Windows Analysis Report
PRODUCT LIST.exe

Overview

General Information

Sample name: PRODUCT LIST.exe
Analysis ID: 1561829
MD5: a9b805862ccee6848ce91ef51a31f71d
SHA1: 4ca749b30f879945324811f5924996765aa7d2e4
SHA256: 9bdef064f9693bbae4a073b09a795c7b27e7486c10b3c7d920019ca3729bb434
Tags: exegeorouuser-NDA0E
Infos:

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected RedLine Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
RedLine Stealer RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: PRODUCT LIST.exe Avira: detected
Found malware configuration
Source: 0.2.PRODUCT LIST.exe.1f0000.0.unpack Malware Configuration Extractor: RedLine {"C2 url": ["104.219.234.170:16383"], "Bot Id": "Ammy"}
Multi AV Scanner detection for submitted file
Source: PRODUCT LIST.exe ReversingLabs: Detection: 55%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: PRODUCT LIST.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: PRODUCT LIST.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb source: PRODUCT LIST.exe, 00000000.00000002.2197239004.0000000000216000.00000040.00000001.01000000.00000003.sdmp

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2848200 - Severity 1 - ETPRO MALWARE RedLine - GetUpdates Request : 192.168.2.5:49707 -> 104.219.234.170:16383
Source: Network traffic Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.5:49704 -> 104.219.234.170:16383
Source: Network traffic Suricata IDS: 2045000 - Severity 1 - ET MALWARE RedLine Stealer - CheckConnect Response : 104.219.234.170:16383 -> 192.168.2.5:49704
Source: Network traffic Suricata IDS: 2849351 - Severity 1 - ETPRO MALWARE RedLine - EnvironmentSettings Request : 192.168.2.5:49704 -> 104.219.234.170:16383
Source: Network traffic Suricata IDS: 2849352 - Severity 1 - ETPRO MALWARE RedLine - SetEnvironment Request : 192.168.2.5:49706 -> 104.219.234.170:16383
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 104.219.234.170:16383
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 16383
Source: unknown Network traffic detected: HTTP traffic on port 16383 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 16383
Source: unknown Network traffic detected: HTTP traffic on port 16383 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 16383
Source: unknown Network traffic detected: HTTP traffic on port 16383 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 16383
Source: unknown Network traffic detected: HTTP traffic on port 16383 -> 49707
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49704 -> 104.219.234.170:16383
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 104.219.234.170:16383Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"Host: 104.219.234.170:16383Content-Length: 144Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"Host: 104.219.234.170:16383Content-Length: 20789Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: 104.219.234.170:16383Content-Length: 20781Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DATAWAGONUS DATAWAGONUS
Source: unknown TCP traffic detected without corresponding DNS query: 104.219.234.170
Source: unknown TCP traffic detected without corresponding DNS query: 104.219.234.170
Source: unknown TCP traffic detected without corresponding DNS query: 104.219.234.170
Source: unknown TCP traffic detected without corresponding DNS query: 104.219.234.170
Source: unknown TCP traffic detected without corresponding DNS query: 104.219.234.170
Source: unknown TCP traffic detected without corresponding DNS query: 104.219.234.170
Source: unknown TCP traffic detected without corresponding DNS query: 104.219.234.170
Source: unknown TCP traffic detected without corresponding DNS query: 104.219.234.170
Source: unknown TCP traffic detected without corresponding DNS query: 104.219.234.170
Source: unknown TCP traffic detected without corresponding DNS query: 104.219.234.170
Source: unknown TCP traffic detected without corresponding DNS query: 104.219.234.170
Source: unknown TCP traffic detected without corresponding DNS query: 104.219.234.170
Source: unknown TCP traffic detected without corresponding DNS query: 104.219.234.170
Source: unknown TCP traffic detected without corresponding DNS query: 104.219.234.170
Source: unknown TCP traffic detected without corresponding DNS query: 104.219.234.170
Source: unknown TCP traffic detected without corresponding DNS query: 104.219.234.170
Source: unknown TCP traffic detected without corresponding DNS query: 104.219.234.170
Source: unknown TCP traffic detected without corresponding DNS query: 104.219.234.170
Source: unknown TCP traffic detected without corresponding DNS query: 104.219.234.170
Source: unknown TCP traffic detected without corresponding DNS query: 104.219.234.170
Source: unknown TCP traffic detected without corresponding DNS query: 104.219.234.170
Source: unknown TCP traffic detected without corresponding DNS query: 104.219.234.170
Source: unknown TCP traffic detected without corresponding DNS query: 104.219.234.170
Source: unknown TCP traffic detected without corresponding DNS query: 104.219.234.170
Source: unknown TCP traffic detected without corresponding DNS query: 104.219.234.170
Source: unknown TCP traffic detected without corresponding DNS query: 104.219.234.170
Source: unknown TCP traffic detected without corresponding DNS query: 104.219.234.170
Source: unknown TCP traffic detected without corresponding DNS query: 104.219.234.170
Source: unknown TCP traffic detected without corresponding DNS query: 104.219.234.170
Source: unknown TCP traffic detected without corresponding DNS query: 104.219.234.170
Source: unknown TCP traffic detected without corresponding DNS query: 104.219.234.170
Source: unknown TCP traffic detected without corresponding DNS query: 104.219.234.170
Source: unknown TCP traffic detected without corresponding DNS query: 104.219.234.170
Source: unknown TCP traffic detected without corresponding DNS query: 104.219.234.170
Source: unknown TCP traffic detected without corresponding DNS query: 104.219.234.170
Source: unknown TCP traffic detected without corresponding DNS query: 104.219.234.170
Source: unknown TCP traffic detected without corresponding DNS query: 104.219.234.170
Source: unknown TCP traffic detected without corresponding DNS query: 104.219.234.170
Source: unknown TCP traffic detected without corresponding DNS query: 104.219.234.170
Source: unknown TCP traffic detected without corresponding DNS query: 104.219.234.170
Source: unknown TCP traffic detected without corresponding DNS query: 104.219.234.170
Source: unknown TCP traffic detected without corresponding DNS query: 104.219.234.170
Source: unknown TCP traffic detected without corresponding DNS query: 104.219.234.170
Source: unknown TCP traffic detected without corresponding DNS query: 104.219.234.170
Source: unknown TCP traffic detected without corresponding DNS query: 104.219.234.170
Source: unknown TCP traffic detected without corresponding DNS query: 104.219.234.170
Source: unknown TCP traffic detected without corresponding DNS query: 104.219.234.170
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: api.ip.sb
Source: unknown HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 104.219.234.170:16383Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.00000000032FE000.00000004.00000800.00020000.00000000.sdmp, PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmp, PRODUCT LIST.exe, 00000000.00000002.2199369265.000000000344C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://104.219.234.170:16383
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://104.219.234.170:16383/
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.000000000344C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://104.219.234.170:16383t-
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003433000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.00000000030DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.00000000030DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/0
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.00000000030A0000.00000004.00000800.00020000.00000000.sdmp, PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.000000000344C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.00000000032FE000.00000004.00000800.00020000.00000000.sdmp, PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmp, PRODUCT LIST.exe, 00000000.00000002.2199369265.000000000344C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: tmpBC2E.tmp.0.dr, tmp2E2C.tmp.0.dr, tmpF573.tmp.0.dr, tmp2E2B.tmp.0.dr, tmpF594.tmp.0.dr, tmpF553.tmp.0.dr, tmpBC0E.tmp.0.dr, tmp2E0B.tmp.0.dr, tmpBC70.tmp.0.dr, tmpBC3F.tmp.0.dr, tmpF5A4.tmp.0.dr, tmpBC4F.tmp.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.00000000030B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ip.sb
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.00000000030B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ip.sb/geoip
Source: PRODUCT LIST.exe String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE
Source: PRODUCT LIST.exe, PRODUCT LIST.exe, 00000000.00000002.2197202153.00000000001F2000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: PRODUCT LIST.exe String found in binary or memory: https://api.ipify.orgcoo
Source: PRODUCT LIST.exe String found in binary or memory: https://api.ipify.orgcookies//setti
Source: PRODUCT LIST.exe, PRODUCT LIST.exe, 00000000.00000002.2197202153.00000000001F2000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: tmpBC2E.tmp.0.dr, tmp2E2C.tmp.0.dr, tmpF573.tmp.0.dr, tmp2E2B.tmp.0.dr, tmpF594.tmp.0.dr, tmpF553.tmp.0.dr, tmpBC0E.tmp.0.dr, tmp2E0B.tmp.0.dr, tmpBC70.tmp.0.dr, tmpBC3F.tmp.0.dr, tmpF5A4.tmp.0.dr, tmpBC4F.tmp.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: tmpBC2E.tmp.0.dr, tmp2E2C.tmp.0.dr, tmpF573.tmp.0.dr, tmp2E2B.tmp.0.dr, tmpF594.tmp.0.dr, tmpF553.tmp.0.dr, tmpBC0E.tmp.0.dr, tmp2E0B.tmp.0.dr, tmpBC70.tmp.0.dr, tmpBC3F.tmp.0.dr, tmpF5A4.tmp.0.dr, tmpBC4F.tmp.0.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: tmpBC2E.tmp.0.dr, tmp2E2C.tmp.0.dr, tmpF573.tmp.0.dr, tmp2E2B.tmp.0.dr, tmpF594.tmp.0.dr, tmpF553.tmp.0.dr, tmpBC0E.tmp.0.dr, tmp2E0B.tmp.0.dr, tmpBC70.tmp.0.dr, tmpBC3F.tmp.0.dr, tmpF5A4.tmp.0.dr, tmpBC4F.tmp.0.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: tmpBC2E.tmp.0.dr, tmp2E2C.tmp.0.dr, tmpF573.tmp.0.dr, tmp2E2B.tmp.0.dr, tmpF594.tmp.0.dr, tmpF553.tmp.0.dr, tmpBC0E.tmp.0.dr, tmp2E0B.tmp.0.dr, tmpBC70.tmp.0.dr, tmpBC3F.tmp.0.dr, tmpF5A4.tmp.0.dr, tmpBC4F.tmp.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: tmpBC2E.tmp.0.dr, tmp2E2C.tmp.0.dr, tmpF573.tmp.0.dr, tmp2E2B.tmp.0.dr, tmpF594.tmp.0.dr, tmpF553.tmp.0.dr, tmpBC0E.tmp.0.dr, tmp2E0B.tmp.0.dr, tmpBC70.tmp.0.dr, tmpBC3F.tmp.0.dr, tmpF5A4.tmp.0.dr, tmpBC4F.tmp.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: tmpBC2E.tmp.0.dr, tmp2E2C.tmp.0.dr, tmpF573.tmp.0.dr, tmp2E2B.tmp.0.dr, tmpF594.tmp.0.dr, tmpF553.tmp.0.dr, tmpBC0E.tmp.0.dr, tmp2E0B.tmp.0.dr, tmpBC70.tmp.0.dr, tmpBC3F.tmp.0.dr, tmpF5A4.tmp.0.dr, tmpBC4F.tmp.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: PRODUCT LIST.exe, PRODUCT LIST.exe, 00000000.00000002.2197202153.00000000001F2000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: tmpBC2E.tmp.0.dr, tmp2E2C.tmp.0.dr, tmpF573.tmp.0.dr, tmp2E2B.tmp.0.dr, tmpF594.tmp.0.dr, tmpF553.tmp.0.dr, tmpBC0E.tmp.0.dr, tmp2E0B.tmp.0.dr, tmpBC70.tmp.0.dr, tmpBC3F.tmp.0.dr, tmpF5A4.tmp.0.dr, tmpBC4F.tmp.0.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: tmpBC2E.tmp.0.dr, tmp2E2C.tmp.0.dr, tmpF573.tmp.0.dr, tmp2E2B.tmp.0.dr, tmpF594.tmp.0.dr, tmpF553.tmp.0.dr, tmpBC0E.tmp.0.dr, tmp2E0B.tmp.0.dr, tmpBC70.tmp.0.dr, tmpBC3F.tmp.0.dr, tmpF5A4.tmp.0.dr, tmpBC4F.tmp.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 0.2.PRODUCT LIST.exe.1f0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.PRODUCT LIST.exe.1f0000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.2197202153.00000000001F2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: PRODUCT LIST.exe PID: 5032, type: MEMORYSTR Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
PE file contains section with special chars
Source: PRODUCT LIST.exe Static PE information: section name:
Source: PRODUCT LIST.exe Static PE information: section name:
Source: PRODUCT LIST.exe Static PE information: section name:
Detected potential crypto function
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Code function: 0_2_0100E7B0 0_2_0100E7B0
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Code function: 0_2_0100DC90 0_2_0100DC90
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Code function: 0_2_064D96D0 0_2_064D96D0
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Code function: 0_2_064D4508 0_2_064D4508
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Code function: 0_2_064DD5C8 0_2_064DD5C8
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Code function: 0_2_064D33C0 0_2_064D33C0
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Code function: 0_2_064DDAD0 0_2_064DDAD0
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Code function: 0_2_064D1210 0_2_064D1210
Sample file is different than original file name gathered from version info
Source: PRODUCT LIST.exe Binary or memory string: OriginalFilename vs PRODUCT LIST.exe
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.00000000032B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamefirefox.exe0 vs PRODUCT LIST.exe
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.00000000032B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs PRODUCT LIST.exe
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.00000000032B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ${q,\\StringFileInfo\\000004B0\\OriginalFilename vs PRODUCT LIST.exe
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.00000000032B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamechrome.exe< vs PRODUCT LIST.exe
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.00000000032B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ${q,\\StringFileInfo\\040904B0\\OriginalFilename vs PRODUCT LIST.exe
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.00000000032B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameIEXPLORE.EXE.MUID vs PRODUCT LIST.exe
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.00000000032B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameIEXPLORE.EXED vs PRODUCT LIST.exe
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.00000000032B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ${q,\\StringFileInfo\\080904B0\\OriginalFilename vs PRODUCT LIST.exe
Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.00000000032B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemsedge.exe> vs PRODUCT LIST.exe
Source: PRODUCT LIST.exe, 00000000.00000002.2198304415.0000000000E5E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs PRODUCT LIST.exe
Source: PRODUCT LIST.exe, 00000000.00000000.2034884508.0000000000214000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameImplosions.exe4 vs PRODUCT LIST.exe
Source: PRODUCT LIST.exe, 00000000.00000002.2197202153.00000000001F2000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameImplosions.exe4 vs PRODUCT LIST.exe
Source: PRODUCT LIST.exe Binary or memory string: OriginalFilenameImplosions.exe4 vs PRODUCT LIST.exe
Uses 32bit PE files
Source: PRODUCT LIST.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 0.2.PRODUCT LIST.exe.1f0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.PRODUCT LIST.exe.1f0000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000002.2197202153.00000000001F2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: PRODUCT LIST.exe PID: 5032, type: MEMORYSTR Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: PRODUCT LIST.exe Static PE information: Section: ZLIB complexity 1.0006031709558822
Source: PRODUCT LIST.exe Static PE information: Section: .boot ZLIB complexity 0.9948373809878013
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@2/39@1/1
Source: C:\Users\user\Desktop\PRODUCT LIST.exe File created: C:\Users\user\AppData\Local\Yandex Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5728:120:WilError_03
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Mutant created: NULL
Source: C:\Users\user\Desktop\PRODUCT LIST.exe File created: C:\Users\user\AppData\Local\Temp\tmp826A.tmp Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PRODUCT LIST.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId=&apos;1&apos;
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: tmp2E4D.tmp.0.dr, tmp82CD.tmp.0.dr, tmp826A.tmp.0.dr, tmp82AB.tmp.0.dr, tmp829B.tmp.0.dr, tmp82BC.tmp.0.dr, tmp2E4C.tmp.0.dr, tmp827B.tmp.0.dr, tmp2E5F.tmp.0.dr, tmp2E70.tmp.0.dr, tmp2E71.tmp.0.dr, tmp2E5E.tmp.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: PRODUCT LIST.exe ReversingLabs: Detection: 55%
Source: unknown Process created: C:\Users\user\Desktop\PRODUCT LIST.exe "C:\Users\user\Desktop\PRODUCT LIST.exe"
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Section loaded: uxtheme.dll Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: PRODUCT LIST.exe Static file information: File size 1776640 > 1048576
Source: PRODUCT LIST.exe Static PE information: Raw size of .boot is bigger than: 0x100000 < 0x1a4200
Source: Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb source: PRODUCT LIST.exe, 00000000.00000002.2197239004.0000000000216000.00000040.00000001.01000000.00000003.sdmp

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Unpacked PE file: 0.2.PRODUCT LIST.exe.1f0000.0.unpack :ER; :R; :R;.vm_sec:W;.idata:W;.rsrc:R;.themida:EW;.boot:ER; vs :ER; :R; :R;
Binary contains a suspicious time stamp
Source: PRODUCT LIST.exe Static PE information: 0xF00CA9A2 [Wed Aug 14 23:34:58 2097 UTC]
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .boot
PE file contains sections with non-standard names
Source: PRODUCT LIST.exe Static PE information: section name:
Source: PRODUCT LIST.exe Static PE information: section name:
Source: PRODUCT LIST.exe Static PE information: section name:
Source: PRODUCT LIST.exe Static PE information: section name: .vm_sec
Source: PRODUCT LIST.exe Static PE information: section name: .themida
Source: PRODUCT LIST.exe Static PE information: section name: .boot
Source: PRODUCT LIST.exe Static PE information: section name: entropy: 7.994326576469916
Source: PRODUCT LIST.exe Static PE information: section name: .boot entropy: 7.95802050682975

Boot Survival
barindex
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 16383
Source: unknown Network traffic detected: HTTP traffic on port 16383 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 16383
Source: unknown Network traffic detected: HTTP traffic on port 16383 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 16383
Source: unknown Network traffic detected: HTTP traffic on port 16383 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 16383
Source: unknown Network traffic detected: HTTP traffic on port 16383 -> 49707
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Source: C:\Users\user\Desktop\PRODUCT LIST.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\Desktop\PRODUCT LIST.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Query firmware table information (likely to detect VMs)
Source: C:\Users\user\Desktop\PRODUCT LIST.exe System information queried: FirmwareTableInformation Jump to behavior
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\PRODUCT LIST.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Memory allocated: 1000000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Memory allocated: 3050000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Memory allocated: 2EA0000 memory reserve | memory write watch Jump to behavior
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Window / User API: threadDelayed 1477 Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Window / User API: threadDelayed 6539 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\PRODUCT LIST.exe TID: 432 Thread sleep time: -26747778906878833s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe TID: 5384 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe TID: 6624 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\PRODUCT LIST.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: tmp9E5A.tmp.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: tmp9E5A.tmp.0.dr Binary or memory string: discord.comVMware20,11696428655f
Source: tmp9E5A.tmp.0.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: tmp9E5A.tmp.0.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: tmp9E5A.tmp.0.dr Binary or memory string: global block list test formVMware20,11696428655
Source: tmp9E5A.tmp.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: tmp9E5A.tmp.0.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: tmp9E5A.tmp.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: tmp9E5A.tmp.0.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: tmp9E5A.tmp.0.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: tmp9E5A.tmp.0.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: tmp9E5A.tmp.0.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: tmp9E5A.tmp.0.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: tmp9E5A.tmp.0.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: tmp9E5A.tmp.0.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: PRODUCT LIST.exe, 00000000.00000002.2198304415.0000000000F29000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: tmp9E5A.tmp.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: tmp9E5A.tmp.0.dr Binary or memory string: outlook.office.comVMware20,11696428655s
Source: tmp9E5A.tmp.0.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: tmp9E5A.tmp.0.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: tmp9E5A.tmp.0.dr Binary or memory string: AMC password management pageVMware20,11696428655
Source: tmp9E5A.tmp.0.dr Binary or memory string: tasks.office.comVMware20,11696428655o
Source: tmp9E5A.tmp.0.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: tmp9E5A.tmp.0.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: tmp9E5A.tmp.0.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: tmp9E5A.tmp.0.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: tmp9E5A.tmp.0.dr Binary or memory string: dev.azure.comVMware20,11696428655j
Source: tmp9E5A.tmp.0.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: tmp9E5A.tmp.0.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: tmp9E5A.tmp.0.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: tmp9E5A.tmp.0.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: tmp9E5A.tmp.0.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: C:\Users\user\Desktop\PRODUCT LIST.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Thread information set: HideFromDebugger Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process queried: DebugObjectHandle Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Memory allocated: page read and write | page guard Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\PRODUCT LIST.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\PRODUCT LIST.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\PRODUCT LIST.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\PRODUCT LIST.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\PRODUCT LIST.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\PRODUCT LIST.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

Stealing of Sensitive Information
barindex
Yara detected RedLine Stealer
Source: Yara match File source: 0.2.PRODUCT LIST.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2197202153.00000000001F2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PRODUCT LIST.exe PID: 5032, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\PRODUCT LIST.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT LIST.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 0.2.PRODUCT LIST.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2197202153.00000000001F2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PRODUCT LIST.exe PID: 5032, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected RedLine Stealer
Source: Yara match File source: 0.2.PRODUCT LIST.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2197202153.00000000001F2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PRODUCT LIST.exe PID: 5032, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1561829 Sample: PRODUCT LIST.exe Startdate: 24/11/2024 Architecture: WINDOWS Score: 100 16 api.ip.sb 2->16 20 Suricata IDS alerts for network traffic 2->20 22 Found malware configuration 2->22 24 Malicious sample detected (through community Yara rule) 2->24 26 12 other signatures 2->26 7 PRODUCT LIST.exe 15 44 2->7         started        signatures3 process4 dnsIp5 18 104.219.234.170, 16383, 49704, 49706 DATAWAGONUS United States 7->18 14 C:\Users\user\...\PRODUCT LIST.exe.log, ASCII 7->14 dropped 28 Query firmware table information (likely to detect VMs) 7->28 30 Tries to harvest and steal browser information (history, passwords, etc) 7->30 32 Hides threads from debuggers 7->32 34 2 other signatures 7->34 12 conhost.exe 7->12         started        file6 signatures7 process8
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.219.234.170
 unknown United States
27176 DATAWAGONUS true

Contacted Domains

Name IP Active
api.ip.sb unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
104.219.234.170:16383 true
  • Avira URL Cloud: safe
 unknown
http://104.219.234.170:16383/ true
  • Avira URL Cloud: safe
 unknown