Edit tour
Windows
Analysis Report
SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe
Overview
General Information
Detection
MicroClip, RedLine
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus detection for dropped file
Benign windows process drops PE files
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected MicroClip
Yara detected RedLine Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Changes the view of files in windows explorer (hidden files and folders)
Contain functionality to detect virtual machines
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Found API chain indicative of debugger detection
Found hidden mapped module (file has been removed from disk)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Modifies the prolog of user mode functions (user mode inline hooks)
Overwrites Mozilla Firefox settings
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain (may stop execution after checking a module file name)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file does not import any functions
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Sigma detected: Uncommon Svchost Parent Process
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
- SecuriteInfo.com.Trojan.Siggen29.53958.6245.21630.exe (PID: 6172 cmdline:
"C:\Users\ user\Deskt op\Securit eInfo.com. Trojan.Sig gen29.5395 8.6245.216 30.exe" MD5: D0CCE7870080BD889DBA1F4CFD2B3B26) - svchost.exe (PID: 412 cmdline:
C:\Windows \system32\ svchost.ex e -k DcomL aunch -p - s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - explorer.exe (PID: 1028 cmdline:
C:\Windows \Explorer. EXE MD5: 662F4F92FDE3557E86D110526BB578D5) - {B268D441C1ED2974164258}.exe (PID: 4696 cmdline:
"C:\Users\ user\AppDa ta\Roaming \{B268D441 C1ED297416 4258}\{B26 8D441C1ED2 974164258} .exe" MD5: D0CCE7870080BD889DBA1F4CFD2B3B26) - svchost.exe (PID: 6760 cmdline:
C:\Windows \system32\ svchost.ex e -k DcomL aunch -p - s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - 5BB2.tmp.x.exe (PID: 5400 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\5BB2.t mp.x.exe" MD5: 97EB7BAA28471EC31E5373FCD7B8C880) - {B268D441C1ED2974164258}.exe (PID: 1628 cmdline:
"C:\Users\ user\AppDa ta\Roaming \{B268D441 C1ED297416 4258}\{B26 8D441C1ED2 974164258} .exe" MD5: D0CCE7870080BD889DBA1F4CFD2B3B26) - svchost.exe (PID: 3876 cmdline:
C:\Windows \system32\ svchost.ex e -k DcomL aunch -p - s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - 7DF0.tmp.zx.exe (PID: 1400 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\7DF0.t mp.zx.exe" MD5: 0D41D77BB6AD83D6FC53FCB753AABBAC) - 7DF0.tmp.zx.exe (PID: 3836 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\7DF0.t mp.zx.exe" MD5: 0D41D77BB6AD83D6FC53FCB753AABBAC) - {B268D441C1ED2974164258}.exe (PID: 6464 cmdline:
"C:\Users\ user\AppDa ta\Roaming \{B268D441 C1ED297416 4258}\{B26 8D441C1ED2 974164258} .exe" MD5: D0CCE7870080BD889DBA1F4CFD2B3B26) - svchost.exe (PID: 4284 cmdline:
C:\Windows \system32\ svchost.ex e -k DcomL aunch -p - s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
RedLine Stealer | RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. | No Attribution |
{"C2 url": ["176.111.174.140:1912"], "Bot Id": "Diamotrix", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security | ||
JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
INDICATOR_SUSPICIOUS_ReflectiveLoader | detects Reflective DLL injection artifacts | ditekSHen |
| |
INDICATOR_SUSPICIOUS_ReflectiveLoader | detects Reflective DLL injection artifacts | ditekSHen |
| |
INDICATOR_SUSPICIOUS_ReflectiveLoader | detects Reflective DLL injection artifacts | ditekSHen |
| |
JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | ||
INDICATOR_SUSPICIOUS_ReflectiveLoader | detects Reflective DLL injection artifacts | ditekSHen |
| |
Click to see the 6 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
INDICATOR_SUSPICIOUS_ReflectiveLoader | detects Reflective DLL injection artifacts | ditekSHen |
| |
INDICATOR_SUSPICIOUS_ReflectiveLoader | detects Reflective DLL injection artifacts | ditekSHen |
| |
JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | ||
INDICATOR_SUSPICIOUS_ReflectiveLoader | detects Reflective DLL injection artifacts | ditekSHen |
| |
INDICATOR_SUSPICIOUS_ReflectiveLoader | detects Reflective DLL injection artifacts | ditekSHen |
| |
Click to see the 6 entries |
System Summary |
---|
Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): |
Source: | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): |
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: vburov: |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-10-19T14:03:38.855330+0200 | 2043234 | 1 | A Network Trojan was detected | 176.111.174.140 | 1912 | 192.168.2.5 | 49786 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-10-19T14:03:38.568396+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.5 | 49786 | 176.111.174.140 | 1912 | TCP |
2024-10-19T14:03:43.915169+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.5 | 49786 | 176.111.174.140 | 1912 | TCP |
2024-10-19T14:03:44.331449+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.5 | 49786 | 176.111.174.140 | 1912 | TCP |
2024-10-19T14:03:44.706079+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.5 | 49786 | 176.111.174.140 | 1912 | TCP |
2024-10-19T14:03:45.808776+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.5 | 49786 | 176.111.174.140 | 1912 | TCP |
2024-10-19T14:03:46.123076+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.5 | 49786 | 176.111.174.140 | 1912 | TCP |
2024-10-19T14:03:46.398603+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.5 | 49786 | 176.111.174.140 | 1912 | TCP |
2024-10-19T14:03:46.700435+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.5 | 49786 | 176.111.174.140 | 1912 | TCP |
2024-10-19T14:03:47.010418+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.5 | 49786 | 176.111.174.140 | 1912 | TCP |
2024-10-19T14:03:47.356648+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.5 | 49786 | 176.111.174.140 | 1912 | TCP |
2024-10-19T14:03:47.915904+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.5 | 49786 | 176.111.174.140 | 1912 | TCP |
2024-10-19T14:03:48.188837+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.5 | 49786 | 176.111.174.140 | 1912 | TCP |
2024-10-19T14:03:48.667356+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.5 | 49786 | 176.111.174.140 | 1912 | TCP |
2024-10-19T14:03:48.986355+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.5 | 49786 | 176.111.174.140 | 1912 | TCP |
2024-10-19T14:03:49.265053+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.5 | 49786 | 176.111.174.140 | 1912 | TCP |
2024-10-19T14:03:50.254764+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.5 | 49786 | 176.111.174.140 | 1912 | TCP |
2024-10-19T14:03:50.539709+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.5 | 49786 | 176.111.174.140 | 1912 | TCP |
2024-10-19T14:03:50.856333+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.5 | 49786 | 176.111.174.140 | 1912 | TCP |
2024-10-19T14:03:51.141186+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.5 | 49786 | 176.111.174.140 | 1912 | TCP |
2024-10-19T14:03:51.612413+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.5 | 49786 | 176.111.174.140 | 1912 | TCP |
2024-10-19T14:03:51.943706+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.5 | 49786 | 176.111.174.140 | 1912 | TCP |
2024-10-19T14:03:52.208176+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.5 | 49786 | 176.111.174.140 | 1912 | TCP |
2024-10-19T14:03:52.527097+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.5 | 49786 | 176.111.174.140 | 1912 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-10-19T14:03:44.189029+0200 | 2046056 | 1 | A Network Trojan was detected | 176.111.174.140 | 1912 | 192.168.2.5 | 49786 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-10-19T14:03:20.400966+0200 | 2018581 | 1 | A Network Trojan was detected | 192.168.2.5 | 49709 | 176.111.174.140 | 80 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-10-19T14:03:20.400966+0200 | 2019714 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49709 | 176.111.174.140 | 80 | TCP |
2024-10-19T14:03:23.277190+0200 | 2019714 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49710 | 176.111.174.140 | 80 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-10-19T14:03:38.568396+0200 | 2046045 | 1 | A Network Trojan was detected | 192.168.2.5 | 49786 | 176.111.174.140 | 1912 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-10-19T14:03:09.666527+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49704 | 176.111.174.140 | 80 | TCP |
2024-10-19T14:03:14.528036+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49705 | 176.111.174.140 | 80 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: | ||
Source: | ReversingLabs: | ||
Source: | ReversingLabs: |
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Code function: | 0_2_00007FF6CF9466F0 | |
Source: | Code function: | 3_2_11056AE0 | |
Source: | Code function: | 4_2_00007FF6BCCA66F0 | |
Source: | Code function: | 5_2_00007FF78FA666F0 | |
Source: | Code function: | 9_2_00007FF7A34B66F0 | |
Source: | Code function: | 10_2_00007FF779E979B0 | |
Source: | Code function: | 10_2_00007FF779E985A0 | |
Source: | Code function: | 10_2_00007FF779EB0B84 | |
Source: | Code function: | 12_2_00007FF779E985A0 | |
Source: | Code function: | 12_2_00007FF779E979B0 | |
Source: | Code function: | 12_2_00007FF779EB0B84 | |
Source: | Code function: | 12_2_00007FF8B8342DFC | |
Source: | Code function: | 12_2_00007FF8B836EFEC | |
Source: | Code function: | 13_2_00007FF67F5566F0 |
Networking |
---|
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: |
Source: | Network Connect: | Jump to behavior |
Source: | URLs: |
Source: | TCP traffic: |
Source: | HTTP traffic detected: |