Edit tour

Windows Analysis Report
o6B2U4HjCJ.exe

Overview

General Information

Sample Name:	o6B2U4HjCJ.exe
Original Sample Name:	dcb518ed1ed68c30a11cb79d50a0fe69.exe
Analysis ID:	829694
MD5:	dcb518ed1ed68c30a11cb79d50a0fe69
SHA1:	c770b74ee42bba7f1699341e8b03923b93a60789
SHA256:	38f88f2119c82d04462c902771d27d1ec546b3d556081a6103d844add1a9af09
Tags:	32exetrojan
Infos:

Detection

RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected RedLine Stealer

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Detected unpacking (overwrites its own PE header)

Detected unpacking (changes PE section rights)

Snort IDS alert for network traffic

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

C2 URLs / IPs found in malware configuration

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Found evasive API chain (may stop execution after checking a module file name)

Yara detected Credential Stealer

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Is looking for software installed on the system

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

Contains functionality to read the PEB

Detected TCP or UDP traffic on non-standard ports

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Classification

Process Tree

System is w10x64

o6B2U4HjCJ.exe (PID: 5604 cmdline: C:\Users\user\Desktop\o6B2U4HjCJ.exe MD5: DCB518ED1ED68C30A11CB79D50A0FE69)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/ https://bartblaze.blogspot.com/2021/06/digital-artists-targeted-in-redline.html https://blog.chainalysis.com/reports/2022-crypto-crime-report-preview-malware/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": "185.11.61.125:22344", "Bot Id": "@chicago", "Message": "Error", "Authorization Header": "21f863e0cbd09d0681058e068d0d1d7f"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.295675318.0000000004DD0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.295675318.0000000004DD0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x282c4:$pat14: , CommandLine: 0x1c8c4:$v2_1: ListOfProcesses 0x1c09f:$v4_3: base64str 0x1c06c:$v4_4: stringKey 0x1c0a9:$v4_5: BytesToStringConverted 0x1c094:$v4_6: FromBase64 0x1c578:$v4_8: procName 0x1a09f:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
00000000.00000002.295096246.0000000004955000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.295520420.0000000004C40000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.295520420.0000000004C40000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x291ac:$pat14: , CommandLine: 0x1d7ac:$v2_1: ListOfProcesses 0x1cf87:$v4_3: base64str 0x1cf54:$v4_4: stringKey 0x1cf91:$v4_5: BytesToStringConverted 0x1cf7c:$v4_6: FromBase64 0x1d460:$v4_8: procName 0x1af87:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
00000000.00000003.239241764.0000000002F47000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.294617353.0000000002ED8000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x15a0:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000003.238934056.0000000002E10000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000003.238934056.0000000002E10000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 C7 88 44 24 2B 88 44 24 2F B0 43 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000000.00000002.293546962.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.293546962.0000000000400000.00000040.00000001.01000000.00000003.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 C7 88 44 24 2B 88 44 24 2F B0 43 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000000.00000002.294046050.0000000002C80000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.294046050.0000000002C80000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
Process Memory Space: o6B2U4HjCJ.exe PID: 5604	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.o6B2U4HjCJ.exe.400000.0.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.o6B2U4HjCJ.exe.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 C7 88 44 24 2B 88 44 24 2F B0 43 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
0.2.o6B2U4HjCJ.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.o6B2U4HjCJ.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 C7 88 44 24 2B 88 44 24 2F B0 43 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
0.2.o6B2U4HjCJ.exe.2c80e67.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.o6B2U4HjCJ.exe.2c80e67.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 C7 88 44 24 2B 88 44 24 2F B0 43 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
0.3.o6B2U4HjCJ.exe.2e10000.0.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.3.o6B2U4HjCJ.exe.2e10000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 C7 88 44 24 2B 88 44 24 2F B0 43 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
0.2.o6B2U4HjCJ.exe.4c40ee8.5.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.o6B2U4HjCJ.exe.4c40ee8.5.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x282c4:$pat14: , CommandLine: 0x1c8c4:$v2_1: ListOfProcesses 0x1c09f:$v4_3: base64str 0x1c06c:$v4_4: stringKey 0x1c0a9:$v4_5: BytesToStringConverted 0x1c094:$v4_6: FromBase64 0x1c578:$v4_8: procName 0x1a09f:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0.2.o6B2U4HjCJ.exe.4c40000.4.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.o6B2U4HjCJ.exe.4c40000.4.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x291ac:$pat14: , CommandLine: 0x1d7ac:$v2_1: ListOfProcesses 0x1cf87:$v4_3: base64str 0x1cf54:$v4_4: stringKey 0x1cf91:$v4_5: BytesToStringConverted 0x1cf7c:$v4_6: FromBase64 0x1d460:$v4_8: procName 0x1af87:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0.2.o6B2U4HjCJ.exe.49956f6.2.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.o6B2U4HjCJ.exe.49956f6.2.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x273ac:$pat14: , CommandLine: 0x1b9ac:$v2_1: ListOfProcesses 0x1b187:$v4_3: base64str 0x1b154:$v4_4: stringKey 0x1b191:$v4_5: BytesToStringConverted 0x1b17c:$v4_6: FromBase64 0x1b660:$v4_8: procName 0x19187:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0.2.o6B2U4HjCJ.exe.49956f6.2.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.o6B2U4HjCJ.exe.49956f6.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x291ac:$pat14: , CommandLine: 0x1d7ac:$v2_1: ListOfProcesses 0x1cf87:$v4_3: base64str 0x1cf54:$v4_4: stringKey 0x1cf91:$v4_5: BytesToStringConverted 0x1cf7c:$v4_6: FromBase64 0x1d460:$v4_8: procName 0x1af87:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0.2.o6B2U4HjCJ.exe.4c40000.4.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.o6B2U4HjCJ.exe.4c40000.4.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x273ac:$pat14: , CommandLine: 0x1b9ac:$v2_1: ListOfProcesses 0x1b187:$v4_3: base64str 0x1b154:$v4_4: stringKey 0x1b191:$v4_5: BytesToStringConverted 0x1b17c:$v4_6: FromBase64 0x1b660:$v4_8: procName 0x19187:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0.2.o6B2U4HjCJ.exe.4dd0000.6.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.o6B2U4HjCJ.exe.4dd0000.6.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x282c4:$pat14: , CommandLine: 0x1c8c4:$v2_1: ListOfProcesses 0x1c09f:$v4_3: base64str 0x1c06c:$v4_4: stringKey 0x1c0a9:$v4_5: BytesToStringConverted 0x1c094:$v4_6: FromBase64 0x1c578:$v4_8: procName 0x1a09f:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0.2.o6B2U4HjCJ.exe.49965de.3.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.o6B2U4HjCJ.exe.49965de.3.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x282c4:$pat14: , CommandLine: 0x1c8c4:$v2_1: ListOfProcesses 0x1c09f:$v4_3: base64str 0x1c06c:$v4_4: stringKey 0x1c0a9:$v4_5: BytesToStringConverted 0x1c094:$v4_6: FromBase64 0x1c578:$v4_8: procName 0x1a09f:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0.2.o6B2U4HjCJ.exe.4c40ee8.5.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.o6B2U4HjCJ.exe.4c40ee8.5.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x264c4:$pat14: , CommandLine: 0x1aac4:$v2_1: ListOfProcesses 0x1a29f:$v4_3: base64str 0x1a26c:$v4_4: stringKey 0x1a2a9:$v4_5: BytesToStringConverted 0x1a294:$v4_6: FromBase64 0x1a778:$v4_8: procName 0x1829f:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0.2.o6B2U4HjCJ.exe.49965de.3.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.o6B2U4HjCJ.exe.49965de.3.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x264c4:$pat14: , CommandLine: 0x1aac4:$v2_1: ListOfProcesses 0x1a29f:$v4_3: base64str 0x1a26c:$v4_4: stringKey 0x1a2a9:$v4_5: BytesToStringConverted 0x1a294:$v4_6: FromBase64 0x1a778:$v4_8: procName 0x1829f:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0.2.o6B2U4HjCJ.exe.4dd0000.6.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.o6B2U4HjCJ.exe.4dd0000.6.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x264c4:$pat14: , CommandLine: 0x1aac4:$v2_1: ListOfProcesses 0x1a29f:$v4_3: base64str 0x1a26c:$v4_4: stringKey 0x1a2a9:$v4_5: BytesToStringConverted 0x1a294:$v4_6: FromBase64 0x1a778:$v4_8: procName 0x1829f:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
Click to see the 23 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

ET TROJAN RedLine Stealer TCP CnC net.tcp Init - Source IP: 192.168.2.3 - Destination IP: 185.11.61.125

Timestamp:	192.168.2.3185.11.61.12549701223442043233 03/18/23-22:06:06.966690
SID:	2043233
Source Port:	49701
Destination Port:	22344
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: o6B2U4HjCJ.exe	ReversingLabs: Detection: 38%
Source: o6B2U4HjCJ.exe	Virustotal: Detection: 39%			Perma Link

Machine Learning detection for sample

Source: o6B2U4HjCJ.exe

Joe Sandbox ML: detected

Source: 00000000.00000003.239241764.0000000002F47000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: RedLine {"C2 url": "185.11.61.125:22344", "Bot Id": "@chicago", "Message": "Error", "Authorization Header": "21f863e0cbd09d0681058e068d0d1d7f"}

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\o6B2U4HjCJ.exe

Unpacked PE file: 0.2.o6B2U4HjCJ.exe.400000.0.unpack

Source: o6B2U4HjCJ.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\o6B2U4HjCJ.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
o6B2U4HjCJ.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: RedLine

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report o6B2U4HjCJ.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: RedLine

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Windows Analysis Report
o6B2U4HjCJ.exe