
Windows Analysis Report
StZAEFSb2j.exe

Overview

General Information

Sample Name: StZAEFSb2j.exe
Analysis ID: 736967
MD5: c71616e2b7cedf9fc8e2ca6f6929abdf
SHA1: 896a4c41792c73db51074ccff5ef3f0577f510c5
SHA256: 4a9f8a3b847fa9d2e854d3a7235ddee8e4c093d04c3901f006d430be1060fae5
Tags: exe, RedLineStealer

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus detection for URL or domain
Snort IDS alert for network traffic
Writes to foreign memory regions
Tries to steal Crypto Currency Wallets
.NET source code references suspicious native API functions
Uses known network protocols on non-standard ports
Machine Learning detection for sample
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Tries to harvest and steal browser information (history, passwords, etc)
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Is looking for software installed on the system
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Contains functionality to detect virtual machines (SLDT)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • StZAEFSb2j.exe (PID: 780 cmdline: C:\Users\user\Desktop\StZAEFSb2j.exe MD5: C71616E2B7CEDF9FC8E2CA6F6929ABDF)
    • aspnet_compiler.exe (PID: 1592 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe MD5: 17CC69238395DF61AAF483BCEF02E7C9)
      • conhost.exe (PID: 6120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
{"C2 url": ["194.55.186.201:6008"], "Bot Id": "xxxPROFxxx"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000002.321721404.00000000042B9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000000.00000002.321721404.00000000042B9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.321721404.00000000042B9000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown |
  • 0x535ca:$a4: get_ScannedWallets
  • 0x6b1ea:$a4: get_ScannedWallets
  • 0x52428:$a5: get_ScanTelegram
  • 0x6a048:$a5: get_ScanTelegram
  • 0x5324e:$a6: get_ScanGeckoBrowsersPaths
  • 0x6ae6e:$a6: get_ScanGeckoBrowsersPaths
  • 0x5106a:$a7: <Processes>k__BackingField
  • 0x68c8a:$a7: <Processes>k__BackingField
  • 0x4ef7c:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
  • 0x66b9c:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
  • 0x5099e:$a9: <ScanFTP>k__BackingField
  • 0x685be:$a9: <ScanFTP>k__BackingField
00000001.00000000.316565039.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000001.00000000.316565039.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Source | Rule | Description | Author | Strings
0.2.StZAEFSb2j.exe.42f9000.5.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
0.2.StZAEFSb2j.exe.42f9000.5.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0.2.StZAEFSb2j.exe.42f9000.5.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen |
  • 0xe68a:$u7: RunPE
  • 0x11d41:$u8: DownloadAndEx
  • 0x7330:$pat14: , CommandLine:
  • 0x11279:$v2_1: ListOfProcesses
  • 0xe88b:$v2_2: get_ScanVPN
  • 0xe92e:$v2_2: get_ScanFTP
  • 0xf61e:$v2_2: get_ScanDiscord
  • 0x1060c:$v2_2: get_ScanSteam
  • 0x10628:$v2_2: get_ScanTelegram
  • 0x106ce:$v2_2: get_ScanScreen
  • 0x11416:$v2_2: get_ScanChromeBrowsersPaths
  • 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths
  • 0x11709:$v2_2: get_ScanBrowsers
  • 0x117ca:$v2_2: get_ScannedWallets
  • 0x117f0:$v2_2: get_ScanWallets
  • 0x11810:$v2_3: GetArguments
  • 0xfed9:$v2_4: VerifyUpdate
  • 0x147f6:$v2_4: VerifyUpdate
  • 0x11bca:$v2_5: VerifyScanRequest
  • 0x112c6:$v2_6: GetUpdates
  • 0x147d7:$v2_6: GetUpdates
0.2.StZAEFSb2j.exe.42f9000.5.unpack | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown |
  • 0x117ca:$a4: get_ScannedWallets
  • 0x10628:$a5: get_ScanTelegram
  • 0x1144e:$a6: get_ScanGeckoBrowsersPaths
  • 0xf26a:$a7: <Processes>k__BackingField
  • 0xd17c:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
  • 0xeb9e:$a9: <ScanFTP>k__BackingField
1.0.aspnet_compiler.exe.400000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
No Sigma rule has matched

Timestamp: 11/03/22-12:44:38.337914 | Source IP: 192.168.2.4 | Destination IP: 8.8.8.8 | Source Port: 56572 | Destination Port: 53 | Protocol: UDP | SID: 2012811 | Classtype: Potentially Bad Traffic
Timestamp: 11/03/22-12:44:39.556293 | Source IP: 50.115.174.192 | Destination IP: 192.168.2.4 | Source Port: 443 | Destination Port: 49695 | Protocol: TCP | SID: 2018856 | Classtype: A Network Trojan was detected
Timestamp: 11/03/22-12:44:40.820043 | Source IP: 50.115.174.192 | Destination IP: 192.168.2.4 | Source Port: 443 | Destination Port: 49696 | Protocol: TCP | SID: 2018856 | Classtype: A Network Trojan was detected


                    AV Detection

Source: StZAEFSb2j.exe | ReversingLabs: Detection: 34%
Source: StZAEFSb2j.exe | Virustotal: Detection: 25%
Source: https://tgc8x.tk/tt/BLACKDEV.txt | Avira URL Cloud: Label: phishing
Source: https://tgc8x.tk/tt/lamb.txt | Avira URL Cloud: Label: phishing
Source: StZAEFSb2j.exe | Joe Sandbox ML: detected
Source: 00000000.00000002.321721404.00000000042B9000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: RedLine {"C2 url": ["194.55.186.201:6008"], "Bot Id": "xxxPROFxxx"}
Source: unknown | HTTPS traffic detected: 50.115.174.192:443 -> 192.168.2.4:49695 version: TLS 1.2
Source: StZAEFSb2j.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\BLACKDEVIL.pdbBSJB | source: StZAEFSb2j.exe, 00000000.00000002.322189785.0000000005000000.00000004.08000000.00040000.00000000.sdmp, StZAEFSb2j.exe, 00000000.00000002.321290507.0000000002C1B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\BLACKDEVIL.pdb | source: StZAEFSb2j.exe, 00000000.00000002.322189785.0000000005000000.00000004.08000000.00040000.00000000.sdmp, StZAEFSb2j.exe, 00000000.00000002.321290507.0000000002C1B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: XCBVNDDJD.pdb | source: StZAEFSb2j.exe
Source: C:\Users\user\Desktop\StZAEFSb2j.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h | 0_2_00E442DC
Source: C:\Users\user\Desktop\StZAEFSb2j.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h | 0_2_00E464DC
Source: C:\Users\user\Desktop\StZAEFSb2j.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h | 0_2_00E45C60
Source: C:\Users\user\Desktop\StZAEFSb2j.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h | 0_2_00E44300
Source: C:\Users\user\Desktop\StZAEFSb2j.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h | 0_2_00E4610C
Source: C:\Users\user\Desktop\StZAEFSb2j.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h | 0_2_00E44318

                    Networking
