Windows
Analysis Report
BaGkRDSifo.exe
Overview
General Information
Sample name: | BaGkRDSifo.exerenamed because original name is a hash value |
Original sample name: | 3b8f605388479cd9296e0be1ea9d1f60.exe |
Analysis ID: | 1448043 |
MD5: | 3b8f605388479cd9296e0be1ea9d1f60 |
SHA1: | 4608fd9d55cae50eaa9379b02373afea15572eae |
SHA256: | d550397a71e1fc77be3460d1742f1df63d43ba74487a10ec96befc1c768768bc |
Tags: | 32exeRedLineStealer |
Infos: | |
Detection
Score: | 80 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses known network protocols on non-standard ports
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
- System is w10x64
BaGkRDSifo.exe (PID: 180 cmdline:
"C:\Users\ user\Deskt op\BaGkRDS ifo.exe" MD5: 3B8F605388479CD9296E0BE1EA9D1F60)
- cleanup
⊘No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen |
|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen |
|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | ||
JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen |
| |
JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | ||
MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen |
| |
JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | ||
JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | ||
Click to see the 3 entries |
⊘No Sigma rule has matched
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | Virustotal: | Perma Link |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Networking |
---|
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | TCP traffic: |
Source: | HTTP traffic detected: |