File name:

TJUCA_random.exe

Full analysis: https://app.any.run/tasks/01da35db-fb56-412f-a8c6-e46858b6d50c
Verdict: Malicious activity
Threats:

RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware.

Malware Trends Tracker     >>>
Analysis date: January 31, 2025, 18:26:18
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
themida
redline
stealer
lefthook
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (console) Intel 80386, for MS Windows, 7 sections
MD5:

F662CB18E04CC62863751B672570BD7D

SHA1:

1630D460C4CA5061D1D10ECDFD9A3C7D85B30896

SHA256:

1E9FF1FC659F304A408CFF60895EF815D0A9D669A3D462E0046F55C8C6FEAFC2

SSDEEP:

98304:fHSjoRFYkVA5Kx9v4VDSMmy1wbEJf/5Fx3OqeMNMChm3eF76aDMpu2NHXipJzLaH:AEG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • REDLINE has been detected (SURICATA)

      • TJUCA_random.exe (PID: 6424)

    • REDLINE has been detected (YARA)

      • TJUCA_random.exe (PID: 6424)

    • Actions looks like stealing of personal data

      • TJUCA_random.exe (PID: 6424)

    • LEFTHOOK has been detected (SURICATA)

      • TJUCA_random.exe (PID: 6424)

    • Steals credentials from Web Browsers

      • TJUCA_random.exe (PID: 6424)

  • SUSPICIOUS

    • Connects to unusual port

      • TJUCA_random.exe (PID: 6424)

    • Reads the BIOS version

      • TJUCA_random.exe (PID: 6424)

    • Contacting a server suspected of hosting an CnC

      • TJUCA_random.exe (PID: 6424)

  • INFO

    • Checks supported languages

      • TJUCA_random.exe (PID: 6424)

    • Themida protector has been detected

      • TJUCA_random.exe (PID: 6424)

    • Reads the software policy settings

      • TJUCA_random.exe (PID: 6424)

    • Reads the machine GUID from the registry

      • TJUCA_random.exe (PID: 6424)

    • Create files in a temporary directory

      • TJUCA_random.exe (PID: 6424)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

RedLine

(PID) Process(6424) TJUCA_random.exe
C2 (1)103.84.89.222:33791
Botnetcheat
Keys
Xor
Options
ErrorMessage
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2097:08:14 23:34:58+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 95232
InitializedDataSize: 2048
UninitializedDataSize: -
EntryPoint: 0x474000
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows command line
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileDescription:
FileVersion: 0.0.0.0
InternalName: Implosions.exe
LegalCopyright:
OriginalFileName: Implosions.exe
ProductVersion: 0.0.0.0
AssemblyVersion: 0.0.0.0
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
118
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #REDLINE tjuca_random.exe conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
6424"C:\Users\admin\Desktop\TJUCA_random.exe" C:\Users\admin\Desktop\TJUCA_random.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
0.0.0.0
Modules
Images
c:\users\admin\desktop\tjuca_random.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
RedLine
(PID) Process(6424) TJUCA_random.exe
C2 (1)103.84.89.222:33791
Botnetcheat
Keys
Xor
Options
ErrorMessage
6432\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeTJUCA_random.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
3 847
Read events
3 847
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
42
Text files
6
Unknown types
0

Dropped files

PID
Process
Filename
Type
6424TJUCA_random.exeC:\Users\admin\AppData\Local\Temp\tmpB598.tmpbinary
MD5:A45465CDCDC6CB30C8906F3DA4EC114C
SHA256:4412319EF944EBCCA9581CBACB1D4E1DC614C348D1DFC5D2FAAAAD863D300209
6424TJUCA_random.exeC:\Users\admin\AppData\Local\Temp\tmpB588.tmpbinary
MD5:A45465CDCDC6CB30C8906F3DA4EC114C
SHA256:4412319EF944EBCCA9581CBACB1D4E1DC614C348D1DFC5D2FAAAAD863D300209
6424TJUCA_random.exeC:\Users\admin\AppData\Local\Temp\tmpB5AB.tmpbinary
MD5:A45465CDCDC6CB30C8906F3DA4EC114C
SHA256:4412319EF944EBCCA9581CBACB1D4E1DC614C348D1DFC5D2FAAAAD863D300209
6424TJUCA_random.exeC:\Users\admin\AppData\Local\Temp\tmpB5AA.tmpbinary
MD5:A45465CDCDC6CB30C8906F3DA4EC114C
SHA256:4412319EF944EBCCA9581CBACB1D4E1DC614C348D1DFC5D2FAAAAD863D300209
6424TJUCA_random.exeC:\Users\admin\AppData\Local\Temp\tmpB5BD.tmpbinary
MD5:F6C33AC5E1032A0873BE7BFC65169287
SHA256:D97895CEDED32E33D57BDCACCDBE144E58AA87AF4D2F8855D630286CE30A8D83
6424TJUCA_random.exeC:\Users\admin\AppData\Local\Temp\tmpB5DF.tmpbinary
MD5:F6C33AC5E1032A0873BE7BFC65169287
SHA256:D97895CEDED32E33D57BDCACCDBE144E58AA87AF4D2F8855D630286CE30A8D83
6424TJUCA_random.exeC:\Users\admin\AppData\Local\Temp\tmpB622.tmpbinary
MD5:F6C33AC5E1032A0873BE7BFC65169287
SHA256:D97895CEDED32E33D57BDCACCDBE144E58AA87AF4D2F8855D630286CE30A8D83
6424TJUCA_random.exeC:\Users\admin\AppData\Local\Temp\tmpB5BC.tmpbinary
MD5:A45465CDCDC6CB30C8906F3DA4EC114C
SHA256:4412319EF944EBCCA9581CBACB1D4E1DC614C348D1DFC5D2FAAAAD863D300209
6424TJUCA_random.exeC:\Users\admin\AppData\Local\Temp\tmpB5DE.tmpbinary
MD5:F6C33AC5E1032A0873BE7BFC65169287
SHA256:D97895CEDED32E33D57BDCACCDBE144E58AA87AF4D2F8855D630286CE30A8D83
6424TJUCA_random.exeC:\Users\admin\AppData\Local\Temp\tmpB600.tmpbinary
MD5:F6C33AC5E1032A0873BE7BFC65169287
SHA256:D97895CEDED32E33D57BDCACCDBE144E58AA87AF4D2F8855D630286CE30A8D83
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
21
DNS requests
7
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
2.16.253.202:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4504
svchost.exe
GET
200
95.101.78.40:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
95.101.78.40:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4504
svchost.exe
GET
200
2.16.253.202:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6424
TJUCA_random.exe
POST
200
103.84.89.222:33791
http://103.84.89.222:33791/
unknown
malicious
6424
TJUCA_random.exe
POST
200
103.84.89.222:33791
http://103.84.89.222:33791/
unknown
malicious
6424
TJUCA_random.exe
POST
200
103.84.89.222:33791
http://103.84.89.222:33791/
unknown
malicious
6424
TJUCA_random.exe
POST
200
103.84.89.222:33791
http://103.84.89.222:33791/
unknown
malicious
GET
200
104.26.12.31:443
https://api.ip.sb/geoip
unknown
binary
367 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
4712
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4504
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4712
MoUsoCoreWorker.exe
95.101.78.40:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
4504
svchost.exe
95.101.78.40:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
4712
MoUsoCoreWorker.exe
2.16.253.202:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
4504
svchost.exe
2.16.253.202:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6424
TJUCA_random.exe
103.84.89.222:33791
HK AISI CLOUD COMPUTING LIMITED
HK
malicious

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 51.124.78.146
whitelisted
google.com
  • 216.58.212.142
whitelisted
crl.microsoft.com
  • 95.101.78.40
  • 95.101.78.42
whitelisted
www.microsoft.com
  • 2.16.253.202
whitelisted
api.ip.sb
  • 104.26.13.31
  • 172.67.75.172
  • 104.26.12.31
whitelisted
self.events.data.microsoft.com
  • 52.182.143.209
whitelisted

Threats

PID
Process
Class
Message
6424
TJUCA_random.exe
Malware Command and Control Activity Detected
ET MALWARE RedLine Stealer - CheckConnect Response
6424
TJUCA_random.exe
A Network Trojan was detected
AV TROJAN RedLine Stealer Config Download
6424
TJUCA_random.exe
Malware Command and Control Activity Detected
ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound
Process
Message
TJUCA_random.exe
%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
TJUCA_random.exe