Windows
Analysis Report
file.exe
Overview
General Information
Detection
PureLog Stealer, RedLine, Xmrig
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Antivirus detection for dropped file
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Adds extensions / path to Windows Defender exclusion list
C2 URLs / IPs found in malware configuration
Disables Windows Defender (via service or powershell)
Drops PE files to the startup folder
Encrypted powershell cmdline option found
Excessive usage of taskkill to terminate processes
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies Windows Defender protection settings
Potentially malicious time measurement code found
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates or modifies windows services
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
File is packed with WinRar
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found evasive API chain checking for process token information
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Execution of Powershell with Base64
Stores files to the Windows start menu directory
Too many similar processes found
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Uses net.exe to stop services
Uses taskkill to terminate processes
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
file.exe (PID: 6472 cmdline: "C:\Users\user\Desktop\file.exe" MD5: FDB35993F43FB0C0B3FADB2AEF70B0BE)
123.exe (PID: 2072 cmdline: "C:\users\123.exe" MD5: 4A24AAD5274BE7E1FD5E3EF95EA20F8F)
cmd.exe (PID: 5384 cmdline: C:\Windows\system32\cmd.exe /c ""C:\programdata\MicrosoftSystem\run.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
conhost.exe (PID: 5480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
Wmiic.exe (PID: 4708 cmdline: "C:\programdata\MicrosoftSystem\wmiic.exe" install MicrosoftESS svchosl.exe MD5: A18BFE142F059FDB5C041A310339D4FD)
conhost.exe (PID: 5628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
timeout.exe (PID: 4476 cmdline: TIMEOUT /T 1 /NOBREAK MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
Wmiic.exe (PID: 4440 cmdline: "C:\programdata\MicrosoftSystem\wmiic" start MicrosoftESS MD5: A18BFE142F059FDB5C041A310339D4FD)
conhost.exe (PID: 6980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
timeout.exe (PID: 2508 cmdline: TIMEOUT /T 2 /NOBREAK MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
mig.exe (PID: 6220 cmdline: "C:\users\mig.exe" MD5: A2059CA7715450DC171F7608325744DA)
powershell.exe (PID: 5712 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $True MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
conhost.exe (PID: 4984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
powershell.exe (PID: 5260 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath c:\ MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
conhost.exe (PID: 2696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
powershell.exe (PID: 4720 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand bgBlAHQAIABzAHQAbwBwACAAdwBtAHMAZQByAHYAaQBjAGUACgB0AGEAcwBrAGsAaQBsAGwAIAAvAGYAIAAvAGkAbQAgAG0AaQBnAHIAYQB0AGUALgBlAHgAZQAKAHQAYQBzAGsAawBpAGwAbAAgAC8AZgAgAC8AaQBtACAASQBuAHQAZQBsAEMAbwBuAGYAaQBnAFMAZQByAHYAaQBjAGUALgBlAHgAZQAKAHQAYQBzAGsAawBpAGwAbAAgAC8AZgAgAC8AaQBtACAATQBTAFQAYQBzAGsALgBlAHgAZQAKAHQAYQBzAGsAawBpAGwAbAAgAC8AZgAgAC8AaQBtACAAUwB1AHAAZQByAGYAZQB0AGMAaAAuAGUAeABlAAoAdABhAHMAawBrAGkAbABsACAALwBmACAALwBpAG0AIABXAG0AaQBpAGMALgBlAHgAZQAKAHQAYQBzAGsAawBpAGwAbAAgAC8AZgAgAC8AaQBtACAAVwByAGEAcAAuAGUAeABlAAoAYwBtAGQAIAAvAGMAIAB0AGEAawBlAG8AdwBuACAALwBGACAAIgBjADoAXAB3AGkAbgBkAG8AdwBzAFwAdABhAHMAawBzACIACgBzAGMAaAB0AGEAcwBrAHMAIAAvAGQAZQBsAGUAdABlACAALwB0AG4AIAAiAFcAaQBuAGQAbwB3AHMAVQBwAGQAYQB0AGUAIgAgAC8ARgAKAGMAbQBkACAALwBjACAAdABhAGsAZQBvAHcAbgAgAC8ARgAgACIAQwA6AFwAUAByAG8AdwByAGEAbQBEAGEAdABhAFwAbQBpAGcAcgBhAHQAZQAuAGUAeABlACIACgBjAG0AZAAgAC8AYwAgAGQAZQBsACAALwBGACAALwBRACAAIgBDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABtAGkAZwByAGEAdABlAC4AZQB4AGUAIgAKAAoA MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
conhost.exe (PID: 5348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
net.exe (PID: 6856 cmdline: "C:\Windows\system32\net.exe" stop wmservice MD5: 31890A7DE89936F922D44D677F681A7F)
net1.exe (PID: 7072 cmdline: C:\Windows\system32\net1 stop wmservice MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
taskkill.exe (PID: 2804 cmdline: "C:\Windows\system32\taskkill.exe" /f /im migrate.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
taskkill.exe (PID: 4852 cmdline: "C:\Windows\system32\taskkill.exe" /f /im IntelConfigService.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
taskkill.exe (PID: 6308 cmdline: "C:\Windows\system32\taskkill.exe" /f /im MSTask.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
taskkill.exe (PID: 1472 cmdline: "C:\Windows\system32\taskkill.exe" /f /im Superfetch.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
taskkill.exe (PID: 5020 cmdline: "C:\Windows\system32\taskkill.exe" /f /im Wmiic.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
taskkill.exe (PID: 6172 cmdline: "C:\Windows\system32\taskkill.exe" /f /im Wrap.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
cmd.exe (PID: 5372 cmdline: "C:\Windows\system32\cmd.exe" /c takeown /F c:\windows\tasks MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
takeown.exe (PID: 5384 cmdline: takeown /F c:\windows\tasks MD5: A9AB2877AE82A53F5A387B045BF326A4)
schtasks.exe (PID: 6056 cmdline: "C:\Windows\system32\schtasks.exe" /delete /tn WindowsUpdate /F MD5: 48C2FE20575769DE916F48EF0676A965)
cmd.exe (PID: 5588 cmdline: "C:\Windows\system32\cmd.exe" /c takeown /F C:\ProgramData\migrate.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
takeown.exe (PID: 5672 cmdline: takeown /F C:\ProgramData\migrate.exe MD5: A9AB2877AE82A53F5A387B045BF326A4)
cmd.exe (PID: 5612 cmdline: "C:\Windows\system32\cmd.exe" /c del /F /Q C:\ProgramData\migrate.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
cmd.exe (PID: 1536 cmdline: C:\Windows\system32\cmd.exe /c ""C:\programdata\ru.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
conhost.exe (PID: 4400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
cmd.exe (PID: 3180 cmdline: C:\Windows\system32\cmd.exe /K "c:\programdata\st.bat" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
conhost.exe (PID: 1896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
chcp.com (PID: 2928 cmdline: chcp 65001 MD5: 20A59FB950D8A191F7D35C4CA7DA9CAF)
tasklist.exe (PID: 6304 cmdline: tasklist /FI "IMAGENAME eq Superfetch.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)
find.exe (PID: 1480 cmdline: find /I /N "Superfetch.exe" MD5: 15B158BC998EEF74CFDD27C44978AEA0)
takeown.exe (PID: 6492 cmdline: takeown /f c:\windows\tasks MD5: A9AB2877AE82A53F5A387B045BF326A4)
timeout.exe (PID: 1708 cmdline: TIMEOUT /T 3 /NOBREAK MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
powershell.exe (PID: 6132 cmdline: powershell Set-MpPreference -DisableRealtimeMonitoring $True MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
powershell.exe (PID: 892 cmdline: powershell Set-MpPreference -ExclusionPath c:\ MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
icacls.exe (PID: 5428 cmdline: icacls "C:\Windows\Tasks" /inheritance:e /grant "*S-1-1-0:(R,REA,RA,RD)" "*S-1-5-7:(R,REA,RA,RD)" MD5: 2E49585E4E08565F52090B144062F97E)
icacls.exe (PID: 5760 cmdline: icacls "C:\Windows\Tasks" /inheritance:e /grant "SYSTEM:(R,REA,RA,RD)" MD5: 2E49585E4E08565F52090B144062F97E)
icacls.exe (PID: 2812 cmdline: icacls "C:\Windows\Tasks" /inheritance:e /grant "Administrators:(R,REA,RA,RD)" MD5: 2E49585E4E08565F52090B144062F97E)
icacls.exe (PID: 7044 cmdline: icacls "C:\Windows\Tasks" /inheritance:e /grant "Users:(R,REA,RA,RD)" MD5: 2E49585E4E08565F52090B144062F97E)
icacls.exe (PID: 3836 cmdline: icacls "C:\Windows\Tasks" /inheritance:e /grant "user:(R,REA,RA,RD)" MD5: 2E49585E4E08565F52090B144062F97E)
icacls.exe (PID: 6324 cmdline: icacls "C:\Windows\Tasks" /inheritance:e /grant "user:(R,REA,RA,RD)" MD5: 2E49585E4E08565F52090B144062F97E)
icacls.exe (PID: 6120 cmdline: icacls "C:\Windows\Tasks" /inheritance:e /grant "EVERYONE:(R,REA,RA,RD)" MD5: 2E49585E4E08565F52090B144062F97E)
Wmiic.exe (PID: 3836 cmdline: C:\programdata\MicrosoftSystem\Wmiic.exe MD5: A18BFE142F059FDB5C041A310339D4FD)
conhost.exe (PID: 6696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
svchosl.exe (PID: 6512 cmdline: "svchosl.exe" MD5: 9F478308A636906DB8C36E77CE68B4C2)
conhost.exe (PID: 6188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
svchosl.exe (PID: 3144 cmdline: "svchosl.exe" MD5: 9F478308A636906DB8C36E77CE68B4C2)
cmd.exe (PID: 5560 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
taskkill.exe (PID: 1576 cmdline: taskkill /f /im rdp_modul_v1.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
cmd.exe (PID: 1984 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
taskkill.exe (PID: 6056 cmdline: taskkill /f /im rdp_modul_v2.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
cmd.exe (PID: 5612 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
taskkill.exe (PID: 4824 cmdline: taskkill /f /im rdp_modul_v3.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
cmd.exe (PID: 6096 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
taskkill.exe (PID: 2700 cmdline: taskkill /f /im wrm_modul_v1.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
cmd.exe (PID: 5532 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
taskkill.exe (PID: 4476 cmdline: taskkill /f /im wrm_modul_v2.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
cmd.exe (PID: 1308 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
taskkill.exe (PID: 4208 cmdline: taskkill /f /im wrm_modul_v3.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
cmd.exe (PID: 5908 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
taskkill.exe (PID: 6980 cmdline: taskkill /f /im ape_modul_v1.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
cmd.exe (PID: 4440 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
taskkill.exe (PID: 572 cmdline: taskkill /f /im full_rdp_modul_v1.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
cmd.exe (PID: 3920 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
taskkill.exe (PID: 6448 cmdline: taskkill /f /im rdp.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
cmd.exe (PID: 6456 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
taskkill.exe (PID: 5388 cmdline: taskkill /f /im wrm_modul_v4.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
cmd.exe (PID: 5672 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
taskkill.exe (PID: 4320 cmdline: taskkill /f /im nl.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
cmd.exe (PID: 3116 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
taskkill.exe (PID: 6444 cmdline: taskkill /f /im WerFault.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
cmd.exe (PID: 6696 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
taskkill.exe (PID: 3648 cmdline: taskkill /f /im rdp_modul_v1.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
cmd.exe (PID: 4852 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
taskkill.exe (PID: 1200 cmdline: taskkill /f /im rdp_modul_v2.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
cmd.exe (PID: 2924 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
taskkill.exe (PID: 2848 cmdline: taskkill /f /im rdp_modul_v3.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
cmd.exe (PID: 1576 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
taskkill.exe (PID: 3652 cmdline: taskkill /f /im wrm_modul_v1.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
cmd.exe (PID: 5540 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
taskkill.exe (PID: 5384 cmdline: taskkill /f /im wrm_modul_v2.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
cmd.exe (PID: 6976 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
taskkill.exe (PID: 5560 cmdline: taskkill /f /im wrm_modul_v3.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
cmd.exe (PID: 5628 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
taskkill.exe (PID: 5284 cmdline: taskkill /f /im ape_modul_v1.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
cmd.exe (PID: 6772 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
taskkill.exe (PID: 5416 cmdline: taskkill /f /im full_rdp_modul_v1.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
cmd.exe (PID: 5452 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
taskkill.exe (PID: 3528 cmdline: taskkill /f /im rdp.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
cmd.exe (PID: 3148 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
taskkill.exe (PID: 1656 cmdline: taskkill /f /im wrm_modul_v4.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
cmd.exe (PID: 3192 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
taskkill.exe (PID: 3772 cmdline: taskkill /f /im nl.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
cmd.exe (PID: 6516 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
taskkill.exe (PID: 3868 cmdline: taskkill /f /im WerFault.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
cmd.exe (PID: 5908 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
taskkill.exe (PID: 6980 cmdline: taskkill /f /im rdp_modul_v1.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
cmd.exe (PID: 4440 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
taskkill.exe (PID: 3304 cmdline: taskkill /f /im rdp_modul_v2.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
cmd.exe (PID: 6324 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
taskkill.exe (PID: 5004 cmdline: taskkill /f /im rdp_modul_v3.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
cmd.exe (PID: 4536 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
taskkill.exe (PID: 4456 cmdline: taskkill /f /im wrm_modul_v1.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
cmd.exe (PID: 4676 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
taskkill.exe (PID: 6456 cmdline: taskkill /f /im wrm_modul_v2.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
cmd.exe (PID: 5612 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
taskkill.exe (PID: 5672 cmdline: taskkill /f /im wrm_modul_v3.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
cmd.exe (PID: 1984 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
taskkill.exe (PID: 5952 cmdline: taskkill /f /im ape_modul_v1.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
cmd.exe (PID: 5528 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
taskkill.exe (PID: 5568 cmdline: taskkill /f /im full_rdp_modul_v1.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
cmd.exe (PID: 3032 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
taskkill.exe (PID: 3040 cmdline: taskkill /f /im rdp.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
cmd.exe (PID: 1656 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
taskkill.exe (PID: 3148 cmdline: taskkill /f /im wrm_modul_v4.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
cmd.exe (PID: 3772 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
taskkill.exe (PID: 3192 cmdline: taskkill /f /im nl.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
cmd.exe (PID: 3868 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
taskkill.exe (PID: 6516 cmdline: taskkill /f /im WerFault.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
cmd.exe (PID: 1984 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
taskkill.exe (PID: 5420 cmdline: taskkill /f /im rdp_modul_v1.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
cmd.exe (PID: 5528 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
taskkill.exe (PID: 1080 cmdline: taskkill /f /im rdp_modul_v2.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
cmd.exe (PID: 5856 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
taskkill.exe (PID: 748 cmdline: taskkill /f /im rdp_modul_v3.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
cmd.exe (PID: 2568 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
taskkill.exe (PID: 828 cmdline: taskkill /f /im wrm_modul_v1.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
cmd.exe (PID: 3192 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
taskkill.exe (PID: 3772 cmdline: taskkill /f /im wrm_modul_v2.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
cmd.exe (PID: 652 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
taskkill.exe (PID: 7040 cmdline: taskkill /f /im wrm_modul_v3.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
cmd.exe (PID: 5308 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
taskkill.exe (PID: 3376 cmdline: taskkill /f /im ape_modul_v1.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
cmd.exe (PID: 348 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
taskkill.exe (PID: 6480 cmdline: taskkill /f /im full_rdp_modul_v1.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
cmd.exe (PID: 2884 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
taskkill.exe (PID: 4760 cmdline: taskkill /f /im rdp.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
cmd.exe (PID: 6844 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
taskkill.exe (PID: 3572 cmdline: taskkill /f /im wrm_modul_v4.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
cmd.exe (PID: 712 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
taskkill.exe (PID: 2676 cmdline: taskkill /f /im nl.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
cmd.exe (PID: 1272 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
taskkill.exe (PID: 1340 cmdline: taskkill /f /im WerFault.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
Conhost.exe (PID: 5540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
svchost.exe (PID: 7080 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- cleanup
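Triage of command lines like the ones in the tree above, as an added example that is not part of this report and not code from Joe Sandbox or from any of the detected families. It decodes the UTF-16LE Base64 that powershell.exe accepts behind -EncodedCommand (also in abbreviated spellings such as -e, -ec and -enc) and then runs a few pattern checks over the plain or decoded text for the steps the tree shows: Set-MpPreference turning off real-time monitoring or adding an exclusion, net stop, schtasks /delete, taskkill /f /im, and icacls on C:\Windows\Tasks. The process records, the script that gets encoded, the encode_command helper, the (pid, image, cmdline) record layout and the tag names are this example's own constructions, modelled on the report's command lines rather than copied from telemetry.

```python
"""Added example: triage process-creation records for the defence-evasion steps
the report above shows. Not part of the sandbox report; records are constructed."""
import base64
import re
from collections import Counter


def _is_encoded_flag(token: str) -> bool:
    """powershell.exe takes -EncodedCommand or an abbreviation (-e, -ec, -enc, ...)."""
    if not token.startswith("-"):
        return False
    name = token[1:].lower()
    return bool(name) and (name == "ec" or "encodedcommand".startswith(name))


def decode_encoded_command(cmdline: str):
    """Return the script hidden behind -EncodedCommand, or None if absent or invalid."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if _is_encoded_flag(tok):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None  # malformed payload: report as undecodable, keep sweeping
    return None


# (tag, regex); the named group "detail" is what gets reported for a hit.
RULES = [
    ("defender_realtime_disabled",
     re.compile(r"(?i)set-mppreference\b.*?(?P<detail>-disablerealtimemonitoring\s+(?:\$true|1)\b)")),
    ("defender_exclusion_added",
     re.compile(r"(?i)(?:set|add)-mppreference\b.*?(?P<detail>-exclusion(?:path|extension|process)\s+\S+)")),
    ("service_stopped",
     re.compile(r'(?i)\bnet1?(?:\.exe)?"?\s+stop\s+(?P<detail>\S+)')),
    ("scheduled_task_deleted",
     re.compile(r'(?i)\bschtasks(?:\.exe)?"?\s+/delete\s+/tn\s+(?P<detail>"[^"]+"|\S+)')),
    ("process_killed",
     re.compile(r'(?i)\btaskkill(?:\.exe)?"?\s+/f\s+/im\s+(?P<detail>\S+)')),
    ("tasks_dir_acl_changed",
     re.compile(r'(?i)\bicacls(?:\.exe)?"?\s+"?[a-z]:\\windows\\tasks"?.*?/grant\s+(?P<detail>"[^"]+")')),
]


def triage(records):
    """records: iterable of (pid, image, cmdline). Returns (findings, kill_targets):
    findings is a list of (pid, tag, detail); kill_targets counts taskkill /im images."""
    findings = []
    kill_targets = Counter()
    for pid, image, cmdline in records:
        text = cmdline
        if image.lower().startswith("powershell") and any(_is_encoded_flag(t) for t in cmdline.split()):
            script = decode_encoded_command(cmdline)
            if script is None:
                findings.append((pid, "encoded_powershell_undecodable", cmdline[:60]))
            else:
                first_line = (script.strip().splitlines() or [""])[0]
                findings.append((pid, "encoded_powershell", first_line))
                text = cmdline + "\n" + script  # scan the decoded script as well
        for tag, rx in RULES:
            for m in rx.finditer(text):
                detail = m.group("detail")
                findings.append((pid, tag, detail))
                if tag == "process_killed":
                    kill_targets[detail.lower()] += 1
    return findings, kill_targets


def encode_command(script: str) -> str:
    """Encode text the way -EncodedCommand expects (UTF-16LE, then Base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


PS = "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\""
# Constructed script, mirroring the child processes spawned under PID 4720 above.
SAMPLE_SCRIPT = "net stop wmservice\ntaskkill /f /im migrate.exe\nschtasks /delete /tn \"WindowsUpdate\" /F\n"

# Constructed records modelled on the tree above: (pid, image, cmdline).
SAMPLE_RECORDS = [
    (5712, "powershell.exe", PS + " Set-MpPreference -DisableRealtimeMonitoring $True"),
    (5260, "powershell.exe", PS + " Set-MpPreference -ExclusionPath c:\\"),
    (4720, "powershell.exe", PS + " -EncodedCommand " + encode_command(SAMPLE_SCRIPT)),
    (2804, "taskkill.exe", "\"C:\\Windows\\system32\\taskkill.exe\" /f /im migrate.exe"),
    (5428, "icacls.exe", "icacls \"C:\\Windows\\Tasks\" /inheritance:e /grant \"*S-1-1-0:(R,REA,RA,RD)\" \"*S-1-5-7:(R,REA,RA,RD)\""),
    (5560, "cmd.exe", "C:\\Windows\\system32\\cmd.exe /c taskkill /f /im rdp_modul_v1.exe"),
    (1576, "taskkill.exe", "taskkill /f /im rdp_modul_v1.exe"),
]

if __name__ == "__main__":
    found, kills = triage(SAMPLE_RECORDS)
    for pid, tag, detail in found:
        print(f"{pid:>5}  {tag:<32} {detail}")
    print("kill targets:", dict(kills))
```

Feed it real process-creation telemetry (Sysmon event 1, EDR process events) as (pid, image, cmdline) tuples. The decoder returns None instead of raising on a malformed or non-UTF-16 payload so that one bad record does not abort the sweep, and the flag match is on prefix rather than on the literal -EncodedCommand this sample used, because an operator can shorten the parameter name. Note that the cmd /c wrapper and its taskkill child each count once in kill_targets, which is why the sweeps in the tree above appear as pairs.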
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
RedLine Stealer | RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. | No Attribution | | |
xmrig | According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information. | No Attribution | | |
{"C2 url": "147.45.78.229:43674", "Authorization Header": "6a4b05ef943a0dd801fd01dfbb9eb717"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
 | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security | |
 | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |

Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
 | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |

Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | Windows_Trojan_Smokeloader_3687686f | unknown | unknown | |
 | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | |
 | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |
 | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
 | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |

Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | |
 | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | |
 | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | |
 | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |
 | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
System Summary
Source | Author |
---|---|
 | Florian Roth (Nextron Systems), Tim Shelton |
 | Florian Roth (Nextron Systems) |
 | Florian Roth (Nextron Systems) |
 | Florian Roth (Nextron Systems) |
 | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) |
 | frack113 |