Malware analysis Galaxy Swapper v2.exe Malicious activity

Add for printing

File name:	Galaxy Swapper v2.exe
Full analysis:	https://app.any.run/tasks/84f34a05-1179-41ae-970d-66d84f7fb18f
Verdict:	Malicious activity
Threats:	RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	February 12, 2024, 06:37:20
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	stealer redline
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (console) Intel 80386, for MS Windows
MD5:	DE662C216C9CBEA5B53AD30D412D606E
SHA1:	0D7D74B5F9B401DFC5C8CD3F34E275E57D042E63
SHA256:	1FD12B4B8AF2ECD380B8FA3CBBD97C1B1B33BE6902EC5D6ECBB3BD536B482BDA
SSDEEP:	12288:+cSXm2+pPeyPodRxQlTztbWLd8GWWVmpugf2tr6d0GHui0TXdKex:+gZGqodRxQlTztbW58GW4tr5Qui0TYc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 180 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 120 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.19596 KB4534251
Adobe Acrobat Reader DC (20.013.20064)
Adobe Acrobat Reader DC (20.013.20064)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Refresh Manager (1.8.0)
Adobe Refresh Manager (1.8.0)
CCleaner (6.14)
CCleaner (6.14)
FileZilla 3.65.0 (3.65.0)
FileZilla 3.65.0 (3.65.0)
Google Chrome (109.0.5414.120)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.36.31)
Google Update Helper (1.3.36.31)
Java 8 Update 271 (8.0.2710.9)
Java 8 Update 271 (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Java Auto Updater (2.8.271.9)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft Edge (109.0.1518.115)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.175.29)
Microsoft Edge Update (1.3.175.29)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (32-bit x86) (7.9.1)
Notepad++ (32-bit x86) (7.9.1)
PowerShell 7-x86 (7.2.11.0)
PowerShell 7-x86 (7.2.11.0)
Skype version 8.110 (8.110)
Skype version 8.110 (8.110)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
VLC media player (3.0.11)
VLC media player (3.0.11)
WinRAR 5.91 (32-bit) (5.91.0)
WinRAR 5.91 (32-bit) (5.91.0)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - runas.exe (PID: 3672)
- REDLINE has been detected (YARA)
  - Galaxy Swapper v2.exe (PID: 2848)
  - Galaxy Swapper v2.exe (PID: 2792)
  - Galaxy Swapper v2.exe (PID: 2320)
  - Galaxy Swapper v2.exe (PID: 4080)
  - Galaxy Swapper v2.exe (PID: 3492)
  - Galaxy Swapper v2.exe (PID: 3612)
  - Galaxy Swapper v2.exe (PID: 3216)
- REDLINE has been detected (SURICATA)
  - Galaxy Swapper v2.exe (PID: 2848)
  - Galaxy Swapper v2.exe (PID: 2792)
  - Galaxy Swapper v2.exe (PID: 2320)
  - Galaxy Swapper v2.exe (PID: 4080)
  - Galaxy Swapper v2.exe (PID: 3492)
  - Galaxy Swapper v2.exe (PID: 3612)
  - Galaxy Swapper v2.exe (PID: 2928)
  - Galaxy Swapper v2.exe (PID: 4020)
  - Galaxy Swapper v2.exe (PID: 3700)
  - Galaxy Swapper v2.exe (PID: 3664)
  - Galaxy Swapper v2.exe (PID: 908)
  - Galaxy Swapper v2.exe (PID: 3216)
  - Galaxy Swapper v2.exe (PID: 4008)
- Connects to the CnC server
  - Galaxy Swapper v2.exe (PID: 2848)
  - Galaxy Swapper v2.exe (PID: 2320)
  - Galaxy Swapper v2.exe (PID: 4080)
  - Galaxy Swapper v2.exe (PID: 3492)
  - Galaxy Swapper v2.exe (PID: 2792)
  - Galaxy Swapper v2.exe (PID: 908)
  - Galaxy Swapper v2.exe (PID: 3612)
  - Galaxy Swapper v2.exe (PID: 2928)
  - Galaxy Swapper v2.exe (PID: 4020)
  - Galaxy Swapper v2.exe (PID: 3700)
  - Galaxy Swapper v2.exe (PID: 3216)
  - Galaxy Swapper v2.exe (PID: 3664)
  - Galaxy Swapper v2.exe (PID: 4008)
- Actions looks like stealing of personal data
  - Galaxy Swapper v2.exe (PID: 2848)
  - Galaxy Swapper v2.exe (PID: 2792)
  - Galaxy Swapper v2.exe (PID: 2320)
  - Galaxy Swapper v2.exe (PID: 4080)
  - Galaxy Swapper v2.exe (PID: 3492)
  - Galaxy Swapper v2.exe (PID: 908)
  - Galaxy Swapper v2.exe (PID: 3664)
  - Galaxy Swapper v2.exe (PID: 2928)
  - Galaxy Swapper v2.exe (PID: 4020)
  - Galaxy Swapper v2.exe (PID: 3216)
  - Galaxy Swapper v2.exe (PID: 3700)
  - Galaxy Swapper v2.exe (PID: 4008)
  - Galaxy Swapper v2.exe (PID: 3612)
- Steals credentials from Web Browsers
  - Galaxy Swapper v2.exe (PID: 2848)
  - Galaxy Swapper v2.exe (PID: 2792)
  - Galaxy Swapper v2.exe (PID: 2320)
  - Galaxy Swapper v2.exe (PID: 4080)
  - Galaxy Swapper v2.exe (PID: 3492)
  - Galaxy Swapper v2.exe (PID: 908)
  - Galaxy Swapper v2.exe (PID: 2928)
  - Galaxy Swapper v2.exe (PID: 4020)
  - Galaxy Swapper v2.exe (PID: 3664)
  - Galaxy Swapper v2.exe (PID: 3700)
  - Galaxy Swapper v2.exe (PID: 3216)
  - Galaxy Swapper v2.exe (PID: 3612)
  - Galaxy Swapper v2.exe (PID: 4008)
SUSPICIOUS
- Reads the Internet Settings
  - Galaxy Swapper v2.exe (PID: 2848)
  - Galaxy Swapper v2.exe (PID: 2792)
  - Galaxy Swapper v2.exe (PID: 2320)
  - taskmgr.exe (PID: 1404)
  - Galaxy Swapper v2.exe (PID: 4080)
  - Galaxy Swapper v2.exe (PID: 3492)
  - Galaxy Swapper v2.exe (PID: 2928)
  - Galaxy Swapper v2.exe (PID: 908)
  - Galaxy Swapper v2.exe (PID: 4020)
  - Galaxy Swapper v2.exe (PID: 3664)
  - Galaxy Swapper v2.exe (PID: 3700)
  - Galaxy Swapper v2.exe (PID: 3216)
  - Galaxy Swapper v2.exe (PID: 4008)
  - Galaxy Swapper v2.exe (PID: 3612)
- Reads settings of System Certificates
  - Galaxy Swapper v2.exe (PID: 2848)
  - Galaxy Swapper v2.exe (PID: 2792)
  - Galaxy Swapper v2.exe (PID: 2320)
  - Galaxy Swapper v2.exe (PID: 4080)
  - Galaxy Swapper v2.exe (PID: 3492)
  - Galaxy Swapper v2.exe (PID: 908)
  - Galaxy Swapper v2.exe (PID: 4020)
  - Galaxy Swapper v2.exe (PID: 2928)
  - Galaxy Swapper v2.exe (PID: 3216)
  - Galaxy Swapper v2.exe (PID: 3664)
  - Galaxy Swapper v2.exe (PID: 4008)
  - Galaxy Swapper v2.exe (PID: 3700)
  - Galaxy Swapper v2.exe (PID: 3612)
- Searches for installed software
  - Galaxy Swapper v2.exe (PID: 2848)
  - Galaxy Swapper v2.exe (PID: 2792)
  - Galaxy Swapper v2.exe (PID: 2320)
  - Galaxy Swapper v2.exe (PID: 4080)
  - Galaxy Swapper v2.exe (PID: 3492)
  - Galaxy Swapper v2.exe (PID: 908)
  - Galaxy Swapper v2.exe (PID: 2928)
  - Galaxy Swapper v2.exe (PID: 3664)
  - Galaxy Swapper v2.exe (PID: 4020)
  - Galaxy Swapper v2.exe (PID: 3216)
  - Galaxy Swapper v2.exe (PID: 3700)
  - Galaxy Swapper v2.exe (PID: 4008)
  - Galaxy Swapper v2.exe (PID: 3612)
- Reads browser cookies
  - Galaxy Swapper v2.exe (PID: 2792)
  - Galaxy Swapper v2.exe (PID: 2320)
  - Galaxy Swapper v2.exe (PID: 4080)
  - Galaxy Swapper v2.exe (PID: 3492)
  - Galaxy Swapper v2.exe (PID: 908)
  - Galaxy Swapper v2.exe (PID: 2928)
  - Galaxy Swapper v2.exe (PID: 3664)
  - Galaxy Swapper v2.exe (PID: 4020)
  - Galaxy Swapper v2.exe (PID: 3216)
  - Galaxy Swapper v2.exe (PID: 3700)
  - Galaxy Swapper v2.exe (PID: 4008)
  - Galaxy Swapper v2.exe (PID: 3612)
- Application launched itself
  - taskmgr.exe (PID: 1404)
INFO
- Checks supported languages
  - Galaxy Swapper v2.exe (PID: 2848)
  - Galaxy Swapper v2.exe (PID: 2792)
  - Galaxy Swapper v2.exe (PID: 2320)
  - Galaxy Swapper v2.exe (PID: 4080)
  - Galaxy Swapper v2.exe (PID: 3492)
  - Galaxy Swapper v2.exe (PID: 908)
  - Galaxy Swapper v2.exe (PID: 2928)
  - Galaxy Swapper v2.exe (PID: 4020)
  - Galaxy Swapper v2.exe (PID: 3612)
  - Galaxy Swapper v2.exe (PID: 3664)
  - Galaxy Swapper v2.exe (PID: 3700)
  - Galaxy Swapper v2.exe (PID: 3216)
  - Galaxy Swapper v2.exe (PID: 4008)
- Reads the computer name
  - Galaxy Swapper v2.exe (PID: 2848)
  - Galaxy Swapper v2.exe (PID: 4080)
  - Galaxy Swapper v2.exe (PID: 3492)
  - Galaxy Swapper v2.exe (PID: 908)
  - Galaxy Swapper v2.exe (PID: 2792)
  - Galaxy Swapper v2.exe (PID: 2320)
  - Galaxy Swapper v2.exe (PID: 3612)
  - Galaxy Swapper v2.exe (PID: 2928)
  - Galaxy Swapper v2.exe (PID: 3664)
  - Galaxy Swapper v2.exe (PID: 3700)
  - Galaxy Swapper v2.exe (PID: 4008)
  - Galaxy Swapper v2.exe (PID: 3216)
  - Galaxy Swapper v2.exe (PID: 4020)
- Reads the machine GUID from the registry
  - Galaxy Swapper v2.exe (PID: 2848)
  - Galaxy Swapper v2.exe (PID: 2320)
  - Galaxy Swapper v2.exe (PID: 4080)
  - Galaxy Swapper v2.exe (PID: 3492)
  - Galaxy Swapper v2.exe (PID: 2792)
  - Galaxy Swapper v2.exe (PID: 908)
  - Galaxy Swapper v2.exe (PID: 3612)
  - Galaxy Swapper v2.exe (PID: 2928)
  - Galaxy Swapper v2.exe (PID: 4020)
  - Galaxy Swapper v2.exe (PID: 3664)
  - Galaxy Swapper v2.exe (PID: 3700)
  - Galaxy Swapper v2.exe (PID: 3216)
  - Galaxy Swapper v2.exe (PID: 4008)
- Reads Environment values
  - Galaxy Swapper v2.exe (PID: 2848)
  - Galaxy Swapper v2.exe (PID: 2320)
  - Galaxy Swapper v2.exe (PID: 4080)
  - Galaxy Swapper v2.exe (PID: 3492)
  - Galaxy Swapper v2.exe (PID: 2792)
  - Galaxy Swapper v2.exe (PID: 2928)
  - Galaxy Swapper v2.exe (PID: 908)
  - Galaxy Swapper v2.exe (PID: 4020)
  - Galaxy Swapper v2.exe (PID: 3664)
  - Galaxy Swapper v2.exe (PID: 3700)
  - Galaxy Swapper v2.exe (PID: 3216)
  - Galaxy Swapper v2.exe (PID: 4008)
  - Galaxy Swapper v2.exe (PID: 3612)
- Reads the software policy settings
  - Galaxy Swapper v2.exe (PID: 2848)
  - Galaxy Swapper v2.exe (PID: 2792)
  - Galaxy Swapper v2.exe (PID: 2320)
  - Galaxy Swapper v2.exe (PID: 4080)
  - Galaxy Swapper v2.exe (PID: 3492)
  - Galaxy Swapper v2.exe (PID: 908)
  - Galaxy Swapper v2.exe (PID: 2928)
  - Galaxy Swapper v2.exe (PID: 4020)
  - Galaxy Swapper v2.exe (PID: 3664)
  - Galaxy Swapper v2.exe (PID: 3700)
  - Galaxy Swapper v2.exe (PID: 3216)
  - Galaxy Swapper v2.exe (PID: 4008)
  - Galaxy Swapper v2.exe (PID: 3612)
- Reads product name
  - Galaxy Swapper v2.exe (PID: 2848)
  - Galaxy Swapper v2.exe (PID: 2792)
  - Galaxy Swapper v2.exe (PID: 2320)
  - Galaxy Swapper v2.exe (PID: 4080)
  - Galaxy Swapper v2.exe (PID: 3492)
  - Galaxy Swapper v2.exe (PID: 908)
  - Galaxy Swapper v2.exe (PID: 2928)
  - Galaxy Swapper v2.exe (PID: 4020)
  - Galaxy Swapper v2.exe (PID: 3216)
  - Galaxy Swapper v2.exe (PID: 3664)
  - Galaxy Swapper v2.exe (PID: 3700)
  - Galaxy Swapper v2.exe (PID: 4008)
  - Galaxy Swapper v2.exe (PID: 3612)
- Manual execution by a user
  - Galaxy Swapper v2.exe (PID: 2320)
  - Galaxy Swapper v2.exe (PID: 4080)
  - taskmgr.exe (PID: 1404)
  - Galaxy Swapper v2.exe (PID: 3492)
  - Galaxy Swapper v2.exe (PID: 908)
  - Galaxy Swapper v2.exe (PID: 2792)
  - Galaxy Swapper v2.exe (PID: 3612)
  - Galaxy Swapper v2.exe (PID: 2928)
  - Galaxy Swapper v2.exe (PID: 4020)
  - Galaxy Swapper v2.exe (PID: 3664)
  - Galaxy Swapper v2.exe (PID: 3700)
  - Galaxy Swapper v2.exe (PID: 4008)
  - Galaxy Swapper v2.exe (PID: 3216)
- Reads security settings of Internet Explorer
  - taskmgr.exe (PID: 1404)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

RedLine

(PID) Process(2848) Galaxy Swapper v2.exe

C2 (1)45.15.156.167:80

Botnet@mass1vexdd

Options

ErrorMessageClick Close to exit the program. Error code: 1142

Keys

XorRateably

(PID) Process(2792) Galaxy Swapper v2.exe

C2 (1)45.15.156.167:80

Botnet@mass1vexdd

Options

ErrorMessageClick Close to exit the program. Error code: 1142

Keys

XorRateably

(PID) Process(2320) Galaxy Swapper v2.exe

C2 (1)45.15.156.167:80

Botnet@mass1vexdd

Options

ErrorMessageClick Close to exit the program. Error code: 1142

Keys

XorRateably

(PID) Process(4080) Galaxy Swapper v2.exe

C2 (1)45.15.156.167:80

Botnet@mass1vexdd

Options

ErrorMessageClick Close to exit the program. Error code: 1142

Keys

XorRateably

(PID) Process(3492) Galaxy Swapper v2.exe

C2 (1)45.15.156.167:80

Botnet@mass1vexdd

Options

ErrorMessageClick Close to exit the program. Error code: 1142

Keys

XorRateably

(PID) Process(3216) Galaxy Swapper v2.exe

C2 (1)45.15.156.167:80

Botnet@mass1vexdd

Options

ErrorMessageClick Close to exit the program. Error code: 1142

Keys

XorRateably

(PID) Process(3612) Galaxy Swapper v2.exe

C2 (1)45.15.156.167:80

Botnet@mass1vexdd

Options

ErrorMessageClick Close to exit the program. Error code: 1142

Keys

XorRateably

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (64.6)
.dll	\|	Win32 Dynamic Link Library (generic) (15.4)
.exe	\|	Win32 Executable (generic) (10.5)
.exe	\|	Generic Win/DOS Executable (4.6)
.exe	\|	DOS Executable Generic (4.6)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:02:08 20:01:16+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.38
CodeSize:	72192
InitializedDataSize:	381952
UninitializedDataSize:	-
EntryPoint:	0x44f2
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows command line

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

908

"C:\Users\admin\Desktop\Galaxy Swapper v2.exe"

C:\Users\admin\Desktop\Galaxy Swapper v2.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\desktop\galaxy swapper v2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

1404

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\System32\taskmgr.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Task Manager

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

2320

"C:\Users\admin\Desktop\Galaxy Swapper v2.exe"

C:\Users\admin\Desktop\Galaxy Swapper v2.exe

explorer.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\desktop\galaxy swapper v2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

RedLine

(PID) Process(2320) Galaxy Swapper v2.exe

C2 (1)45.15.156.167:80

Botnet@mass1vexdd

Options

ErrorMessageClick Close to exit the program. Error code: 1142

Keys

XorRateably

2792

"C:\Users\admin\Desktop\Galaxy Swapper v2.exe"

C:\Users\admin\Desktop\Galaxy Swapper v2.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\desktop\galaxy swapper v2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

RedLine

(PID) Process(2792) Galaxy Swapper v2.exe

C2 (1)45.15.156.167:80

Botnet@mass1vexdd

Options

ErrorMessageClick Close to exit the program. Error code: 1142

Keys

XorRateably

2848

"C:\Users\admin\Desktop\Galaxy Swapper v2.exe"

C:\Users\admin\Desktop\Galaxy Swapper v2.exe

runas.exe

User:

Administrator

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\desktop\galaxy swapper v2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

RedLine

(PID) Process(2848) Galaxy Swapper v2.exe

C2 (1)45.15.156.167:80

Botnet@mass1vexdd

Options

ErrorMessageClick Close to exit the program. Error code: 1142

Keys

XorRateably

2928

"C:\Users\admin\Desktop\Galaxy Swapper v2.exe"

C:\Users\admin\Desktop\Galaxy Swapper v2.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\desktop\galaxy swapper v2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

3216

"C:\Users\admin\Desktop\Galaxy Swapper v2.exe"

C:\Users\admin\Desktop\Galaxy Swapper v2.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\desktop\galaxy swapper v2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

RedLine

(PID) Process(3216) Galaxy Swapper v2.exe

C2 (1)45.15.156.167:80

Botnet@mass1vexdd

Options

ErrorMessageClick Close to exit the program. Error code: 1142

Keys

XorRateably

3492

"C:\Users\admin\Desktop\Galaxy Swapper v2.exe"

C:\Users\admin\Desktop\Galaxy Swapper v2.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\desktop\galaxy swapper v2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

RedLine

(PID) Process(3492) Galaxy Swapper v2.exe

C2 (1)45.15.156.167:80

Botnet@mass1vexdd

Options

ErrorMessageClick Close to exit the program. Error code: 1142

Keys

XorRateably

3504

"C:\Windows\system32\taskmgr.exe" /1

C:\Windows\System32\taskmgr.exe

taskmgr.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Task Manager

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

3612

"C:\Users\admin\Desktop\Galaxy Swapper v2.exe"

C:\Users\admin\Desktop\Galaxy Swapper v2.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\desktop\galaxy swapper v2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

RedLine

(PID) Process(3612) Galaxy Swapper v2.exe

C2 (1)45.15.156.167:80

Botnet@mass1vexdd

Options

ErrorMessageClick Close to exit the program. Error code: 1142

Keys

XorRateably

Add for printing

Total events

74 302

Read events

73 947

Write events

278

Delete events

Modification events


(PID) Process:	(2848) Galaxy Swapper v2.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Galaxy Swapper v2_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(2848) Galaxy Swapper v2.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Galaxy Swapper v2_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(2848) Galaxy Swapper v2.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Galaxy Swapper v2_RASAPI32
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(2848) Galaxy Swapper v2.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Galaxy Swapper v2_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value:
(PID) Process:	(2848) Galaxy Swapper v2.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Galaxy Swapper v2_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(2848) Galaxy Swapper v2.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Galaxy Swapper v2_RASAPI32
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing
(PID) Process:	(2848) Galaxy Swapper v2.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Galaxy Swapper v2_RASMANCS
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(2848) Galaxy Swapper v2.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Galaxy Swapper v2_RASMANCS
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(2848) Galaxy Swapper v2.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Galaxy Swapper v2_RASMANCS
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(2848) Galaxy Swapper v2.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Galaxy Swapper v2_RASMANCS
Operation:	write	Name:	ConsoleTracingMask
Value:

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

No data

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

109

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1080	svchost.exe	224.0.0.252:5355	—	—	—	unknown
2848	Galaxy Swapper v2.exe	45.15.156.167:80	—	Galaxy LLC	RU	malicious
2848	Galaxy Swapper v2.exe	172.67.75.172:443	api.ip.sb	CLOUDFLARENET	US	unknown
2792	Galaxy Swapper v2.exe	45.15.156.167:80	—	Galaxy LLC	RU	malicious
2792	Galaxy Swapper v2.exe	172.67.75.172:443	api.ip.sb	CLOUDFLARENET	US	unknown
2320	Galaxy Swapper v2.exe	45.15.156.167:80	—	Galaxy LLC	RU	malicious
2320	Galaxy Swapper v2.exe	172.67.75.172:443	api.ip.sb	CLOUDFLARENET	US	unknown
4080	Galaxy Swapper v2.exe	45.15.156.167:80	—	Galaxy LLC	RU	malicious

DNS requests

Domain	IP	Reputation
api.ip.sb	172.67.75.172 104.26.12.31 104.26.13.31	whitelisted

Threats

PID	Process	Class	Message
2848	Galaxy Swapper v2.exe	Potentially Bad Traffic	ET INFO Microsoft net.tcp Connection Initialization Activity
2848	Galaxy Swapper v2.exe	A Network Trojan was detected	ET MALWARE Redline Stealer TCP CnC Activity
2848	Galaxy Swapper v2.exe	A Network Trojan was detected	ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)
2848	Galaxy Swapper v2.exe	A Network Trojan was detected	ET MALWARE Redline Stealer TCP CnC - Id1Response
2848	Galaxy Swapper v2.exe	A Network Trojan was detected	ET MALWARE Redline Stealer TCP CnC - Id1Response
2848	Galaxy Swapper v2.exe	A Network Trojan was detected	ET MALWARE Redline Stealer TCP CnC Activity
2848	Galaxy Swapper v2.exe	A Network Trojan was detected	ET MALWARE Redline Stealer TCP CnC Activity
2792	Galaxy Swapper v2.exe	Potentially Bad Traffic	ET INFO Microsoft net.tcp Connection Initialization Activity
2792	Galaxy Swapper v2.exe	A Network Trojan was detected	ET MALWARE Redline Stealer TCP CnC Activity
2792	Galaxy Swapper v2.exe	A Network Trojan was detected	ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)

14 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

Galaxy Swapper v2.exe

DE662C216C9CBEA5B53AD30D412D606E

0D7D74B5F9B401DFC5C8CD3F34E275E57D042E63

1FD12B4B8AF2ECD380B8FA3CBBD97C1B1B33BE6902EC5D6ECBB3BD536B482BDA

12288:+cSXm2+pPeyPodRxQlTztbWLd8GWWVmpugf2tr6d0GHui0TXdKex:+gZGqodRxQlTztbW58GW4tr5Qui0TYc

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

REDLINE has been detected (YARA)

REDLINE has been detected (SURICATA)

Connects to the CnC server

Actions looks like stealing of personal data

Steals credentials from Web Browsers

SUSPICIOUS

Reads the Internet Settings

Reads settings of System Certificates

Searches for installed software

Reads browser cookies

Application launched itself

INFO

Checks supported languages

Reads the computer name

Reads the machine GUID from the registry

Reads Environment values

Reads the software policy settings

Reads product name

Manual execution by a user

Reads security settings of Internet Explorer

Malware configuration

RedLine

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Malware configuration

RedLine

Information

Modules

Malware configuration

RedLine

Information

Modules

Malware configuration

RedLine

Information

Modules

Information

Modules

Malware configuration

RedLine

Information

Modules

Malware configuration

RedLine

Information

Modules

Information

Modules

Malware configuration

RedLine

Registry activity

Modification events

Files activity

Dropped files

Network activity