Windows Analysis Report
Implosions.exe

Overview

General Information

Sample name: Implosions.exe
Analysis ID: 1505369
MD5: aeed85e8a5b1d2013ea6fa0348e954d7
SHA1: 899fc5632fce363d0dd1f05bb388f0f3f27240c2
SHA256: 5b1d458a558dbe702742407f213b8a38241555bbded345b0f7c46529b938b3a3
Tags: exeredlinestealer
Infos:

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected RedLine Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Uses known network protocols on non-standard ports
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
RedLine Stealer RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: Implosions.exe Avira: detected
Found malware configuration
Source: 0.2.Implosions.exe.34c6458.7.raw.unpack Malware Configuration Extractor: RedLine {"C2 url": ["109.234.38.212:6677"], "Bot Id": "russianhack"}
Multi AV Scanner detection for submitted file
Source: Implosions.exe ReversingLabs: Detection: 71%
Source: Implosions.exe Virustotal: Detection: 53% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: Implosions.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: Implosions.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb source: Implosions.exe, 00000000.00000002.2909439586.000000000074B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: Implosions.exe, 00000000.00000002.2911841113.0000000005BB5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: nHC:\Windows\System.ServiceModel.pdb source: Implosions.exe, 00000000.00000002.2909012790.0000000000197000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: o.pdbService source: Implosions.exe, 00000000.00000002.2909012790.0000000000197000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: _.pdb source: Implosions.exe, 00000000.00000002.2910650053.0000000002480000.00000004.08000000.00040000.00000000.sdmp, Implosions.exe, 00000000.00000002.2911153997.00000000034C5000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2910554766.0000000002240000.00000004.00000020.00020000.00000000.sdmp, Implosions.exe, 00000000.00000003.1668569005.000000000071B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdbys source: Implosions.exe, 00000000.00000002.2911841113.0000000005BB5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.pdb source: Implosions.exe, 00000000.00000002.2909439586.0000000000705000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: Implosions.exe, 00000000.00000002.2911841113.0000000005BB5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: Implosions.exe, 00000000.00000002.2909439586.000000000077D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.pdbUN source: Implosions.exe, 00000000.00000002.2911841113.0000000005BD2000.00000004.00000020.00020000.00000000.sdmp

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.4:49743 -> 109.234.38.212:6677
Source: Network traffic Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.4:49742 -> 109.234.38.212:6677
Source: Network traffic Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.4:49732 -> 109.234.38.212:6677
Source: Network traffic Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.4:49731 -> 109.234.38.212:6677
Source: Network traffic Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.4:49739 -> 109.234.38.212:6677
Source: Network traffic Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.4:49730 -> 109.234.38.212:6677
Source: Network traffic Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.4:49748 -> 109.234.38.212:6677
Source: Network traffic Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.4:49741 -> 109.234.38.212:6677
Source: Network traffic Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.4:49746 -> 109.234.38.212:6677
Source: Network traffic Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.4:49750 -> 109.234.38.212:6677
Source: Network traffic Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.4:49745 -> 109.234.38.212:6677
Source: Network traffic Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.4:49752 -> 109.234.38.212:6677
Source: Network traffic Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.4:49749 -> 109.234.38.212:6677
Source: Network traffic Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.4:49753 -> 109.234.38.212:6677
Source: Network traffic Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.4:49754 -> 109.234.38.212:6677
Source: Network traffic Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.4:49747 -> 109.234.38.212:6677
Source: Network traffic Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.4:49740 -> 109.234.38.212:6677
Source: Network traffic Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.4:49751 -> 109.234.38.212:6677
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 109.234.38.212:6677
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 6677
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 6677
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 6677
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 6677
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 6677
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 6677
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 6677
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 6677
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 6677
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 6677
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 6677
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 6677
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 6677
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 6677
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 6677
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 6677
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 6677
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 6677
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 109.234.38.212:6677
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 109.234.38.212:6677Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 109.234.38.212:6677Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 109.234.38.212:6677Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 109.234.38.212:6677Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 109.234.38.212:6677Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 109.234.38.212:6677Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 109.234.38.212:6677Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 109.234.38.212:6677Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 109.234.38.212:6677Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 109.234.38.212:6677Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 109.234.38.212:6677Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 109.234.38.212:6677Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 109.234.38.212:6677Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 109.234.38.212:6677Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 109.234.38.212:6677Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 109.234.38.212:6677Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 109.234.38.212:6677Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 109.234.38.212:6677Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: VDSINA-ASRU VDSINA-ASRU
Source: unknown TCP traffic detected without corresponding DNS query: 109.234.38.212
Source: unknown TCP traffic detected without corresponding DNS query: 109.234.38.212
Source: unknown TCP traffic detected without corresponding DNS query: 109.234.38.212
Source: unknown TCP traffic detected without corresponding DNS query: 109.234.38.212
Source: unknown TCP traffic detected without corresponding DNS query: 109.234.38.212
Source: unknown TCP traffic detected without corresponding DNS query: 109.234.38.212
Source: unknown TCP traffic detected without corresponding DNS query: 109.234.38.212
Source: unknown TCP traffic detected without corresponding DNS query: 109.234.38.212
Source: unknown TCP traffic detected without corresponding DNS query: 109.234.38.212
Source: unknown TCP traffic detected without corresponding DNS query: 109.234.38.212
Source: unknown TCP traffic detected without corresponding DNS query: 109.234.38.212
Source: unknown TCP traffic detected without corresponding DNS query: 109.234.38.212
Source: unknown TCP traffic detected without corresponding DNS query: 109.234.38.212
Source: unknown TCP traffic detected without corresponding DNS query: 109.234.38.212
Source: unknown TCP traffic detected without corresponding DNS query: 109.234.38.212
Source: unknown TCP traffic detected without corresponding DNS query: 109.234.38.212
Source: unknown TCP traffic detected without corresponding DNS query: 109.234.38.212
Source: unknown TCP traffic detected without corresponding DNS query: 109.234.38.212
Source: unknown TCP traffic detected without corresponding DNS query: 109.234.38.212
Source: unknown TCP traffic detected without corresponding DNS query: 109.234.38.212
Source: unknown TCP traffic detected without corresponding DNS query: 109.234.38.212
Source: unknown TCP traffic detected without corresponding DNS query: 109.234.38.212
Source: unknown TCP traffic detected without corresponding DNS query: 109.234.38.212
Source: unknown TCP traffic detected without corresponding DNS query: 109.234.38.212
Source: unknown TCP traffic detected without corresponding DNS query: 109.234.38.212
Source: unknown TCP traffic detected without corresponding DNS query: 109.234.38.212
Source: unknown TCP traffic detected without corresponding DNS query: 109.234.38.212
Source: unknown TCP traffic detected without corresponding DNS query: 109.234.38.212
Source: unknown TCP traffic detected without corresponding DNS query: 109.234.38.212
Source: unknown TCP traffic detected without corresponding DNS query: 109.234.38.212
Source: unknown TCP traffic detected without corresponding DNS query: 109.234.38.212
Source: unknown TCP traffic detected without corresponding DNS query: 109.234.38.212
Source: unknown TCP traffic detected without corresponding DNS query: 109.234.38.212
Source: unknown TCP traffic detected without corresponding DNS query: 109.234.38.212
Source: unknown TCP traffic detected without corresponding DNS query: 109.234.38.212
Source: unknown TCP traffic detected without corresponding DNS query: 109.234.38.212
Source: unknown TCP traffic detected without corresponding DNS query: 109.234.38.212
Source: unknown TCP traffic detected without corresponding DNS query: 109.234.38.212
Source: unknown TCP traffic detected without corresponding DNS query: 109.234.38.212
Source: unknown TCP traffic detected without corresponding DNS query: 109.234.38.212
Source: unknown TCP traffic detected without corresponding DNS query: 109.234.38.212
Source: unknown TCP traffic detected without corresponding DNS query: 109.234.38.212
Source: unknown TCP traffic detected without corresponding DNS query: 109.234.38.212
Source: unknown TCP traffic detected without corresponding DNS query: 109.234.38.212
Source: unknown TCP traffic detected without corresponding DNS query: 109.234.38.212
Source: unknown TCP traffic detected without corresponding DNS query: 109.234.38.212
Source: unknown TCP traffic detected without corresponding DNS query: 109.234.38.212
Source: unknown TCP traffic detected without corresponding DNS query: 109.234.38.212
Source: unknown TCP traffic detected without corresponding DNS query: 109.234.38.212
Source: unknown TCP traffic detected without corresponding DNS query: 109.234.38.212
Source: unknown HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 109.234.38.212:6677Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: Implosions.exe, 00000000.00000002.2910742497.000000000255A000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2910742497.000000000268C000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2910742497.0000000002577000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2910742497.00000000025A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://109.234.38.212:6677
Source: Implosions.exe, 00000000.00000002.2910742497.000000000268C000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2910742497.00000000024C1000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2910742497.0000000002577000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2910742497.00000000025A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://109.234.38.212:6677/
Source: Implosions.exe, 00000000.00000002.2910742497.00000000024C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: Implosions.exe, 00000000.00000002.2910742497.000000000256E000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2910742497.000000000268C000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2910742497.00000000024C1000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2910742497.0000000002577000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2910742497.00000000025A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: Implosions.exe, 00000000.00000002.2910742497.00000000024C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: Implosions.exe, 00000000.00000002.2910742497.00000000024C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX
Source: Implosions.exe, 00000000.00000002.2910742497.00000000024C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: Implosions.exe, 00000000.00000002.2910742497.000000000255A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Implosions.exe, 00000000.00000002.2910742497.000000000256E000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2910742497.000000000268C000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2910742497.00000000024C1000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2910742497.0000000002577000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2910742497.00000000025A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/
Source: Implosions.exe, 00000000.00000002.2910742497.000000000256E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/0
Source: Implosions.exe, 00000000.00000002.2910742497.00000000025A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/
Source: Implosions.exe, 00000000.00000002.2910742497.00000000025A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
Source: Implosions.exe, 00000000.00000002.2910742497.00000000025A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectLR
Source: Implosions.exe, 00000000.00000002.2910742497.000000000268C000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2910742497.00000000024C1000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2910742497.0000000002577000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2910742497.00000000025A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
Source: Implosions.exe, 00000000.00000002.2910742497.000000000255A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectT
Source: Implosions.exe, 00000000.00000002.2910742497.00000000025A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsLR
Source: Implosions.exe, 00000000.00000002.2910742497.000000000268C000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2910742497.00000000024C1000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2910742497.0000000002577000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2910742497.00000000025A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
Source: Implosions.exe, 00000000.00000002.2910742497.00000000025A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesLR
Source: Implosions.exe, 00000000.00000002.2910742497.000000000268C000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2910742497.00000000024C1000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2910742497.0000000002577000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2910742497.00000000025A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: Implosions.exe, 00000000.00000002.2910742497.00000000025A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentLR
Source: Implosions.exe, 00000000.00000002.2910742497.000000000268C000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2910742497.00000000024C1000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2910742497.0000000002577000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2910742497.00000000025A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
Source: Implosions.exe, 00000000.00000002.2910742497.00000000025A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateLR
Source: Implosions.exe, 00000000.00000002.2910742497.000000000268C000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2910742497.00000000024C1000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2910742497.0000000002577000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2910742497.00000000025A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: Implosions.exe, 00000000.00000002.2910650053.0000000002480000.00000004.08000000.00040000.00000000.sdmp, Implosions.exe, 00000000.00000002.2911359259.00000000050A0000.00000004.08000000.00040000.00000000.sdmp, Implosions.exe, 00000000.00000002.2911153997.00000000034C5000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2910554766.0000000002240000.00000004.00000020.00020000.00000000.sdmp, Implosions.exe, 00000000.00000003.1668569005.000000000071B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: Implosions.exe, 00000000.00000002.2910650053.0000000002480000.00000004.08000000.00040000.00000000.sdmp, Implosions.exe, 00000000.00000002.2911359259.00000000050A0000.00000004.08000000.00040000.00000000.sdmp, Implosions.exe, 00000000.00000002.2911153997.00000000034C5000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2910554766.0000000002240000.00000004.00000020.00020000.00000000.sdmp, Implosions.exe, 00000000.00000003.1668569005.000000000071B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: Implosions.exe, 00000000.00000002.2910650053.0000000002480000.00000004.08000000.00040000.00000000.sdmp, Implosions.exe, 00000000.00000002.2911359259.00000000050A0000.00000004.08000000.00040000.00000000.sdmp, Implosions.exe, 00000000.00000002.2911153997.00000000034C5000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2910554766.0000000002240000.00000004.00000020.00020000.00000000.sdmp, Implosions.exe, 00000000.00000003.1668569005.000000000071B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/ip%appdata%

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: Implosions.exe, type: SAMPLE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.0.Implosions.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.Implosions.exe.34e0190.6.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.Implosions.exe.34e0190.6.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.Implosions.exe.2280f6e.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.Implosions.exe.2280f6e.2.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.Implosions.exe.2280086.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.Implosions.exe.2280086.1.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.Implosions.exe.50a0000.8.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.Implosions.exe.50a0000.8.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.Implosions.exe.2480ee8.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.Implosions.exe.2480ee8.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.Implosions.exe.2480000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.Implosions.exe.2480000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.Implosions.exe.2480ee8.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.Implosions.exe.2480ee8.4.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.Implosions.exe.2280086.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.Implosions.exe.2280086.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.Implosions.exe.2480000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.Implosions.exe.2480000.3.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.Implosions.exe.34c6458.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.Implosions.exe.34c6458.7.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.3.Implosions.exe.71b718.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.3.Implosions.exe.71b718.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.Implosions.exe.34e0190.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.Implosions.exe.50a0000.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.Implosions.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.Implosions.exe.2280f6e.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.Implosions.exe.34c6458.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.Implosions.exe.2280f6e.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.Implosions.exe.34c6458.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.Implosions.exe.50a0000.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.Implosions.exe.34e0190.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.3.Implosions.exe.71b718.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.3.Implosions.exe.71b718.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.Implosions.exe.34c5570.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.Implosions.exe.34c5570.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.Implosions.exe.34c5570.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.Implosions.exe.34c5570.5.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.2911359259.00000000050A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000000.00000002.2911359259.00000000050A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.2910650053.0000000002480000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000000.00000002.2910650053.0000000002480000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.2911153997.00000000034C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000000.00000002.2910554766.0000000002240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000000.00000003.1668569005.000000000071B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: Implosions.exe PID: 7544, type: MEMORYSTR Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Detected potential crypto function
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_00408C60 0_2_00408C60
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_0040DC11 0_2_0040DC11
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_00407C3F 0_2_00407C3F
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_00418CCC 0_2_00418CCC
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_00406CA0 0_2_00406CA0
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_004028B0 0_2_004028B0
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_0041A4BE 0_2_0041A4BE
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_00408C60 0_2_00408C60
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_00418244 0_2_00418244
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_00401650 0_2_00401650
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_00402F20 0_2_00402F20
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_004193C4 0_2_004193C4
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_00418788 0_2_00418788
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_00402F89 0_2_00402F89
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_00402B90 0_2_00402B90
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_004073A0 0_2_004073A0
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_021BEB70 0_2_021BEB70
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_021BE4EF 0_2_021BE4EF
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_05CACD00 0_2_05CACD00
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_05CA2D38 0_2_05CA2D38
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_05CA1288 0_2_05CA1288
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_05CA3270 0_2_05CA3270
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_05CA7F88 0_2_05CA7F88
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_05CA0810 0_2_05CA0810
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_05CA35A1 0_2_05CA35A1
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_05CEA448 0_2_05CEA448
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_05CE5968 0_2_05CE5968
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_05CE8788 0_2_05CE8788
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_05CE8798 0_2_05CE8798
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_05D67D70 0_2_05D67D70
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_05D626D0 0_2_05D626D0
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_05D64ED0 0_2_05D64ED0
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_05DEC53F 0_2_05DEC53F
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_05DECCF0 0_2_05DECCF0
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_05DE0040 0_2_05DE0040
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_05DE0033 0_2_05DE0033
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\Implosions.exe Code function: String function: 0040E1D8 appears 43 times
Sample file is different than original file name gathered from version info
Source: Implosions.exe, 00000000.00000002.2910650053.0000000002480000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilename_.dll4 vs Implosions.exe
Source: Implosions.exe, 00000000.00000003.1668313464.000000000077E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs Implosions.exe
Source: Implosions.exe, 00000000.00000002.2911153997.00000000034C5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename_.dll4 vs Implosions.exe
Source: Implosions.exe, 00000000.00000002.2910554766.0000000002240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_.dll4 vs Implosions.exe
Source: Implosions.exe, 00000000.00000002.2911841113.0000000005BA0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs Implosions.exe
Source: Implosions.exe, 00000000.00000003.1668569005.000000000071B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_.dll4 vs Implosions.exe
Uses 32bit PE files
Source: Implosions.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Yara signature match
Source: Implosions.exe, type: SAMPLE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.0.Implosions.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.Implosions.exe.34e0190.6.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.Implosions.exe.34e0190.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.Implosions.exe.2280f6e.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.Implosions.exe.2280f6e.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.Implosions.exe.2280086.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.Implosions.exe.2280086.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.Implosions.exe.50a0000.8.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.Implosions.exe.50a0000.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.Implosions.exe.2480ee8.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.Implosions.exe.2480ee8.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.Implosions.exe.2480000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.Implosions.exe.2480000.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.Implosions.exe.2480ee8.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.Implosions.exe.2480ee8.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.Implosions.exe.2280086.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.Implosions.exe.2280086.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.Implosions.exe.2480000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.Implosions.exe.2480000.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.Implosions.exe.34c6458.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.Implosions.exe.34c6458.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.3.Implosions.exe.71b718.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.3.Implosions.exe.71b718.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.Implosions.exe.34e0190.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.Implosions.exe.50a0000.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.Implosions.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.Implosions.exe.2280f6e.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.Implosions.exe.34c6458.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.Implosions.exe.2280f6e.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.Implosions.exe.34c6458.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.Implosions.exe.50a0000.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.Implosions.exe.34e0190.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.3.Implosions.exe.71b718.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.3.Implosions.exe.71b718.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.Implosions.exe.34c5570.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.Implosions.exe.34c5570.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.Implosions.exe.34c5570.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.Implosions.exe.34c5570.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000002.2911359259.00000000050A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000000.00000002.2911359259.00000000050A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000002.2910650053.0000000002480000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000000.00000002.2910650053.0000000002480000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000002.2911153997.00000000034C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000000.00000002.2910554766.0000000002240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000000.00000003.1668569005.000000000071B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: Implosions.exe PID: 7544, type: MEMORYSTR Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.troj.winEXE@2/0@0/1
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 0_2_004019F0
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 0_2_004019F0
Source: C:\Users\user\Desktop\Implosions.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7552:120:WilError_03
Source: C:\Users\user\Desktop\Implosions.exe Command line argument: 08A 0_2_00413780
Source: Implosions.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Implosions.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Implosions.exe ReversingLabs: Detection: 71%
Source: Implosions.exe Virustotal: Detection: 53%
Source: unknown Process created: C:\Users\user\Desktop\Implosions.exe "C:\Users\user\Desktop\Implosions.exe"
Source: C:\Users\user\Desktop\Implosions.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Implosions.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Implosions.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb source: Implosions.exe, 00000000.00000002.2909439586.000000000074B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: Implosions.exe, 00000000.00000002.2911841113.0000000005BB5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: nHC:\Windows\System.ServiceModel.pdb source: Implosions.exe, 00000000.00000002.2909012790.0000000000197000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: o.pdbService source: Implosions.exe, 00000000.00000002.2909012790.0000000000197000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: _.pdb source: Implosions.exe, 00000000.00000002.2910650053.0000000002480000.00000004.08000000.00040000.00000000.sdmp, Implosions.exe, 00000000.00000002.2911153997.00000000034C5000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2910554766.0000000002240000.00000004.00000020.00020000.00000000.sdmp, Implosions.exe, 00000000.00000003.1668569005.000000000071B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdbys source: Implosions.exe, 00000000.00000002.2911841113.0000000005BB5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.pdb source: Implosions.exe, 00000000.00000002.2909439586.0000000000705000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: Implosions.exe, 00000000.00000002.2911841113.0000000005BB5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: Implosions.exe, 00000000.00000002.2909439586.000000000077D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.pdbUN source: Implosions.exe, 00000000.00000002.2911841113.0000000005BD2000.00000004.00000020.00020000.00000000.sdmp
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 0_2_004019F0
PE file contains an invalid checksum
Source: Implosions.exe Static PE information: real checksum: 0x23bfb should be: 0x2dee8
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_0040E21D push ecx; ret 0_2_0040E230
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_0040BB97 push dword ptr [ecx-75h]; iretd 0_2_0040BBA3
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_021BC3F7 pushfd ; retf 0_2_021BC44E
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_021BC3F7 pushad ; retf 0_2_021BC46A
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_021BC408 pushad ; retf 0_2_021BC412
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_021BC420 push esp; retf 0_2_021BC45A
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_021BC450 pushad ; retf 0_2_021BC412
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_021BC450 push esp; retf 0_2_021BC45A
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_021BC444 push esp; retf 0_2_021BC406
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_021BC444 pushfd ; retf 0_2_021BC44E
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_021BC47C pushfd ; retf 0_2_021BC4BA
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_021BC49C pushad ; retf 0_2_021BC46A
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_021BC4AC pushfd ; retf 0_2_021BC4BA
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_021BC4F0 pushfd ; retf 0_2_021BC4BA
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_05CE73E0 push esp; iretd 0_2_05CE759A
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_05CE73D3 push ebx; iretd 0_2_05CE73DA
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_05CE73D1 push esp; iretd 0_2_05CE73D2
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_05CE83F1 pushad ; iretd 0_2_05CE83F2
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_05CE6DA3 push eax; iretd 0_2_05CE6DAA
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_05CE6DA1 push eax; iretd 0_2_05CE6DA2
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_05CE4CC0 pushfd ; iretd 0_2_05CE4CC1
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_05CE6EF3 push ecx; iretd 0_2_05CE6EFA
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_05CE6EF1 push edx; iretd 0_2_05CE6EF2
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_05CE6E36 push eax; iretd 0_2_05CE6E3A
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_05CE7903 push ebp; iretd 0_2_05CE790A
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_05CE7900 push ebp; iretd 0_2_05CE7902
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_05D68DA2 push eax; ret 0_2_05D68DB9
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_05DEB8E9 push 3005D34Ch; iretd 0_2_05DEB8F5

Hooking and other Techniques for Hiding and Protection
barindex
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 6677
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 6677
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 6677
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 6677
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 6677
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 6677
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 6677
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 6677
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 6677
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 6677
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 6677
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 6677
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 6677
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 6677
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 6677
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 6677
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 6677
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 6677
Source: C:\Users\user\Desktop\Implosions.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\Implosions.exe Memory allocated: 2170000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Memory allocated: 24C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Memory allocated: 44C0000 memory reserve | memory write watch Jump to behavior
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 0_2_004019F0
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\Implosions.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Implosions.exe TID: 7548 Thread sleep time: -75000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: Implosions.exe, 00000000.00000002.2911841113.0000000005BB5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll*
Source: C:\Users\user\Desktop\Implosions.exe API call chain: ExitProcess graph end node
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0040CE09
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 0_2_004019F0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 0_2_004019F0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_0040ADB0 GetProcessHeap,HeapFree, 0_2_0040ADB0
Enables debug privileges
Source: C:\Users\user\Desktop\Implosions.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0040CE09
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0040E61C
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00416F6A
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_004123F1 SetUnhandledExceptionFilter, 0_2_004123F1
Source: C:\Users\user\Desktop\Implosions.exe Memory allocated: page read and write | page guard Jump to behavior
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\Implosions.exe Code function: GetLocaleInfoA, 0_2_00417A20
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Implosions.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Implosions.exe Code function: 0_2_00412A15 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00412A15
Source: C:\Users\user\Desktop\Implosions.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected RedLine Stealer
Source: Yara match File source: 0.2.Implosions.exe.34e0190.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Implosions.exe.2280f6e.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Implosions.exe.2280086.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Implosions.exe.50a0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Implosions.exe.2480ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Implosions.exe.2480000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Implosions.exe.2480ee8.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Implosions.exe.2280086.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Implosions.exe.2480000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Implosions.exe.34c6458.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Implosions.exe.50a0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.Implosions.exe.71b718.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Implosions.exe.34e0190.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Implosions.exe.34c6458.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.Implosions.exe.71b718.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Implosions.exe.2280f6e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Implosions.exe.34c5570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Implosions.exe.34c5570.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2911359259.00000000050A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2910650053.0000000002480000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2911153997.00000000034C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2910554766.0000000002240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1668569005.000000000071B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Implosions.exe PID: 7544, type: MEMORYSTR
Yara detected Credential Stealer
Source: Yara match File source: 0.2.Implosions.exe.34e0190.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Implosions.exe.2280f6e.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Implosions.exe.2280086.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Implosions.exe.50a0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Implosions.exe.2480ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Implosions.exe.2480000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Implosions.exe.2480ee8.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Implosions.exe.2280086.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Implosions.exe.2480000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Implosions.exe.34c6458.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Implosions.exe.50a0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.Implosions.exe.71b718.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Implosions.exe.34e0190.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Implosions.exe.34c6458.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.Implosions.exe.71b718.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Implosions.exe.2280f6e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Implosions.exe.34c5570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Implosions.exe.34c5570.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2911359259.00000000050A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2910650053.0000000002480000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2911153997.00000000034C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2910554766.0000000002240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1668569005.000000000071B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Implosions.exe PID: 7544, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected RedLine Stealer
Source: Yara match File source: 0.2.Implosions.exe.34e0190.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Implosions.exe.2280f6e.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Implosions.exe.2280086.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Implosions.exe.50a0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Implosions.exe.2480ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Implosions.exe.2480000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Implosions.exe.2480ee8.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Implosions.exe.2280086.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Implosions.exe.2480000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Implosions.exe.34c6458.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Implosions.exe.50a0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.Implosions.exe.71b718.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Implosions.exe.34e0190.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Implosions.exe.34c6458.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.Implosions.exe.71b718.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Implosions.exe.2280f6e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Implosions.exe.34c5570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Implosions.exe.34c5570.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2911359259.00000000050A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2910650053.0000000002480000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2911153997.00000000034C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2910554766.0000000002240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1668569005.000000000071B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Implosions.exe PID: 7544, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1505369 Sample: Implosions.exe Startdate: 06/09/2024 Architecture: WINDOWS Score: 100 13 Suricata IDS alerts for network traffic 2->13 15 Found malware configuration 2->15 17 Malicious sample detected (through community Yara rule) 2->17 19 7 other signatures 2->19 6 Implosions.exe 15 3 2->6         started        process3 dnsIp4 11 109.234.38.212, 49730, 49731, 49732 VDSINA-ASRU Russian Federation 6->11 9 conhost.exe 6->9         started        process5
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
109.234.38.212
 unknown Russian Federation
48282 VDSINA-ASRU true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://109.234.38.212:6677/ true
  • 4%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown
109.234.38.212:6677 true
  • 4%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown