flash

q6JYc6gWld.exe

Status: finished
Submission Time: 18.12.2021 18:38:11
Malicious
Trojan
Spyware
Evader
GuLoader RedLine SmokeLoader

Tags

  • exe
  • RedLineStealer

Details

  • Analysis ID:
    542098
  • API (Web) ID:
    909625
  • Analysis Started:
    18.12.2021 18:38:12
  • Analysis Finished:
    18.12.2021 18:53:01
  • MD5:
    a22e5f73f08a009eacf5d5eb3d6a5792
  • SHA1:
    a40938c9ffaae8d23a56dc163b4b84d88256ea19
  • SHA256:
    bc23463a2be659f023c2752e8fc2749ddb0a79cdd90690e6aadfbaf7878fd1e3
  • Technologies:
Engine Info Verdict Score Reports

  • malicious (System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211)
  • malicious, score 100/100
  • malicious, score 20/68
  • malicious, score 15/34
  • malicious, score 27/45
  • malicious

IPs

IP Country Detection
186.74.208.84 Panama
45.9.20.240 Russian Federation
185.112.83.8 Russian Federation
50.62.140.96 United States
211.169.6.249 Korea Republic of
176.44.122.100 Saudi Arabia
187.156.124.76 Mexico
86.107.197.138 Romania
162.159.133.233 United States
110.14.121.125 Korea Republic of

Domains

Name IP Detection
bastinscustomfab.com 50.62.140.96
rcacademy.at 186.74.208.84
www.bastinscustomfab.com 0.0.0.0
cdn.discordapp.com 162.159.133.233

URLs

Name Detection
http://rcacademy.at/upload/
http://45.9.20.240:7769/Igno.exe
http://e-lanpengeonline.com/upload/
http://185.112.83.8/InjectHollowing.bin
http://185.112.83.8/install3.exe
http://galala.ru/upload/
http://witra.ru/upload/
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
https://www.bastinscustomfab.com/veldolore/scc.exe
http://schemas.xmlsoap.org/ws/2004/04/trust
http://tempuri.org/Entity/Id10
http://tempuri.org/Entity/Id11
http://tempuri.org/Entity/Id12
http://tempuri.org/Entity/Id16Response
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
http://tempuri.org/Entity/Id13
http://tempuri.org/Entity/Id14
http://tempuri.org/Entity/Id15
http://tempuri.org/Entity/Id16
http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
http://tempuri.org/Entity/Id17
http://tempuri.org/Entity/Id18
http://tempuri.org/Entity/Id5Response
http://tempuri.org/Entity/Id19
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultD
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
http://schemas.xmlsoap.org/ws/2005/02/sc/sct
https://duckduckgo.com/chrome_newtab
http://service.r
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
https://duckduckgo.com/ac/?q=
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
http://tempuri.org/Entity/Id12Response
http://tempuri.org/
http://tempuri.org/Entity/Id2Response
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
http://tempuri.org/Entity/Id21Response
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
http://tempuri.org/Entity/Id9
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
http://tempuri.org/Entity/Id8
http://tempuri.org/Entity/Id5
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
http://tempuri.org/Entity/Id4
http://tempuri.org/Entity/Id7
http://tempuri.org/Entity/Id6
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
https://support.google.com/chrome/?p=plugin_real
http://tempuri.org/Entity/Id19Response
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
http://www.interoperabilitybridges.com/wmp-extension-for-chrome
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
https://support.google.com/chrome/?p=plugin_pdf
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
http://schemas.xmlsoap.org/ws/2004/10/wsat
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
http://tempuri.org/Entity/Id15Response
https://bastinscustomfab.com/veldolore/scc.exe
https://cdn.discordapp.com/attachments/921473641538027521/921473810035793960/Vorticism.exe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
http://forms.real.com/real/realone/download.html?type=rpsp_us
http://support.a
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
http://tempuri.org/Entity/Id6Response
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
https://api.ip.sb/ip
http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
https://support.google.com/chrome/?p=plugin_quicktime
http://schemas.xmlsoap.org/ws/2004/04/sc
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
http://tempuri.org/Entity/Id9Response
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
http://tempuri.org/Entity/Id20
http://tempuri.org/Entity/Id21
http://tempuri.org/Entity/Id22
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
http://tempuri.org/Entity/Id23
http://nsis.sf.net/NSIS_ErrorError
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
http://tempuri.org/Entity/Id24
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
http://tempuri.org/Entity/Id24Response
http://tempuri.org/Entity/Id1Response
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
http://schemas.xmlsoap.org/ws/2004/08/addressing
https://support.google.com/chrome/?p=plugin_shockwave
http://forms.rea
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue

Dropped files

Name File Type Hashes Detection
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\75A.exe.log (ASCII text, with CRLF line terminators)
C:\Users\user\AppData\Local\Temp\62E8.exe (PE32 executable (GUI) Intel 80386, for MS Windows)
C:\Users\user\AppData\Local\Temp\75A.exe (PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows)
C:\Users\user\AppData\Local\Temp\92C3.exe (PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive)
C:\Users\user\AppData\Roaming\vffcvih (PE32 executable (GUI) Intel 80386, for MS Windows)
C:\Users\user\AppData\Roaming\vffcvih:Zone.Identifier (ASCII text, with CRLF line terminators)
C:\Users\user\AppData\Local\Temp\Wamozart6.dat (DOS executable (COM))
C:\Users\user\AppData\Local\Temp\a.txt (ASCII text, with no line terminators)
C:\Users\user\AppData\Local\Temp\nsc46B7.tmp\System.dll (PE32 executable (DLL) (GUI) Intel 80386, for MS Windows)