Edit tour

Windows Analysis Report
Gta_5_Mod_Menu.exe

Overview

General Information

Sample Name:	Gta_5_Mod_Menu.exe
Analysis ID:	829686
MD5:	35be3beaaba232f6fde781242b9c5c4b
SHA1:	ce27166d42e8126a10330f5cb3d71f578f6b7ef5
SHA256:	1b9192644f1912431596a1c145b7ef462d241551ff9d6782ab1f34def2f373af
Tags:	exeRedLineStealer
Infos:

Detection

RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected RedLine Stealer

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Antivirus detection for URL or domain

Snort IDS alert for network traffic

Writes to foreign memory regions

Tries to steal Crypto Currency Wallets

Machine Learning detection for sample

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Contains functionality to inject code into remote processes

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

One or more processes crash

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found evasive API chain (may stop execution after checking a module file name)

Yara detected Credential Stealer

Contains functionality to dynamically determine API calls

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Is looking for software installed on the system

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

Contains functionality to read the PEB

Detected TCP or UDP traffic on non-standard ports

Checks if the current process is being debugged

PE / OLE file has an invalid certificate

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

Gta_5_Mod_Menu.exe (PID: 5924 cmdline: C:\Users\user\Desktop\Gta_5_Mod_Menu.exe MD5: 35BE3BEAABA232F6FDE781242B9C5C4B)

conhost.exe (PID: 5992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

AppLaunch.exe (PID: 3308 cmdline: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe MD5: 6807F903AC06FF7E1670181378690B22)

WerFault.exe (PID: 5196 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5924 -s 132 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/ https://bartblaze.blogspot.com/2021/06/digital-artists-targeted-in-redline.html https://blog.chainalysis.com/reports/2022-crypto-crime-report-preview-malware/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": ["82.115.223.46:57672"], "Authorization Header": "6ae56e1e5992d446c979c837ad9696f5"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.306737777.0000000000B50000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000003.295387303.0000000000A52000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000002.00000002.388076605.0000000000402000.00000020.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.389921530.000000000700B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: AppLaunch.exe PID: 3308	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: AppLaunch.exe PID: 3308	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.AppLaunch.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
2.2.AppLaunch.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xd00:$pat14: , CommandLine: 0x13a96:$v2_1: ListOfProcesses 0x13875:$v4_3: base64str 0x143d2:$v4_4: stringKey 0x1218b:$v4_5: BytesToStringConverted 0x1139e:$v4_6: FromBase64 0x126b4:$v4_8: procName 0x12e10:$v5_5: FileScanning 0x12394:$v5_7: RecordHeaderField 0x1205c:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0.3.Gta_5_Mod_Menu.exe.a50000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.3.Gta_5_Mod_Menu.exe.a50000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xd00:$pat14: , CommandLine: 0x13a96:$v2_1: ListOfProcesses 0x13875:$v4_3: base64str 0x143d2:$v4_4: stringKey 0x1218b:$v4_5: BytesToStringConverted 0x1139e:$v4_6: FromBase64 0x126b4:$v4_8: procName 0x12e10:$v5_5: FileScanning 0x12394:$v5_7: RecordHeaderField 0x1205c:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0.2.Gta_5_Mod_Menu.exe.b40000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.Gta_5_Mod_Menu.exe.b40000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xdad4:$s5: delete[] 0xc908:$s6: constructor or from DllMain. 0xf908:$pat14: , CommandLine: 0x2269e:$v2_1: ListOfProcesses 0x2247d:$v4_3: base64str 0x22fda:$v4_4: stringKey 0x20d93:$v4_5: BytesToStringConverted 0x1ffa6:$v4_6: FromBase64 0x212bc:$v4_8: procName 0x21a18:$v5_5: FileScanning 0x20f9c:$v5_7: RecordHeaderField 0x20c64:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
Click to see the 1 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

ET TROJAN Redline Stealer TCP CnC Activity - Source IP: 192.168.2.5 - Destination IP: 82.115.223.46

Timestamp:	192.168.2.582.115.223.4649702576722043231 03/18/23-21:08:36.493481
SID:	2043231
Source Port:	49702
Destination Port:	57672
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN RedLine Stealer TCP CnC net.tcp Init - Source IP: 192.168.2.5 - Destination IP: 82.115.223.46

Timestamp:	192.168.2.582.115.223.4649702576722043233 03/18/23-21:08:10.800408
SID:	2043233
Source Port:	49702
Destination Port:	57672
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Redline Stealer TCP CnC - Id1Response - Source IP: 82.115.223.46 - Destination IP: 192.168.2.5

Timestamp:	82.115.223.46192.168.2.557672497022043234 03/18/23-21:08:17.271452
SID:	2043234
Source Port:	57672
Destination Port:	49702
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
Gta_5_Mod_Menu.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: RedLine

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Gta_5_Mod_Menu.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: RedLine

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Windows Analysis Report
Gta_5_Mod_Menu.exe