Windows Analysis Report
h2TTyq9R7h.exe

Overview

General Information

Sample name: h2TTyq9R7h.exe
renamed because original name is a hash value
Original sample name: 9cf3fb267bae4374fc871ac0c7a01cc99cc51e0342692aa8730a4415928de133.exe
Analysis ID: 1571561
MD5: 396b829cf9e2e9ff8dd029a418d1f383
SHA1: a4a555781f284f90fcb2342e2f25bdbf85902b64
SHA256: 9cf3fb267bae4374fc871ac0c7a01cc99cc51e0342692aa8730a4415928de133
Tags: 213-21-220-222, exe, user-JAMESWT_MHT

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected RedLine Stealer
.NET source code contains potential unpacker
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Detected potential unwanted application
Injects a PE file into a foreign processes
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables security privileges
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Communication To Uncommon Destination Ports
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

AV Detection

Source: 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: RedLine {"C2 url": ["213.21.220.222:8080"], "Bot Id": "FANTOMAS", "Authorization Header": "eedd2d3d70bb441348bd0b41eea2b7df"}
Source: h2TTyq9R7h.exe ReversingLabs: Detection: 55%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: h2TTyq9R7h.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: h2TTyq9R7h.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: \??\C:\Windows\System.ServiceModel.pdb source: AppLaunch.exe, 00000003.00000002.2742974302.0000000004FC2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\XsO773WsaBoO1vF1grgiMyzp2iYTWqeU\Eternal.pdb source: h2TTyq9R7h.exe
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb< source: AppLaunch.exe, 00000003.00000002.2742974302.0000000004F56000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.pdb' source: AppLaunch.exe, 00000003.00000002.2742974302.0000000004FDA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.pdb source: AppLaunch.exe, 00000003.00000002.2742974302.0000000004FDA000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2742974302.0000000005007000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: AppLaunch.exe, 00000003.00000002.2742974302.0000000004F56000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: AppLaunch.exe, 00000003.00000002.2744419969.0000000009232000.00000004.00000020.00020000.00000000.sdmp

Networking

Source: Malware configuration extractor URLs: 213.21.220.222:8080
Source: global traffic TCP traffic: 192.168.2.11:49706 -> 213.21.220.222:8080
Source: Joe Sandbox View IP Address: 213.21.220.222
Source: Joe Sandbox View ASN Name: VERSIALV
Source: unknown TCP traffic detected without corresponding DNS query: 213.21.220.222
Source: h2TTyq9R7h.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: h2TTyq9R7h.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: h2TTyq9R7h.exe String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: h2TTyq9R7h.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: h2TTyq9R7h.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: h2TTyq9R7h.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: h2TTyq9R7h.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: h2TTyq9R7h.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: h2TTyq9R7h.exe String found in binary or memory: http://ocsp.digicert.com0N
Source: h2TTyq9R7h.exe String found in binary or memory: http://ocsp.thawte.com0
Source: AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/
Source: AppLaunch.exe, 00000003.00000002.2743477528.0000000006D70000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Contract/
Source: AppLaunch.exe, 00000003.00000002.2743477528.0000000006D0E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006DA2000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006CD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Contract/MSValue1LReq
Source: AppLaunch.exe, 00000003.00000002.2743477528.0000000006D3F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Contract/MSValue1LReqHa
Source: AppLaunch.exe, 00000003.00000002.2743477528.0000000006D70000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Contract/MSValue1LReqx
Source: AppLaunch.exe, 00000003.00000002.2743477528.0000000006D0E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006D3F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006DA2000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006CD1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006D70000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Contract/MSValue1Response
Source: AppLaunch.exe, 00000003.00000002.2743477528.0000000006D0E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006DA2000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006CD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Contract/MSValue2LReq
Source: AppLaunch.exe, 00000003.00000002.2743477528.0000000006D70000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Contract/MSValue2LReq(
Source: AppLaunch.exe, 00000003.00000002.2743477528.0000000006D3F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Contract/MSValue2LReqdj
Source: AppLaunch.exe, 00000003.00000002.2743477528.0000000006D0E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006D3F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006DA2000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006CD1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006D70000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Contract/MSValue2Response
Source: AppLaunch.exe, 00000003.00000002.2743477528.0000000006D0E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006D3F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006DA2000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006D70000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Contract/MSValue3LReq
Source: AppLaunch.exe, 00000003.00000002.2743477528.0000000006CD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Contract/MSValue3LReqF
Source: AppLaunch.exe, 00000003.00000002.2743477528.0000000006D0E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006D3F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006DA2000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006CD1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.2743477528.0000000006D70000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Contract/MSValue3Response
Source: h2TTyq9R7h.exe String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: h2TTyq9R7h.exe String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: h2TTyq9R7h.exe String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: AppLaunch.exe, 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ip.sb/ip
Source: h2TTyq9R7h.exe String found in binary or memory: https://www.digicert.com/CPS0

System Summary

Source: 0.2.h2TTyq9R7h.exe.8b1000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.h2TTyq9R7h.exe.8b1000.1.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.h2TTyq9R7h.exe.700000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: h2TTyq9R7h.exe PE Signature Subject Chain: CN=Valve, O=Valve, L=Bellevue, S=WA, C=US
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Code function: 0_2_0070770C 0_2_0070770C
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Code function: 0_2_00702D2E 0_2_00702D2E
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Code function: 0_2_0070641F 0_2_0070641F
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Code function: 0_2_007021CB 0_2_007021CB
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Code function: 0_2_00704093 0_2_00704093
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Code function: 0_2_00703738 0_2_00703738
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Code function: 0_2_00701D61 0_2_00701D61
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Code function: 0_2_007021EE 0_2_007021EE
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Code function: 0_2_0070295A 0_2_0070295A
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Code function: 0_2_007063E8 0_2_007063E8
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Code function: 0_2_0070362A 0_2_0070362A
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Code function: 0_2_00701492 0_2_00701492
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Code function: 0_2_00703D91 0_2_00703D91
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Code function: 0_2_00705DB2 0_2_00705DB2
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Code function: 0_2_00706433 0_2_00706433
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Code function: 0_2_00702B5D 0_2_00702B5D
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Code function: 0_2_00703346 0_2_00703346
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Code function: 0_2_00702757 0_2_00702757
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Code function: 0_2_00703DBE 0_2_00703DBE
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Code function: 0_2_00705367 0_2_00705367
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Code function: 0_2_00702DEC 0_2_00702DEC
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Code function: 0_2_0070143D 0_2_0070143D
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Code function: 0_2_007C3D29 0_2_007C3D29
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Code function: 0_2_00707617 0_2_00707617
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 3_2_04ED0848 3_2_04ED0848
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 3_2_04ED140F 3_2_04ED140F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 3_2_091D1E18 3_2_091D1E18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 3_2_091D1E08 3_2_091D1E08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 3_2_091D1458 3_2_091D1458
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Process token adjusted: Security
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Code function: String function: 00706262 appears 54 times
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Code function: String function: 007B070F appears 33 times
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Code function: String function: 0070267B appears 61 times
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Code function: String function: 007061B3 appears 47 times
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Code function: String function: 007037E2 appears 62 times
Source: h2TTyq9R7h.exe Static PE information: invalid certificate
Source: h2TTyq9R7h.exe Binary or memory string: OriginalFilename vs h2TTyq9R7h.exe
Source: h2TTyq9R7h.exe, 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameBrown.exe" vs h2TTyq9R7h.exe
Source: 0.2.h2TTyq9R7h.exe.8b1000.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.h2TTyq9R7h.exe.8b1000.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.h2TTyq9R7h.exe.700000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: classification engine Classification label: mal100.troj.evad.winEXE@4/0@0/1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4920:120:WilError_03
Source: h2TTyq9R7h.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\h2TTyq9R7h.exe "C:\Users\user\Desktop\h2TTyq9R7h.exe"
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: h2TTyq9R7h.exe Static file information: File size 2222368 > 1048576
Source: h2TTyq9R7h.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

Source: 0.2.h2TTyq9R7h.exe.8b1000.1.raw.unpack, SystemExt.cs .Net Code: RaiseEvent
Source: h2TTyq9R7h.exe Static PE information: section name: .dmm
Source: h2TTyq9R7h.exe Static PE information: section name: .00cfg
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Code function: 0_2_007025F4 push ecx; ret 0_2_0072C433
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Code function: 0_2_008B6004 push es; ret 0_2_008B605E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 3_2_04ED42C8 push ebx; ret 3_2_04ED42DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Memory allocated: 4ED0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Memory allocated: 6C20000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Memory allocated: 8C20000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Memory allocated: 92F0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Memory allocated: A2F0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Memory allocated: A420000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Memory allocated: B420000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe API coverage: 4.4 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: AppLaunch.exe, 00000003.00000002.2742974302.0000000004FDA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllL,
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Code function: 0_2_007069FB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_007069FB
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Code function: 0_2_0077D14E mov ecx, dword ptr fs:[00000030h] 0_2_0077D14E
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Code function: 0_2_00705867 mov eax, dword ptr fs:[00000030h] 0_2_00705867
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Code function: 0_2_00703913 mov eax, dword ptr fs:[00000030h] 0_2_00703913
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Code function: 0_2_00701D4D mov eax, dword ptr fs:[00000030h] 0_2_00701D4D
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Code function: 0_2_00701A96 mov edi, dword ptr fs:[00000030h] 0_2_00701A96
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Code function: 0_2_00707455 GetProcessHeap, 0_2_00707455
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Code function: 0_2_0072C61C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0072C61C
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Code function: 0_2_00702874 Concurrency::cancel_current_task,IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00702874
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Code function: 0_2_00706C9E SetUnhandledExceptionFilter, 0_2_00706C9E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Code function: 0_2_007035E4 CreateProcessW,VirtualAllocEx,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread, 0_2_007035E4
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 402000
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 44E000
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 458000
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 4B86008
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Code function: 0_2_0072C161 cpuid 0_2_0072C161
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Code function: GetLocaleInfoW, 0_2_00702EAA
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Code function: GetLocaleInfoEx,FormatMessageA, 0_2_0070178A
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 0_2_00703E6D
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Code function: EnumSystemLocalesW, 0_2_007AFFA6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Code function: 0_2_0072C439 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_0072C439
Source: C:\Users\user\Desktop\h2TTyq9R7h.exe Code function: 0_2_007C5EE0 GetTimeZoneInformation, 0_2_007C5EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 0.2.h2TTyq9R7h.exe.8b1000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.h2TTyq9R7h.exe.8b1000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.h2TTyq9R7h.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2742462628.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: AppLaunch.exe PID: 3628, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0.2.h2TTyq9R7h.exe.8b1000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.h2TTyq9R7h.exe.8b1000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.h2TTyq9R7h.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2742462628.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1489243756.00000000008B1000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2743477528.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: AppLaunch.exe PID: 3628, type: MEMORYSTR