File name:

Bitcoin Fake Transaction Sender V2.exe

Full analysis: https://app.any.run/tasks/062ba57f-973a-4e26-96b3-325e62e247fb
Verdict: Malicious activity
Threats:

Quasar is a very popular RAT, thanks to its code being available as open source. This malware can be used to control the victim's computer remotely.

Note that this Quasar description is attached on the strength of the network signatures listed under Threats below ("ET TROJAN W32/Quasar 1.3/Venom RAT Connectivity Check"), which sit alongside the external-IP-lookup alerts for ip-api.com. The memory-dump detection and the extracted configuration in this report identify the dropped payload as RedLine.

Analysis date: December 05, 2022, 19:38:53
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
redline
trojan
rat
quasar
evasion
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

E8830D65E516E08E3AFD73C023CF6796

SHA1:

659A1860792BE0E0D108149E3691F400B49B6278

SHA256:

3968429EA2168FA2752AEA15F42FEFA4AD42B54FF8477845DFD259DA5D4568B1

SSDEEP:

12288:9hqMVWe6Atr/M6Q5qr5KstrwtrFXCcBh365D:WMVWe6Atr/85bstkZBY5D

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • Bitcoin Fake Transaction Sender V2.exe (PID: 2436)
    • Application was dropped or rewritten from another process

      • Redline.exe (PID: 3596)
    • REDLINE detected by memory dumps

      • Redline.exe (PID: 3596)
  • SUSPICIOUS

    • Reads the Internet Settings

      • Bitcoin Fake Transaction Sender V2.exe (PID: 2436)
      • Redline.exe (PID: 3596)
    • Reads settings of System Certificates

      • Bitcoin Fake Transaction Sender V2.exe (PID: 2436)
    • Detected use of alternative data streams (AltDS)

      • Bitcoin Fake Transaction Sender V2.exe (PID: 2436)
    • Executable content was dropped or overwritten

      • Bitcoin Fake Transaction Sender V2.exe (PID: 2436)
    • Connects to unusual port

      • Redline.exe (PID: 3596)
  • INFO

    • Reads the computer name

      • Bitcoin Fake Transaction Sender V2.exe (PID: 2436)
      • Redline.exe (PID: 3596)
      • InstallUtil.exe (PID: 3784)
    • Reads Environment values

      • Bitcoin Fake Transaction Sender V2.exe (PID: 2436)
      • Redline.exe (PID: 3596)
    • Checks supported languages

      • Bitcoin Fake Transaction Sender V2.exe (PID: 2436)
      • Redline.exe (PID: 3596)
      • InstallUtil.exe (PID: 3784)

Malware configuration

RedLine
(PID) Process: (3596) Redline.exe
US (153)

Strings from the memory dump of PID 3596 follow. Several of them carry a junk token spliced in several times (for example WanaLife, File.Write, string.Replace, WindowsService, queires, my); the token is stored as a neighbouring string and the sample strips it at runtime with String.Replace / String.Remove, both of which appear in the dump. Other strings are stored split ("Tel" + "egram.exe").
Environment
UNKNOWN
.
1
cmyredmyit_cmyardmys
my
as21
\
Local State
LocalPrefs.json
Host
Port
:
User
Pass
MANGO
%USEWanaLifeRPROFILE%\AppDaWanaLifeta\LWanaLifeocal
WanaLife
Def
Win
String.Replace
String.Remove
windows-1251
AES
Microsoft Primitive Provider
ChainingModeGCM
AuthTagLength
ChainingMode
ObjectLength
KeyDataBlob
BCrypt.BCryptImportKey() failed with status code:{0}
BCrypt.BCryptGetProperty() (get size) failed with status code:{0}
BCrypt.BCryptGetProperty() failed with status code:{0}
-
http://
/
|
Yandex\YaAddon
185.241.208.98:39172
rxgod
,
asf
*wallet*
Armory
\Armory
*.wallet
Atomic
\atomic
*
ibnejdfjmmkpcnlpebklmnkoeoihofec
Tronlink
jbdaocneiiinmjbjlgalhcelgbejmnid
NiftyWallet
nkbihfbeogaeaoehlefnkodbefgpgknn
Metamask
afbcbjpbpfadlkmhmclhkeeodmamcflc
MathWallet
hnfanknocfeofbddgcijnmhnfnkdnaad
Coinbase
fhbohimaelbohpjbbldcngcnapndodjp
BinanceChain
odbfpeeihdkbihmopkbjmoonfanlbfcl
BraveWallet
hpglfhgfnhbgpjdenjgmdgoeiappafln
GuardaWallet
blnieiiffboillknjnepogjhkgnoapac
EqualWallet
cjelfplplebdjjenllpjcblmjkfcffne
JaxxxLiberty
fihkakfobkmkjojpchpfgcmhfjnmnfpi
BitAppWallet
kncchdigobghenbbaddojjnnaogfppfj
iWallet
amkmjjmmflddogmhpjloimipbofnfjih
Wombat
UnknownExtension
_
Local Extension Settings
Coinomi
\Coinomi
Profile_
Tel
egram.exe
\Telegram Desktop\tdata
-*.lo--g
1*.1l1d1b
String
Replace
System.UI
File.IO
*.json
string.Replace
Guarda
\Guarda
%USERPFile.WriteROFILE%\AppFile.WriteData\RoamiFile.Writeng
File.Write
Handler
npvo*
%USERPstring.ReplaceROFILE%\Apstring.ReplacepData\Locastring.Replacel
ToString
(
UNIQUE
"
Width
Height
CopyFromScreen
kernel32
user32.dll
GetConsoleWindow
ShowWindow
SELECT * FROM Win32_Processor
Name
NumberOfCores
root\CIMV2
SELECT * FROM Win32_VideoController
AdapterRAM
ROWindowsServiceOT\SecurityCenteWindowsServicer2
ROWindowsServiceOT\SecurWindowsServiceityCenter
AntqueiresivirusProdqueiresuct
AntqueiresiSpyqueiresWareProdqueiresuct
FiqueiresrewallProqueiresduct
WindowsService
SELECT * FROM
queires
SOFTWARE\WOW6432Node\Clients\StartMenuInternet
SOFTWARE\Clients\StartMenuInternet
shell\open\command
Unknown Version
SELECT * FROM Win32_DiskDrive
SerialNumber
'
ExecutablePath
[
]
0 Mb or 0
SELECT * FROM Win32_OperatingSystem
TotalVisibleMemorySize
{0} MB or {1}
x32
x64
x86
SOFTWARE\Microsoft\Windows NT\CurrentVersion
ProductName
CSDVersion
Unknown
_[
Botnet: rxgod
C2 (1): 185.241.208.98:39172
No Malware configuration.
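The string table above shows the obfuscation scheme and the configuration directly, so recovering both is mechanical. The following is an added example, not ANY.RUN's report code and not the sample's own code: it undoes the junk-token splice for the obfuscated strings listed in the dump (which token belongs to which string is read off the dump, where the token sits next to the string, not guessed), rebuilds the WMI security-center queries whose parts are stored separately, and pulls the C2, botnet tag and targeted wallet extensions out of the dump order. Only strings copied from the dump above are used as input.

```python
"""
Recover RedLine strings and configuration from the PID 3596 memory-dump
string table printed in the report. Added example; not the report's or the
sample's own code. Splice tokens are taken from the dump (each token is stored
as a string next to the strings it was spliced into).
"""
import re
from typing import Dict, List, Tuple

# (obfuscated string, junk token) pairs copied verbatim from the string dump.
JUNK_PAIRS: List[Tuple[str, str]] = [
    ("cmyredmyit_cmyardmys", "my"),
    ("%USEWanaLifeRPROFILE%\\AppDaWanaLifeta\\LWanaLifeocal", "WanaLife"),
    ("%USERPFile.WriteROFILE%\\AppFile.WriteData\\RoamiFile.Writeng", "File.Write"),
    ("%USERPstring.ReplaceROFILE%\\Apstring.ReplacepData\\Locastring.Replacel", "string.Replace"),
    ("ROWindowsServiceOT\\SecurityCenteWindowsServicer2", "WindowsService"),
    ("ROWindowsServiceOT\\SecurWindowsServiceityCenter", "WindowsService"),
    ("AntqueiresivirusProdqueiresuct", "queires"),
    ("AntqueiresiSpyqueiresWareProdqueiresuct", "queires"),
    ("FiqueiresrewallProqueiresduct", "queires"),
    ("-*.lo--g", "-"),
    ("1*.1l1d1b", "1"),
]

# Contiguous slice of the same dump, from the C2 string to the last wallet
# extension, copied verbatim. Order matters: the botnet tag follows the C2
# and each wallet name follows its Chromium extension ID.
DUMP_LINES: List[str] = [
    "Yandex\\YaAddon",
    "185.241.208.98:39172",
    "rxgod",
    ",", "asf", "*wallet*", "Armory", "\\Armory", "*.wallet",
    "Atomic", "\\atomic", "*",
    "ibnejdfjmmkpcnlpebklmnkoeoihofec", "Tronlink",
    "jbdaocneiiinmjbjlgalhcelgbejmnid", "NiftyWallet",
    "nkbihfbeogaeaoehlefnkodbefgpgknn", "Metamask",
    "afbcbjpbpfadlkmhmclhkeeodmamcflc", "MathWallet",
    "hnfanknocfeofbddgcijnmhnfnkdnaad", "Coinbase",
    "fhbohimaelbohpjbbldcngcnapndodjp", "BinanceChain",
    "odbfpeeihdkbihmopkbjmoonfanlbfcl", "BraveWallet",
    "hpglfhgfnhbgpjdenjgmdgoeiappafln", "GuardaWallet",
    "blnieiiffboillknjnepogjhkgnoapac", "EqualWallet",
    "cjelfplplebdjjenllpjcblmjkfcffne", "JaxxxLiberty",
    "fihkakfobkmkjojpchpfgcmhfjnmnfpi", "BitAppWallet",
    "kncchdigobghenbbaddojjnnaogfppfj", "iWallet",
    "amkmjjmmflddogmhpjloimipbofnfjih", "Wombat",
    "UnknownExtension",
]

EXT_ID = re.compile(r"^[a-p]{32}$")          # Chromium extension IDs use only a-p
C2_ADDR = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def strip_junk(obfuscated: str, token: str) -> str:
    """Undo the splice the way the sample does: String.Replace(token, "")."""
    if not token or token not in obfuscated:
        raise ValueError(f"token {token!r} does not occur in {obfuscated!r}")
    return obfuscated.replace(token, "")


def recover_strings(pairs: List[Tuple[str, str]] = JUNK_PAIRS) -> Dict[str, str]:
    """Map every obfuscated string to its cleartext."""
    return {obf: strip_junk(obf, tok) for obf, tok in pairs}


def security_center_queries(recovered: Dict[str, str]) -> List[Tuple[str, str]]:
    """Rebuild the WMI queries used to enumerate AV/antispyware/firewall products.
    The dump stores "SELECT * FROM", the class names and the namespaces apart,
    so every namespace/class combination is produced."""
    clear = set(recovered.values())
    namespaces = sorted(v for v in clear if v.startswith("ROOT\\SecurityCenter"))
    classes = sorted(v for v in clear if v.endswith("Product"))
    return [(ns, f"SELECT * FROM {cls}") for ns in namespaces for cls in classes]


def extract_config(lines: List[str] = DUMP_LINES) -> dict:
    """Pull C2, botnet tag and targeted wallet extensions out of the dump order."""
    cfg = {"c2": [], "botnet": None, "extensions": {}}
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else None
        m = C2_ADDR.match(line)
        if m:
            cfg["c2"].append((m.group(1), int(m.group(2))))
            cfg["botnet"] = nxt            # tag is stored right after the C2 here
        elif EXT_ID.match(line) and nxt:
            cfg["extensions"][line] = nxt   # wallet name follows its extension ID
    return cfg


if __name__ == "__main__":
    recovered = recover_strings()
    for obf, clear in recovered.items():
        print(f"{obf!r:72} -> {clear!r}")
    for ns, query in security_center_queries(recovered):
        print(ns, query)
    print(extract_config())
```

Recovered strings include credit_cards, %USERPROFILE%\AppData\Local, %USERPROFILE%\AppData\Roaming, ROOT\SecurityCenter2, AntivirusProduct, *.log and *.ldb (the LevelDB file patterns used to collect the "Local Extension Settings" of the listed wallet extensions).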

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 1997-Jul-01 10:23:51 (not plausible for a .NET 4 assembly whose version resource claims Copyright © 2022; treat the PE timestamp as forged or otherwise meaningless)
Comments:
CompanyName:
FileDescription: Infinity2K
FileVersion: 1.0.0.0
InternalName: Infinity2K.exe
LegalCopyright: Copyright © 2022 By Infinity2K
LegalTrademarks:
OriginalFilename: Infinity2K.exe
ProductName: Infinity2K
ProductVersion: 1.0.0.0
Assembly Version: 1.0.0.0

DOS Header

e_magic: MZ
e_cblp: 144
e_cp: 3
e_crlc: 0
e_cparhdr: 4
e_minalloc: 0
e_maxalloc: 65535
e_ss: 0
e_sp: 184
e_csum: 0
e_ip: 0
e_cs: 0
e_ovno: 0
e_oemid: 0
e_oeminfo: 0
e_lfanew: 128

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 3
TimeDateStamp: 1997-Jul-01 10:23:51
PointerToSymbolTable: 0
NumberOfSymbols: 0
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

Name    Virtual Address  Virtual Size  Raw Size  Characteristics                                                                Entropy
.text   8192             877268        877568    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ                  6.59163
.rsrc   892928           72109         72192     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ                             5.26493
.reloc  966656           12            512       IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ  0.10191

Resources

Title   Entropy  Size   Codepage  Language  Type
1       3.2666   840    UNKNOWN   UNKNOWN   RT_VERSION
50      5.11793  67624  UNKNOWN   UNKNOWN   RT_ICON
32512   2.16096  20     UNKNOWN   UNKNOWN   RT_GROUP_ICON
1 (#2)  4.98865  3321   UNKNOWN   UNKNOWN   RT_MANIFEST

Imports

mscoree.dll
No data.
Total processes: 36
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Bitcoin Fake Transaction Sender V2.exe (PID 2436)
  drop and start -> Redline.exe (PID 3596) #REDLINE
  start -> InstallUtil.exe (PID 3784) (no specs)

Process information

PID: 2436
CMD: "C:\Users\admin\AppData\Local\Temp\Bitcoin Fake Transaction Sender V2.exe"
Path: C:\Users\admin\AppData\Local\Temp\Bitcoin Fake Transaction Sender V2.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: MEDIUM
Description: Infinity2K
Exit code: 0
Version: 1.0.0.0
Modules (images):
  c:\windows\system32\ntdll.dll
  c:\windows\system32\mscoree.dll
  c:\users\admin\appdata\local\temp\bitcoin fake transaction sender v2.exe
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 3596
CMD: "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Redline.exe"
Path: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Redline.exe
Parent process: Bitcoin Fake Transaction Sender V2.exe
User: admin
Integrity Level: MEDIUM
Description:
Version: 0.0.0.0
Modules (images):
  c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\redline.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\mscoree.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 3784
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Parent process: Bitcoin Fake Transaction Sender V2.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: .NET Framework installation utility
Version: 4.0.30319.34209 built by: FX452RTMGDR
Modules (images):
  c:\windows\microsoft.net\framework\v4.0.30319\installutil.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\mscoree.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

Note on PID 3784: the dropper starts this signed Microsoft utility with no command-line arguments, and the report records no further indicators for it ("no specs" in the behavior graph). An argument-less InstallUtil.exe spawned by a binary running from a user-writable path is a common host for injected code in .NET loaders, so it is worth checking in the full report, but this report does not show injection into it.

Total events: 4 282
Read events: 4 236
Write events: 46
Delete events: 0

Modification events

All ten writes are by PID 2436 (Bitcoin Fake Transaction Sender V2.exe) under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\. Values are left blank where the report shows none.

Key                                          Name                  Value
Bitcoin Fake Transaction Sender V2_RASAPI32  EnableFileTracing     0
Bitcoin Fake Transaction Sender V2_RASAPI32  EnableConsoleTracing  0
Bitcoin Fake Transaction Sender V2_RASAPI32  FileTracingMask
Bitcoin Fake Transaction Sender V2_RASAPI32  ConsoleTracingMask
Bitcoin Fake Transaction Sender V2_RASAPI32  MaxFileSize           1048576
Bitcoin Fake Transaction Sender V2_RASAPI32  FileDirectory         %windir%\tracing
Bitcoin Fake Transaction Sender V2_RASMANCS  EnableFileTracing     0
Bitcoin Fake Transaction Sender V2_RASMANCS  EnableConsoleTracing  0
Bitcoin Fake Transaction Sender V2_RASMANCS  FileTracingMask
Bitcoin Fake Transaction Sender V2_RASMANCS  ConsoleTracingMask

These <exe name>_RASAPI32 / _RASMANCS keys are written by the RAS API tracing layer the first time a process touches the RAS/WinInet networking stack; they are a side effect of the dropper's outbound connection (see Connections below), not a persistence mechanism.
Executable files: 1
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID: 2436
Process: Bitcoin Fake Transaction Sender V2.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Redline.exe
Type: executable
MD5: C81C150FB2FAF796443878CA6AF0A745
SHA256: AD326E47D5B9174EB47E892DC3EDFD5E39F9ECE91F63A1B556FBAE41A8B56439
HTTP(S) requests: 0
TCP/UDP connections: 12 (only two are itemised in the Connections table below)
DNS requests: 2
Threats: 8

HTTP requests

No HTTP requests

Connections

PID   Process                                  IP:port               Domain          ASN                    CN  Reputation
2436  Bitcoin Fake Transaction Sender V2.exe   142.250.185.68:443    www.google.com  GOOGLE                 US  whitelisted
3596  Redline.exe                              185.241.208.98:39172                  Meverywhere sp. z o.o. NL  malicious

DNS requests

Domain            IP               Reputation
www.google.com    142.250.185.68   whitelisted
dns.msftncsi.com  131.107.255.255  shared

Threats

The report does not attribute these alerts to a PID or process.

Class                                  Message
Potentially Bad Traffic                ET INFO External IP Lookup Domain (freegeiop .net in DNS lookup)
A Network Trojan was detected          ET TROJAN W32/Quasar 1.3/Venom RAT Connectivity Check 3
A Network Trojan was detected          ET TROJAN W32/Quasar 1.3/Venom RAT Connectivity Check 2
Potential Corporate Privacy Violation  ET POLICY External IP Lookup ip-api.com
A Network Trojan was detected          ET TROJAN Common RAT Connectivity Check Observed
Potential Corporate Privacy Violation  AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
2 ETPRO signatures available at the full report

The external-IP lookups these signatures fired on (ip-api.com and the geolocation domain in the first alert) do not appear among the two DNS requests listed above, and no HTTP request is itemised, so the PCAP in the full report is needed to see which process made them. The Quasar/Venom "connectivity check" signatures are keyed to that lookup pattern, which several RAT and stealer families share; the memory dump and the extracted configuration identify the payload as RedLine.
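The behaviour recorded in this report (an executable dropped under Start Menu\Programs and started by the process that wrote it, InstallUtil.exe launched with no arguments by the dropper, and a connection to 185.241.208.98:39172) translates directly into host-side detection logic. The following is an added example, not ANY.RUN's code: three rules run over a handful of constructed, Sysmon-style events that mirror the process tree, dropped file and connections above. The event schema (event, pid, ppid, image, parent_image, cmdline, target, dest_ip, dest_port) is a simplified one of my own rather than Sysmon's XML, and the USUAL_PORTS set that backs the "unusual port" check is an assumption for the example, not the sandbox's definition.

```python
"""
Detection logic for the behaviour in this report, run over constructed
Sysmon-style telemetry. Added example, not ANY.RUN's code. Event schema and
USUAL_PORTS are assumptions made for the example.
"""
from typing import Dict, List, Tuple

DROPPER = r"C:\Users\admin\AppData\Local\Temp\Bitcoin Fake Transaction Sender V2.exe"
REDLINE = r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Redline.exe"
INSTALLUTIL = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

# Constructed events in order of occurrence, mirroring the report's process
# tree (PIDs 2436, 3596, 3784), dropped file and connection table.
EVENTS: List[Dict] = [
    {"event": "process_create", "pid": 2436, "ppid": 1234, "image": DROPPER,
     "parent_image": r"C:\Windows\Explorer.EXE", "cmdline": f'"{DROPPER}"'},
    {"event": "network_connect", "pid": 2436, "image": DROPPER,
     "dest_ip": "142.250.185.68", "dest_port": 443},
    {"event": "file_create", "pid": 2436, "image": DROPPER, "target": REDLINE},
    {"event": "process_create", "pid": 3596, "ppid": 2436, "image": REDLINE,
     "parent_image": DROPPER, "cmdline": f'"{REDLINE}"'},
    {"event": "process_create", "pid": 3784, "ppid": 2436, "image": INSTALLUTIL,
     "parent_image": DROPPER, "cmdline": f'"{INSTALLUTIL}"'},
    {"event": "network_connect", "pid": 3596, "image": REDLINE,
     "dest_ip": "185.241.208.98", "dest_port": 39172},
]

# IOC from the extracted configuration / connection table in the report.
C2_IOCS = {("185.241.208.98", 39172)}
# Assumed "usual" destination ports; anything else from a user-writable path is flagged.
USUAL_PORTS = {53, 80, 123, 135, 139, 443, 445, 587, 993, 995, 8080}


def _user_writable(path: str) -> bool:
    p = path.lower()
    return "\\appdata\\" in p or "\\temp\\" in p or "\\users\\public\\" in p


def rule_dropped_then_executed(events: List[Dict]) -> List[Tuple[int, str]]:
    """A process writes an .exe under the user's Start Menu\\Programs folder and
    then spawns it (the Redline.exe drop-and-start in the report)."""
    hits, written = [], {}          # written: lowercased target path -> writer pid
    for e in events:
        if e["event"] == "file_create":
            t = e["target"].lower()
            if t.endswith(".exe") and "\\start menu\\programs\\" in t:
                written[t] = e["pid"]
        elif e["event"] == "process_create":
            writer = written.get(e["image"].lower())
            if writer is not None and writer == e["ppid"]:
                hits.append((e["pid"], e["image"]))
    return hits


def rule_installutil_no_args(events: List[Dict]) -> List[Tuple[int, str]]:
    """InstallUtil.exe started with no arguments by a parent outside C:\\Windows."""
    hits = []
    for e in events:
        if e["event"] != "process_create" or not e["image"].lower().endswith("\\installutil.exe"):
            continue
        cmd = e["cmdline"].strip()
        if cmd.startswith('"'):                       # drop the quoted program path
            args = cmd[cmd.find('"', 1) + 1:]
        else:
            args = cmd.split(" ", 1)[1] if " " in cmd else ""
        if not args.strip() and not e["parent_image"].lower().startswith("c:\\windows\\"):
            hits.append((e["pid"], e["parent_image"]))
    return hits


def rule_network(events: List[Dict]) -> List[Tuple[int, str]]:
    """Known C2 IOC first; otherwise a non-standard port from a user-writable image."""
    hits = []
    for e in events:
        if e["event"] != "network_connect":
            continue
        if (e["dest_ip"], e["dest_port"]) in C2_IOCS:
            hits.append((e["pid"], "c2_ioc"))
        elif e["dest_port"] not in USUAL_PORTS and _user_writable(e["image"]):
            hits.append((e["pid"], "unusual_port"))
    return hits


def run_all(events: List[Dict] = EVENTS) -> Dict[str, list]:
    """Run every rule and return the hits keyed by rule name."""
    return {
        "dropped_then_executed": rule_dropped_then_executed(events),
        "installutil_no_args": rule_installutil_no_args(events),
        "network": rule_network(events),
    }


if __name__ == "__main__":
    for name, hits in run_all().items():
        print(f"{name}: {hits}")
```

The Google connection from the dropper on port 443 produces no alert, so the rules separate the benign connectivity check from the C2 traffic on the unusual port 39172; the InstallUtil rule keys on the empty argument list and a non-Windows parent rather than on the parent's name, so it also catches the same pattern under a different dropper filename.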
No debug info