Windows Analysis Report
UniverseCity.exe

Overview

General Information

Sample Name: UniverseCity.exe
Analysis ID: 753417
MD5: 2815815f0488b3d2307c3a914ddc1d7a
SHA1: c5845c0c743106ac27622d32689a24e2f52a9ab7
SHA256: 14b87b3a9eb96e080373e2a7203b664b63cec8cc163bbd10b028ecf5441f7f67
Tags: 185-206-213-32CosmicWayexeFakeGaliXCityRedLineStealerUniverseCity

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Detected unpacking (changes PE section rights)
Snort IDS alert for network traffic
Hides threads from debuggers
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to steal Crypto Currency Wallets
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Yara detected Credential Stealer
Entry point lies outside standard sections
Contains long sleeps (>= 3 min)
Enables debug privileges
Is looking for software installed on the system
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Classification

  • System is w10x64
  • UniverseCity.exe (PID: 3836 cmdline: C:\Users\user\Desktop\UniverseCity.exe MD5: 2815815F0488B3D2307C3A914DDC1D7A)
  • cleanup
Malware configuration (RedLine): {"C2 url": "185.206.213.32:42794", "Bot Id": "110", "Authorization Header": "e47b0f61fb0cc49a8eafd0acb2a1befc"}

Yara matches (Source / Rule / Description / Author):
Source: dump.pcap; Rule: JoeSecurity_RedLine; Description: Yara detected RedLine Stealer; Author: Joe Security
Source: 00000000.00000002.392074868.0000000003481000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Source: Process Memory Space: UniverseCity.exe PID: 3836; Rule: JoeSecurity_RedLine; Description: Yara detected RedLine Stealer; Author: Joe Security
Source: Process Memory Space: UniverseCity.exe PID: 3836; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
          No Sigma rule has matched
Snort IDS alerts:

Timestamp: 11/24/22-19:43:22.900750
SID: 2850286
Source IP: 192.168.2.4
Destination IP: 185.206.213.32
Source Port: 49696
Destination Port: 42794
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 11/24/22-19:43:19.130595
SID: 2850027
Source IP: 192.168.2.4
Destination IP: 185.206.213.32
Source Port: 49696
Destination Port: 42794
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 11/24/22-19:43:20.869342
SID: 2850353
Source IP: 185.206.213.32
Destination IP: 192.168.2.4
Source Port: 42794
Destination Port: 49696
Protocol: TCP
Classtype: A Network Trojan was detected

          AV Detection

Source: UniverseCity.exe; Joe Sandbox ML: detected
Source: 00000000.00000002.391774735.0000000003411000.00000004.00000800.00020000.00000000.sdmp; Malware Configuration Extractor: RedLine {"C2 url": "185.206.213.32:42794", "Bot Id": "110", "Authorization Header": "e47b0f61fb0cc49a8eafd0acb2a1befc"}
Source: UniverseCity.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED
Source: Binary string: _.pdb; source: UniverseCity.exe, 00000000.00000002.390384903.000000000301C000.00000004.00000800.00020000.00000000.sdmp, UniverseCity.exe, 00000000.00000002.390918451.0000000003200000.00000004.08000000.00040000.00000000.sdmp

          Networking

Source: Traffic; Snort IDS: 2850027 ETPRO TROJAN RedLine Stealer TCP CnC net.tcp Init 192.168.2.4:49696 -> 185.206.213.32:42794
Source: Traffic; Snort IDS: 2850286 ETPRO TROJAN Redline Stealer TCP CnC Activity 192.168.2.4:49696 -> 185.206.213.32:42794
Source: Traffic; Snort IDS: 2850353 ETPRO MALWARE Redline Stealer TCP CnC - Id1Response 185.206.213.32:42794 -> 192.168.2.4:49696
Source: Malware configuration extractor; URLs: 185.206.213.32:42794
Source: Joe Sandbox View; ASN Name: ON-LINE-DATAServerlocation-NetherlandsDrontenNL
Source: global traffic; TCP traffic: 192.168.2.4:49696 -> 185.206.213.32:42794
Source: unknown; TCP traffic detected without corresponding DNS query: 185.206.213.32