Edit tour
Windows
Analysis Report
e1c29f91924be94ceb6cbc2aecbd34ccdd9b2761d4b1c.exe
Overview
General Information
| Sample Name: | e1c29f91924be94ceb6cbc2aecbd34ccdd9b2761d4b1c.exe |
| Analysis ID: | 1313298 |
| MD5: | 6bf4c9d2b8dbd206c60ca8cd78c66141 |
| SHA1: | 638da5eaece51d6cf4ac16b8c157d0794b873eb1 |
| SHA256: | e1c29f91924be94ceb6cbc2aecbd34ccdd9b2761d4b1c880e91bd0b053bbc79a |
| Tags: | exeRedLineStealer |
| Infos: |  |
 | |
Detection
Fabookie, Mystic Stealer, RedLine, SmokeLoader
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Yara detected RedLine Stealer
Yara detected Mystic Stealer
Yara detected SmokeLoader
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Fabookie
Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Disable Windows Defender real time protection (registry)
Maps a DLL or memory area into another process
Found stalling execution ending in API Sleep call
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Disable Windows Defender notifications (registry)
Checks if the current machine is a virtual machine (disk enumeration)
Writes to foreign memory regions
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
One or more processes crash
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Creates files inside the system directory
PE file contains sections with non-standard names
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Queries disk information (often used to detect virtual machines)
Uses Microsoft's Enhanced Cryptographic Provider
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Classification
- System is w10x64
e1c29f91924be94ceb6cbc2aecbd34ccdd9b2761d4b1c.exe (PID: 6488 cmdline: C:\Users\u ser\Deskto p\e1c29f91 924be94ceb 6cbc2aecbd 34ccdd9b27 61d4b1c.ex e MD5: 6BF4C9D2B8DBD206C60CA8CD78C66141) - v0139395.exe (PID: 6504 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\IXP000. TMP\v01393 95.exe MD5: D9F040D855D241E47DE3A1453BA55A1E) - v5523814.exe (PID: 6520 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\IXP001. TMP\v55238 14.exe MD5: 8C88F4E2A9CBD0F50308ECFBF2682492) - v2232713.exe (PID: 6536 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\IXP002. TMP\v22327 13.exe MD5: B632113C967BF119C2FFB113D0EC60C1) 
a3839540.exe (PID: 6552 cmdline: C:\Users\u ser\AppDat a\Local\Te mp\IXP003. TMP\a38395 40.exe MD5: C8A8CEA45E9B40590620ED7BE3A231AA) - b1121980.exe (PID: 6648 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\IXP003. TMP\b11219 80.exe MD5: 4512B6C7E1F51DB836D1540F2C9A75AC) 
conhost.exe (PID: 6656 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) - AppLaunch.exe (PID: 6764 cmdline:
C:\Windows \Microsoft .NET\Frame work\v4.0. 30319\AppL aunch.exe MD5: 4DF5F963C7E18F062E49870D0AFF8F6F) 
WerFault.exe (PID: 6836 cmdline: C:\Windows \SysWOW64\ WerFault.e xe -u -p 6 648 -s 632 MD5: 9E2B8ACAD48ECCA55C0230D63623661B) - c5286836.exe (PID: 7136 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\IXP002. TMP\c52868 36.exe MD5: 9B45E6934F5BC977E2A1A36B641EFAD9) - conhost.exe (PID: 7144 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) - AppLaunch.exe (PID: 6312 cmdline:
C:\Windows \Microsoft .NET\Frame work\v4.0. 30319\AppL aunch.exe MD5: 4DF5F963C7E18F062E49870D0AFF8F6F) - AppLaunch.exe (PID: 2996 cmdline:
C:\Windows \Microsoft .NET\Frame work\v4.0. 30319\AppL aunch.exe MD5: 4DF5F963C7E18F062E49870D0AFF8F6F) 
explorer.exe (PID: 3512 cmdline: C:\Windows \Explorer. EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D) - 3F93.exe (PID: 4716 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\3F93.ex e MD5: F6FE596CB820A7D48DF6F79A66112644) - x1895805.exe (PID: 4272 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\IXP000. TMP\x18958 05.exe MD5: 38EED433351602811990E57317F5A52E) - WerFault.exe (PID: 3548 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 7 136 -s 140 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
rundll32.exe (PID: 6612 cmdline: C:\Windows \system32\ rundll32.e xe" C:\Win dows\syste m32\advpac k.dll,DelN odeRunDLL3 2 "C:\User s\user\App Data\Local \Temp\IXP0 00.TMP\ MD5: 73C519F050C20580F8A62C849D49215A)
- rundll32.exe (PID: 6744 cmdline:
C:\Windows \system32\ rundll32.e xe" C:\Win dows\syste m32\advpac k.dll,DelN odeRunDLL3 2 "C:\User s\user\App Data\Local \Temp\IXP0 01.TMP\ MD5: 73C519F050C20580F8A62C849D49215A)
- svchost.exe (PID: 7080 cmdline:
C:\Windows \System32\ svchost.ex e -k netsv cs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 6316 cmdline:
c:\windows \system32\ svchost.ex e -k netsv cs -p -s B ITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
- rundll32.exe (PID: 3808 cmdline:
C:\Windows \system32\ rundll32.e xe" C:\Win dows\syste m32\advpac k.dll,DelN odeRunDLL3 2 "C:\User s\user\App Data\Local \Temp\IXP0 02.TMP\ MD5: 73C519F050C20580F8A62C849D49215A)
- svchost.exe (PID: 6640 cmdline:
c:\windows \system32\ svchost.ex e -k netwo rkservice -p -s DoSv c MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 6720 cmdline:
C:\Windows \System32\ svchost.ex e -k Netwo rkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
- SgrmBroker.exe (PID: 6792 cmdline:
C:\Windows \system32\ SgrmBroker .exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
- svchost.exe (PID: 3252 cmdline:
c:\windows \system32\ svchost.ex e -k local servicenet workrestri cted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 6804 cmdline:
c:\windows \system32\ svchost.ex e -k unist acksvcgrou p MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 6652 cmdline:
c:\windows \system32\ svchost.ex e -k local service -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 7100 cmdline:
C:\Windows \System32\ svchost.ex e -k netsv cs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
- fahrbrd (PID: 488 cmdline:
C:\Users\u ser\AppDat a\Roaming\ fahrbrd MD5: 4DF5F963C7E18F062E49870D0AFF8F6F)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Fabookie | Fabookie is facebook account info stealer. | No Attribution |
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| RedLine Stealer | RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. | No Attribution |
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| SmokeLoader | The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body. |
{"Version": 2022, "C2 list": ["http://77.91.68.29/fks/", "http://77.91.68.29/fks/"]}{"C2 url": "http://5.42.92.211/"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security | ||
| JoeSecurity_Fabookie | Yara detected Fabookie | Joe Security | ||
| JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_MysticStealer_1 | Yara detected Mystic Stealer | Joe Security | ||
| JoeSecurity_MysticStealer_1 | Yara detected Mystic Stealer | Joe Security | ||
| JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | ||
| Windows_Trojan_Smokeloader_4e31426e | unknown | unknown |
| |
| JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | ||
| Click to see the 2 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | ||
| JoeSecurity_MysticStealer_1 | Yara detected Mystic Stealer | Joe Security | ||
| JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | ||
| JoeSecurity_MysticStealer_1 | Yara detected Mystic Stealer | Joe Security | ||
| JoeSecurity_MysticStealer_1 | Yara detected Mystic Stealer | Joe Security | ||
| Click to see the 2 entries | ||||
⊘No Sigma rule has matched
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | URL Reputation: | ||
| Source: | URL Reputation: | ||
| Source: | URL Reputation: | ||
| Source: | URL Reputation: | ||
| Source: | URL Reputation: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | ReversingLabs: | |||
| Source: | Virustotal: | Perma Link | ||
| Source: | Avira: | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Code function: | 0_2_00802F1D | |
| Source: | Code function: | 1_2_009A2F1D | |
| Source: | Code function: | 2_2_00AF2F1D | |
| Source: | Code function: | 3_2_01132F1D | |
| Source: | Code function: | 40_2_00F32F1D | |
| Source: | Code function: | 41_2_00C42F1D | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 0_2_00802390 | |
| Source: | Code function: | 1_2_009A2390 | |
| Source: | Code function: | 2_2_00AF2390 | |
| Source: | Code function: | 3_2_01132390 | |
| Source: | Code function: | 6_2_00A06FED | |
| Source: | Code function: | 6_2_00A074D1 | |
| Source: | Code function: | 9_2_004087DD | |
| Source: | Code function: | 14_2_003F6FED | |
| Source: | Code function: | 14_2_003F74D1 | |
| Source: | Code function: | 40_2_00F32390 | |
| Source: | Code function: | 41_2_00C42390 | |
Networking | |
|---|
| Source: | Network Connect: | ||
| Source: | Network Connect: | ||
| Source: | Network Connect: | ||
| Source: | Network Connect: | ||
| Source: | Network Connect: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | HTTP traffic detected: | ||