Windows Analysis Report
lNf8XY8HLb.exe

Overview

General Information

Sample name: lNf8XY8HLb.exe (renamed because the original name is a hash value)
Original sample name: 7637c65d7d91f91e0507ed92ca67d011.exe
Analysis ID: 1545097
MD5: 7637c65d7d91f91e0507ed92ca67d011
SHA1: 7421f4ec388c0596be5df2cd07873b52fe94fe03
SHA256: d3d22f35f4571d498c8d6cb177cc260301652b9dd030ca431bd6bf2a4626f0c4
Tags: 32 exe trojan

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected RedLine Stealer
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Yara detected Credential Stealer
Yara signature match

Classification

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

AV Detection

Source: lNf8XY8HLb.exe Avira: detected
Source: 2.2.InstallUtil.exe.700000.0.unpack Malware Configuration Extractor: RedLine {"C2 url": "194.48.251.46/93.123.109.157"}
Source: lNf8XY8HLb.exe ReversingLabs: Detection: 47%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: lNf8XY8HLb.exe Joe Sandbox ML: detected
Source: lNf8XY8HLb.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: lNf8XY8HLb.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: \??\C:\Windows\System.ServiceModel.pdb source: InstallUtil.exe, 00000002.00000002.3374957570.0000000000B07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: InstallUtil.exe, 00000002.00000002.3374957570.0000000000B07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdbl|` source: InstallUtil.exe, 00000002.00000002.3374957570.0000000000B07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: lNf8XY8HLb.exe, 00000000.00000002.2149675897.0000000005270000.00000004.08000000.00040000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2132297348.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2147687054.00000000036B7000.00000004.00000800.00020000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2147687054.0000000003731000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: lNf8XY8HLb.exe, 00000000.00000002.2149675897.0000000005270000.00000004.08000000.00040000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2132297348.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2147687054.00000000036B7000.00000004.00000800.00020000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2147687054.0000000003731000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: HP<oHC:\Windows\System.ServiceModel.pdb source: InstallUtil.exe, 00000002.00000002.3374351564.00000000006F8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: lNf8XY8HLb.exe, 00000000.00000002.2147687054.0000000003866000.00000004.00000800.00020000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2149415983.00000000051B0000.00000004.08000000.00040000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2147687054.00000000037F4000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.pdb source: InstallUtil.exe, 00000002.00000002.3378140779.0000000005221000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: InstallUtil.exe, 00000002.00000002.3374957570.0000000000B07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: lNf8XY8HLb.exe, 00000000.00000002.2147687054.0000000003866000.00000004.00000800.00020000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2149415983.00000000051B0000.00000004.08000000.00040000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2147687054.00000000037F4000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: InstallUtil.exe, 00000002.00000002.3374957570.0000000000B07000.00000004.00000020.00020000.00000000.sdmp

Networking

Source: Malware configuration extractor URLs: 194.48.251.46/93.123.109.157
Source: unknown DNS traffic detected: query: panel.o7lab.me1337 replaycode: Name error (3)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: panel.o7lab.me1337
Source: InstallUtil.exe, 00000002.00000002.3375862226.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.000000000286B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.000000000297B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.0000000002896000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://panel.o7lab.me1337
Source: InstallUtil.exe, 00000002.00000002.3375862226.0000000002896000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://panel.o7lab.me1337/
Source: InstallUtil.exe, 00000002.00000002.3375862226.00000000027C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: InstallUtil.exe, 00000002.00000002.3375862226.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.000000000286B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.0000000002864000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.000000000297B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.0000000002896000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: InstallUtil.exe, 00000002.00000002.3375862226.00000000027C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: InstallUtil.exe, 00000002.00000002.3375862226.00000000027C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX
Source: InstallUtil.exe, 00000002.00000002.3375862226.00000000027C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: lNf8XY8HLb.exe, 00000000.00000002.2132297348.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.00000000027C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: InstallUtil.exe, 00000002.00000002.3375862226.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.000000000286B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.0000000002864000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.000000000297B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.0000000002896000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/
Source: InstallUtil.exe, 00000002.00000002.3375862226.0000000002864000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/0
Source: InstallUtil.exe, 00000002.00000002.3375862226.0000000002896000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/
Source: InstallUtil.exe, 00000002.00000002.3375862226.0000000002896000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
Source: InstallUtil.exe, 00000002.00000002.3375862226.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.000000000286B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.000000000297B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.0000000002896000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectLR
Source: InstallUtil.exe, 00000002.00000002.3375862226.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.000000000286B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.000000000297B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.0000000002896000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
Source: InstallUtil.exe, 00000002.00000002.3375862226.00000000027C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectT
Source: InstallUtil.exe, 00000002.00000002.3375862226.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.000000000286B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.000000000297B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.0000000002896000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsLR
Source: InstallUtil.exe, 00000002.00000002.3375862226.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.000000000286B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.000000000297B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.0000000002896000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
Source: InstallUtil.exe, 00000002.00000002.3375862226.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.000000000286B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.000000000297B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.0000000002896000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesLR
Source: InstallUtil.exe, 00000002.00000002.3375862226.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.000000000286B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.000000000297B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.0000000002896000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: InstallUtil.exe, 00000002.00000002.3375862226.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.000000000286B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.000000000297B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.0000000002896000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentLR
Source: InstallUtil.exe, 00000002.00000002.3375862226.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.000000000286B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.000000000297B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.0000000002896000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
Source: InstallUtil.exe, 00000002.00000002.3375862226.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.000000000286B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.000000000297B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.0000000002896000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateLR
Source: InstallUtil.exe, 00000002.00000002.3375862226.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.000000000286B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.000000000297B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.0000000002896000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: lNf8XY8HLb.exe, 00000000.00000002.2147687054.0000000003731000.00000004.00000800.00020000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2147687054.00000000037F4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3374386867.0000000000702000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: lNf8XY8HLb.exe, 00000000.00000002.2147687054.0000000003731000.00000004.00000800.00020000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2147687054.00000000037F4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3374386867.0000000000702000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: lNf8XY8HLb.exe, 00000000.00000002.2147687054.0000000003866000.00000004.00000800.00020000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2149415983.00000000051B0000.00000004.08000000.00040000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2147687054.00000000037F4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: lNf8XY8HLb.exe, 00000000.00000002.2147687054.0000000003866000.00000004.00000800.00020000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2149415983.00000000051B0000.00000004.08000000.00040000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2147687054.00000000037F4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: lNf8XY8HLb.exe, 00000000.00000002.2147687054.0000000003866000.00000004.00000800.00020000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2149415983.00000000051B0000.00000004.08000000.00040000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2147687054.00000000037F4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: lNf8XY8HLb.exe, 00000000.00000002.2147687054.0000000003731000.00000004.00000800.00020000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2147687054.00000000037F4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3374386867.0000000000702000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: lNf8XY8HLb.exe, 00000000.00000002.2147687054.0000000003866000.00000004.00000800.00020000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2149415983.00000000051B0000.00000004.08000000.00040000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2147687054.00000000037F4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: lNf8XY8HLb.exe, 00000000.00000002.2132297348.000000000270D000.00000004.00000800.00020000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2147687054.0000000003866000.00000004.00000800.00020000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2149415983.00000000051B0000.00000004.08000000.00040000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2147687054.00000000037F4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: lNf8XY8HLb.exe, 00000000.00000002.2147687054.0000000003866000.00000004.00000800.00020000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2149415983.00000000051B0000.00000004.08000000.00040000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2147687054.00000000037F4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354

System Summary

Source: 2.2.InstallUtil.exe.700000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 2.2.InstallUtil.exe.700000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.lNf8XY8HLb.exe.377fdb0.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.lNf8XY8HLb.exe.377fdb0.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.lNf8XY8HLb.exe.377fdb0.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.lNf8XY8HLb.exe.377fdb0.4.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.lNf8XY8HLb.exe.3731590.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.lNf8XY8HLb.exe.3731590.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000002.00000002.3374386867.0000000000702000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000000.00000002.2147687054.00000000037F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000000.00000002.2147687054.0000000003731000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: lNf8XY8HLb.exe PID: 2548, type: MEMORYSTR Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: InstallUtil.exe PID: 1432, type: MEMORYSTR Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe Code function: 0_2_024968F8 0_2_024968F8
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe Code function: 0_2_024951A0 0_2_024951A0
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe Code function: 0_2_02491A00 0_2_02491A00
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe Code function: 0_2_024968E9 0_2_024968E9
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe Code function: 0_2_0249EE18 0_2_0249EE18
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe Code function: 0_2_02495190 0_2_02495190
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe Code function: 0_2_05A6ECF0 0_2_05A6ECF0
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe Code function: 0_2_05A50007 0_2_05A50007
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe Code function: 0_2_05A6E008 0_2_05A6E008
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe Code function: 0_2_05A50040 0_2_05A50040
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe Code function: 0_2_05A6E3F0 0_2_05A6E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_00A6E7B0 2_2_00A6E7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_00A6DC90 2_2_00A6DC90
Source: lNf8XY8HLb.exe, 00000000.00000002.2132297348.00000000026B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs lNf8XY8HLb.exe
Source: lNf8XY8HLb.exe, 00000000.00000000.2121997026.00000000003BA000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameredline.exe0 vs lNf8XY8HLb.exe
Source: lNf8XY8HLb.exe, 00000000.00000002.2149675897.0000000005270000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs lNf8XY8HLb.exe
Source: lNf8XY8HLb.exe, 00000000.00000002.2147687054.0000000003866000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs lNf8XY8HLb.exe
Source: lNf8XY8HLb.exe, 00000000.00000002.2132297348.00000000029D1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs lNf8XY8HLb.exe
Source: lNf8XY8HLb.exe, 00000000.00000002.2131028362.00000000007BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs lNf8XY8HLb.exe
Source: lNf8XY8HLb.exe, 00000000.00000002.2147687054.00000000036B7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs lNf8XY8HLb.exe
Source: lNf8XY8HLb.exe, 00000000.00000002.2149415983.00000000051B0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs lNf8XY8HLb.exe
Source: lNf8XY8HLb.exe, 00000000.00000002.2132297348.0000000002A57000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameImplosions.exe4 vs lNf8XY8HLb.exe
Source: lNf8XY8HLb.exe, 00000000.00000002.2147687054.0000000003731000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs lNf8XY8HLb.exe
Source: lNf8XY8HLb.exe, 00000000.00000002.2147687054.0000000003731000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameImplosions.exe4 vs lNf8XY8HLb.exe
Source: lNf8XY8HLb.exe, 00000000.00000002.2148514302.0000000004D70000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameZzmvrlsj.dll" vs lNf8XY8HLb.exe
Source: lNf8XY8HLb.exe, 00000000.00000002.2147687054.00000000037F4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs lNf8XY8HLb.exe
Source: lNf8XY8HLb.exe Binary or memory string: OriginalFilenameredline.exe0 vs lNf8XY8HLb.exe
Source: lNf8XY8HLb.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 2.2.InstallUtil.exe.700000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 2.2.InstallUtil.exe.700000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.lNf8XY8HLb.exe.377fdb0.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.lNf8XY8HLb.exe.377fdb0.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.lNf8XY8HLb.exe.377fdb0.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.lNf8XY8HLb.exe.377fdb0.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.lNf8XY8HLb.exe.3731590.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.lNf8XY8HLb.exe.3731590.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000002.00000002.3374386867.0000000000702000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000000.00000002.2147687054.00000000037F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000000.00000002.2147687054.0000000003731000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: lNf8XY8HLb.exe PID: 2548, type: MEMORYSTR Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: InstallUtil.exe PID: 1432, type: MEMORYSTR Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: lNf8XY8HLb.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.lNf8XY8HLb.exe.5270000.10.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.lNf8XY8HLb.exe.5270000.10.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.lNf8XY8HLb.exe.5270000.10.raw.unpack, Task.cs Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.lNf8XY8HLb.exe.5270000.10.raw.unpack, TaskService.cs Task registration methods: 'CreateFromToken'
Source: 0.2.lNf8XY8HLb.exe.3731590.3.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.lNf8XY8HLb.exe.3731590.3.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.lNf8XY8HLb.exe.3731590.3.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.lNf8XY8HLb.exe.5270000.10.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.lNf8XY8HLb.exe.5270000.10.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.lNf8XY8HLb.exe.3731590.3.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.lNf8XY8HLb.exe.3731590.3.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.lNf8XY8HLb.exe.3731590.3.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.lNf8XY8HLb.exe.36e1570.2.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.lNf8XY8HLb.exe.5270000.10.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.lNf8XY8HLb.exe.3731590.3.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.lNf8XY8HLb.exe.3731590.3.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.lNf8XY8HLb.exe.36e1570.2.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.lNf8XY8HLb.exe.5270000.10.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.lNf8XY8HLb.exe.5270000.10.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.lNf8XY8HLb.exe.36e1570.2.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.lNf8XY8HLb.exe.36e1570.2.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.lNf8XY8HLb.exe.36e1570.2.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.lNf8XY8HLb.exe.5270000.10.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.lNf8XY8HLb.exe.36e1570.2.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@4/0@25/0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3852:120:WilError_03
Source: lNf8XY8HLb.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: lNf8XY8HLb.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: lNf8XY8HLb.exe ReversingLabs: Detection: 47%
Source: unknown Process created: C:\Users\user\Desktop\lNf8XY8HLb.exe "C:\Users\user\Desktop\lNf8XY8HLb.exe"
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wtsapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winsta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: lNf8XY8HLb.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: lNf8XY8HLb.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: lNf8XY8HLb.exe Static file information: File size 1077248 > 1048576
Source: lNf8XY8HLb.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x106600
Source: lNf8XY8HLb.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: \??\C:\Windows\System.ServiceModel.pdb source: InstallUtil.exe, 00000002.00000002.3374957570.0000000000B07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: InstallUtil.exe, 00000002.00000002.3374957570.0000000000B07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdbl|` source: InstallUtil.exe, 00000002.00000002.3374957570.0000000000B07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: lNf8XY8HLb.exe, 00000000.00000002.2149675897.0000000005270000.00000004.08000000.00040000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2132297348.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2147687054.00000000036B7000.00000004.00000800.00020000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2147687054.0000000003731000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: lNf8XY8HLb.exe, 00000000.00000002.2149675897.0000000005270000.00000004.08000000.00040000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2132297348.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2147687054.00000000036B7000.00000004.00000800.00020000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2147687054.0000000003731000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: HP<oHC:\Windows\System.ServiceModel.pdb source: InstallUtil.exe, 00000002.00000002.3374351564.00000000006F8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: lNf8XY8HLb.exe, 00000000.00000002.2147687054.0000000003866000.00000004.00000800.00020000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2149415983.00000000051B0000.00000004.08000000.00040000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2147687054.00000000037F4000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.pdb source: InstallUtil.exe, 00000002.00000002.3378140779.0000000005221000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: InstallUtil.exe, 00000002.00000002.3374957570.0000000000B07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: lNf8XY8HLb.exe, 00000000.00000002.2147687054.0000000003866000.00000004.00000800.00020000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2149415983.00000000051B0000.00000004.08000000.00040000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2147687054.00000000037F4000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: InstallUtil.exe, 00000002.00000002.3374957570.0000000000B07000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: lNf8XY8HLb.exe, ConfigDescriptorListener.cs .Net Code: QueryAlgo System.Reflection.Assembly.Load(byte[])
Source: 0.2.lNf8XY8HLb.exe.5270000.10.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.lNf8XY8HLb.exe.5270000.10.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.lNf8XY8HLb.exe.5270000.10.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Source: 0.2.lNf8XY8HLb.exe.51b0000.9.raw.unpack, TypeModel.cs .Net Code: TryDeserializeList
Source: 0.2.lNf8XY8HLb.exe.51b0000.9.raw.unpack, ListDecorator.cs .Net Code: Read
Source: 0.2.lNf8XY8HLb.exe.51b0000.9.raw.unpack, TypeSerializer.cs .Net Code: CreateInstance
Source: 0.2.lNf8XY8HLb.exe.51b0000.9.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateInstance
Source: 0.2.lNf8XY8HLb.exe.51b0000.9.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateIfNull
Source: 0.2.lNf8XY8HLb.exe.3731590.3.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.lNf8XY8HLb.exe.3731590.3.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.lNf8XY8HLb.exe.3731590.3.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Source: 0.2.lNf8XY8HLb.exe.36e1570.2.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.lNf8XY8HLb.exe.36e1570.2.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.lNf8XY8HLb.exe.36e1570.2.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Source: Yara match File source: 0.2.lNf8XY8HLb.exe.5150000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2149289785.0000000005150000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2132297348.000000000270D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: lNf8XY8HLb.exe PID: 2548, type: MEMORYSTR
Source: lNf8XY8HLb.exe Static PE information: section name: .text entropy: 7.918696279398938
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: lNf8XY8HLb.exe PID: 2548, type: MEMORYSTR
Source: lNf8XY8HLb.exe, 00000000.00000002.2132297348.000000000270D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe Memory allocated: 2490000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe Memory allocated: 26B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe Memory allocated: 46B0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: A60000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 27C0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 24E0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3756 Thread sleep time: -110000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Last function: Thread delayed
Source: lNf8XY8HLb.exe, 00000000.00000002.2132297348.000000000270D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
Source: lNf8XY8HLb.exe, 00000000.00000002.2132297348.000000000270D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: model0Microsoft|VMWare|Virtual
Source: InstallUtil.exe, 00000002.00000002.3378140779.0000000005200000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: 0.2.lNf8XY8HLb.exe.5270000.10.raw.unpack, NativeMethods.cs Reference to suspicious API methods: OpenProcessToken(hProcess, desiredAccess, out var TokenHandle)
Source: 0.2.lNf8XY8HLb.exe.5270000.10.raw.unpack, ResourceReferenceValue.cs Reference to suspicious API methods: NativeMethods.LoadLibrary(ResourceFilePath)
Source: 0.2.lNf8XY8HLb.exe.377fdb0.4.raw.unpack, NativeHelper.cs Reference to suspicious API methods: GetProcAddress(hModule, "GetConsoleWindow")
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe Queries volume information: C:\Users\user\Desktop\lNf8XY8HLb.exe VolumeInformation
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 2.2.InstallUtil.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.lNf8XY8HLb.exe.377fdb0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.lNf8XY8HLb.exe.377fdb0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.lNf8XY8HLb.exe.3731590.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.3374386867.0000000000702000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2132297348.0000000002A57000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2147687054.00000000037F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2147687054.0000000003731000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: lNf8XY8HLb.exe PID: 2548, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 1432, type: MEMORYSTR
Source: lNf8XY8HLb.exe, 00000000.00000002.2132297348.0000000002A57000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ElectrumRule
Source: lNf8XY8HLb.exe, 00000000.00000002.2132297348.0000000002A57000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: JaxxxLibertyAfihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: lNf8XY8HLb.exe, 00000000.00000002.2147687054.0000000003731000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlite*ssfn*ExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxe*Winhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry*.vstring.ReplacedfJaxxpathBSJB
Source: lNf8XY8HLb.exe, 00000000.00000002.2132297348.0000000002A57000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ExodusRule
Source: lNf8XY8HLb.exe, 00000000.00000002.2148514302.0000000004D70000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: set_UseMachineKeyStore
Source: Yara match File source: 2.2.InstallUtil.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.lNf8XY8HLb.exe.377fdb0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.lNf8XY8HLb.exe.377fdb0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.lNf8XY8HLb.exe.3731590.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.3374386867.0000000000702000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2132297348.0000000002A57000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2147687054.00000000037F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2147687054.0000000003731000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: lNf8XY8HLb.exe PID: 2548, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 1432, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 2.2.InstallUtil.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.lNf8XY8HLb.exe.377fdb0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.lNf8XY8HLb.exe.377fdb0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.lNf8XY8HLb.exe.3731590.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.3374386867.0000000000702000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2132297348.0000000002A57000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2147687054.00000000037F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2147687054.0000000003731000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: lNf8XY8HLb.exe PID: 2548, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 1432, type: MEMORYSTR
No contacted IP infos