Edit tour

Windows Analysis Report
ChromeFIX_errorMEM.exe

Overview

General Information

Sample Name:	ChromeFIX_errorMEM.exe
Analysis ID:	829699
MD5:	74b6b35627f6453d787f1c7ea3b9ec33
SHA1:	a9282e204443fed6e0be28e8e2dfe7c927706428
SHA256:	51921d13908bd84b1c8fbdd77e6e29d4359ce0fc40857f6f0ad15b1b6ee74730
Tags:	exe
Infos:

Detection

RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected RedLine Stealer

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Snort IDS alert for network traffic

Writes to foreign memory regions

Tries to steal Crypto Currency Wallets

Machine Learning detection for sample

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Contains functionality to inject code into remote processes

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

C2 URLs / IPs found in malware configuration

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

One or more processes crash

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found evasive API chain (may stop execution after checking a module file name)

Yara detected Credential Stealer

Contains functionality to dynamically determine API calls

Contains long sleeps (>= 3 min)

Enables debug privileges

Is looking for software installed on the system

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

Contains functionality to read the PEB

Detected TCP or UDP traffic on non-standard ports

Checks if the current process is being debugged

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

ChromeFIX_errorMEM.exe (PID: 5764 cmdline: C:\Users\user\Desktop\ChromeFIX_errorMEM.exe MD5: 74B6B35627F6453D787F1C7EA3B9EC33)

conhost.exe (PID: 5772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

AppLaunch.exe (PID: 5828 cmdline: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe MD5: 6807F903AC06FF7E1670181378690B22)

WerFault.exe (PID: 5884 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5764 -s 132 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/ https://bartblaze.blogspot.com/2021/06/digital-artists-targeted-in-redline.html https://blog.chainalysis.com/reports/2022-crypto-crime-report-preview-malware/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": ["135.181.173.163:4323"], "Authorization Header": "a909e2aaecf96137978fea4f86400b9b"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.304460782.0000000000402000.00000020.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.247722749.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000003.240337295.0000000000F82000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: AppLaunch.exe PID: 5828	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: AppLaunch.exe PID: 5828	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.AppLaunch.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
2.2.AppLaunch.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1a434:$pat14: , CommandLine: 0x134a2:$v2_1: ListOfProcesses 0x13281:$v4_3: base64str 0x13e05:$v4_4: stringKey 0x11b63:$v4_5: BytesToStringConverted 0x10d76:$v4_6: FromBase64 0x12098:$v4_8: procName 0x12814:$v5_5: FileScanning 0x11d6c:$v5_7: RecordHeaderField 0x11a34:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0.3.ChromeFIX_errorMEM.exe.f80000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.3.ChromeFIX_errorMEM.exe.f80000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1a434:$pat14: , CommandLine: 0x134a2:$v2_1: ListOfProcesses 0x13281:$v4_3: base64str 0x13e05:$v4_4: stringKey 0x11b63:$v4_5: BytesToStringConverted 0x10d76:$v4_6: FromBase64 0x12098:$v4_8: procName 0x12814:$v5_5: FileScanning 0x11d6c:$v5_7: RecordHeaderField 0x11a34:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0.2.ChromeFIX_errorMEM.exe.fd0000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.ChromeFIX_errorMEM.exe.fd0000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xdad4:$s5: delete[] 0xc908:$s6: constructor or from DllMain. 0x2903c:$pat14: , CommandLine: 0x220aa:$v2_1: ListOfProcesses 0x21e89:$v4_3: base64str 0x22a0d:$v4_4: stringKey 0x2076b:$v4_5: BytesToStringConverted 0x1f97e:$v4_6: FromBase64 0x20ca0:$v4_8: procName 0x2141c:$v5_5: FileScanning 0x20974:$v5_7: RecordHeaderField 0x2063c:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
Click to see the 1 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

ET TROJAN RedLine Stealer TCP CnC net.tcp Init - Source IP: 192.168.2.3 - Destination IP: 135.181.173.163

Timestamp:	192.168.2.3135.181.173.1634968543232043233 03/19/23-00:27:09.983730
SID:	2043233
Source Port:	49685
Destination Port:	4323
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Redline Stealer TCP CnC - Id1Response - Source IP: 135.181.173.163 - Destination IP: 192.168.2.3

Timestamp:	135.181.173.163192.168.2.34323496852043234 03/19/23-00:27:12.062612
SID:	2043234
Source Port:	4323
Destination Port:	49685
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Redline Stealer TCP CnC Activity - Source IP: 192.168.2.3 - Destination IP: 135.181.173.163

Timestamp:	192.168.2.3135.181.173.1634968543232043231 03/19/23-00:27:21.986883
SID:	2043231
Source Port:	49685
Destination Port:	4323
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: ChromeFIX_errorMEM.exe	ReversingLabs: Detection: 38%
Source: ChromeFIX_errorMEM.exe	Virustotal: Detection: 48%			Perma Link

Machine Learning detection for sample

Source: ChromeFIX_errorMEM.exe

Joe Sandbox ML: detected

Source: 2.2.AppLaunch.exe.400000.0.unpack

Malware Configuration Extractor: RedLine {"C2 url": ["135.181.173.163:4323"], "Authorization Header": "a909e2aaecf96137978fea4f86400b9b"}

Source: ChromeFIX_errorMEM.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: ChromeFIX_errorMEM.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
ChromeFIX_errorMEM.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: RedLine

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ChromeFIX_errorMEM.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: RedLine

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Windows Analysis Report
ChromeFIX_errorMEM.exe