File name:

41ece00a8f6eb23dc9b2c4e839264896.exe

Full analysis: https://app.any.run/tasks/9d088beb-bda1-43db-80d8-bb25185ccbc7
Verdict: Malicious activity
Threats:

MetaStealer is an info-stealing malware primarily targeting sensitive data like login credentials, payment details, and browser history. It typically infects systems via phishing emails or malicious downloads and can exfiltrate data to a command and control (C2) server. MetaStealer is known for its stealthy techniques, including evasion and persistence mechanisms, which make it difficult to detect. This malware has been actively used in various cyberattacks, particularly for financial theft and credential harvesting from individuals and organizations.

Malware Trends Tracker     >>>
Analysis date: March 24, 2025, 17:56:49
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
stealer
redline
lefthook
metastealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

41ECE00A8F6EB23DC9B2C4E839264896

SHA1:

019AF05AEDB454D15F193713FEF31524CFAB6E6D

SHA256:

2D8A45F0DE92AEB5FC5495C2DF0072A00E4D2215B0B2C1CCFD1580D752E32F27

SSDEEP:

24576:QgvpwD3vxFWrP/eAM9v8SRbNkw4MiiW3jMwpGIQf20X:QgvpwD3vxFWrP/eAM9v8SRbNkw5iiQjI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • REDLINE has been detected (SURICATA)

      • 41ece00a8f6eb23dc9b2c4e839264896.exe (PID: 6540)

    • LEFTHOOK has been detected (SURICATA)

      • 41ece00a8f6eb23dc9b2c4e839264896.exe (PID: 6540)

    • METASTEALER has been detected (SURICATA)

      • 41ece00a8f6eb23dc9b2c4e839264896.exe (PID: 6540)

    • REDLINE has been detected (YARA)

      • 41ece00a8f6eb23dc9b2c4e839264896.exe (PID: 6540)

    • Steals credentials from Web Browsers

      • 41ece00a8f6eb23dc9b2c4e839264896.exe (PID: 6540)

    • Actions looks like stealing of personal data

      • 41ece00a8f6eb23dc9b2c4e839264896.exe (PID: 6540)

  • SUSPICIOUS

    • Connects to unusual port

      • 41ece00a8f6eb23dc9b2c4e839264896.exe (PID: 6540)

    • Application launched itself

      • 41ece00a8f6eb23dc9b2c4e839264896.exe (PID: 5164)

    • Contacting a server suspected of hosting an CnC

      • 41ece00a8f6eb23dc9b2c4e839264896.exe (PID: 6540)

    • Multiple wallet extension IDs have been found

      • 41ece00a8f6eb23dc9b2c4e839264896.exe (PID: 6540)

  • INFO

    • Reads the machine GUID from the registry

      • 41ece00a8f6eb23dc9b2c4e839264896.exe (PID: 5164)
      • 41ece00a8f6eb23dc9b2c4e839264896.exe (PID: 6540)

    • Disables trace logs

      • 41ece00a8f6eb23dc9b2c4e839264896.exe (PID: 6540)

    • Checks supported languages

      • 41ece00a8f6eb23dc9b2c4e839264896.exe (PID: 6540)
      • 41ece00a8f6eb23dc9b2c4e839264896.exe (PID: 5164)

    • Reads the computer name

      • 41ece00a8f6eb23dc9b2c4e839264896.exe (PID: 5164)

    • Create files in a temporary directory

      • 41ece00a8f6eb23dc9b2c4e839264896.exe (PID: 6540)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

RedLine

(PID) Process(6540) 41ece00a8f6eb23dc9b2c4e839264896.exe
C2 (1)185.222.57.71:55615
Botnetcheat
Keys
Xor
Options
ErrorMessage
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (70.7)
.scr | Windows screen saver (12.6)
.dll | Win32 Dynamic Link Library (generic) (6.3)
.exe | Win32 Executable (generic) (4.3)
.exe | Win16/32 Executable Delphi generic (2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2088:05:17 15:53:25+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 595968
InitializedDataSize: 7680
UninitializedDataSize: -
EntryPoint: 0x936a6
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: Report Manager
FileVersion: 1.0.0.0
InternalName: bAXl.exe
LegalCopyright: Copyright © 2021
LegalTrademarks: -
OriginalFileName: bAXl.exe
ProductName: Report Manager
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
134
Monitored processes
4
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 41ece00a8f6eb23dc9b2c4e839264896.exe no specs #REDLINE 41ece00a8f6eb23dc9b2c4e839264896.exe conhost.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
4608C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
5164"C:\Users\admin\Desktop\41ece00a8f6eb23dc9b2c4e839264896.exe" C:\Users\admin\Desktop\41ece00a8f6eb23dc9b2c4e839264896.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Report Manager
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\41ece00a8f6eb23dc9b2c4e839264896.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
6388\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exe41ece00a8f6eb23dc9b2c4e839264896.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6540"C:\Users\admin\Desktop\41ece00a8f6eb23dc9b2c4e839264896.exe"C:\Users\admin\Desktop\41ece00a8f6eb23dc9b2c4e839264896.exe
41ece00a8f6eb23dc9b2c4e839264896.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Report Manager
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\41ece00a8f6eb23dc9b2c4e839264896.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
RedLine
(PID) Process(6540) 41ece00a8f6eb23dc9b2c4e839264896.exe
C2 (1)185.222.57.71:55615
Botnetcheat
Keys
Xor
Options
ErrorMessage
Total events
8 631
Read events
8 617
Write events
14
Delete events
0

Modification events

(PID) Process:(6540) 41ece00a8f6eb23dc9b2c4e839264896.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\41ece00a8f6eb23dc9b2c4e839264896_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(6540) 41ece00a8f6eb23dc9b2c4e839264896.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\41ece00a8f6eb23dc9b2c4e839264896_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(6540) 41ece00a8f6eb23dc9b2c4e839264896.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\41ece00a8f6eb23dc9b2c4e839264896_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(6540) 41ece00a8f6eb23dc9b2c4e839264896.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\41ece00a8f6eb23dc9b2c4e839264896_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(6540) 41ece00a8f6eb23dc9b2c4e839264896.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\41ece00a8f6eb23dc9b2c4e839264896_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(6540) 41ece00a8f6eb23dc9b2c4e839264896.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\41ece00a8f6eb23dc9b2c4e839264896_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(6540) 41ece00a8f6eb23dc9b2c4e839264896.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\41ece00a8f6eb23dc9b2c4e839264896_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(6540) 41ece00a8f6eb23dc9b2c4e839264896.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\41ece00a8f6eb23dc9b2c4e839264896_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(6540) 41ece00a8f6eb23dc9b2c4e839264896.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\41ece00a8f6eb23dc9b2c4e839264896_RASMANCS
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(6540) 41ece00a8f6eb23dc9b2c4e839264896.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\41ece00a8f6eb23dc9b2c4e839264896_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
Executable files
0
Suspicious files
37
Text files
0
Unknown types
1

Dropped files

PID
Process
Filename
Type
654041ece00a8f6eb23dc9b2c4e839264896.exeC:\Users\admin\AppData\Local\Temp\tmp22BB.tmpbinary
MD5:A45465CDCDC6CB30C8906F3DA4EC114C
SHA256:4412319EF944EBCCA9581CBACB1D4E1DC614C348D1DFC5D2FAAAAD863D300209
654041ece00a8f6eb23dc9b2c4e839264896.exeC:\Users\admin\AppData\Local\Temp\tmp22AA.tmpbinary
MD5:A45465CDCDC6CB30C8906F3DA4EC114C
SHA256:4412319EF944EBCCA9581CBACB1D4E1DC614C348D1DFC5D2FAAAAD863D300209
654041ece00a8f6eb23dc9b2c4e839264896.exeC:\Users\admin\AppData\Local\Temp\tmp2298.tmpbinary
MD5:A45465CDCDC6CB30C8906F3DA4EC114C
SHA256:4412319EF944EBCCA9581CBACB1D4E1DC614C348D1DFC5D2FAAAAD863D300209
654041ece00a8f6eb23dc9b2c4e839264896.exeC:\Users\admin\AppData\Local\Temp\tmp22BC.tmpbinary
MD5:A45465CDCDC6CB30C8906F3DA4EC114C
SHA256:4412319EF944EBCCA9581CBACB1D4E1DC614C348D1DFC5D2FAAAAD863D300209
654041ece00a8f6eb23dc9b2c4e839264896.exeC:\Users\admin\AppData\Local\Temp\tmp22F0.tmpbinary
MD5:F6C33AC5E1032A0873BE7BFC65169287
SHA256:D97895CEDED32E33D57BDCACCDBE144E58AA87AF4D2F8855D630286CE30A8D83
654041ece00a8f6eb23dc9b2c4e839264896.exeC:\Users\admin\AppData\Local\Temp\tmp22A9.tmpbinary
MD5:A45465CDCDC6CB30C8906F3DA4EC114C
SHA256:4412319EF944EBCCA9581CBACB1D4E1DC614C348D1DFC5D2FAAAAD863D300209
654041ece00a8f6eb23dc9b2c4e839264896.exeC:\Users\admin\AppData\Local\Temp\tmp22DE.tmpbinary
MD5:F6C33AC5E1032A0873BE7BFC65169287
SHA256:D97895CEDED32E33D57BDCACCDBE144E58AA87AF4D2F8855D630286CE30A8D83
654041ece00a8f6eb23dc9b2c4e839264896.exeC:\Users\admin\AppData\Local\Temp\tmp2302.tmpbinary
MD5:F6C33AC5E1032A0873BE7BFC65169287
SHA256:D97895CEDED32E33D57BDCACCDBE144E58AA87AF4D2F8855D630286CE30A8D83
654041ece00a8f6eb23dc9b2c4e839264896.exeC:\Users\admin\AppData\Local\Temp\tmp22F1.tmpbinary
MD5:F6C33AC5E1032A0873BE7BFC65169287
SHA256:D97895CEDED32E33D57BDCACCDBE144E58AA87AF4D2F8855D630286CE30A8D83
654041ece00a8f6eb23dc9b2c4e839264896.exeC:\Users\admin\AppData\Local\Temp\tmp22EF.tmpbinary
MD5:F6C33AC5E1032A0873BE7BFC65169287
SHA256:D97895CEDED32E33D57BDCACCDBE144E58AA87AF4D2F8855D630286CE30A8D83
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
43
TCP/UDP connections
53
DNS requests
18
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
23.48.23.162:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6540
41ece00a8f6eb23dc9b2c4e839264896.exe
POST
200
185.222.57.71:55615
http://185.222.57.71:55615/
unknown
unknown
GET
304
4.245.163.56:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
POST
200
20.190.160.67:443
https://login.live.com/RST2.srf
unknown
xml
10.3 Kb
whitelisted
POST
400
20.190.160.5:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
POST
200
20.190.160.67:443
https://login.live.com/RST2.srf
unknown
xml
1.35 Kb
whitelisted
POST
400
20.190.160.66:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
5964
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
5964
SIHClient.exe
GET
200
23.48.23.169:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
POST
400
20.190.160.67:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
2104
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3216
svchost.exe
20.197.71.89:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
SG
whitelisted
2104
svchost.exe
23.48.23.162:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
6544
svchost.exe
40.126.31.1:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5640
backgroundTaskHost.exe
20.74.47.205:443
arc.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6540
41ece00a8f6eb23dc9b2c4e839264896.exe
185.222.57.71:55615
RootLayer Web Services Ltd.
NL
malicious
6540
41ece00a8f6eb23dc9b2c4e839264896.exe
172.67.75.172:443
api.ip.sb
CLOUDFLARENET
US
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.181.238
whitelisted
client.wns.windows.com
  • 20.197.71.89
  • 40.113.110.67
whitelisted
crl.microsoft.com
  • 23.48.23.162
  • 23.48.23.181
  • 23.48.23.176
  • 23.48.23.177
  • 23.48.23.169
  • 23.48.23.150
  • 23.48.23.159
  • 23.48.23.158
  • 23.48.23.173
  • 23.48.23.193
  • 23.48.23.180
  • 23.48.23.166
  • 23.48.23.194
whitelisted
login.live.com
  • 40.126.31.1
  • 40.126.31.3
  • 40.126.31.2
  • 40.126.31.0
  • 20.190.159.75
  • 40.126.31.128
  • 20.190.159.68
  • 40.126.31.130
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
whitelisted
arc.msn.com
  • 20.74.47.205
whitelisted
api.ip.sb
  • 172.67.75.172
  • 104.26.12.31
  • 104.26.13.31
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted

Threats

PID
Process
Class
Message
6540
41ece00a8f6eb23dc9b2c4e839264896.exe
Malware Command and Control Activity Detected
ET MALWARE RedLine Stealer - CheckConnect Response
6540
41ece00a8f6eb23dc9b2c4e839264896.exe
A Network Trojan was detected
AV TROJAN RedLine Stealer Config Download
6540
41ece00a8f6eb23dc9b2c4e839264896.exe
A Network Trojan was detected
ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
6540
41ece00a8f6eb23dc9b2c4e839264896.exe
Malware Command and Control Activity Detected
ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
41ece00a8f6eb23dc9b2c4e839264896.exe