Edit tour
Windows
Analysis Report
3VtKPs7ESr.exe
Overview
General Information
Detection
Eternity Clipper, RedLine
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Yara detected RedLine Stealer
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Yara detected Eternity Clipper
Snort IDS alert for network traffic
Tries to steal Crypto Currency Wallets
Found Tor onion address
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses TOR for connection hidding
Uses known network protocols on non-standard ports
Machine Learning detection for sample
Uses ping.exe to check the status of other devices and networks
May check the online IP address of the machine
.NET source code contains potential unpacker
Yara detected Generic Downloader
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Uses schtasks.exe or at.exe to add and modify task schedules
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Contains functionality to detect virtual machines (STR)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Drops PE files
Binary contains a suspicious time stamp
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Classification
- System is w10x64
- 3VtKPs7ESr.exe (PID: 584 cmdline:
"C:\Users\ user\Deskt op\3VtKPs7 ESr.exe" MD5: 28121F220582DF68FBE058B6F24B7E81) - 0.exe (PID: 2860 cmdline:
"C:\Users\ user\AppDa ta\Roaming \0.exe" MD5: 12E0F770A0133FDCED521962B0363AA4) - cmd.exe (PID: 6356 cmdline:
C:\Windows \System32\ cmd.exe" / C chcp 650 01 && ping 127.0.0.1 && schtas ks /create /tn "0" / sc MINUTE /tr "C:\Us ers\user\A ppData\Loc al\Service Hub\0.exe" /rl HIGHE ST /f && D EL /F /S / Q /A "C:\U sers\user\ AppData\Ro aming\0.ex e" &&START "" "C:\Us ers\user\A ppData\Loc al\Service Hub\0.exe MD5: F3BDBE3BB6F734E357235F4D5898582D) - conhost.exe (PID: 6376 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) - chcp.com (PID: 6452 cmdline:
chcp 65001 MD5: 561054CF9C4B2897E80D7E7D9027FED9) - PING.EXE (PID: 6468 cmdline:
ping 127.0 .0.1 MD5: 70C24A306F768936563ABDADB9CA9108) - schtasks.exe (PID: 6520 cmdline:
schtasks / create /tn "0" /sc M INUTE /tr "C:\Users\ user\AppDa ta\Local\S erviceHub\ 0.exe" /rl HIGHEST / f MD5: 15FF7D8324231381BAD48A052F85DF04) - 0.exe (PID: 6536 cmdline:
"C:\Users\ user\AppDa ta\Local\S erviceHub\ 0.exe" MD5: 12E0F770A0133FDCED521962B0363AA4) - 1.exe (PID: 6172 cmdline:
"C:\Users\ user\AppDa ta\Roaming \1.exe" MD5: 0FE3AED7C7723105FA1646E3C3077721) - conhost.exe (PID: 6204 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- 0.exe (PID: 6552 cmdline:
C:\Users\u ser\AppDat a\Local\Se rviceHub\0 .exe MD5: 12E0F770A0133FDCED521962B0363AA4)
- 0.exe (PID: 6328 cmdline:
C:\Users\u ser\AppDat a\Local\Se rviceHub\0 .exe MD5: 12E0F770A0133FDCED521962B0363AA4)
- cleanup
{"C2 url": ["172.93.144.140:3128"], "Bot Id": "cheat"}
{"C2 url": "http://rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | ||
JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | ||
JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen |
| |
JoeSecurity_EternityClipper | Yara detected Eternity Clipper | Joe Security | ||
Click to see the 1 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_EternityClipper | Yara detected Eternity Clipper | Joe Security | ||
JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_EternityClipper | Yara detected Eternity Clipper | Joe Security | ||
JoeSecurity_EternityClipper | Yara detected Eternity Clipper | Joe Security | ||
Click to see the 29 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_EternityClipper | Yara detected Eternity Clipper | Joe Security | ||
JoeSecurity_EternityClipper | Yara detected Eternity Clipper | Joe Security | ||
JoeSecurity_EternityClipper | Yara detected Eternity Clipper | Joe Security | ||
JoeSecurity_EternityClipper | Yara detected Eternity Clipper | Joe Security | ||
JoeSecurity_EternityClipper | Yara detected Eternity Clipper | Joe Security | ||
Click to see the 35 entries |
⊘No Sigma rule has matched
Timestamp: | 192.168.2.4172.93.144.1404977131282849351 07/22/22-14:04:50.389120 |
SID: | 2849351 |
Source Port: | 49771 |
Destination Port: | 3128 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 192.168.2.4172.93.144.1404977131282849662 07/22/22-14:04:36.578188 |
SID: | 2849662 |
Source Port: | 49771 |
Destination Port: | 3128 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | Virustotal: | Perma Link | ||
Source: | Metadefender: | Perma Link | ||
Source: | ReversingLabs: |
Source: | Avira: |
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: |
Source: | Virustotal: | Perma Link |
Source: | Avira: |
Source: | Metadefender: | Perma Link | ||
Source: | Metadefender: | Perma Link | ||
Source: | Metadefender: | Perma Link | ||
Source: | ReversingLabs: |
Source: | Joe Sandbox ML: |
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: |
Source: | Malware Configuration Extractor: | ||
Source: | Malware Configuration Extractor: |
Source: | Static PE information: |
Source: | Binary string: |
Networking |
---|
Source: | Snort IDS: | ||
Source: | Snort IDS: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | DNS query: |
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
Source: | Process created: |
Source: | DNS query: |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | URLs: |
Source: | ASN Name: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | IP Address: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: |
Source: | String found in binary or memory: |