| File name: | 777.exe |
| Full analysis: | https://app.any.run/tasks/f773bf42-037c-4565-9085-20f5358829e8 |
| Verdict: | Malicious activity |
| Threats: | RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware. |
| Analysis date: | December 05, 2022, 19:53:30 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
| MD5: | 2CC6354FB80ABA5B598E03ACD73B8A58 |
| SHA1: | 0285E5F32A8241F668E2BFDF6FBB50B5FE85425A |
| SHA256: | 38A4AA886E31B053DA14946BDA69BFFCDBC9278C95D943D5F8B16BDF5A3E3915 |
| SSDEEP: | 12288:ErkSnXEju456VTVAXfWjMfYhA4RePTkIQg84cuGBwhv9:ErkSnXYuE6VTW9fYy4aoI8YGBC9 |
MALICIOUS
Application was dropped or rewritten from another process
- or.exe (PID: 3452)
REDLINE was detected
- or.exe (PID: 3452)
- InstallUtil.exe (PID: 2928)
Connects to the CnC server
- or.exe (PID: 3452)
REDLINE detected by memory dumps
- or.exe (PID: 3452)
SUSPICIOUS
Connects to unusual port
- or.exe (PID: 3452)
Connects to SMTP port
- or.exe (PID: 3452)
INFO
No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
RedLine
(PID) Process(3452) or.exe
US (153)
LEnvironmentogiEnvironmentn DatEnvironmenta
Environment
WSystem.Texteb DatSystem.Texta
System.Text
CoCryptographyokieCryptographys
Cryptography
ExtGenericension CooGenerickies
Generic
OFileInfopeFileInfora GFileInfoX StabFileInfole
FileInfo
OpLinqera GLinqX
Linq
ApGenericpDaGenericta\RGenericoamiGenericng\
Network
Extension
UNKNOWN
cFileStreamredFileStreamit_cFileStreamardFileStreams
FileStream
\
Host
Port
:
User
Pass
cookies.sqlite
GetDirectories
Entity12
EnumerateDirectories
String.Replace
String.Remove
bcrFileStream.IOypt.dFileStream.IOll
FileStream.IO
BCrstring.EmptyyptOpestring.EmptynAlgorithmProvistring.Emptyder
string.Empty
BCruintyptCloseAlgorituinthmProvuintider
uint
BCrUnmanagedTypeyptDecrUnmanagedTypeypt
UnmanagedType
BCrhKeyyptDeshKeytroyKhKeyey
hKey
BCpszPropertyryptGepszPropertytPropepszPropertyrty
pszProperty
BCEncodingryptSEncodingetPrEncodingoperEncodingty
Encoding
BCrbMasterKeyyptImbMasterKeyportKbMasterKeyey
bMasterKey
windows-1251
AES
Microsoft Primitive Provider
ChainingModeGCM
AuthTagLength
ChainingMode
ObjectLength
KeyDataBlob
-
{0}
net.tcp://
/
localhost
60894ac4c1d4d6c9ffb36078809b8c34
Authorization
ns1
HiAwGT4DCSQ4DwZHJQQaDSsbHVkgBxNWLjNUUw==
MDwvERYEKGMuNFxP
Stearin
Yandex\YaAddon
asf
*wallet*
ZmZuYmVsZmRvZWlvaGVua2ppYm5tYWRqaWVoamhhamJ8WW9yb2lXYWxsZXQKaWJuZWpkZmptbWtwY25scGVia2xtbmtvZW9paG9mZWN8VHJvbmxpbmsKamJkYW9jbmVpaWlubWpiamxnYWxoY2VsZ2Jlam1uaWR8TmlmdHlXYWxsZXQKbmtiaWhmYmVvZ2FlYW9laGxlZm5rb2RiZWZncGdrbm58TWV0YW1hc2sKYWZiY2JqcGJwZmFkbGttaG1jbGhrZWVvZG1hbWNmbGN8TWF0aFdhbGxldApobmZhbmtu...
_
T
e
l
gr
am
.
ex
\TeEnvironmentlegraEnvironmentm DEnvironmentesktoEnvironmentp\tdEnvironmentata
1
string.Replace
%USERPFile.WriteROFILE%\AppFile.WriteData\RoamiFile.Writeng
File.Write
Handler
npvo*
%USERPserviceInterface.ExtensionROFILE%\ApserviceInterface.ExtensionpData\LocaserviceInterface.Extensionl
serviceInterface.Extension
ProldCharotonVoldCharPN
oldChar
nSystem.CollectionspvoSystem.Collections*
System.Collections
(
UNIQUE
"
Armenia
Azerbaijan
Belarus
Kazakhstan
Kyrgyzstan
Moldova
Tajikistan
Uzbekistan
Ukraine
Russia
|
https://api.ip.sb/ip
SELSystem.Windows.FormsECT * FRSystem.Windows.FormsOM WinSystem.Windows.Forms32_ProcSystem.Windows.Formsessor
System.Windows.Forms
roSystem.Linqot\CISystem.LinqMV2
System.Linq
SELSystem.LinqECT * FRSystem.LinqOM WinSystem.Linq32_VideoCoSystem.Linqntroller
AdapterRAM
Name
SOFTWARE\WOW6432Node\Clients\StartMenuInternet
SOFTWARE\Clients\StartMenuInternet
shell\open\command
Unknown Version
SELESystem.ManagementCT * FRSystem.ManagementOM WiSystem.Managementn32_DisSystem.ManagementkDrivSystem.Managemente
System.Management
SerialNumber
SELSystem.Text.RegularExpressionsECT * FRSystem.Text.RegularExpressionsOM Win32_PSystem.Text.RegularExpressionsrocess WSystem.Text.RegularExpressionshere SessSystem.Text.RegularExpressionsionId='
System.Text.RegularExpressions
'
FileSystem
SSystem.ELECT * FRSystem.OM WiSystem.n32_ProcSystem.ess WherSystem.e SessiSystem.onId='
System.
ExecutablePath
[
]
Concat0 MConcatb oConcatr Concat0
Concat
SELEMemoryCT * FMemoryROM WiMemoryn32_OperMemoryatingSMemoryystem
Memory
{0}{1}{2}
x32
x64
x86
SOFTWARE\Microsoft\Windows NT\CurrentVersion
ProductName
CSDVersion
Unknown
_[
Network\
String
Replace
80
81
0.0.0.0
Auth_value60894ac4c1d4d6c9ffb36078809b8c34
Err_msg
Botnetprivate
C2 (1)151.80.89.227:45878
TRiD
| .exe | | | Generic CIL Executable (.NET, Mono, etc.) (82.9) |
| .dll | | | Win32 Dynamic Link Library (generic) (7.4) |
| .exe | | | Win32 Executable (generic) (5.1) |
| .exe | | | Generic Win/DOS Executable (2.2) |
| .exe | | | DOS Executable Generic (2.2) |
Summary
| Architecture: | IMAGE_FILE_MACHINE_I386 |
| Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| Compilation Date: | 1998-Jul-04 07:12:23 |
| Comments: | 9=JC:2HEC75<:JA5C |
| CompanyName: | >AI=9I9J:@=4G48;@@E;D |
| FileDescription: | E><5<7>@IA:D44JA |
| FileVersion: | 7.10.13.17 |
| InternalName: | 666.exe |
| LegalCopyright: | Copyright © 2010 >AI=9I9J:@=4G48;@@E;D |
| OriginalFilename: | 666.exe |
| ProductName: | E><5<7>@IA:D44JA |
| ProductVersion: | 7.10.13.17 |
| Assembly Version: | 1.0.0.0 |
DOS Header
| e_magic: | MZ |
| e_cblp: | 144 |
| e_cp: | 3 |
| e_crlc: | 0 |
| e_cparhdr: | 4 |
| e_minalloc: | 0 |
| e_maxalloc: | 65535 |
| e_ss: | 0 |
| e_sp: | 184 |
| e_csum: | 0 |
| e_ip: | 0 |
| e_cs: | 0 |
| e_ovno: | 0 |
| e_oemid: | 0 |
| e_oeminfo: | 0 |
| e_lfanew: | 128 |
PE Headers
| Signature: | PE |
| Machine: | IMAGE_FILE_MACHINE_I386 |
| NumberofSections: | 3 |
| TimeDateStamp: | 1998-Jul-04 07:12:23 |
| PointerToSymbolTable: | 0 |
| NumberOfSymbols: | 0 |
| SizeOfOptionalHeader: | 224 |
| Characteristics: |
|
Sections
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
|---|---|---|---|---|---|
.text | 8192 | 1122692 | 1122816 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.53738 |
.rsrc | 1138688 | 4373 | 4608 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.98596 |
.reloc | 1146880 | 12 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.10191 |
Resources
Title | Entropy | Size | Codepage | Language | Type |
|---|---|---|---|---|---|
1 | 3.58491 | 892 | Latin 1 / Western European | UNKNOWN | RT_VERSION |
1 (#2) | 4.98865 | 3321 | Latin 1 / Western European | UNKNOWN | RT_MANIFEST |
Imports
mscoree.dll |
Total processes
36
Monitored processes
3
Malicious processes
3
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1328 | "C:\Users\admin\AppData\Local\Temp\777.exe" | C:\Users\admin\AppData\Local\Temp\777.exe | Explorer.EXE | ||||||||||||
User: admin Company: >AI=9I9J:@=4G48;@@E;D Integrity Level: MEDIUM Description: E><5<7>@IA:D44JA Exit code: 0 Version: 7.10.13.17 Modules
| |||||||||||||||
| 3452 | "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\or.exe" | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\or.exe | 777.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: Microsoft Visual Studio Version: 15.9.28307.1440 Modules
RedLine(PID) Process(3452) or.exe US (153) LEnvironmentogiEnvironmentn DatEnvironmenta Environment WSystem.Texteb DatSystem.Texta System.Text CoCryptographyokieCryptographys Cryptography ExtGenericension CooGenerickies Generic OFileInfopeFileInfora GFileInfoX StabFileInfole FileInfo OpLinqera GLinqX Linq ApGenericpDaGenericta\RGenericoamiGenericng\ Network Extension UNKNOWN cFileStreamredFileStreamit_cFileStreamardFileStreams FileStream \ Host Port : User Pass cookies.sqlite GetDirectories Entity12 EnumerateDirectories String.Replace String.Remove bcrFileStream.IOypt.dFileStream.IOll FileStream.IO BCrstring.EmptyyptOpestring.EmptynAlgorithmProvistring.Emptyder string.Empty BCruintyptCloseAlgorituinthmProvuintider uint BCrUnmanagedTypeyptDecrUnmanagedTypeypt UnmanagedType BCrhKeyyptDeshKeytroyKhKeyey hKey BCpszPropertyryptGepszPropertytPropepszPropertyrty pszProperty BCEncodingryptSEncodingetPrEncodingoperEncodingty Encoding BCrbMasterKeyyptImbMasterKeyportKbMasterKeyey bMasterKey windows-1251 AES Microsoft Primitive Provider ChainingModeGCM AuthTagLength ChainingMode ObjectLength KeyDataBlob - {0} net.tcp:// / localhost 60894ac4c1d4d6c9ffb36078809b8c34 Authorization ns1 HiAwGT4DCSQ4DwZHJQQaDSsbHVkgBxNWLjNUUw== MDwvERYEKGMuNFxP Stearin Yandex\YaAddon asf *wallet* ZmZuYmVsZmRvZWlvaGVua2ppYm5tYWRqaWVoamhhamJ8WW9yb2lXYWxsZXQKaWJuZWpkZmptbWtwY25scGVia2xtbmtvZW9paG9mZWN8VHJvbmxpbmsKamJkYW9jbmVpaWlubWpiamxnYWxoY2VsZ2Jlam1uaWR8TmlmdHlXYWxsZXQKbmtiaWhmYmVvZ2FlYW9laGxlZm5rb2RiZWZncGdrbm58TWV0YW1hc2sKYWZiY2JqcGJwZmFkbGttaG1jbGhrZWVvZG1hbWNmbGN8TWF0aFdhbGxldApobmZhbmtu... _ T e l gr am . ex \TeEnvironmentlegraEnvironmentm DEnvironmentesktoEnvironmentp\tdEnvironmentata 1 string.Replace %USERPFile.WriteROFILE%\AppFile.WriteData\RoamiFile.Writeng File.Write Handler npvo* %USERPserviceInterface.ExtensionROFILE%\ApserviceInterface.ExtensionpData\LocaserviceInterface.Extensionl serviceInterface.Extension ProldCharotonVoldCharPN oldChar nSystem.CollectionspvoSystem.Collections* System.Collections ( UNIQUE " Armenia Azerbaijan Belarus Kazakhstan Kyrgyzstan Moldova Tajikistan Uzbekistan Ukraine Russia | https://api.ip.sb/ip SELSystem.Windows.FormsECT * FRSystem.Windows.FormsOM WinSystem.Windows.Forms32_ProcSystem.Windows.Formsessor System.Windows.Forms roSystem.Linqot\CISystem.LinqMV2 System.Linq SELSystem.LinqECT * FRSystem.LinqOM WinSystem.Linq32_VideoCoSystem.Linqntroller AdapterRAM Name SOFTWARE\WOW6432Node\Clients\StartMenuInternet SOFTWARE\Clients\StartMenuInternet shell\open\command Unknown Version SELESystem.ManagementCT * FRSystem.ManagementOM WiSystem.Managementn32_DisSystem.ManagementkDrivSystem.Managemente System.Management SerialNumber SELSystem.Text.RegularExpressionsECT * FRSystem.Text.RegularExpressionsOM Win32_PSystem.Text.RegularExpressionsrocess WSystem.Text.RegularExpressionshere SessSystem.Text.RegularExpressionsionId=' System.Text.RegularExpressions ' FileSystem SSystem.ELECT * FRSystem.OM WiSystem.n32_ProcSystem.ess WherSystem.e SessiSystem.onId=' System. ExecutablePath [ ] Concat0 MConcatb oConcatr Concat0 Concat SELEMemoryCT * FMemoryROM WiMemoryn32_OperMemoryatingSMemoryystem Memory {0}{1}{2} x32 x64 x86 SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductName CSDVersion Unknown _[ Network\ String Replace 80 81 0.0.0.0 Auth_value60894ac4c1d4d6c9ffb36078809b8c34 Err_msg Botnetprivate C2 (1)151.80.89.227:45878 | |||||||||||||||
| 2928 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | 777.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: .NET Framework installation utility Version: 4.0.30319.34209 built by: FX452RTMGDR Modules
| |||||||||||||||
Total events
4 363
Read events
4 329
Write events
34
Delete events
0
Modification events
| (PID) Process: | (1328) 777.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\777_RASAPI32 |
| Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
| (PID) Process: | (1328) 777.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\777_RASAPI32 |
| Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
| (PID) Process: | (1328) 777.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\777_RASAPI32 |
| Operation: | write | Name: | FileTracingMask |
Value: | |||
| (PID) Process: | (1328) 777.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\777_RASAPI32 |
| Operation: | write | Name: | ConsoleTracingMask |
Value: | |||
| (PID) Process: | (1328) 777.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\777_RASAPI32 |
| Operation: | write | Name: | MaxFileSize |
Value: 1048576 | |||
| (PID) Process: | (1328) 777.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\777_RASAPI32 |
| Operation: | write | Name: | FileDirectory |
Value: %windir%\tracing | |||
| (PID) Process: | (1328) 777.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\777_RASMANCS |
| Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
| (PID) Process: | (1328) 777.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\777_RASMANCS |
| Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
| (PID) Process: | (1328) 777.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\777_RASMANCS |
| Operation: | write | Name: | FileTracingMask |
Value: | |||
| (PID) Process: | (1328) 777.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\777_RASMANCS |
| Operation: | write | Name: | ConsoleTracingMask |
Value: | |||
Executable files
1
Suspicious files
0
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1328 | 777.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\or.exe | executable | |
MD5:84133F05486EDB29F9AEB9FBA88F1DB8 | SHA256:07283E05C15A739215C1E2C46007F82EFF2B3DB5A7019855E9195B8FEA953913 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
2
Threats
16
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
1328 | 777.exe | 142.250.186.164:443 | www.google.com | GOOGLE | US | whitelisted |
3452 | or.exe | 151.80.89.227:45878 | — | OVH SAS | FR | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
www.google.com |
| whitelisted |
dns.msftncsi.com |
| shared |
Threats
16 ETPRO signatures available at the full report