Source: setup.exe |
Malware Configuration Extractor: RedLine {"C2 url": ["185.215.113.67:40960"], "Bot Id": "newbuild", "Authorization Header": "e4460bd99c868950f0858f084a0e3d16"} |
Source: setup.exe |
ReversingLabs: Detection: 76% |
Source: Submitted Sample |
Integrated Neural Analysis Model: Matched 100.0% probability |
Source: setup.exe |
Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: C:\Users\user\Desktop\setup.exe |
File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\setup.exe.log |
Source: unknown |
HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.5:49705 version: TLS 1.2 |
Source: setup.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: Traffic |
Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) 192.168.2.5:49704 -> 185.215.113.67:40960 |
Source: Traffic |
Snort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.5:49704 -> 185.215.113.67:40960 |
Source: Traffic |
Snort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 185.215.113.67:40960 -> 192.168.2.5:49704 |
Source: Traffic |
Snort IDS: 2046056 ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) 185.215.113.67:40960 -> 192.168.2.5:49704 |
Source: Malware configuration extractor |
URLs: 185.215.113.67:40960 |
Source: global traffic |
TCP traffic: 192.168.2.5:49704 -> 185.215.113.67:40960 |
Source: global traffic |
HTTP traffic detected: GET /tanosx/clockbrix/downloads/prxtag.exe HTTP/1.1
Host: bitbucket.org
Connection: Keep-Alive |
Source: Joe Sandbox View |
IP Address: 104.192.141.1 |
Source: Joe Sandbox View |
IP Address: 185.215.113.67 |
Source: Joe Sandbox View |
ASN Name: WHOLESALECONNECTIONSNL |
Source: Joe Sandbox View |
JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.215.113.67 (this event is listed 50 times in the report) |
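The "TCP traffic detected without corresponding DNS query" signature fires because the C2 address is hardcoded in the sample's configuration, so no name resolution precedes the connection, whereas the bitbucket.org download in the same trace is preceded by a DNS query. The code below is an added example, not part of the Joe Sandbox report, that implements the same heuristic over Zeek-style conn.log and dns.log records (Zeek field names assumed). The records are constructed around the endpoints in the report; the DNS answer 104.192.141.1 for bitbucket.org is an assumption made for illustration and is not stated in the report.

```python
# Added example, not part of the Joe Sandbox report: flag public TCP destinations
# that no DNS answer seen from the same client explains. Records are CONSTRUCTED
# (Zeek-style field names assumed); the bitbucket.org answer is an assumption.
import ipaddress
from collections import Counter, defaultdict

DNS_LOG = [
    {"ts": 100.0, "id.orig_h": "192.168.2.5", "query": "bitbucket.org",
     "answers": ["104.192.141.1"]},  # assumed resolution, for illustration only
]

CONN_LOG = [
    # the resolver query itself (UDP): never a candidate
    {"ts": 100.0, "id.orig_h": "192.168.2.5", "id.resp_h": "192.168.2.1", "id.resp_p": 53, "proto": "udp"},
    # HTTPS to bitbucket.org, explained by the DNS answer above
    {"ts": 101.0, "id.orig_h": "192.168.2.5", "id.resp_h": "104.192.141.1", "id.resp_p": 443, "proto": "tcp"},
    # three C2 connections to a hardcoded address: no DNS, should be flagged
    {"ts": 102.0, "id.orig_h": "192.168.2.5", "id.resp_h": "185.215.113.67", "id.resp_p": 40960, "proto": "tcp"},
    {"ts": 130.0, "id.orig_h": "192.168.2.5", "id.resp_h": "185.215.113.67", "id.resp_p": 40960, "proto": "tcp"},
    {"ts": 160.0, "id.orig_h": "192.168.2.5", "id.resp_h": "185.215.113.67", "id.resp_p": 40960, "proto": "tcp"},
    # LAN peer: private destinations are exempt, no DNS is expected for them
    {"ts": 103.0, "id.orig_h": "192.168.2.5", "id.resp_h": "192.168.2.7", "id.resp_p": 445, "proto": "tcp"},
]


def unresolved_tcp_connections(conn_log, dns_log, window=3600.0):
    """Return conn records whose public TCP destination was not returned by a DNS answer
    seen from the same client at most `window` seconds before the connection."""
    resolved = defaultdict(list)  # (client, answer_ip) -> [answer timestamps]
    for d in dns_log:
        for ans in d.get("answers", []):
            try:
                ipaddress.ip_address(ans)  # skip CNAME/TXT answers, keep A/AAAA
            except ValueError:
                continue
            resolved[(d["id.orig_h"], ans)].append(d["ts"])

    flagged = []
    for c in conn_log:
        if c["proto"] != "tcp":
            continue
        dst = ipaddress.ip_address(c["id.resp_h"])
        if not dst.is_global:
            continue  # RFC1918, loopback, link-local: no name resolution expected
        times = resolved.get((c["id.orig_h"], c["id.resp_h"]), [])
        if any(0 <= c["ts"] - t <= window for t in times):
            continue  # explained by a recent answer
        flagged.append(c)
    return flagged


def summarize(flagged):
    """Collapse per-connection hits into one count per destination, as the report does."""
    return dict(Counter(f"{c['id.resp_h']}:{c['id.resp_p']}" for c in flagged))


if __name__ == "__main__":
    print(summarize(unresolved_tcp_connections(CONN_LOG, DNS_LOG)))
```

The window matters in production: a host that reuses a cached resolution for hours will look "unresolved" on a later connection, so the window should be at least the TTLs in play, and DNS-over-HTTPS or a proxy resolving on the client's behalf removes the signal entirely.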
Source: global traffic |
DNS traffic detected: DNS query: bitbucket.org |
Source: global traffic |
HTTP traffic detected: HTTP/1.1 404 Not Found
server: envoy
x-usage-quota-remaining: 997480.961
vary: Accept-Language, Origin, Accept-Encoding
x-usage-request-cost: 2563.47
Cache-Control: max-age=900
Content-Type: text/html; charset=utf-8
x-b3-traceid: 608c14562ee70ef5
x-usage-output-ops: 0
x-used-mesh: False
x-dc-location: Micros-3
content-security-policy: frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com bitbucket.org; base-uri 'self'; style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://d301sr5gafysq2.cloudfront.net/ https://d136azpfpnge1l.cloudfront.net/; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; object-src 'none'; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com sentry.io *.ingest.sentry.io events.launchdarkly.com app.launchdarkly.com fd-config.us-east-1.prod.public.atl-paas.net fd-config-bifrost.prod-east.frontend.public.atl-paas.net micros--prod-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--stg-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--ddev-west--bitbucketci-file-service--files.s3.ap-southeast-2.amazonaws.com bqlf8qjztdtr.statuspage.io https://d301sr5gafysq2.cloudfront.net/ https://d136azpfpnge1l.cloudfront.net/; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://d301sr5gafysq2.cloudfront.net/ https://d136azpfpnge1l.cloudfront.net/ 'nonce-nncdEFU6YhB4lFDn4Mogow=='; report-uri https://web-security-reports.services.atlassian.com/csp-report/bb-website
Strict-Tran |