Create Interactive Tour

Windows Analysis Report
[Cracked By Grizzly] BLTools.exe

Overview

General Information

Sample Name:	[Cracked By Grizzly] BLTools.exe
Analysis ID:	622381
MD5:	efc205935046e1dd720c7097cb04a82f
SHA1:	804e239dd03a7b1e3e8d48778216babb55c9bd41
SHA256:	7771e7efe0e4b1b778b221c23befeffdc20e77883a4782298fed407a2c7e9c06
Infos:

Detection

RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected RedLine Stealer

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Writes to foreign memory regions

PE file has nameless sections

Tries to detect virtualization through RDTSC time measurements

Connects to many ports of the same IP (likely port scanning)

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

Uses code obfuscation techniques (call, push, ret)

Detected TCP or UDP traffic on non-standard ports

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

PE / OLE file has an invalid certificate

PE file contains more sections than normal

Program does not show much activity (idle)

Creates a process in suspended mode (likely to inject code)

IP address seen in connection with other malware

Classification

Process Tree

System is w10x64

[Cracked By Grizzly] BLTools.exe (PID: 6344 cmdline: "C:\Users\user\Desktop\[Cracked By Grizzly] BLTools.exe" MD5: EFC205935046E1DD720C7097CB04A82F)

conhost.exe (PID: 6352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

AppLaunch.exe (PID: 6452 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe MD5: 6807F903AC06FF7E1670181378690B22)

cleanup

Malware Configuration

Threatname: RedLine

{
  "C2 url": [
    "91.243.59.21:20856"
  ],
  "Bot Id": "",
  "Authorization Header": "f47b457ee61b83e72f234a2e9551f786"
}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.501756193.0000000000402000.00000020.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000003.240798566.0000000003962000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.241142845.00000000000C0000.00000004.00000010.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: [Cracked By Grizzly] BLTools.exe PID: 6344	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: AppLaunch.exe PID: 6452	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.[Cracked By Grizzly] BLTools.exe.c32dc.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1280f:$v2_1: ListOfProcesses 0x125cf:$v4_3: base64str 0x1321e:$v4_4: stringKey 0x10d81:$v4_5: BytesToStringConverted 0xfd6f:$v4_6: FromBase64 0x11307:$v4_8: procName 0x11630:$v5_1: DownloadAndExecuteUpdate 0x124bd:$v5_2: ITaskProcessor 0x1161e:$v5_3: CommandLineUpdate 0x1160f:$v5_4: DownloadUpdate 0x119e1:$v5_5: FileScanning 0x10fb8:$v5_7: RecordHeaderField 0x10c05:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0.3.[Cracked By Grizzly] BLTools.exe.3960000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.[Cracked By Grizzly] BLTools.exe.c32dc.0.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.3.[Cracked By Grizzly] BLTools.exe.3960000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d58:$pat14: , CommandLine: 0x1460f:$v2_1: ListOfProcesses 0x143cf:$v4_3: base64str 0x1501e:$v4_4: stringKey 0x12b81:$v4_5: BytesToStringConverted 0x11b6f:$v4_6: FromBase64 0x13107:$v4_8: procName 0x13430:$v5_1: DownloadAndExecuteUpdate 0x142bd:$v5_2: ITaskProcessor 0x1341e:$v5_3: CommandLineUpdate 0x1340f:$v5_4: DownloadUpdate 0x137e1:$v5_5: FileScanning 0x12db8:$v5_7: RecordHeaderField 0x12a05:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0.2.[Cracked By Grizzly] BLTools.exe.c32dc.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d58:$pat14: , CommandLine: 0x1460f:$v2_1: ListOfProcesses 0x143cf:$v4_3: base64str 0x1501e:$v4_4: stringKey 0x12b81:$v4_5: BytesToStringConverted 0x11b6f:$v4_6: FromBase64 0x13107:$v4_8: procName 0x13430:$v5_1: DownloadAndExecuteUpdate 0x142bd:$v5_2: ITaskProcessor 0x1341e:$v5_3: CommandLineUpdate 0x1340f:$v5_4: DownloadUpdate 0x137e1:$v5_5: FileScanning 0x12db8:$v5_7: RecordHeaderField 0x12a05:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
2.2.AppLaunch.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
2.2.AppLaunch.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d58:$pat14: , CommandLine: 0x1460f:$v2_1: ListOfProcesses 0x143cf:$v4_3: base64str 0x1501e:$v4_4: stringKey 0x12b81:$v4_5: BytesToStringConverted 0x11b6f:$v4_6: FromBase64 0x13107:$v4_8: procName 0x13430:$v5_1: DownloadAndExecuteUpdate 0x142bd:$v5_2: ITaskProcessor 0x1341e:$v5_3: CommandLineUpdate 0x1340f:$v5_4: DownloadUpdate 0x137e1:$v5_5: FileScanning 0x12db8:$v5_7: RecordHeaderField 0x12a05:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
Click to see the 2 entries

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Stealing of Sensitive Information
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 2.2.AppLaunch.exe.400000.0.unpack

Malware Configuration Extractor: RedLine {"C2 url": ["91.243.59.21:20856"], "Bot Id": "", "Authorization Header": "f47b457ee61b83e72f234a2e9551f786"}

Multi AV Scanner detection for submitted file

Source: [Cracked By Grizzly] BLTools.exe	Virustotal: Detection: 35%	Perma Link
Source: [Cracked By Grizzly] BLTools.exe	Metadefender: Detection: 37%	Perma Link
Source: [Cracked By Grizzly] BLTools.exe	ReversingLabs: Detection: 80%

Source: [Cracked By Grizzly] BLTools.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source:	Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb source: AppLaunch.exe, 00000002.00000002.503149347.0000000005004000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: AppLaunch.exe, 00000002.00000002.502913370.0000000004F93000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdb125563209-4053062332-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32> source: AppLaunch.exe, 00000002.00000002.502913370.0000000004F93000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdbH source: AppLaunch.exe, 00000002.00000002.502913370.0000000004F93000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdb source: AppLaunch.exe, 00000002.00000002.502913370.0000000004F93000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: AppLaunch.exe, 00000002.00000002.503149347.0000000005004000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: AppLaunch.exe, 00000002.00000002.502913370.0000000004F93000.00000004.00000020.00020000.00000000.sdmp

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 91.243.59.21 ports 20856,0,2,5,6,8

Source: global traffic

TCP traffic: 192.168.2.4:49763 -> 91.243.59.21:20856

Source: Joe Sandbox View

ASN Name: MATTEOGB MATTEOGB

Source: Joe Sandbox View

IP Address: 91.243.59.21 91.243.59.21

Source: unknown	TCP traffic detected without corresponding DNS query: 91.243.59.21
Source: unknown	TCP traffic detected without corresponding DNS query: 91.243.59.21
Source: unknown	TCP traffic detected without corresponding DNS query: 91.243.59.21
Source: unknown	TCP traffic detected without corresponding DNS query: 91.243.59.21
Source: unknown	TCP traffic detected without corresponding DNS query: 91.243.59.21
Source: unknown	TCP traffic detected without corresponding DNS query: 91.243.59.21
Source: unknown	TCP traffic detected without corresponding DNS query: 91.243.59.21
Source: unknown	TCP traffic detected without corresponding DNS query: 91.243.59.21
Source: unknown	TCP traffic detected without corresponding DNS query: 91.243.59.21
Source: unknown	TCP traffic detected without corresponding DNS query: 91.243.59.21
Source: unknown	TCP traffic detected without corresponding DNS query: 91.243.59.21
Source: unknown	TCP traffic detected without corresponding DNS query: 91.243.59.21
Source: unknown	TCP traffic detected without corresponding DNS query: 91.243.59.21
Source: unknown	TCP traffic detected without corresponding DNS query: 91.243.59.21
Source: unknown	TCP traffic detected without corresponding DNS query: 91.243.59.21

Source: [Cracked By Grizzly] BLTools.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: [Cracked By Grizzly] BLTools.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: [Cracked By Grizzly] BLTools.exe	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: [Cracked By Grizzly] BLTools.exe	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: [Cracked By Grizzly] BLTools.exe	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: [Cracked By Grizzly] BLTools.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: [Cracked By Grizzly] BLTools.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: [Cracked By Grizzly] BLTools.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: [Cracked By Grizzly] BLTools.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: [Cracked By Grizzly] BLTools.exe	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: [Cracked By Grizzly] BLTools.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: [Cracked By Grizzly] BLTools.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: [Cracked By Grizzly] BLTools.exe	String found in binary or memory: http://ocsp.digicert.com0O
Source: [Cracked By Grizzly] BLTools.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultL
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9
Source: AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: [Cracked By Grizzly] BLTools.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: [Cracked By Grizzly] BLTools.exe, 00000000.00000003.240798566.0000000003962000.00000040.00001000.00020000.00000000.sdmp, [Cracked By Grizzly] BLTools.exe, 00000000.00000002.241142845.00000000000C0000.00000004.00000010.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.501756193.0000000000402000.00000020.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/ip
Source: [Cracked By Grizzly] BLTools.exe	String found in binary or memory: https://pidgin.im0
Source: [Cracked By Grizzly] BLTools.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: [Cracked By Grizzly] BLTools.exe	String found in binary or memory: https://www.digicert.com/CPS0

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.[Cracked By Grizzly] BLTools.exe.c32dc.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.3.[Cracked By Grizzly] BLTools.exe.3960000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.[Cracked By Grizzly] BLTools.exe.c32dc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen

PE file has nameless sections

Source: [Cracked By Grizzly] BLTools.exe	Static PE information: section name:
Source: [Cracked By Grizzly] BLTools.exe	Static PE information: section name:
Source: [Cracked By Grizzly] BLTools.exe	Static PE information: section name:
Source: [Cracked By Grizzly] BLTools.exe	Static PE information: section name:
Source: [Cracked By Grizzly] BLTools.exe	Static PE information: section name:
Source: [Cracked By Grizzly] BLTools.exe	Static PE information: section name:
Source: [Cracked By Grizzly] BLTools.exe	Static PE information: section name:
Source: [Cracked By Grizzly] BLTools.exe	Static PE information: section name:
Source: [Cracked By Grizzly] BLTools.exe	Static PE information: section name:
Source: [Cracked By Grizzly] BLTools.exe	Static PE information: section name:

Source: [Cracked By Grizzly] BLTools.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: 0.2.[Cracked By Grizzly] BLTools.exe.c32dc.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.3.[Cracked By Grizzly] BLTools.exe.3960000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.[Cracked By Grizzly] BLTools.exe.c32dc.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073

Source: [Cracked By Grizzly] BLTools.exe, 00000000.00000003.240859574.000000000397C000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaveats.exe4 vs [Cracked By Grizzly] BLTools.exe
Source: [Cracked By Grizzly] BLTools.exe, 00000000.00000002.244302159.0000000002711000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs [Cracked By Grizzly] BLTools.exe
Source: [Cracked By Grizzly] BLTools.exe, 00000000.00000002.244302159.0000000002711000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSV vs [Cracked By Grizzly] BLTools.exe
Source: [Cracked By Grizzly] BLTools.exe, 00000000.00000002.241142845.00000000000C0000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaveats.exe4 vs [Cracked By Grizzly] BLTools.exe
Source: [Cracked By Grizzly] BLTools.exe, 00000000.00000003.234247337.00000000026B0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs [Cracked By Grizzly] BLTools.exe
Source: [Cracked By Grizzly] BLTools.exe, 00000000.00000003.234247337.00000000026B0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSV vs [Cracked By Grizzly] BLTools.exe

Source: C:\Users\user\Desktop\[Cracked By Grizzly] BLTools.exe	Code function: 0_3_028DC597	0_3_028DC597
Source: C:\Users\user\Desktop\[Cracked By Grizzly] BLTools.exe	Code function: 0_3_028DC5AC	0_3_028DC5AC
Source: C:\Users\user\Desktop\[Cracked By Grizzly] BLTools.exe	Code function: 0_3_028DC5C5	0_3_028DC5C5
Source: C:\Users\user\Desktop\[Cracked By Grizzly] BLTools.exe	Code function: 0_3_028DC5D4	0_3_028DC5D4
Source: C:\Users\user\Desktop\[Cracked By Grizzly] BLTools.exe	Code function: 0_3_028DC5E4	0_3_028DC5E4
Source: C:\Users\user\Desktop\[Cracked By Grizzly] BLTools.exe	Code function: 0_3_028DC537	0_3_028DC537
Source: C:\Users\user\Desktop\[Cracked By Grizzly] BLTools.exe	Code function: 0_3_028DC546	0_3_028DC546
Source: C:\Users\user\Desktop\[Cracked By Grizzly] BLTools.exe	Code function: 0_3_028DC559	0_3_028DC559
Source: C:\Users\user\Desktop\[Cracked By Grizzly] BLTools.exe	Code function: 0_3_028DC56F	0_3_028DC56F
Source: C:\Users\user\Desktop\[Cracked By Grizzly] BLTools.exe	Code function: 0_3_028DC560	0_3_028DC560

Source: [Cracked By Grizzly] BLTools.exe

Static PE information: invalid certificate

Source: [Cracked By Grizzly] BLTools.exe

Static PE information: Number of sections : 13 > 10

Source: [Cracked By Grizzly] BLTools.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0

Source: [Cracked By Grizzly] BLTools.exe	Static PE information: Section: ZLIB complexity 1.00043247768
Source: [Cracked By Grizzly] BLTools.exe	Static PE information: Section: ZLIB complexity 1.000390625
Source: [Cracked By Grizzly] BLTools.exe	Static PE information: Section: ZLIB complexity 1.021484375

Source: [Cracked By Grizzly] BLTools.exe	Virustotal: Detection: 35%
Source: [Cracked By Grizzly] BLTools.exe	Metadefender: Detection: 37%
Source: [Cracked By Grizzly] BLTools.exe	ReversingLabs: Detection: 80%

Source: C:\Users\user\Desktop\[Cracked By Grizzly] BLTools.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\[Cracked By Grizzly] BLTools.exe

Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\[Cracked By Grizzly] BLTools.exe "C:\Users\user\Desktop\[Cracked By Grizzly] BLTools.exe"
Source: C:\Users\user\Desktop\[Cracked By Grizzly] BLTools.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\[Cracked By Grizzly] BLTools.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Users\user\Desktop\[Cracked By Grizzly] BLTools.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6352:120:WilError_01

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/0@0/1

Source: [Cracked By Grizzly] BLTools.exe

Static file information: File size 4876592 > 1048576

Source: [Cracked By Grizzly] BLTools.exe

Static PE information: Raw size of is bigger than: 0x100000 < 0x42b800

Source:	Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb source: AppLaunch.exe, 00000002.00000002.503149347.0000000005004000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: AppLaunch.exe, 00000002.00000002.502913370.0000000004F93000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdb125563209-4053062332-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32> source: AppLaunch.exe, 00000002.00000002.502913370.0000000004F93000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdbH source: AppLaunch.exe, 00000002.00000002.502913370.0000000004F93000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdb source: AppLaunch.exe, 00000002.00000002.502913370.0000000004F93000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: AppLaunch.exe, 00000002.00000002.503149347.0000000005004000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: AppLaunch.exe, 00000002.00000002.502913370.0000000004F93000.00000004.00000020.00020000.00000000.sdmp

Source: [Cracked By Grizzly] BLTools.exe

Static PE information: real checksum: 0x49afec should be: 0x4ae1d2

Source: C:\Users\user\Desktop\[Cracked By Grizzly] BLTools.exe	Code function: 0_3_028E46C7 push ebx; iretd	0_3_028E46C8
Source: C:\Users\user\Desktop\[Cracked By Grizzly] BLTools.exe	Code function: 0_3_028E2EDD push ss; retf	0_3_028E2ED0
Source: C:\Users\user\Desktop\[Cracked By Grizzly] BLTools.exe	Code function: 0_3_028E1E09 push edx; ret	0_3_028E1E15
Source: C:\Users\user\Desktop\[Cracked By Grizzly] BLTools.exe	Code function: 0_3_028DEA2C push ecx; iretd	0_3_028DEA3B
Source: C:\Users\user\Desktop\[Cracked By Grizzly] BLTools.exe	Code function: 0_3_028DCA4B push cs; retf	0_3_028DCA53
Source: C:\Users\user\Desktop\[Cracked By Grizzly] BLTools.exe	Code function: 0_3_028E2F27 push ss; retf	0_3_028E2ED0
Source: C:\Users\user\Desktop\[Cracked By Grizzly] BLTools.exe	Code function: 0_3_028DC9D9 push edi; iretd	0_3_028DC9DB
Source: C:\Users\user\Desktop\[Cracked By Grizzly] BLTools.exe	Code function: 0_3_028E41F8 push ecx; retf	0_3_028E41F9
Source: C:\Users\user\Desktop\[Cracked By Grizzly] BLTools.exe	Code function: 0_3_028E0D10 push ebp; ret	0_3_028E0D18
Source: C:\Users\user\Desktop\[Cracked By Grizzly] BLTools.exe	Code function: 0_3_028DE527 pushfd ; ret	0_3_028DE551

Source: [Cracked By Grizzly] BLTools.exe	Static PE information: section name:
Source: [Cracked By Grizzly] BLTools.exe	Static PE information: section name:
Source: [Cracked By Grizzly] BLTools.exe	Static PE information: section name:
Source: [Cracked By Grizzly] BLTools.exe	Static PE information: section name:
Source: [Cracked By Grizzly] BLTools.exe	Static PE information: section name:
Source: [Cracked By Grizzly] BLTools.exe	Static PE information: section name:
Source: [Cracked By Grizzly] BLTools.exe	Static PE information: section name:
Source: [Cracked By Grizzly] BLTools.exe	Static PE information: section name:
Source: [Cracked By Grizzly] BLTools.exe	Static PE information: section name:
Source: [Cracked By Grizzly] BLTools.exe	Static PE information: section name:
Source: [Cracked By Grizzly] BLTools.exe	Static PE information: section name: .DsUAVmJ
Source: [Cracked By Grizzly] BLTools.exe	Static PE information: section name: .adata

Source: initial sample	Static PE information: section name: entropy: 7.99710013899
Source: initial sample	Static PE information: section name: entropy: 7.99835334737
Source: initial sample	Static PE information: section name: entropy: 7.48219156794
Source: initial sample	Static PE information: section name: .DsUAVmJ entropy: 7.91809204966

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Users\user\Desktop\[Cracked By Grizzly] BLTools.exe	Memory written: PID: 6344 base: 29F0005 value: E9 FB BF 9C 74	Jump to behavior
Source: C:\Users\user\Desktop\[Cracked By Grizzly] BLTools.exe	Memory written: PID: 6344 base: 773BC000 value: E9 0A 40 63 8B	Jump to behavior
Source: C:\Users\user\Desktop\[Cracked By Grizzly] BLTools.exe	Memory written: PID: 6344 base: 2AA0008 value: E9 AB E0 95 74	Jump to behavior
Source: C:\Users\user\Desktop\[Cracked By Grizzly] BLTools.exe	Memory written: PID: 6344 base: 773FE0B0 value: E9 60 1F 6A 8B	Jump to behavior
Source: C:\Users\user\Desktop\[Cracked By Grizzly] BLTools.exe	Memory written: PID: 6344 base: 2C10005 value: E9 CB 5A FA 72	Jump to behavior
Source: C:\Users\user\Desktop\[Cracked By Grizzly] BLTools.exe	Memory written: PID: 6344 base: 75BB5AD0 value: E9 3A A5 05 8D	Jump to behavior
Source: C:\Users\user\Desktop\[Cracked By Grizzly] BLTools.exe	Memory written: PID: 6344 base: 2CC0005 value: E9 5B B0 F1 72	Jump to behavior
Source: C:\Users\user\Desktop\[Cracked By Grizzly] BLTools.exe	Memory written: PID: 6344 base: 75BDB060 value: E9 AA 4F 0E 8D	Jump to behavior
Source: C:\Users\user\Desktop\[Cracked By Grizzly] BLTools.exe	Memory written: PID: 6344 base: 3940005 value: E9 DB F8 5A 73	Jump to behavior
Source: C:\Users\user\Desktop\[Cracked By Grizzly] BLTools.exe	Memory written: PID: 6344 base: 76EEF8E0 value: E9 2A 07 A5 8C	Jump to behavior
Source: C:\Users\user\Desktop\[Cracked By Grizzly] BLTools.exe	Memory written: PID: 6344 base: 3950005 value: E9 FB 42 5C 73	Jump to behavior
Source: C:\Users\user\Desktop\[Cracked By Grizzly] BLTools.exe	Memory written: PID: 6344 base: 76F14300 value: E9 0A BD A3 8C	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\[Cracked By Grizzly] BLTools.exe

RDTSC instruction interceptor: First address: 00000000004D3AE7 second address: 00000000004D3AED instructions: 0x00000000 rdtsc 0x00000002 mov al, cl 0x00000004 popfd 0x00000005 pop ebx 0x00000006 rdtsc

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\[Cracked By Grizzly] BLTools.exe

Process information queried: ProcessInformation

Jump to behavior

Source: AppLaunch.exe, 00000002.00000002.503149347.0000000005004000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllE

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Users\user\Desktop\[Cracked By Grizzly] BLTools.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000			Jump to behavior
Source: C:\Users\user\Desktop\[Cracked By Grizzly] BLTools.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 9A2008			Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\[Cracked By Grizzly] BLTools.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\[Cracked By Grizzly] BLTools.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\[Cracked By Grizzly] BLTools.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: 0.3.[Cracked By Grizzly] BLTools.exe.3960000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.[Cracked By Grizzly] BLTools.exe.c32dc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.501756193.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.240798566.0000000003962000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.241142845.00000000000C0000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: [Cracked By Grizzly] BLTools.exe PID: 6344, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AppLaunch.exe PID: 6452, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: 0.3.[Cracked By Grizzly] BLTools.exe.3960000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.[Cracked By Grizzly] BLTools.exe.c32dc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.501756193.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.240798566.0000000003962000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.241142845.00000000000C0000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: [Cracked By Grizzly] BLTools.exe PID: 6344, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AppLaunch.exe PID: 6452, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	311 Process Injection	1 Disable or Modify Tools	1 Credential API Hooking	11 Security Software Discovery	Remote Services	1 Credential API Hooking	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	2 Software Packing	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	311 Process Injection	Security Account Manager	112 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	2 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
[Cracked By Grizzly] BLTools.exe	36%	Virustotal		Browse
[Cracked By Grizzly] BLTools.exe	37%	Metadefender		Browse
[Cracked By Grizzly] BLTools.exe	81%	ReversingLabs	Win32.Trojan.Generic

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
2.2.AppLaunch.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1247441		Download File
0.3.[Cracked By Grizzly] BLTools.exe.3960000.0.unpack	100%	Avira	HEUR/AGEN.1247441		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://tempuri.org/Entity/Id10Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id8Response	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://tempuri.org/Entity/Id12Response	0%	URL Reputation	safe
http://tempuri.org/	0%	URL Reputation	safe
http://tempuri.org/Entity/Id2Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id21Response	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	0%	URL Reputation	safe
http://tempuri.org/Entity/Id9	0%	URL Reputation	safe
http://tempuri.org/Entity/Id8	0%	URL Reputation	safe
http://tempuri.org/Entity/Id5	0%	URL Reputation	safe
http://tempuri.org/Entity/Id23Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id4	0%	URL Reputation	safe
http://tempuri.org/Entity/Id7	0%	URL Reputation	safe
http://tempuri.org/Entity/Id6	0%	URL Reputation	safe
http://tempuri.org/Entity/Id19Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id17Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id20Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id15Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id13Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id4Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id6Response	0%	URL Reputation	safe
https://api.ip.sb/ip	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://tempuri.org/Entity/Id7Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id11Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id9Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id20	0%	URL Reputation	safe
http://tempuri.org/Entity/Id22Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id21	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	0%	URL Reputation	safe
http://tempuri.org/Entity/Id22	0%	URL Reputation	safe
https://pidgin.im0	0%	URL Reputation	safe
http://tempuri.org/Entity/Id23	0%	URL Reputation	safe
http://tempuri.org/Entity/Id24	0%	URL Reputation	safe
http://tempuri.org/Entity/Id24Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id1Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id1	0%	URL Reputation	safe
http://tempuri.org/Entity/Id3	0%	URL Reputation	safe
http://tempuri.org/Entity/Id2	0%	URL Reputation	safe
http://tempuri.org/Entity/Id18Response	0%	URL Reputation	safe
http://tempuri.org/Entity/	0%	URL Reputation	safe
http://tempuri.org/Entity/Id3Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id10	0%	URL Reputation	safe
http://tempuri.org/Entity/Id11	0%	URL Reputation	safe
http://tempuri.org/Entity/Id12	0%	URL Reputation	safe
http://tempuri.org/Entity/Id16Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id13	0%	URL Reputation	safe
http://tempuri.org/Entity/Id14	0%	URL Reputation	safe
http://tempuri.org/Entity/Id15	0%	URL Reputation	safe
http://tempuri.org/Entity/Id16	0%	URL Reputation	safe
http://tempuri.org/Entity/Id17	0%	URL Reputation	safe
http://tempuri.org/Entity/Id18	0%	URL Reputation	safe
http://tempuri.org/Entity/Id5Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id19	0%	URL Reputation	safe
http://tempuri.org/Entity/Id14Response	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://tempuri.org/Entity/Id10Response	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id8Response	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultL	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	[Cracked By Grizzly] BLTools.exe	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id12Response	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/envelope/	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id2Response	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id21Response	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	[Cracked By Grizzly] BLTools.exe	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id9	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id8	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id5	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id23Response	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id4	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id7	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id6	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id19Response	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id17Response	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id20Response	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id15Response	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id13Response	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id4Response	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id6Response	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ip.sb/ip	[Cracked By Grizzly] BLTools.exe, 00000000.00000003.240798566.0000000003962000.00000040.00001000.00020000.00000000.sdmp, [Cracked By Grizzly] BLTools.exe, 00000000.00000002.241142845.00000000000C0000.00000004.00000010.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.501756193.0000000000402000.00000020.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sectigo.com/CPS0	[Cracked By Grizzly] BLTools.exe	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id7Response	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id11Response	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id9Response	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id20	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id22Response	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id21	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	[Cracked By Grizzly] BLTools.exe	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id22	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://pidgin.im0	[Cracked By Grizzly] BLTools.exe	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id23	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id24	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id24Response	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id1Response	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id1	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id3	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id2	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id18Response	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id3Response	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id10	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id11	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id12	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id16Response	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id13	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id14	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id15	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id16	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id17	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id18	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id5Response	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id19	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/actor/next	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id14Response	AppLaunch.exe, 00000002.00000002.503418851.0000000006B01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
91.243.59.21	unknown	Russian Federation		206233	MATTEOGB	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	622381
Start date and time: 09/05/202203:25:18	2022-05-09 03:25:18 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	[Cracked By Grizzly] BLTools.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@4/0@0/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 100% (good quality ratio 100%) Quality average: 84% Quality standard deviation: 16%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Execution Graph export aborted for target [Cracked By Grizzly] BLTools.exe, PID 6344 because there are no executed function
Not all processes where analyzed, report is missing behavior information

Match	Associated Sample Name / URL	SHA 256	Detection	Link
91.243.59.21	95452262.exe	Get hash	malicious	Browse
	47419588.exe	Get hash	malicious	Browse
	50010871.exe	Get hash	malicious	Browse
	33895278.exe	Get hash	malicious	Browse
	36053707.exe	Get hash	malicious	Browse
	99233144.exe	Get hash	malicious	Browse
	93800576.exe	Get hash	malicious	Browse
	31489078.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.GenericKD.48421112.31829.exe	Get hash	malicious	Browse
	0jzlH8piEC.exe	Get hash	malicious	Browse
	vegas190.exe	Get hash	malicious	Browse
	ADOBE PREMIERE PRO.exe	Get hash	malicious	Browse
	0RnrrZOSzv.exe	Get hash	malicious	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
MATTEOGB	4sEgS3BBbZ.exe	Get hash	malicious	Browse	91.243.59.24
	p8pt2tWWQ5.exe	Get hash	malicious	Browse	91.243.59.61
	nplv4.exe	Get hash	malicious	Browse	91.243.59.6
	jUes01JMMh.exe	Get hash	malicious	Browse	91.243.32.156
	vXx3qaOTj8.exe	Get hash	malicious	Browse	91.243.59.43
	EGlHNjp8LR.exe	Get hash	malicious	Browse	91.243.32.68
	61bc908f5b92e57bbce7d94430b2d76a9cc1076291059.exe	Get hash	malicious	Browse	91.243.59.6
	S4b1t5zPE3.exe	Get hash	malicious	Browse	91.243.59.108
	NJzC8967VW.exe	Get hash	malicious	Browse	91.243.32.216
	sqQAd1WFZx.exe	Get hash	malicious	Browse	91.243.32.216
	#3Y6OLSbuild.exe	Get hash	malicious	Browse	91.243.32.216
	setup.exe	Get hash	malicious	Browse	91.243.59.131
	Setup.exe	Get hash	malicious	Browse	91.243.59.131
	8M6GxOELu4.exe	Get hash	malicious	Browse	91.243.32.114
	Elsify v2.exe	Get hash	malicious	Browse	91.243.32.184
	AbletonLive11.exe	Get hash	malicious	Browse	91.243.32.184
	ANTIBAN.exe	Get hash	malicious	Browse	91.243.32.216
	40o3KE0O0Q.exe	Get hash	malicious	Browse	91.243.32.38
	FYdKFJ3iex.exe	Get hash	malicious	Browse	91.243.32.184
	96705614.exe	Get hash	malicious	Browse	91.243.59.131

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.999160092890352
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	[Cracked By Grizzly] BLTools.exe
File size:	4876592
MD5:	efc205935046e1dd720c7097cb04a82f
SHA1:	804e239dd03a7b1e3e8d48778216babb55c9bd41
SHA256:	7771e7efe0e4b1b778b221c23befeffdc20e77883a4782298fed407a2c7e9c06
SHA512:	7ccf33eb459121597db18db3f007a0353b9b38109c86670ca5fed12e41092881024ad03a2a1e81a1a7c74f433a0cc88a076233e15735f0adf8e2f208782fc877
SSDEEP:	98304:Jgxg/wWg/aachUdgXw5YMcBklkksfbONQgQGTx4nTifOwRP/7Yy9:X/w1/fc+dgg5CBkiksfiNd4nTifOUP/z
TLSH:	313633ADD22A7615CA1B37707125BB9F76E122A639E8DC27372CE0E447016B1BF7502C
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b.............................p............@...........................w.......I....................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x417000
Entrypoint Section:
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE, NX_COMPAT
Time Stamp:	0x6214D0E9 [Tue Feb 22 12:02:49 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	fddc083fa31a17c938d0a17ec7cd3025

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Sectigo RSA Code Signing CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	3/22/2021 1:00:00 AM 3/22/2024 12:59:59 AM
Subject Chain	CN=Gary Kramlich, O=Gary Kramlich, STREET=2653 N 54TH ST, L=MILWAUKEE, S=Wisconsin, PostalCode=53210, C=US
Version:	3
Thumbprint MD5:	394B591BC2CE78B7CF207BF4082E62F4
Thumbprint SHA-1:	ADFA744AA074FB5DC57EE6445A3E18D606C7BF96
Thumbprint SHA-256:	AE7DB8B64E8ABD9D36876F049B9770D90C0868D7FE1A2D37CF327DF69FA2DBFE
Serial:	00F6AD45188E5566AA317BE23B4B8B2C2F

Entrypoint Preview

Instruction
push 00B32001h
call 00007F7F4CD4BDC6h
ret
ret
dec edi
outsd
fld tbyte ptr [eax+0FFB4123h]
aad 03h
xchg byte ptr [EE9C3DE2h], al
scasd
sub eax, 433B7F75h
in eax, 2Ch
cwde
pop edx
push ss
lds ecx, esp
sbb bh, byte ptr [edi+ecx*8]
pop ebx
dec esp
loop 00007F7F4CD4BDF4h
xchg eax, edx

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x732c7c	0x114	.DsUAVmJ
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x731000	0x7a7	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x4a2000	0x4930
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x100000

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x153f4	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
	0x17000	0x24000	0x11800	False	1.00043247768	data	7.99710013899	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
	0x3b000	0xf922	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
	0x4b000	0x1cf0	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
	0x4d000	0x23c8	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
	0x50000	0x1a000	0x19a00	False	1.000390625	data	7.99835334737	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
	0x6a000	0x23a3	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
	0x6d000	0x26b3ac	0x0	unknown	unknown	unknown	unknown	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
	0x2d9000	0x1000	0x200	False	1.021484375	data	7.48219156794	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
	0x2da000	0x457000	0x42b800	unknown	unknown	unknown	unknown	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x731000	0x1000	0x800	False	0.36181640625	data	4.96051792344	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.DsUAVmJ	0x732000	0x4b000	0x4a800	False	0.987475094379	data	7.91809204966	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.adata	0x77d000	0x1000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_MESSAGETABLE	0x7310a0	0x34	data
RT_MANIFEST	0x7310d4	0x6d3	XML 1.0 document, ASCII text, with CRLF line terminators

Imports

DLL	Import
kernel32.dll	GetProcAddress, GetModuleHandleA, LoadLibraryA
user32.dll	GetSysColorBrush
user32.dll	CharUpperBuffW
oleaut32.dll	VariantChangeTypeEx
kernel32.dll	RaiseException

Network Behavior

Download Network PCAP: filtered – full

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 9, 2022 03:26:41.313715935 CEST	49763	20856	192.168.2.4	91.243.59.21
May 9, 2022 03:26:44.416555882 CEST	49763	20856	192.168.2.4	91.243.59.21
May 9, 2022 03:26:50.479495049 CEST	49763	20856	192.168.2.4	91.243.59.21
May 9, 2022 03:27:07.776370049 CEST	49772	20856	192.168.2.4	91.243.59.21
May 9, 2022 03:27:10.778114080 CEST	49772	20856	192.168.2.4	91.243.59.21
May 9, 2022 03:27:16.778640032 CEST	49772	20856	192.168.2.4	91.243.59.21
May 9, 2022 03:27:33.800961971 CEST	49814	20856	192.168.2.4	91.243.59.21
May 9, 2022 03:27:36.811605930 CEST	49814	20856	192.168.2.4	91.243.59.21
May 9, 2022 03:27:42.859014988 CEST	49814	20856	192.168.2.4	91.243.59.21
May 9, 2022 03:27:59.881500006 CEST	49853	20856	192.168.2.4	91.243.59.21
May 9, 2022 03:28:02.892211914 CEST	49853	20856	192.168.2.4	91.243.59.21
May 9, 2022 03:28:08.924154997 CEST	49853	20856	192.168.2.4	91.243.59.21
May 9, 2022 03:28:25.960792065 CEST	49858	20856	192.168.2.4	91.243.59.21
May 9, 2022 03:28:28.972507954 CEST	49858	20856	192.168.2.4	91.243.59.21
May 9, 2022 03:28:34.988593102 CEST	49858	20856	192.168.2.4	91.243.59.21

Statistics

Click to jump to process

Memory Usage

• [Cracked By Grizzly] BLTools.exe
• conhost.exe
• AppLaunch.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry
• Network

Click to dive into process behavior distribution

Behavior

• [Cracked By Grizzly] BLTools.exe
• conhost.exe
• AppLaunch.exe

Click to jump to process

Target ID:	0
Start time:	03:26:19
Start date:	09/05/2022
Path:	C:\Users\user\Desktop\[Cracked By Grizzly] BLTools.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\[Cracked By Grizzly] BLTools.exe"
Imagebase:	0x400000
File size:	4876592 bytes
MD5 hash:	EFC205935046E1DD720C7097CB04A82F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000003.240798566.0000000003962000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.241142845.00000000000C0000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Target ID:	1
Start time:	03:26:20
Start date:	09/05/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff647620000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	2
Start time:	03:26:24
Start date:	09/05/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Imagebase:	0xa90000
File size:	98912 bytes
MD5 hash:	6807F903AC06FF7E1670181378690B22
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.501756193.0000000000402000.00000020.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Function 028DC537 Relevance: 3.9, Strings: 3, Instructions: 157COMMON

Download Yara Rule

Strings

>D, xrefs: 028DC6EB
|mE, xrefs: 028DC6CB
"R@, xrefs: 028DC689

Memory Dump Source

Source File: 00000000.00000003.235163742.00000000028DC000.00000004.00001000.00020000.00000000.sdmp, Offset: 028DC000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_28dc000_[Cracked By Grizzly] BLTools.jbxd

Similarity

API ID:
String ID: "R@$|mE$>D
API String ID: 0-1509467082
Opcode ID: ecefb17d5bfcd6bd2f93e6bd7b8e335289646e6f1aa24f099978999cc7076d28
Instruction ID: 45ba58b01714590eea17f1a6cd80bc0445dee76e93208d175741918a1d218267
Opcode Fuzzy Hash: ecefb17d5bfcd6bd2f93e6bd7b8e335289646e6f1aa24f099978999cc7076d28
Instruction Fuzzy Hash: 7C41447F518209DF8248C938DD808AB7BA6EBC5278B58CB2FF013CA1E9D734D54AC645

Uniqueness

Uniqueness Score: -1.00%

Function 028DC546 Relevance: 3.9, Strings: 3, Instructions: 149COMMON

Download Yara Rule

Strings

>D, xrefs: 028DC6EB
|mE, xrefs: 028DC6CB
"R@, xrefs: 028DC689

Memory Dump Source

Source File: 00000000.00000003.235163742.00000000028DC000.00000004.00001000.00020000.00000000.sdmp, Offset: 028DC000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_28dc000_[Cracked By Grizzly] BLTools.jbxd

Similarity

API ID:
String ID: "R@$|mE$>D
API String ID: 0-1509467082
Opcode ID: 635fbe85012d6e8e6b8560de81709f2a0d06412565953d7b6b40cea0800aa47e
Instruction ID: 53c0229de25192d17fdcfe4c14f2a6b7328e14ce472a361330a7fc8409f58aff
Opcode Fuzzy Hash: 635fbe85012d6e8e6b8560de81709f2a0d06412565953d7b6b40cea0800aa47e
Instruction Fuzzy Hash: 6A41467F518109DB4248C938DD8087B7BA6EBD9278B58CB2FF413CA1E9D730D54AC645

Uniqueness

Uniqueness Score: -1.00%

Function 028DC559 Relevance: 3.9, Strings: 3, Instructions: 142COMMON

Download Yara Rule

Strings

>D, xrefs: 028DC6EB
|mE, xrefs: 028DC6CB
"R@, xrefs: 028DC689

Memory Dump Source

Source File: 00000000.00000003.235163742.00000000028DC000.00000004.00001000.00020000.00000000.sdmp, Offset: 028DC000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_28dc000_[Cracked By Grizzly] BLTools.jbxd

Similarity

API ID:
String ID: "R@$|mE$>D
API String ID: 0-1509467082
Opcode ID: 6c6851a965e43631fbe97cb902f8d78c421bfea797aaa71187e139d92a25a307
Instruction ID: 3fdbfef6f26b1423b8009c78e08d0c54e37d1e8813c639e2ba220d2d25fd5942
Opcode Fuzzy Hash: 6c6851a965e43631fbe97cb902f8d78c421bfea797aaa71187e139d92a25a307
Instruction Fuzzy Hash: 2341587F518109DB8248C934DD8087B7BA6EBD9278B58CB2FF413CA1A9D730D54AC645

Uniqueness

Uniqueness Score: -1.00%

Function 028DC560 Relevance: 3.9, Strings: 3, Instructions: 140COMMON

Download Yara Rule

Strings

>D, xrefs: 028DC6EB
|mE, xrefs: 028DC6CB
"R@, xrefs: 028DC689

Memory Dump Source

Source File: 00000000.00000003.235163742.00000000028DC000.00000004.00001000.00020000.00000000.sdmp, Offset: 028DC000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_28dc000_[Cracked By Grizzly] BLTools.jbxd

Similarity

API ID:
String ID: "R@$|mE$>D
API String ID: 0-1509467082
Opcode ID: 77609fa63fd9ce96cca0038557752bbe26fb43fd28fe501425fd160bb20b00f2
Instruction ID: b721240fb2afa4b7a193d663b500642e298afb94c958c22aec63e3eb029c953b
Opcode Fuzzy Hash: 77609fa63fd9ce96cca0038557752bbe26fb43fd28fe501425fd160bb20b00f2
Instruction Fuzzy Hash: A041487F618109DF8248CD34DD808AB7BA6EBD9278B58CB2FF443CA1A9D730D54AC645

Uniqueness

Uniqueness Score: -1.00%

Function 028DC56F Relevance: 3.9, Strings: 3, Instructions: 137COMMON

Download Yara Rule

Strings

>D, xrefs: 028DC6EB
|mE, xrefs: 028DC6CB
"R@, xrefs: 028DC689

Memory Dump Source

Source File: 00000000.00000003.235163742.00000000028DC000.00000004.00001000.00020000.00000000.sdmp, Offset: 028DC000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_28dc000_[Cracked By Grizzly] BLTools.jbxd

Similarity

API ID:
String ID: "R@$|mE$>D
API String ID: 0-1509467082
Opcode ID: 0fe8d24a127855f6aa1839698240bd759d68be425f4dee73f66681e52654dec9
Instruction ID: 3641d080d79e2aef485b8675720d5dc1582c4aab6574e9a0006aeca52b4d15c6
Opcode Fuzzy Hash: 0fe8d24a127855f6aa1839698240bd759d68be425f4dee73f66681e52654dec9
Instruction Fuzzy Hash: AE41377F218109DB4248CD34DD808AB7BA6ABD9278B58CB2FF443CA1A9D730D54AC645

Uniqueness

Uniqueness Score: -1.00%

Function 028DC597 Relevance: 3.9, Strings: 3, Instructions: 125COMMON

Download Yara Rule

Strings

>D, xrefs: 028DC6EB
|mE, xrefs: 028DC6CB
"R@, xrefs: 028DC689

Memory Dump Source

Source File: 00000000.00000003.235163742.00000000028DC000.00000004.00001000.00020000.00000000.sdmp, Offset: 028DC000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_28dc000_[Cracked By Grizzly] BLTools.jbxd

Similarity

API ID:
String ID: "R@$|mE$>D
API String ID: 0-1509467082
Opcode ID: a92894088b107ab49866067542a9095f8767af55c2fa78828a7457494aa0a585
Instruction ID: ee64fc2ee5fd8777fd888fd13eacfb27695aab93c33f65fd1f75a6caead5bea1
Opcode Fuzzy Hash: a92894088b107ab49866067542a9095f8767af55c2fa78828a7457494aa0a585
Instruction Fuzzy Hash: 37313A7F218109DB5248C934DD8086B7BA6E7C9278B58CB2FF047CA199D730D54AC645

Uniqueness

Uniqueness Score: -1.00%

Function 028DC5AC Relevance: 3.9, Strings: 3, Instructions: 120COMMON

Download Yara Rule

Strings

>D, xrefs: 028DC6EB
|mE, xrefs: 028DC6CB
"R@, xrefs: 028DC689

Memory Dump Source

Source File: 00000000.00000003.235163742.00000000028DC000.00000004.00001000.00020000.00000000.sdmp, Offset: 028DC000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_28dc000_[Cracked By Grizzly] BLTools.jbxd

Similarity

API ID:
String ID: "R@$|mE$>D
API String ID: 0-1509467082
Opcode ID: dca083e4c54bc1d895935cf8e032ac5119c32c6c402de80eda3470e73d085662
Instruction ID: 0a4476b36f21fa584b511e7a9ce10dfe8eee4222929df6611cfce57acac6b5cf
Opcode Fuzzy Hash: dca083e4c54bc1d895935cf8e032ac5119c32c6c402de80eda3470e73d085662
Instruction Fuzzy Hash: 9D314A7F21C109DB4248C934ED808AB7BA6E7C9378B59CB2FE047CB1A9D734954AC645

Uniqueness

Uniqueness Score: -1.00%

Function 028DC5C5 Relevance: 3.9, Strings: 3, Instructions: 111COMMON

Download Yara Rule

Strings

>D, xrefs: 028DC6EB
|mE, xrefs: 028DC6CB
"R@, xrefs: 028DC689

Memory Dump Source

Source File: 00000000.00000003.235163742.00000000028DC000.00000004.00001000.00020000.00000000.sdmp, Offset: 028DC000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_28dc000_[Cracked By Grizzly] BLTools.jbxd

Similarity

API ID:
String ID: "R@$|mE$>D
API String ID: 0-1509467082
Opcode ID: da90f05abbe26e508f21599d37d508fbc53bc6d0e90393ffab5869c4803e2b42
Instruction ID: 492189084e8e9c317fd9a0473408b92fbd6bb0f80f5a2fb55f3a464bbc15d59c
Opcode Fuzzy Hash: da90f05abbe26e508f21599d37d508fbc53bc6d0e90393ffab5869c4803e2b42
Instruction Fuzzy Hash: 63315A7F208109DB8348CD34ED808AB7BA6EBC9278B55DB2FE047CA1A9D734954AC645

Uniqueness

Uniqueness Score: -1.00%

Function 028DC5D4 Relevance: 3.9, Strings: 3, Instructions: 109COMMON

Download Yara Rule

Strings

>D, xrefs: 028DC6EB
|mE, xrefs: 028DC6CB
"R@, xrefs: 028DC689

Memory Dump Source

Source File: 00000000.00000003.235163742.00000000028DC000.00000004.00001000.00020000.00000000.sdmp, Offset: 028DC000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_28dc000_[Cracked By Grizzly] BLTools.jbxd

Similarity

API ID:
String ID: "R@$|mE$>D
API String ID: 0-1509467082
Opcode ID: 81d477a00ce4460cf9f4711f216dc5d3d8e4414dd64ac95ef8bd759bee74f23a
Instruction ID: 612dc2cdb08e860ee8f27d4fd67a67b1c83b7b92aecbea7cb3c818d11b38a8b0
Opcode Fuzzy Hash: 81d477a00ce4460cf9f4711f216dc5d3d8e4414dd64ac95ef8bd759bee74f23a
Instruction Fuzzy Hash: 16318D7F20C109DB4248C934ED808BB7BA6D7C9278B55CB3FF007CA1A9D734944AC649

Uniqueness

Uniqueness Score: -1.00%

Function 028DC5E4 Relevance: 3.9, Strings: 3, Instructions: 103COMMON

Download Yara Rule

Strings

>D, xrefs: 028DC6EB
|mE, xrefs: 028DC6CB
"R@, xrefs: 028DC689

Memory Dump Source

Source File: 00000000.00000003.235163742.00000000028DC000.00000004.00001000.00020000.00000000.sdmp, Offset: 028DC000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_28dc000_[Cracked By Grizzly] BLTools.jbxd

Similarity

API ID:
String ID: "R@$|mE$>D
API String ID: 0-1509467082
Opcode ID: 510ced9700cf18e3ff7cec95e1fa8197ddbdd6c9f6bc39f1cb734fcaf652fb18
Instruction ID: 5cc728fbe71aadeee243335d1cbf191a689f327c21f0d3ee94ee950b4f8ba1d5
Opcode Fuzzy Hash: 510ced9700cf18e3ff7cec95e1fa8197ddbdd6c9f6bc39f1cb734fcaf652fb18
Instruction Fuzzy Hash: 2631697F20C109DB8248C934ED808BB7B9AD7C9278759D73FE007CA1A9D734944AC649

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report [Cracked By Grizzly] BLTools.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: RedLine

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

TCP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Windows Analysis Report
[Cracked By Grizzly] BLTools.exe