37.0.0 Beryl
IR
829686
CloudBasic
21:07:04
18/03/2023
Gta_5_Mod_Menu.exe
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
35be3beaaba232f6fde781242b9c5c4b
ce27166d42e8126a10330f5cb3d71f578f6b7ef5
1b9192644f1912431596a1c145b7ef462d241551ff9d6782ab1f34def2f373af
Win32 Executable (generic) a (10002005/4) 99.96%
true
false
false
false
100
0
100
5
0
5
false
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Gta_5_Mod_Menu.e_9a3653fd351b6f67b678151a3e6c91e5fc7_e9b9f6a7_1416ff49\Report.wer
false
14BAFDB24431A9E6A6E5B01B0C0AB874
476CF6A5F3EFE366D7ABFAF69A887583D59C1EA5
F1FD1E8515EDB62121A6FD74CBD8D2D5A8997B4AACCF77517665313ED7DA2EA9
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF111.tmp.dmp
false
60F33FDB80F7869D87D818CFF6623A20
A266BB367029FA2ED5271500F90B7AA3D187BF82
209EECCD923262FB0079FA01FF80B135F0E63E4591A5625FDB288441DDCD4F02
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF269.tmp.WERInternalMetadata.xml
false
CF45C898B5D086A5808CC687BD543A81
972BF1A9FF72593FA46838FE088B7BE65CBD2DDC
CBE552C3105BE3870201AD191D58A90C10B1E07987A6B48B2433E9DD435C1F07
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF2D8.tmp.xml
false
A9046676DF97E0420E3660EDAED9A7AE
C908E89CB2C4CF1299052B36E10B6E206C80F27A
601E2BBB1DA03F3020264A49E372F1D8FFFE277305674465F132EBBAAF30A692
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
false
DCF12DDFCA2FD2701AE5EA0012964E90
AB37B70FB4E34C888BEFFFF54BA5AE34373C816B
3B28B517A00543FA53ADC147DB9996DF6FF59D002FF65823D5625B44B2D1A406
C:\Windows\appcompat\Programs\Amcache.hve
false
5329154E8AA80CB491DA57667FA0A0A9
E63DE714CC83CE5E4CEF69DAEE4E1A20D2DE280C
35130EC6461CAC33A3A2081535B79C13DDC2BD2CAF16DB72C8F2DDB0F2BB19E9
C:\Windows\appcompat\Programs\Amcache.hve.LOG1
false
3DDA0D5A6056346F936AE9802CF4DAAA
4BCE21D5649FC72B4CD79D9710FBCC91C284F4FD
7E7B3E64B4B4504A91F3D3F5EA0517393547564128C36277951A5212487E3E24
82.115.223.46
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
false
unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/sct
false
unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultP
false
unknown
https://duckduckgo.com/chrome_newtab
false
unknown
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
false
unknown
https://duckduckgo.com/ac/?q=
false
unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
false
unknown
http://tempuri.org/Entity/Id19Responseon
true
unknown
http://tempuri.org/Entity/Id12Response
false
unknown
http://tempuri.org/
false
unknown
http://tempuri.org/Entity/Id2Response
false
unknown
http://ns.adobe.c/g
false
unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
false
unknown
http://tempuri.org/Entity/Id21Response
false
unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
false
unknown
http://tempuri.org/Entity/Id9
false
unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
false
unknown
http://tempuri.org/Entity/Id8
false
unknown
http://tempuri.org/Entity/Id5
false
unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
false
unknown
http://tempuri.org/Entity/Id7
false
unknown
http://tempuri.org/Entity/Id6
false
unknown
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
false
unknown
http://tempuri.org/Entity/Id19Response
false
unknown
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
false
unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
false
unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
false
unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
false
unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
false
unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat
false
unknown
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
false
unknown
http://tempuri.org/Entity/Id15Response
false
unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
false
unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
false
unknown
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
false
unknown
http://tempuri.org/Entity/Id6Response
false
unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
false
unknown
https://api.ip.sb/ip
false
unknown
http://schemas.xmlsoap.org/ws/2004/04/sc
false
unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
false
unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
false
unknown
http://tempuri.org/Entity/Id9Response
false
unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
false
unknown
http://tempuri.org/Entity/Id20
false
unknown
http://tempuri.org/Entity/Id21
false
unknown
http://tempuri.org/Entity/Id22
false
unknown
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
false
unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
false
unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
false
unknown
http://tempuri.org/Entity/Id1Response
false
unknown
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
false
unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
false
unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
false
unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
false
unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
false
unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
false
unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
false
unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
false
unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing
false
unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
false
unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
false
unknown
http://schemas.xmlsoap.org/ws/2004/04/trust
false
unknown
http://tempuri.org/Entity/Id10
false
unknown
http://tempuri.org/Entity/Id11
false
unknown
http://tempuri.org/Entity/Id12
false
unknown
http://tempuri.org/Entity/Id16Response
false
unknown
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
false
unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
false
unknown
http://tempuri.org/Entity/Id13
false
unknown
http://tempuri.org/Entity/Id14
false
unknown
http://tempuri.org/Entity/Id15
false
unknown
http://tempuri.org/Entity/Id16
false
unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
false
unknown
http://tempuri.org/Entity/Id17
false
unknown
http://tempuri.org/Entity/Id18
false
unknown
http://tempuri.org/Entity/Id5Response
false
unknown
http://tempuri.org/Entity/Id19
false
unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
false
unknown
http://tempuri.org/Entity/Id10Response
false
unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
false
unknown
https://code.visualstudio.com/0
false
unknown
http://tempuri.org/Entity/Id8Response
false
unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
false
unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
false
unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
false
unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
false
unknown
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
false
unknown
http://schemas.xmlsoap.org/soap/envelope/
false
unknown
https://search.yahoo.com?fr=crmas_sfpf
false
unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
false
unknown
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
false
unknown
http://schemas.xmlsoap.org/ws/2005/02/trust
false
unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
false
unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
false
unknown
http://schemas.xmlsoap.org/ws/2004/06/addressingex
false
unknown
http://schemas.xmlsoap.org/ws/2004/10/wscoor
false
unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
false
unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
false
unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
false
unknown
http://tempuri.org/Entity/Id17Response
false
unknown
Yara detected RedLine Stealer
Writes to foreign memory regions
Tries to steal Crypto Currency Wallets
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign process
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Contains functionality to inject code into remote processes
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
C2 URLs / IPs found in malware configuration
Antivirus detection for URL or domain
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal browser information (history, passwords, etc)
Snort IDS alert for network traffic