Windows Analysis Report
Installer.exe

Overview

General Information

Sample Name: Installer.exe
Analysis ID: 791291
MD5: f62872fe4592273abda6f704fb27b3ec
SHA1: c9f193458f5b59a81b3fcb6fed90112d6d0dd48f
SHA256: 8f136c424f604be973a76795d1de0dca7281ca25e543e264565d753e2dea404c
Tags: exe

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus detection for URL or domain
Snort IDS alert for network traffic
Writes to foreign memory regions
Tries to steal Crypto Currency Wallets
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign process
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Entry point lies outside standard sections
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Tries to load missing DLLs
Detected TCP or UDP traffic on non-standard ports
Contains capabilities to detect virtual machines
PE file contains more sections than normal
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • Installer.exe (PID: 1228 cmdline: C:\Users\user\Desktop\Installer.exe MD5: F62872FE4592273ABDA6F704FB27B3EC)
    • conhost.exe (PID: 3788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • AppLaunch.exe (PID: 996 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe MD5: 6807F903AC06FF7E1670181378690B22)
  • cleanup

Malware Configuration (RedLine): {"C2 url": ["82.115.223.46:57672"], "Authorization Header": "7352deef2adb5a71ae170f48b8b9de21"}
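The process tree above (Installer.exe on the user's Desktop spawning AppLaunch.exe with no arguments, followed by the "creates a process in suspended mode", "allocates memory in foreign processes" and "writes to foreign memory regions" signatures) is the classic .NET process-hollowing pattern. The following is an added example of how to hunt for that pattern in Sysmon-style telemetry; it is not Joe Sandbox's logic. The events are constructed for the example, the field names follow Sysmon Event ID 1 (ProcessCreate) and Event ID 10 (ProcessAccess), the access-mask constants are the winnt.h values, and the list of .NET host binaries and user-writable path fragments are assumptions to tune per environment.

```python
"""Hunt for the hollowing pattern in this report's process tree over
Sysmon-style telemetry: a .NET host binary spawned from a user-writable
path with no arguments, and a process opening that host with write access.
Example code added to this page; the events below are constructed."""
from dataclasses import dataclass

# Process access rights needed to write code into another process (winnt.h).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# .NET framework host binaries commonly used as hollowing targets (assumed
# list; AppLaunch.exe is the one seen in this report).
NET_HOSTS = {"applaunch.exe", "regasm.exe", "regsvcs.exe",
             "installutil.exe", "msbuild.exe"}
# Path fragments that mark a user-writable location for the parent image.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")


@dataclass
class Finding:
    rule: str
    source: str   # image doing the suspicious thing (parent or writer)
    target: str   # image being spawned or written to
    detail: str


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return one Finding per event that matches the hollowing pattern."""
    findings = []
    for e in events:
        if e["EventID"] == 1:
            child = basename(e["Image"])
            parent = e["ParentImage"].lower()
            # Command line that is only the image path: no arguments, which a
            # legitimate launch of these hosts would normally carry.
            no_args = e["CommandLine"].strip().strip('"').lower() == e["Image"].lower()
            if child in NET_HOSTS and no_args and any(p in parent for p in USER_WRITABLE):
                findings.append(Finding("net_host_spawned_from_user_path",
                                        e["ParentImage"], e["Image"], e["CommandLine"]))
        elif e["EventID"] == 10:
            granted = int(e["GrantedAccess"], 16)
            if basename(e["TargetImage"]) in NET_HOSTS and granted & INJECT_MASK == INJECT_MASK:
                findings.append(Finding("write_access_to_net_host",
                                        e["SourceImage"], e["TargetImage"], e["GrantedAccess"]))
    return findings


# Constructed telemetry modelled on the process tree in this report.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\user\Desktop\Installer.exe",
     "CommandLine": r"C:\Users\user\Desktop\Installer.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
     "ParentImage": r"C:\Users\user\Desktop\Installer.exe"},
    # PROCESS_ALL_ACCESS (0x1F0FFF) on the freshly created child: it includes
    # VM_OPERATION | VM_WRITE | CREATE_THREAD, so it satisfies INJECT_MASK.
    {"EventID": 10, "SourceImage": r"C:\Users\user\Desktop\Installer.exe",
     "TargetImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
     "GrantedAccess": "0x1F0FFF"},
    # Benign: Task Manager opening the child with QUERY_LIMITED_INFORMATION only.
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
     "GrantedAccess": "0x1000"},
]


def hunt_sample():
    return hunt(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in hunt_sample():
        print(f"{f.rule}: {f.source} -> {f.target} ({f.detail})")
```

The two rules are deliberately independent: the Event ID 1 check fires even on hosts where ProcessAccess logging is filtered down, while the Event ID 10 check catches injection into an already running host process that the first rule would not see.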
Yara Overview

PCAP (Network Traffic)
Source: dump.pcap | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: dump.pcap | Rule: JoeSecurity_RedLine_1 | Description: Yara detected RedLine Stealer | Author: Joe Security

Memory Dumps
Source: 00000000.00000003.304751719.0000000001432000.00000040.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 00000000.00000002.306753398.00000000013D5000.00000004.00000010.00020000.00000000.sdmp | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 00000002.00000002.370528626.00000000041C2000.00000020.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 00000002.00000002.373473272.0000000006782000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
(2 further memory dump entries are not shown in this extract)

Unpacked PEs
Source: 0.2.Installer.exe.13d4614.1.unpack | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 0.2.Installer.exe.13d4614.1.unpack | Rule: MALWARE_Win_RedLine | Description: Detects RedLine infostealer | Author: ditekSHen | Strings:
  • 0x11c91:$v2_1: ListOfProcesses
  • 0x11a70:$v4_3: base64str
  • 0x125d6:$v4_4: stringKey
  • 0x1038b:$v4_5: BytesToStringConverted
  • 0xf59e:$v4_6: FromBase64
  • 0x108b4:$v4_8: procName
  • 0x11012:$v5_5: FileScanning
  • 0x10594:$v5_7: RecordHeaderField
  • 0x1025c:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
Source: 0.3.Installer.exe.1430000.0.unpack | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 0.3.Installer.exe.1430000.0.unpack | Rule: MALWARE_Win_RedLine | Description: Detects RedLine infostealer | Author: ditekSHen | Strings:
  • 0xd00:$pat14: , CommandLine:
  • 0x13a91:$v2_1: ListOfProcesses
  • 0x13870:$v4_3: base64str
  • 0x143d6:$v4_4: stringKey
  • 0x1218b:$v4_5: BytesToStringConverted
  • 0x1139e:$v4_6: FromBase64
  • 0x126b4:$v4_8: procName
  • 0x12e12:$v5_5: FileScanning
  • 0x12394:$v5_7: RecordHeaderField
  • 0x1205c:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
Source: 2.2.AppLaunch.exe.41c0000.0.unpack | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
(1 further unpacked PE entry is not shown in this extract)
                      No Sigma rule has matched
Snort IDS Alerts
Timestamp: 01/25/23-09:37:20.266410 | SID: 2043234 (ET MALWARE Redline Stealer TCP CnC - Id1Response) | Protocol: TCP | 82.115.223.46:57672 -> 192.168.2.4:49697 | Classtype: A Network Trojan was detected
Timestamp: 01/25/23-09:37:15.679519 | SID: 2043233 (ET TROJAN RedLine Stealer TCP CnC net.tcp Init) | Protocol: TCP | 192.168.2.4:49697 -> 82.115.223.46:57672 | Classtype: A Network Trojan was detected
Timestamp: 01/25/23-09:37:33.121439 | SID: 2043231 (ET TROJAN Redline Stealer TCP CnC Activity) | Protocol: TCP | 192.168.2.4:49697 -> 82.115.223.46:57672 | Classtype: A Network Trojan was detected
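The three Snort alerts above are listed out of order and with their fields run together, which hides that they are one TCP conversation: the client's net.tcp Init, the server's Id1Response five seconds later, then further CnC activity. As an added example (not Joe Sandbox's tooling), the following parses Snort 2 "fast" alert lines and rebuilds that per-session timeline. The SAMPLE_FAST_LOG lines are constructed from the report's alerts; the timestamps, SIDs, messages and endpoints are the report's, while the gid and rev values in each `[gid:sid:rev]` triple are assumed to be 1.

```python
"""Parse Snort 2 fast-format alert lines and group them into per-session
timelines. Example code added to this page; the sample lines are
constructed from the alerts in the report."""
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address

# Snort 2 alert_fast line layout:
# <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {PROTO} src:port -> dst:port
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_fast(lines):
    """Return one dict per well-formed alert line; malformed lines are skipped."""
    alerts = []
    for line in lines:
        m = FAST_RE.match(line.strip())
        if not m:
            continue
        a = m.groupdict()
        a["time"] = datetime.strptime(a["ts"], "%m/%d/%y-%H:%M:%S.%f")
        for k in ("gid", "sid", "rev", "prio", "sport", "dport"):
            a[k] = int(a[k])
        # Direction relative to the monitored network: a private source talking
        # to a public address is outbound, the reverse is the server replying.
        src_priv = ip_address(a["src"]).is_private
        dst_priv = ip_address(a["dst"]).is_private
        a["direction"] = "outbound" if src_priv and not dst_priv else "inbound"
        alerts.append(a)
    return alerts


def session_key(a):
    """Canonical key so both directions of one conversation collapse together."""
    ends = sorted([(a["src"], a["sport"]), (a["dst"], a["dport"])])
    return (a["proto"], ends[0], ends[1])


def session_timeline(alerts):
    """Group alerts by conversation and order each group by time."""
    sessions = defaultdict(list)
    for a in alerts:
        sessions[session_key(a)].append(a)
    for key in sessions:
        sessions[key].sort(key=lambda a: a["time"])
    return dict(sessions)


# Constructed fast.log content, in the same (unsorted) order as the report.
SAMPLE_FAST_LOG = """
01/25/23-09:37:20.266410  [**] [1:2043234:1] ET MALWARE Redline Stealer TCP CnC - Id1Response [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 82.115.223.46:57672 -> 192.168.2.4:49697
01/25/23-09:37:15.679519  [**] [1:2043233:1] ET TROJAN RedLine Stealer TCP CnC net.tcp Init [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.4:49697 -> 82.115.223.46:57672
01/25/23-09:37:33.121439  [**] [1:2043231:1] ET TROJAN Redline Stealer TCP CnC Activity [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.4:49697 -> 82.115.223.46:57672
""".splitlines()


if __name__ == "__main__":
    for key, events in session_timeline(parse_fast(SAMPLE_FAST_LOG)).items():
        print(f"{key[0]} {key[1][0]}:{key[1][1]} <-> {key[2][0]}:{key[2][1]}")
        for a in events:
            print(f"  {a['time'].isoformat()} {a['direction']:8} sid={a['sid']} {a['msg']}")
```

Keying the session on the sorted endpoint pair is what lets the inbound Id1Response alert land in the same timeline as the two outbound alerts; keying on the raw src/dst tuple would split one conversation into two.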

AV Detection

Source: Installer.exe | Virustotal: Detection: 38%
Source: http://tempuri.org/Entity/Id19Response | URL Reputation: Label: phishing
Source: Installer.exe | Joe Sandbox ML: detected
Source: 0.2.Installer.exe.13d4614.1.unpack | Avira: Label: TR/ATRAPS.Gen5
Source: 0.3.Installer.exe.1430000.0.unpack | Malware Configuration Extractor: RedLine {"C2 url": ["82.115.223.46:57672"], "Authorization Header": "7352deef2adb5a71ae170f48b8b9de21"}
Source: Installer.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, 32BIT_MACHINE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 4x nop then jmp 09BA243Ah | 2_2_09BA2018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 4x nop then jmp 09BA28BAh | 2_2_09BA2018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 4x nop then jmp 09BA5A18h | 2_2_09BA5538
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 4x nop then jmp 09BA1435h | 2_2_09BA1414

Networking

Source: Traffic | Snort IDS: 2043233 ET TROJAN RedLine Stealer TCP CnC net.tcp Init 192.168.2.4:49697 -> 82.115.223.46:57672
Source: Traffic | Snort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.4:49697 -> 82.115.223.46:57672
Source: Traffic | Snort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 82.115.223.46:57672 -> 192.168.2.4:49697
Source: Malware configuration extractor | URLs: 82.115.223.46:57672
Source: Joe Sandbox View | ASN Name: MIDNET-ASTK-TelecomRU
Source: Joe Sandbox View | IP Address: 82.115.223.46
Source: global traffic | TCP traffic: 192.168.2.4:49697 -> 82.115.223.46:57672
Source: unknown | TCP traffic detected without corresponding DNS query: 82.115.223.46 (reported 50 times)
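The "TCP traffic detected without corresponding DNS query" signature fires because the C2 address is hard-coded in the extracted configuration, so the host connects straight to 82.115.223.46:57672 with no name resolution first; the non-standard destination port is a second, independent signal. As an added example (not Joe Sandbox's detection), the following applies the same heuristic to simplified Zeek-style dns and conn records. The records are constructed; the internal range 192.168.0.0/16 (matching the 192.168.2.4 victim in this report), the "standard" port set and the DNS trust window are assumptions for the lab.

```python
"""Flag host-initiated external connections whose destination IP never
appeared in a DNS answer seen shortly before, and note non-standard ports.
Example code added to this page; the records below are constructed."""
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("192.168.0.0/16")          # assumed lab network
# Ports a host typically reaches on the public Internet; anything else is
# reported as non-standard (assumption; tune for the environment).
STANDARD_PORTS = {80, 443, 53, 25, 587, 993, 995, 123}
DNS_WINDOW = 3600.0  # seconds a DNS answer is trusted before it goes stale


def outbound_without_dns(dns_records, conn_records, window=DNS_WINDOW):
    """dns_records: dicts with ts, query, answers (list of IP strings).
    conn_records: dicts with ts, orig_h, resp_h, resp_p, proto.
    Returns one finding per internal->external connection whose resp_h was
    not in any DNS answer seen within `window` seconds before it started."""
    findings = []
    for c in conn_records:
        if ip_address(c["resp_h"]) in INTERNAL or ip_address(c["orig_h"]) not in INTERNAL:
            continue  # only traffic leaving the network, initiated inside
        resolved_by = [
            d["query"] for d in dns_records
            if c["resp_h"] in d["answers"] and 0 <= c["ts"] - d["ts"] <= window
        ]
        if resolved_by:
            continue
        findings.append({
            "ts": c["ts"], "orig_h": c["orig_h"], "resp_h": c["resp_h"],
            "resp_p": c["resp_p"], "proto": c["proto"],
            "nonstandard_port": c["resp_p"] not in STANDARD_PORTS,
        })
    return findings


# Constructed records modelled on this report's traffic. 198.51.100.7 is a
# documentation address standing in for a legitimately resolved server.
SAMPLE_DNS = [
    {"ts": 100.0, "query": "update.example.test", "answers": ["198.51.100.7"]},
]
SAMPLE_CONNS = [
    # resolved one second earlier: not flagged
    {"ts": 101.0, "orig_h": "192.168.2.4", "resp_h": "198.51.100.7", "resp_p": 443, "proto": "tcp"},
    # the hard-coded RedLine C2 from this report: no DNS, odd port
    {"ts": 105.0, "orig_h": "192.168.2.4", "resp_h": "82.115.223.46", "resp_p": 57672, "proto": "tcp"},
    # internal DNS traffic: ignored
    {"ts": 106.0, "orig_h": "192.168.2.4", "resp_h": "192.168.2.1", "resp_p": 53, "proto": "udp"},
    # same server again, but the only answer is older than DNS_WINDOW
    {"ts": 5000.0, "orig_h": "192.168.2.4", "resp_h": "198.51.100.7", "resp_p": 443, "proto": "tcp"},
]


def sample_findings(window=DNS_WINDOW):
    return outbound_without_dns(SAMPLE_DNS, SAMPLE_CONNS, window)


if __name__ == "__main__":
    for f in sample_findings():
        flag = " (non-standard port)" if f["nonstandard_port"] else ""
        print(f"{f['ts']:>8} {f['orig_h']} -> {f['resp_h']}:{f['resp_p']}/{f['proto']}{flag}")
```

The fourth record shows the heuristic's main false-positive source: a client reusing a resolution cached longer than the window. Set the window to at least the largest DNS TTL the environment honours, and treat the non-standard-port flag as corroboration rather than a verdict, since plenty of legitimate services also live on high ports.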
Source: AppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: AppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401