flash

16c6a61f609b7ef5cd13fc587805018efad3be4254591.exe

Status: finished
Submission Time: 18.12.2021 13:18:10
Malicious
Trojan
Spyware
Evader
GuLoader RedLine SmokeLoader

Tags

  • exe
  • RedLineStealer

Details

  • Analysis ID:
    541989
  • API (Web) ID:
    909515
  • Analysis Started:
    18.12.2021 13:18:10
  • Analysis Finished:
    18.12.2021 13:31:12
  • MD5:
    8205d65f76fa63e73b7685faf647a048
  • SHA1:
    79ea7b6dda9d45f021150d57ce90f340cef35940
  • SHA256:
    16c6a61f609b7ef5cd13fc587805018efad3be42545912f4281adde004cf928b
  • Technologies:

malicious

System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211

malicious
100/100

malicious
27/67

malicious
31/43

malicious

IPs

IP Country Detection

  • 45.9.20.240
    Russian Federation
  • 91.139.196.113
    Bulgaria
  • 185.112.83.8
    Russian Federation
  • 50.62.140.96
    United States
  • 41.41.255.235
    Egypt
  • 162.159.130.233
    United States
  • 211.171.233.127
    Korea Republic of
  • 211.119.84.112
    Korea Republic of
  • 190.166.156.200
    Dominican Republic

Domains

Name IP Detection

  • bastinscustomfab.com
    50.62.140.96
  • rcacademy.at
    91.139.196.113
  • www.bastinscustomfab.com
    0.0.0.0
  • cdn.discordapp.com
    162.159.130.233

URLs

Name Detection
http://witra.ru/upload/
http://rcacademy.at/upload/
http://45.9.20.240:7769/Igno.exe
http://e-lanpengeonline.com/upload/
http://185.112.83.8/InjectHollowing.bin
http://185.112.83.8/install3.exe
http://galala.ru/upload/
http://tempuri.org/Entity/Id1Response
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
http://schemas.xmlsoap.org/ws/2004/08/addressing
https://support.google.com/chrome/?p=plugin_shockwave
http://forms.rea
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
https://www.bastinscustomfab.com/veldolore/scc.exe
http://schemas.xmlsoap.org/ws/2004/04/trust
http://tempuri.org/Entity/Id10
http://tempuri.org/Entity/Id11
http://tempuri.org/Entity/Id12
http://tempuri.org/Entity/Id16Response
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
http://tempuri.org/Entity/Id13
http://tempuri.org/Entity/Id14
http://tempuri.org/Entity/Id15
http://tempuri.org/Entity/Id16
http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
http://tempuri.org/Entity/Id17
http://tempuri.org/Entity/Id18
http://tempuri.org/Entity/Id5Response
http://tempuri.org/Entity/Id19
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
http://tempuri.org/Entity/Id10Response
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
http://schemas.xmlsoap.org/ws/2005/02/sc/sct
https://duckduckgo.com/chrome_newtab
http://service.r
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
https://duckduckgo.com/ac/?q=
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
http://tempuri.org/Entity/Id12Response
http://tempuri.org/
http://tempuri.org/Entity/Id2Response
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
http://tempuri.org/Entity/Id21Response
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
http://tempuri.org/Entity/Id9
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
http://tempuri.org/Entity/Id8
http://tempuri.org/Entity/Id5
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
http://tempuri.org/Entity/Id4
http://tempuri.org/Entity/Id7
http://tempuri.org/Entity/Id6
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
https://support.google.com/chrome/?p=plugin_real
http://tempuri.org/Entity/Id19Response
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
http://www.interoperabilitybridges.com/wmp-extension-for-chrome
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
https://support.google.com/chrome/?p=plugin_pdf
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
http://schemas.xmlsoap.org/ws/2004/10/wsat
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
http://tempuri.org/Entity/Id15Response
https://bastinscustomfab.com/veldolore/scc.exe
https://cdn.discordapp.com/attachments/921473641538027521/921473810035793960/Vorticism.exe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
http://forms.real.com/real/realone/download.html?type=rpsp_us
http://support.a
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
http://tempuri.org/Entity/Id6Response
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
https://api.ip.sb/ip
http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
https://support.google.com/chrome/?p=plugin_quicktime
http://schemas.xmlsoap.org/ws/2004/04/sc
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
http://tempuri.org/Entity/Id9Response
https://duckduckgo.com/favicon.ico
https://duckduckgo.com/?q=
http://tempuri.org/Entity/Id20
http://tempuri.org/Entity/Id21
http://tempuri.org/Entity/Id22
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
http://tempuri.org/Entity/Id23
http://nsis.sf.net/NSIS_ErrorError
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
http://tempuri.org/Entity/Id24
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
http://tempuri.org/Entity/Id24Response

Dropped files

Name File Type Hashes Detection

  • C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\72E0.exe.log
    ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Temp\2923.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Local\Temp\495E.exe
    PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
  • C:\Users\user\AppData\Local\Temp\72E0.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\user\AppData\Roaming\hrsafib
    PE32 executable (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Roaming\hrsafib:Zone.Identifier
    ASCII text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_bad_module_info_60bf1a1728929f938e749327f53c25cfc2e1c9_85207d7d_0c54a73a\Report.wer
    Little-endian UTF-16 Unicode text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER427.tmp.xml
    XML 1.0 document, ASCII text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERFEA8.tmp.WERInternalMetadata.xml
    XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Temp\WEREE3C.tmp.WERDataCollectionStatus.txt
    Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
  • C:\Users\user\AppData\Local\Temp\Wamozart6.dat
    DOS executable (COM)
  • C:\Users\user\AppData\Local\Temp\a.txt
    ASCII text, with no line terminators
  • C:\Users\user\AppData\Local\Temp\nsz84C.tmp\System.dll
    PE32 executable (DLL) (GUI) Intel 80386, for MS Windows