detected without corresponding DNS query: 65.108.247.147
              Source: unknownTCP traffic detected without corresponding DNS query: 65.108.247.147
              Source: unknownTCP traffic detected without corresponding DNS query: 65.108.247.147
              Source: unknownTCP traffic detected without corresponding DNS query: 65.108.247.147
              Source: unknownTCP traffic detected without corresponding DNS query: 65.108.247.147
              Source: unknownTCP traffic detected without corresponding DNS query: 65.108.247.147
              Source: unknownTCP traffic detected without corresponding DNS query: 65.108.247.147
              Source: unknownTCP traffic detected without corresponding DNS query: 65.108.247.147
              Source: unknownTCP traffic detected without corresponding DNS query: 65.108.247.147
              Source: unknownTCP traffic detected without corresponding DNS query: 65.108.247.147
              Source: unknownTCP traffic detected without corresponding DNS query: 65.108.247.147
              Source: unknownTCP traffic detected without corresponding DNS query: 65.108.247.147
              Source: unknownTCP traffic detected without corresponding DNS query: 65.108.247.147
              Source: unknownTCP traffic detected without corresponding DNS query: 65.108.247.147
              Source: unknownTCP traffic detected without corresponding DNS query: 65.108.247.147
              Source: unknownTCP traffic detected without corresponding DNS query: 65.108.247.147
              Source: unknownTCP traffic detected without corresponding DNS query: 65.108.247.147
              Source: unknownTCP traffic detected without corresponding DNS query: 65.108.247.147
              Source: unknownTCP traffic detected without corresponding DNS query: 65.108.247.147
              Source: unknownTCP traffic detected without corresponding DNS query: 65.108.247.147
              Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
              Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
              Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
              Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
              Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasi