Malware analysis Tool.exe Malicious activity | ANY.RUN

Add for printing

File name:	Tool.exe
Full analysis:	https://app.any.run/tasks/eb1197b7-a2c8-465a-b9de-8ae36ac6a315
Verdict:	Malicious activity
Threats:	MetaStealer is an info-stealing malware primarily targeting sensitive data like login credentials, payment details, and browser history. It typically infects systems via phishing emails or malicious downloads and can exfiltrate data to a command and control (C2) server. MetaStealer is known for its stealthy techniques, including evasion and persistence mechanisms, which make it difficult to detect. This malware has been actively used in various cyberattacks, particularly for financial theft and credential harvesting from individuals and organizations. RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	August 26, 2024, 15:39:04
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	stealer redline metastealer
Indicators:
MIME:	application/x-dosexec
File info:	PE32+ executable (GUI) x86-64, for MS Windows
MD5:	D48F62048D05FE25AE38BEA06EC96E95
SHA1:	D21C8D35EE8ABBA7D456542EBB1EA8D1F2AD6BFA
SHA256:	3110A13A098E03CA4EBADF301969F5957D760FD85DF25B71401BEDCFCD91BF67
SSDEEP:	98304:QwzlOn6DnYYJ/Lv8zUfLhs1b3eu+OhnNc39t8:MI/QzJU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Connects to the CnC server
  - AddInProcess32.exe (PID: 2824)
- METASTEALER has been detected (SURICATA)
  - AddInProcess32.exe (PID: 2824)
- Actions looks like stealing of personal data
  - AddInProcess32.exe (PID: 2824)
- REDLINE has been detected (YARA)
  - AddInProcess32.exe (PID: 2824)
- Steals credentials from Web Browsers
  - AddInProcess32.exe (PID: 2824)
- Stealers network behavior
  - AddInProcess32.exe (PID: 2824)
- REDLINE has been detected (SURICATA)
  - AddInProcess32.exe (PID: 2824)
SUSPICIOUS
- Drops the executable file immediately after the start
  - Tool.exe (PID: 5096)
- Process drops legitimate windows executable
  - WinRAR.exe (PID: 2520)
- Adds/modifies Windows certificates
  - AddInProcess32.exe (PID: 2824)
- Connects to unusual port
  - AddInProcess32.exe (PID: 2824)
- Executes application which crashes
  - Tool.exe (PID: 6784)
- Searches for installed software
  - AddInProcess32.exe (PID: 2824)
INFO
- Reads security settings of Internet Explorer
  - explorer.exe (PID: 4552)
- Creates files or folders in the user directory
  - explorer.exe (PID: 4552)
  - WerFault.exe (PID: 1436)
  - AddInProcess32.exe (PID: 2824)
- Reads Microsoft Office registry keys
  - explorer.exe (PID: 4552)
- Reads the software policy settings
  - explorer.exe (PID: 4552)
  - WerFault.exe (PID: 1436)
- Dropped object may contain TOR URL's
  - WinRAR.exe (PID: 2520)
- Checks proxy server information
  - WerFault.exe (PID: 1436)
  - explorer.exe (PID: 4552)
- Checks supported languages
  - Tool.exe (PID: 3164)
  - AddInProcess32.exe (PID: 2824)
  - Tool.exe (PID: 6784)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 2520)
- Reads the computer name
  - AddInProcess32.exe (PID: 2824)
  - Tool.exe (PID: 3164)
- Reads the machine GUID from the registry
  - AddInProcess32.exe (PID: 2824)
- Reads Environment values
  - AddInProcess32.exe (PID: 2824)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

RedLine

(PID) Process(2824) AddInProcess32.exe

C2 (1)51.195.206.227:38719

Botnettgsetupfudvero

Options

ErrorMessage

Keys

XorGarishness

No Malware configuration.

Add for printing

TRiD

.exe	\|	Generic Win/DOS Executable (50)
.exe	\|	DOS Executable Generic (49.9)

EXIF

EXE

MachineType:	AMD AMD64
TimeStamp:	2010:11:30 04:32:56+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.35
CodeSize:	2539520
InitializedDataSize:	2059264
UninitializedDataSize:	-
EntryPoint:	0x24eeac
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	30.0.2.0
ProductVersionNumber:	0.0.0.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Unknown (0)
ObjectFileType:	Unknown
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	OBS
FileDescription:	OBS Studio
FileVersion:	30.0.2
InternalName:	obs
OriginalFileName:	obs
ProductName:	OBS Studio
ProductVersion:	30.0.2
Comments:	Free and open source software for video recording and live streaming
LegalCopyright:	(C) Lain Bailey

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

127

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1436

C:\WINDOWS\system32\WerFault.exe -u -p 6784 -s 168

C:\Windows\System32\WerFault.exe

Tool.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Problem Reporting

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll

2520

"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\Tool.zip" C:\Users\admin\Desktop\Tool\

C:\Program Files\WinRAR\WinRAR.exe

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Exit code:

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

2824

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Tool.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

AddInProcess.exe

Exit code:

Version:

4.8.9037.0 built by: NET481REL1

Modules

Images
c:\windows\microsoft.net\framework\v4.0.30319\addinprocess32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

RedLine

(PID) Process(2824) AddInProcess32.exe

C2 (1)51.195.206.227:38719

Botnettgsetupfudvero

Options

ErrorMessage

Keys

XorGarishness

3164

"C:\Users\admin\Desktop\Tool\Tool\Tool.exe"

C:\Users\admin\Desktop\Tool\Tool\Tool.exe

explorer.exe

User:

admin

Company:

OBS

Integrity Level:

HIGH

Description:

OBS Studio

Exit code:

Version:

30.0.2

Modules

Images
c:\users\admin\desktop\tool\tool\tool.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\users\admin\desktop\tool\tool\libcurl.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll

4552

C:\WINDOWS\Explorer.EXE

C:\Windows\explorer.exe

—

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Explorer

Version:

10.0.19041.3758 (WinBuild.160101.0800)

Modules

Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\aepic.dll
c:\windows\system32\oleaut32.dll

5096

"C:\Users\admin\Desktop\Tool.exe"

C:\Users\admin\Desktop\Tool.exe

—

explorer.exe

User:

admin

Company:

OBS

Integrity Level:

MEDIUM

Description:

OBS Studio

Exit code:

3221225781

Version:

30.0.2

Modules

Images
c:\users\admin\desktop\tool.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll

6376

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

—

Tool.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

AddInProcess.exe

Version:

4.8.9037.0 built by: NET481REL1

6784

"C:\Users\admin\Desktop\Tool\Tool\Tool.exe"

C:\Users\admin\Desktop\Tool\Tool\Tool.exe

explorer.exe

User:

admin

Company:

OBS

Integrity Level:

MEDIUM

Description:

OBS Studio

Exit code:

3221226505

Version:

30.0.2

Modules

Images
c:\users\admin\desktop\tool\tool\tool.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll

6916

C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\rundll32.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows host process (Rundll32)

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll

Add for printing

Total events

48 087

Read events

47 842

Write events

221

Delete events

Modification events


(PID) Process:	(4552) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000503A8
Operation:	write	Name:	VirtualDesktop
Value: 1000000030304456033BCEE44DE41B4E8AEC331E84F566D2
(PID) Process:	(4552) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000503A8
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(4552) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Search
Operation:	write	Name:	TraySearchBoxVisible
Value: 1
(PID) Process:	(4552) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Search
Operation:	write	Name:	TraySearchBoxVisibleOnAnyMonitor
Value: 1
(PID) Process:	(4552) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000603A8
Operation:	write	Name:	VirtualDesktop
Value: 1000000030304456033BCEE44DE41B4E8AEC331E84F566D2
(PID) Process:	(4552) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000603A8
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(4552) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000703A8
Operation:	write	Name:	VirtualDesktop
Value: 1000000030304456033BCEE44DE41B4E8AEC331E84F566D2
(PID) Process:	(4552) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000703A8
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(4552) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000803A8
Operation:	write	Name:	VirtualDesktop
Value: 1000000030304456033BCEE44DE41B4E8AEC331E84F566D2
(PID) Process:	(4552) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000803A8
Operation:	delete key	Name:	(default)
Value:

Add for printing

Executable files

182

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2520	WinRAR.exe	C:\Users\admin\Desktop\Tool\Tool\avcodec-60.dll		—
		MD5:—	SHA256:—
4552	explorer.exe	C:\Users\admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat		binary
		MD5:E49C56350AEDF784BFE00E444B879672	SHA256:A8BD235303668981563DFB5AAE338CB802817C4060E2C199B7C84901D57B7E1E
4552	explorer.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_D104FE37139B161AD494CEA02ACEDE26		binary
		MD5:4D7EBCE95A63854608A80828559EBC40	SHA256:8495A9E5639654CAB2917004FB7397C4472B05CB641F6D6B02AFB6A24871A039
4552	explorer.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB		binary
		MD5:D9F6C0A5C2562CC629C015F0B2C8868A	SHA256:C5EA99A90F6BCE9BE6EAC9A823ED96F63CD8420406DF5965DABD1377012A7A21
2520	WinRAR.exe	C:\Users\admin\Desktop\Tool\Tool\files\8.0.5\cs\ReachFramework.resources.dll		executable
		MD5:88447037EBB5BBF71D95F8616904F2A5	SHA256:246A12C9899E35D741FCD4E808D4C67AF6425D13513E7DA48CCC664BA2DBD0A9
2520	WinRAR.exe	C:\Users\admin\Desktop\Tool\Tool\files\8.0.5\cs\System.Windows.Forms.Primitives.resources.dll		executable
		MD5:B64BF161DE9BD03A810D3C8FF559C57A	SHA256:2635006E8A4B7675DE45C6F5D32794B1E7D7F0804D9A435F5B17BCB93E7D2600
2520	WinRAR.exe	C:\Users\admin\Desktop\Tool\Tool\datachannel.dll		executable
		MD5:1C7F360AA9F252FE7E3AF37AFB614BC5	SHA256:26465AFB08FC2FFBFB87941332FB716F53ACA1517970C5F0B2153A1F40DAB5B4
2520	WinRAR.exe	C:\Users\admin\Desktop\Tool\Tool\files\8.0.5\cs\UIAutomationClient.resources.dll		executable
		MD5:76D95A4D989D51CEA5EE6F6E6C8ACBE8	SHA256:E5C2F654AED5187D8958279EB77989532BAA0968BCB223CB2930D7F4A030B8A5
2520	WinRAR.exe	C:\Users\admin\Desktop\Tool\Tool\files\8.0.5\cs\System.Windows.Controls.Ribbon.resources.dll		executable
		MD5:7072D626904DD41A7F631371D60B035F	SHA256:53328E00F87DB6942BAFFCC25E64B4D1AF01CDAB59FB1D06E55D75788C868755
2520	WinRAR.exe	C:\Users\admin\Desktop\Tool\Tool\avfilter-9.dll		executable
		MD5:2F37E5CED7FC8482F659224EF38809CF	SHA256:BAEC3B2076C482707400A0061B23CC14271BAE715BED0C28C10CE73D771AC86C

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2028	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
4552	explorer.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAbUGmZpIVP%2Fvl3v6HOt%2F2o%3D	unknown	—	—	whitelisted
4552	explorer.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D	unknown	—	—	whitelisted
2584	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
2584	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
4552	explorer.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	192.168.100.255:138	—	—	—	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	239.255.255.250:1900	—	—	—	whitelisted
—	—	40.126.32.76:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	40.115.3.253:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2028	svchost.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2028	svchost.exe	40.126.32.76:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6192	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2584	SIHClient.exe	20.114.59.183:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 51.124.78.146 51.104.136.2	whitelisted
google.com	142.250.186.46	whitelisted
login.live.com	40.126.32.76 40.126.32.72 40.126.32.133 40.126.32.134 20.190.160.20 20.190.160.14 20.190.160.22 40.126.32.68 20.190.159.71 40.126.31.67 40.126.31.71 20.190.159.23 20.190.159.64 40.126.31.69 20.190.159.68 20.190.159.73	whitelisted
client.wns.windows.com	40.115.3.253 40.113.110.67	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
slscr.update.microsoft.com	20.114.59.183	whitelisted
www.microsoft.com	23.35.229.160	whitelisted
fe3cr.delivery.mp.microsoft.com	20.242.39.171	whitelisted
watson.events.data.microsoft.com	20.189.173.22	whitelisted

Threats

PID	Process	Class	Message
2824	AddInProcess32.exe	Potentially Bad Traffic	ET INFO Microsoft net.tcp Connection Initialization Activity
2824	AddInProcess32.exe	A Network Trojan was detected	ET MALWARE Redline Stealer TCP CnC Activity
2824	AddInProcess32.exe	A Network Trojan was detected	ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)
2824	AddInProcess32.exe	A Network Trojan was detected	ET MALWARE Redline Stealer TCP CnC - Id1Response
2824	AddInProcess32.exe	A Network Trojan was detected	ET MALWARE Redline Stealer TCP CnC Activity
2824	AddInProcess32.exe	A Network Trojan was detected	ET MALWARE Redline Stealer TCP CnC Activity
2824	AddInProcess32.exe	A Network Trojan was detected	ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
2824	AddInProcess32.exe	A Network Trojan was detected	ET MALWARE Redline Stealer TCP CnC Activity
2824	AddInProcess32.exe	A Network Trojan was detected	ET MALWARE Redline Stealer TCP CnC Activity
2824	AddInProcess32.exe	A Network Trojan was detected	ET MALWARE Redline Stealer TCP CnC Activity

Add for printing

No debug info

General Info

Tool.exe

D48F62048D05FE25AE38BEA06EC96E95

D21C8D35EE8ABBA7D456542EBB1EA8D1F2AD6BFA

3110A13A098E03CA4EBADF301969F5957D760FD85DF25B71401BEDCFCD91BF67

98304:QwzlOn6DnYYJ/Lv8zUfLhs1b3eu+OhnNc39t8:MI/QzJU

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Connects to the CnC server

METASTEALER has been detected (SURICATA)

Actions looks like stealing of personal data

REDLINE has been detected (YARA)

Steals credentials from Web Browsers

Stealers network behavior

REDLINE has been detected (SURICATA)

SUSPICIOUS

Drops the executable file immediately after the start

Process drops legitimate windows executable

Adds/modifies Windows certificates

Connects to unusual port

Executes application which crashes

Searches for installed software

INFO

Reads security settings of Internet Explorer

Creates files or folders in the user directory

Reads Microsoft Office registry keys

Reads the software policy settings

Dropped object may contain TOR URL's

Checks proxy server information

Checks supported languages

Executable content was dropped or overwritten

Reads the computer name

Reads the machine GUID from the registry

Reads Environment values

Malware configuration

RedLine

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Malware configuration

RedLine

Information

Modules

Information

Modules

Information

Modules

Information

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings