Windows Analysis Report
bac4j0DRRb.exe

Overview

General Information

Sample name: bac4j0DRRb.exe
renamed because original name is a hash value
Original sample name: AD9E28142AB51F364542C7DAC2D73A8C.exe
Analysis ID: 1538231
MD5: ad9e28142ab51f364542c7dac2d73a8c
SHA1: 8bd52e4e93b44a347d05c3c94c397354894088ae
SHA256: a9ec84d22acda7f438810bae0831bc151e6784f2005c896d687ab295ef4a7fd5
Tags: exeRedLineStealeruser-abuse_ch
Infos:

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected RedLine Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Detected potential crypto function
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
RedLine Stealer RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: bac4j0DRRb.exe Avira: detected
Found malware configuration
Source: bac4j0DRRb.exe Malware Configuration Extractor: RedLine {"C2 url": ["ierinapu.xyz:80"], "Bot Id": "@apexbeatsjuggin"}
Multi AV Scanner detection for submitted file
Source: bac4j0DRRb.exe ReversingLabs: Detection: 81%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: bac4j0DRRb.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: bac4j0DRRb.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: bac4j0DRRb.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: \??\C:\Windows\System.ServiceModel.pdb source: bac4j0DRRb.exe, 00000000.00000002.3289204149.000000000097A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: bac4j0DRRb.exe, 00000000.00000002.3289204149.000000000097A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.pdb source: bac4j0DRRb.exe, 00000000.00000002.3289204149.0000000000942000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: bac4j0DRRb.exe, 00000000.00000002.3289204149.000000000097A000.00000004.00000020.00020000.00000000.sdmp

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:49704 -> 18.141.10.107:80
Source: Network traffic Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:49707 -> 18.141.10.107:80
Source: Network traffic Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:49706 -> 18.141.10.107:80
Source: Network traffic Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:49708 -> 18.141.10.107:80
Source: Network traffic Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:49713 -> 18.141.10.107:80
Source: Network traffic Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:49705 -> 18.141.10.107:80
Source: Network traffic Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:49742 -> 18.141.10.107:80
Source: Network traffic Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:49752 -> 18.141.10.107:80
Source: Network traffic Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:49727 -> 18.141.10.107:80
Source: Network traffic Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:49775 -> 18.141.10.107:80
Source: Network traffic Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:49763 -> 18.141.10.107:80
Source: Network traffic Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:49787 -> 18.141.10.107:80
Source: Network traffic Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:49823 -> 18.141.10.107:80
Source: Network traffic Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:49811 -> 18.141.10.107:80
Source: Network traffic Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:49834 -> 18.141.10.107:80
Source: Network traffic Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:49797 -> 18.141.10.107:80
Source: Network traffic Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:49847 -> 18.141.10.107:80
Source: Network traffic Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:49860 -> 18.141.10.107:80
Source: Network traffic Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:49872 -> 18.141.10.107:80
Source: Network traffic Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:49897 -> 18.141.10.107:80
Source: Network traffic Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:49883 -> 18.141.10.107:80
Source: Network traffic Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:49912 -> 18.141.10.107:80
Source: Network traffic Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:49923 -> 18.141.10.107:80
Source: Network traffic Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:49938 -> 18.141.10.107:80
Source: Network traffic Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:49961 -> 18.141.10.107:80
Source: Network traffic Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:49999 -> 18.141.10.107:80
Source: Network traffic Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:50007 -> 18.141.10.107:80
Source: Network traffic Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:49950 -> 18.141.10.107:80
Source: Network traffic Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:49974 -> 18.141.10.107:80
Source: Network traffic Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:49987 -> 18.141.10.107:80
Source: Network traffic Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:50011 -> 18.141.10.107:80
Source: Network traffic Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:50016 -> 18.141.10.107:80
Source: Network traffic Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:50017 -> 18.141.10.107:80
Source: Network traffic Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:50020 -> 18.141.10.107:80
Source: Network traffic Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:50010 -> 18.141.10.107:80
Source: Network traffic Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:50021 -> 18.141.10.107:80
Source: Network traffic Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:50012 -> 18.141.10.107:80
Source: Network traffic Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:50018 -> 18.141.10.107:80
Source: Network traffic Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:50009 -> 18.141.10.107:80
Source: Network traffic Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:50022 -> 18.141.10.107:80
Source: Network traffic Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:50023 -> 18.141.10.107:80
Source: Network traffic Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:50019 -> 18.141.10.107:80
Source: Network traffic Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:50014 -> 18.141.10.107:80
Source: Network traffic Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:50024 -> 18.141.10.107:80
Source: Network traffic Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:50015 -> 18.141.10.107:80
Source: Network traffic Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:50008 -> 18.141.10.107:80
Source: Network traffic Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:50013 -> 18.141.10.107:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: ierinapu.xyz:80
Performs DNS queries to domains with low reputation
Source: DNS query: ierinapu.xyz
Yara detected Generic Downloader
Source: Yara match File source: bac4j0DRRb.exe, type: SAMPLE
Source: Yara match File source: 0.0.bac4j0DRRb.exe.450000.0.unpack, type: UNPACKEDPE
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 18.141.10.107 18.141.10.107
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AMAZON-02US AMAZON-02US
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.141.10.107:80 -> 192.168.2.5:49708
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.141.10.107:80 -> 192.168.2.5:49708
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: ierinapu.xyz
Source: unknown HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002ADB000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.000000000296D000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002A15000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002A05000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.000000000297D000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.00000000029AD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ierinapu.xyz
Source: bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002871000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ierinapu.xyz/
Source: bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002871000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ierinapu.xyz:80/
Source: bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002871000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: bac4j0DRRb.exe, 00000000.00000002.3289675118.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.00000000029F5000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.000000000294C000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.000000000299D000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002ABC000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.000000000298D000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.000000000291E000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002ADB000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.000000000296D000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002916000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.000000000293F000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002871000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002A15000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002A05000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.000000000297D000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.00000000029AD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002871000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002871000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultH
Source: bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002871000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002909000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: bac4j0DRRb.exe, 00000000.00000002.3289675118.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.00000000029F5000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.000000000294C000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.000000000299D000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002ABC000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.000000000298D000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.000000000291E000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002ADB000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.000000000296D000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002916000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.000000000293F000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002871000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002A15000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002A05000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.000000000297D000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.00000000029AD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/
Source: bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002916000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/0t
Source: bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002871000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/
Source: bac4j0DRRb.exe, 00000000.00000002.3289675118.00000000029AD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/GetArguments
Source: bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002871000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/GetArgumentsLRjq
Source: bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002871000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/GetArgumentsResponse
Source: bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002909000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/GetArgumentsT
Source: bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002871000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesLRjq
Source: bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002871000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002871000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/VerifyScanRequestLRjq(
Source: bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002871000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/VerifyScanRequestResponse
Source: bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002871000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateLRjq
Source: bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002871000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: bac4j0DRRb.exe String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: bac4j0DRRb.exe String found in binary or memory: https://api.ipify.org
Source: bac4j0DRRb.exe String found in binary or memory: https://icanhazip.com5https://wtfismyip.com/textChttp://bot.whatismyipaddress.com/3http://checkip.dy
Source: bac4j0DRRb.exe String found in binary or memory: https://ipinfo.io/ip%appdata%

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: bac4j0DRRb.exe, type: SAMPLE Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: bac4j0DRRb.exe, type: SAMPLE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.0.bac4j0DRRb.exe.450000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.0.bac4j0DRRb.exe.450000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000000.2027367969.0000000000452000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: bac4j0DRRb.exe PID: 4028, type: MEMORYSTR Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Detected potential crypto function
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Code function: 0_2_026CDDE8 0_2_026CDDE8
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Code function: 0_2_026CD4F0 0_2_026CD4F0
Sample file is different than original file name gathered from version info
Source: bac4j0DRRb.exe, 00000000.00000002.3289204149.000000000090E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs bac4j0DRRb.exe
Source: bac4j0DRRb.exe, 00000000.00000000.2027386663.000000000046A000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameHetaerist.exe4 vs bac4j0DRRb.exe
Source: bac4j0DRRb.exe Binary or memory string: OriginalFilenameHetaerist.exe4 vs bac4j0DRRb.exe
Uses 32bit PE files
Source: bac4j0DRRb.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: bac4j0DRRb.exe, type: SAMPLE Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: bac4j0DRRb.exe, type: SAMPLE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.0.bac4j0DRRb.exe.450000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.0.bac4j0DRRb.exe.450000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000000.2027367969.0000000000452000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: bac4j0DRRb.exe PID: 4028, type: MEMORYSTR Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.troj.winEXE@1/0@1/1
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Mutant created: NULL
Source: bac4j0DRRb.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: bac4j0DRRb.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: bac4j0DRRb.exe ReversingLabs: Detection: 81%
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: bac4j0DRRb.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: bac4j0DRRb.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: bac4j0DRRb.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: \??\C:\Windows\System.ServiceModel.pdb source: bac4j0DRRb.exe, 00000000.00000002.3289204149.000000000097A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: bac4j0DRRb.exe, 00000000.00000002.3289204149.000000000097A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.pdb source: bac4j0DRRb.exe, 00000000.00000002.3289204149.0000000000942000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: bac4j0DRRb.exe, 00000000.00000002.3289204149.000000000097A000.00000004.00000020.00020000.00000000.sdmp
Binary contains a suspicious time stamp
Source: bac4j0DRRb.exe Static PE information: 0xB7C91059 [Fri Sep 16 14:04:09 2067 UTC]
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Memory allocated: 26C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Memory allocated: 2870000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Memory allocated: 4870000 memory reserve | memory write watch Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\bac4j0DRRb.exe TID: 3716 Thread sleep count: 46 > 30 Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe TID: 3716 Thread sleep time: -46000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Last function: Thread delayed
Source: bac4j0DRRb.exe, 00000000.00000002.3289204149.000000000097A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Enables debug privileges
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Memory allocated: page read and write | page guard Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Queries volume information: C:\Users\user\Desktop\bac4j0DRRb.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected RedLine Stealer
Source: Yara match File source: bac4j0DRRb.exe, type: SAMPLE
Source: Yara match File source: 0.0.bac4j0DRRb.exe.450000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.2027367969.0000000000452000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: bac4j0DRRb.exe PID: 4028, type: MEMORYSTR
Yara detected Credential Stealer
Source: Yara match File source: bac4j0DRRb.exe, type: SAMPLE
Source: Yara match File source: 0.0.bac4j0DRRb.exe.450000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.2027367969.0000000000452000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: bac4j0DRRb.exe PID: 4028, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected RedLine Stealer
Source: Yara match File source: bac4j0DRRb.exe, type: SAMPLE
Source: Yara match File source: 0.0.bac4j0DRRb.exe.450000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.2027367969.0000000000452000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: bac4j0DRRb.exe PID: 4028, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1538231 Sample: bac4j0DRRb.exe Startdate: 20/10/2024 Architecture: WINDOWS Score: 100 9 ierinapu.xyz 2->9 13 Suricata IDS alerts for network traffic 2->13 15 Found malware configuration 2->15 17 Malicious sample detected (through community Yara rule) 2->17 21 7 other signatures 2->21 6 bac4j0DRRb.exe 15 2 2->6         started        signatures3 19 Performs DNS queries to domains with low reputation 9->19 process4 dnsIp5 11 ierinapu.xyz 18.141.10.107, 49704, 49705, 49706 AMAZON-02US United States 6->11
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
18.141.10.107
 ierinapu.xyz United States
16509 AMAZON-02US true

Contacted Domains

Name IP Active
ierinapu.xyz 18.141.10.107 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
ierinapu.xyz:80 true
    		unknown
    http://ierinapu.xyz/ true
      		unknown