Edit tour

Windows Analysis Report
PIptrFxrxR.exe

Overview

General Information

Sample Name:	PIptrFxrxR.exe
Analysis ID:	715160
MD5:	3570cfa79638c148588f3f22a7ad58c9
SHA1:	205fcd2a3a45d91ee1bdbaf820f49967539e0159
SHA256:	5b82bbf81826faa8e2ff41c468af4632d3151eabec01e5535d9a7c4659528c51
Tags:	exeRedLineStealer
Infos:

Detection

RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected RedLine Stealer

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Snort IDS alert for network traffic

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to steal Crypto Currency Wallets

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Machine Learning detection for sample

Tries to harvest and steal browser information (history, passwords, etc)

Creates a DirectInput object (often for capturing keystrokes)

Is looking for software installed on the system

Uses 32bit PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

AV process strings found (often used to terminate AV products)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Sample file is different than original file name gathered from version info

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Detected TCP or UDP traffic on non-standard ports

Internet Provider seen in connection with other malware

Binary contains a suspicious time stamp

Detected potential crypto function

Yara detected Credential Stealer

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Contains long sleeps (>= 3 min)

Enables debug privileges

Classification

Process Tree

System is w10x64

PIptrFxrxR.exe (PID: 3804 cmdline: C:\Users\user\Desktop\PIptrFxrxR.exe MD5: 3570CFA79638C148588F3F22A7AD58C9)

cleanup

Malware Configuration

Threatname: RedLine

{"C2 url": ["65.108.247.147:37767"], "Authorization Header": "6a82f1fb90afb278c299e83d46279927"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
PIptrFxrxR.exe	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1c68:$pat14: , CommandLine: 0x39a2b:$v2_1: ListOfProcesses 0x397b4:$v4_3: base64str 0x3a8c2:$v4_4: stringKey 0x3729f:$v4_5: BytesToStringConverted 0x362e6:$v4_6: FromBase64 0x37a9b:$v4_8: procName 0x37e38:$v5_1: DownloadAndExecuteUpdate 0x396c4:$v5_2: ITaskProcessor 0x37e26:$v5_3: CommandLineUpdate 0x37e17:$v5_4: DownloadUpdate 0x3853f:$v5_5: FileScanning 0x3761e:$v5_7: RecordHeaderField 0x3700c:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PIptrFxrxR.exe PID: 3804	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: PIptrFxrxR.exe PID: 3804	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.PIptrFxrxR.exe.990000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1c68:$pat14: , CommandLine: 0x39a2b:$v2_1: ListOfProcesses 0x397b4:$v4_3: base64str 0x3a8c2:$v4_4: stringKey 0x3729f:$v4_5: BytesToStringConverted 0x362e6:$v4_6: FromBase64 0x37a9b:$v4_8: procName 0x37e38:$v5_1: DownloadAndExecuteUpdate 0x396c4:$v5_2: ITaskProcessor 0x37e26:$v5_3: CommandLineUpdate 0x37e17:$v5_4: DownloadUpdate 0x3853f:$v5_5: FileScanning 0x3761e:$v5_7: RecordHeaderField 0x3700c:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

ETPRO TROJAN RedLine Stealer TCP CnC net.tcp Init - Source IP: 192.168.2.5 - Destination IP: 65.108.247.147

Timestamp:	192.168.2.565.108.247.14749698377672850027 10/03/22-17:33:23.343299
SID:	2850027
Source Port:	49698
Destination Port:	37767
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Redline Stealer TCP CnC Activity - Source IP: 192.168.2.5 - Destination IP: 65.108.247.147

Timestamp:	192.168.2.565.108.247.14749698377672850286 10/03/22-17:33:45.506493
SID:	2850286
Source Port:	49698
Destination Port:	37767
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Redline Stealer TCP CnC - Id1Response - Source IP: 65.108.247.147 - Destination IP: 192.168.2.5

Timestamp:	65.108.247.147192.168.2.537767496982850353 10/03/22-17:33:24.983524
SID:	2850353
Source Port:	37767
Destination Port:	49698
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: PIptrFxrxR.exe	ReversingLabs: Detection: 80%
Source: PIptrFxrxR.exe	Virustotal: Detection: 66%	Perma Link
Source: PIptrFxrxR.exe	Metadefender: Detection: 61%	Perma Link

Machine Learning detection for sample

Source: PIptrFxrxR.exe

Joe Sandbox ML: detected

Source: PIptrFxrxR.exe

Malware Configuration Extractor: RedLine {"C2 url": ["65.108.247.147:37767"], "Authorization Header": "6a82f1fb90afb278c299e83d46279927"}

Source: PIptrFxrxR.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: PIptrFxrxR.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2850027 ETPRO TROJAN RedLine Stealer TCP CnC net.tcp Init 192.168.2.5:49698 -> 65.108.247.147:37767
Source: Traffic	Snort IDS: 2850286 ETPRO TROJAN Redline Stealer TCP CnC Activity 192.168.2.5:49698 -> 65.108.247.147:37767
Source: Traffic	Snort IDS: 2850353 ETPRO MALWARE Redline Stealer TCP CnC - Id1Response 65.108.247.147:37767 -> 192.168.2.5:49698

Source: global traffic

TCP traffic: 192.168.2.5:49698 -> 65.108.247.147:37767

Source: Joe Sandbox View

ASN Name: ALABANZA-BALTUS ALABANZA-BALTUS

Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.247.147
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.247.147
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.247.147
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.247.147
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.247.147
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.247.147
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.247.147
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.247.147
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.247.147
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.247.147
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.247.147
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.247.147
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.247.147
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.247.147
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.247.147
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.247.147
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.247.147
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.247.147
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.247.147
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.247.147
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.247.147
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.247.147
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.247.147
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.247.147
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.247.147
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.247.147
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.247.147
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.247.147
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.247.147
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.247.147
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.247.147
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.247.147
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.247.147
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.247.147
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.247.147
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.247.147
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.247.147
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.247.147
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.247.147
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.247.147
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.247.147
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.247.147
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.247.147
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.247.147
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.247.147
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.247.147
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.247.147
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.247.147
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.247.147
Source: unknown	TCP traffic detected without corresponding DNS query: 65.108.247.147

Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: PIptrFxrxR.exe, 00000000.00000002.396395728.000000000151E000.00000004.00000020.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000003.392866445.000000000151C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobe.c/g
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
PIptrFxrxR.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: RedLine

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PIptrFxrxR.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: RedLine

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Windows Analysis Report
PIptrFxrxR.exe