Windows Analysis Report
workalone.exe

Overview

General Information

Sample Name: workalone.exe
Analysis ID: 756291
MD5: 68f42f485ece93306bef1e4084d3052e
SHA1: c63f1a56d12a0acbf5e9a354d8a66c6e17af2309
SHA256: 5d526be000146cf9cf94f7ef6f4e86929d508e17ca483b03d4ecbd2d52e071c9
Tags: exe, RedLineStealer

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Malicious sample detected (through community Yara rule)
Sigma detected: Schedule system process
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Tries to steal Crypto Currency Wallets
Connects to many ports of the same IP (likely port scanning)
Uses known network protocols on non-standard ports
Machine Learning detection for sample
Injects a PE file into a foreign processes
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Drops PE files with benign system names
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
HTTP GET or POST without a user agent
Contains long sleeps (>= 3 min)
Enables debug privileges
Is looking for software installed on the system
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • workalone.exe (PID: 5836 cmdline: C:\Users\user\Desktop\workalone.exe MD5: 68F42F485ECE93306BEF1E4084D3052E)
    • workalone.exe (PID: 5956 cmdline: C:\Users\user\Desktop\workalone.exe MD5: 68F42F485ECE93306BEF1E4084D3052E)
      • conhost.exe (PID: 5964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 5972 cmdline: cmd" /c mkdir "C:\Users\user\AppData\Roaming\svchost MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 6040 cmdline: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 6108 cmdline: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f MD5: 15FF7D8324231381BAD48A052F85DF04)
    • cmd.exe (PID: 6080 cmdline: cmd" /c copy "C:\Users\user\Desktop\workalone.exe" "C:\Users\user\AppData\Roaming\svchost\svchost.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
{"C2 url": ["saleshor12.duckdns.org:46539"], "Bot Id": "cheat"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security

Source | Rule | Description | Author | Strings
00000001.00000000.262815044.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000001.00000000.262815044.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000001.00000000.262815044.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown
  • 0x133ca:$a4: get_ScannedWallets
  • 0x12228:$a5: get_ScanTelegram
  • 0x1304e:$a6: get_ScanGeckoBrowsersPaths
  • 0x10e6a:$a7: <Processes>k__BackingField
  • 0xed7c:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
  • 0x1079e:$a9: <ScanFTP>k__BackingField
00000001.00000002.406713080.000000000309F000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.270249352.00000000039F9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Source | Rule | Description | Author | Strings
1.0.workalone.exe.400000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
1.0.workalone.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
1.0.workalone.exe.400000.0.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x1048a:$u7: RunPE
  • 0x13b41:$u8: DownloadAndEx
  • 0x9130:$pat14: , CommandLine:
  • 0x13079:$v2_1: ListOfProcesses
  • 0x1068b:$v2_2: get_ScanVPN
  • 0x1072e:$v2_2: get_ScanFTP
  • 0x1141e:$v2_2: get_ScanDiscord
  • 0x1240c:$v2_2: get_ScanSteam
  • 0x12428:$v2_2: get_ScanTelegram
  • 0x124ce:$v2_2: get_ScanScreen
  • 0x13216:$v2_2: get_ScanChromeBrowsersPaths
  • 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths
  • 0x13509:$v2_2: get_ScanBrowsers
  • 0x135ca:$v2_2: get_ScannedWallets
  • 0x135f0:$v2_2: get_ScanWallets
  • 0x13610:$v2_3: GetArguments
  • 0x11cd9:$v2_4: VerifyUpdate
  • 0x165fe:$v2_4: VerifyUpdate
  • 0x139ca:$v2_5: VerifyScanRequest
  • 0x130c6:$v2_6: GetUpdates
  • 0x165df:$v2_6: GetUpdates
1.0.workalone.exe.400000.0.unpack | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown
  • 0x135ca:$a4: get_ScannedWallets
  • 0x12428:$a5: get_ScanTelegram
  • 0x1324e:$a6: get_ScanGeckoBrowsersPaths
  • 0x1106a:$a7: <Processes>k__BackingField
  • 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
  • 0x1099e:$a9: <ScanFTP>k__BackingField
0.2.workalone.exe.3a29170.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Persistence and Installation Behavior

                    Source: Process startedAuthor: Joe Security: Data: Command: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f, CommandLine: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Users\user\Desktop\workalone.exe, ParentImage: C:\Users\user\Desktop\workalone.exe, ParentProcessId: 5836, ParentProcessName: workalone.exe, Proces