| File name: | BFFar.rar |
| Full analysis: | https://app.any.run/tasks/87ba69ca-c998-4569-ba73-a58ba215325d |
| Verdict: | Malicious activity |
| Threats: | RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware. |
| Analysis date: | November 14, 2023, 11:40:00 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-rar |
| File info: | RAR archive data, v5 |
| MD5: | 4B6BFDCD9C51B9BB19E2DB2BDA1B829D |
| SHA1: | 621882D6C5C0B9B82187983D3A29861F6DA5CC51 |
| SHA256: | 3BF638FA2262C346F27DD74281A581A188FD227C0874FD24C2173EC6F67B19C4 |
| SSDEEP: | 98304:l1YXlyRyJCTpGqYRkQAtu0YKwafRDdo8J2o1iARDqlP0DIRq1d8Q6YLu7fsPxn0V:zRTEFuyvkOcb97peYsSZSs9Vb6 |
MALICIOUS
Drops the executable file immediately after the start
- BFruits Script.exe (PID: 3572)
- cmd.exe (PID: 3812)
- Refers.pif (PID: 3928)
- BFruits Script.exe (PID: 4080)
- cmd.exe (PID: 2116)
- Refers.pif (PID: 3808)
REDLINE has been detected (SURICATA)
- jsc.exe (PID: 4040)
- jsc.exe (PID: 2312)
REDLINE has been detected (YARA)
- jsc.exe (PID: 4040)
- jsc.exe (PID: 2312)
Steals credentials from Web Browsers
- jsc.exe (PID: 4040)
- jsc.exe (PID: 2312)
Connects to the CnC server
- jsc.exe (PID: 4040)
- jsc.exe (PID: 2312)
POVERTYSTEALER has been detected (SURICATA)
- loader.exe (PID: 2484)
Actions looks like stealing of personal data
- jsc.exe (PID: 2312)
- loader.exe (PID: 2484)
- loader.exe (PID: 2864)
- loader.exe (PID: 2964)
- jsc.exe (PID: 4040)
SUSPICIOUS
Starts CMD.EXE for commands execution
- BFruits Script.exe (PID: 3572)
- cmd.exe (PID: 3576)
- cmd.exe (PID: 3424)
- BFruits Script.exe (PID: 4080)
- cmd.exe (PID: 4052)
- cmd.exe (PID: 4036)
Application launched itself
- cmd.exe (PID: 3576)
- cmd.exe (PID: 3424)
- cmd.exe (PID: 4052)
- cmd.exe (PID: 4036)
Get information on the list of running processes
- cmd.exe (PID: 3424)
- cmd.exe (PID: 4036)
Using 'findstr.exe' to search for text patterns in files and output
- cmd.exe (PID: 3424)
- cmd.exe (PID: 4036)
Drops the AutoIt3 executable file
- cmd.exe (PID: 3812)
- cmd.exe (PID: 2116)
Starts application with an unusual extension
- cmd.exe (PID: 3424)
- cmd.exe (PID: 4036)
Runs PING.EXE to delay simulation
- cmd.exe (PID: 3424)
- cmd.exe (PID: 4036)
Process drops legitimate windows executable
- Refers.pif (PID: 3928)
- Refers.pif (PID: 3808)
Connects to unusual port
- jsc.exe (PID: 4040)
- jsc.exe (PID: 2312)
- loader.exe (PID: 2484)
- loader.exe (PID: 2864)
- loader.exe (PID: 2964)
Searches for installed software
- jsc.exe (PID: 4040)
- jsc.exe (PID: 2312)
Reads browser cookies
- jsc.exe (PID: 4040)
- jsc.exe (PID: 2312)
INFO
Create files in a temporary directory
- BFruits Script.exe (PID: 3572)
- Refers.pif (PID: 3928)
- BFruits Script.exe (PID: 4080)
- Refers.pif (PID: 3808)
Manual execution by a user
- BFruits Script.exe (PID: 3572)
- BFruits Script.exe (PID: 4080)
- jsc.exe (PID: 4040)
- wmpnscfg.exe (PID: 528)
- jsc.exe (PID: 2312)
- notepad.exe (PID: 2644)
- notepad.exe (PID: 1812)
- notepad.exe (PID: 2784)
- loader.exe (PID: 2484)
- loader.exe (PID: 2864)
- loader.exe (PID: 2964)
Checks supported languages
- BFruits Script.exe (PID: 3572)
- Refers.pif (PID: 3928)
- BFruits Script.exe (PID: 4080)
- Refers.pif (PID: 3808)
- jsc.exe (PID: 4040)
- wmpnscfg.exe (PID: 528)
- jsc.exe (PID: 2312)
- loader.exe (PID: 2484)
- loader.exe (PID: 2864)
- loader.exe (PID: 2964)
Drops the executable file immediately after the start
- WinRAR.exe (PID: 3428)
The executable file from the user directory is run by the CMD process
- Refers.pif (PID: 3928)
- Refers.pif (PID: 3808)
Reads mouse settings
- Refers.pif (PID: 3928)
- Refers.pif (PID: 3808)
Reads the computer name
- Refers.pif (PID: 3928)
- Refers.pif (PID: 3808)
- wmpnscfg.exe (PID: 528)
- jsc.exe (PID: 4040)
- jsc.exe (PID: 2312)
- loader.exe (PID: 2484)
- loader.exe (PID: 2864)
- loader.exe (PID: 2964)
Reads product name
- jsc.exe (PID: 4040)
- jsc.exe (PID: 2312)
Reads Environment values
- jsc.exe (PID: 4040)
- jsc.exe (PID: 2312)
Reads the machine GUID from the registry
- wmpnscfg.exe (PID: 528)
- jsc.exe (PID: 4040)
- jsc.exe (PID: 2312)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
RedLine
(PID) Process(4040) jsc.exe
C2 (1)45.15.156.142:33597
Botnet@Maksimus33
Err_msg
Auth_value3c05a8664d756c04ba672065496ef669
US (14)
net.tcp://
/
localhost
3c05a8664d756c04ba672065496ef669
Authorization
ns1
HC07Eio9IQYfPTtVKwMxQx8DAR0qEyFGHB5TWg==
AyxfDwZaOgMwMTgdKhM5Tg==
Ringgits
(PID) Process(2312) jsc.exe
C2 (1)45.15.156.142:33597
Botnet@Maksimus33
Err_msg
Auth_value3c05a8664d756c04ba672065496ef669
US (14)
net.tcp://
/
localhost
3c05a8664d756c04ba672065496ef669
Authorization
ns1
HC07Eio9IQYfPTtVKwMxQx8DAR0qEyFGHB5TWg==
AyxfDwZaOgMwMTgdKhM5Tg==
Ringgits
TRiD
| .rar | | | RAR compressed archive (v5.0) (61.5) |
|---|---|---|
| .rar | | | RAR compressed archive (gen) (38.4) |
Total processes
85
Monitored processes
34
Malicious processes
13
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 528 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 756 | ping -n 5 localhost | C:\Windows\System32\PING.EXE | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: TCP/IP Ping Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1812 | "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\Blox Fruits\.txt | C:\Windows\System32\notepad.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2116 | cmd /c copy /b Endless + Rail + Simulations + Beatles + Championships 2828\Refers.pif | C:\Windows\System32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2312 | C:\Users\admin\AppData\Local\Temp\2797\2828\jsc.exe | C:\Users\admin\AppData\Local\Temp\2797\2828\jsc.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: jsc.exe Exit code: 0 Version: 12.0.51209.34209 built by: FX452RTMGDR Modules
RedLine(PID) Process(2312) jsc.exe C2 (1)45.15.156.142:33597 Botnet@Maksimus33 Err_msg Auth_value3c05a8664d756c04ba672065496ef669 US (14) net.tcp:// / localhost 3c05a8664d756c04ba672065496ef669 Authorization ns1 HC07Eio9IQYfPTtVKwMxQx8DAR0qEyFGHB5TWg== AyxfDwZaOgMwMTgdKhM5Tg== Ringgits | |||||||||||||||
| 2484 | "C:\Users\admin\Desktop\Blox Fruits\Method 2\loader.exe" | C:\Users\admin\Desktop\Blox Fruits\Method 2\loader.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 2644 | "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\Blox Fruits\0jdnnqdx0h.txt | C:\Windows\System32\notepad.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2784 | "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\Blox Fruits\34.txt | C:\Windows\System32\notepad.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2864 | "C:\Users\admin\Desktop\Blox Fruits\Method 2\loader.exe" | C:\Users\admin\Desktop\Blox Fruits\Method 2\loader.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 2964 | "C:\Users\admin\Desktop\Blox Fruits\Method 2\loader.exe" | C:\Users\admin\Desktop\Blox Fruits\Method 2\loader.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
Total events
4 851
Read events
4 792
Write events
20
Delete events
39
Modification events
| (PID) Process: | (3428) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\17A\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3428) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
| (PID) Process: | (3428) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (3428) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (3428) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (3428) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (3428) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (3428) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (3428) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin |
| Operation: | write | Name: | Placement |
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000 | |||
| (PID) Process: | (3428) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\General |
| Operation: | write | Name: | LastFolder |
Value: C:\Users\admin\Desktop | |||
Executable files
9
Suspicious files
10
Text files
11
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3428 | WinRAR.exe | C:\Users\admin\Desktop\Blox Fruits\Client.config | — | |
MD5:— | SHA256:— | |||
| 3428 | WinRAR.exe | C:\Users\admin\Desktop\Blox Fruits\ai.cfg | text | |
MD5:73ED0E22C8CC70ED93DFD0C1B8F81E19 | SHA256:DB9EC7AE21D140904D44D6E6550C0C964E32EF11C055696B355835905C9C3A53 | |||
| 3428 | WinRAR.exe | C:\Users\admin\Desktop\Blox Fruits\.txt | binary | |
MD5:A6C0B3622F0B7AE2F78069F64DFB10A4 | SHA256:60C4707AC6767F079E53AA507E8F8008D94A87A0C6726CB9D8BB2E153DDFEC29 | |||
| 3572 | BFruits Script.exe | C:\Users\admin\AppData\Local\Temp\49504\Endless | executable | |
MD5:D1B8E3DDED92E3E7EA8073AE615FD9E7 | SHA256:9F34CF3450224C87F62DB2313F766FFA84D3FC954977DC61D61783EA4E4A24BF | |||
| 3428 | WinRAR.exe | C:\Users\admin\Desktop\Blox Fruits\Method 2\loader.exe | executable | |
MD5:2BAFD1C5D1F1FA48157358BF4C705B35 | SHA256:5711D48D1C1A4ACCB0076188B7F11E9921619614369B0D0CFC8CFA191A881C58 | |||
| 3428 | WinRAR.exe | C:\Users\admin\Desktop\Blox Fruits\binkawin.asi | executable | |
MD5:D51B5B46735B25C2D8372608159ED1A9 | SHA256:DD68562B5E4686E1A07603057DB7A12040821BEADD81D142BFB6A57D2DE45DDB | |||
| 3428 | WinRAR.exe | C:\Users\admin\Desktop\Blox Fruits\cacert.pem | text | |
MD5:39F89143815797C4A41C62F30F137094 | SHA256:5513AA54AFE134569E08B27AA61E60E888AB31D9E112F8C5881ADBAECC817678 | |||
| 3428 | WinRAR.exe | C:\Users\admin\Desktop\Blox Fruits\config.vdf | text | |
MD5:BB23E26ED15C9951460513EFDB0B7AC7 | SHA256:9FCE8B4AC41455418615F2785199F72D7FE6CE39D8CD9182027A752C4F26D04A | |||
| 3572 | BFruits Script.exe | C:\Users\admin\AppData\Local\Temp\49504\Rail | binary | |
MD5:5548B95B6FC4AAB2B874EC4B205CA0FB | SHA256:001C53DFB1CC9BED7D5A0F549987D10229AD68D95C9F261CA92725A9438038A5 | |||
| 3428 | WinRAR.exe | C:\Users\admin\Desktop\Blox Fruits\BFruits Script.exe | executable | |
MD5:8E370C99412B4314F530F64C3939B5B8 | SHA256:C39F8D7B0A96565E50B46D03083CFB61E9AB4FB9D1556F5F5AF25C12457ECC67 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
9
DNS requests
1
Threats
19
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
2588 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
4040 | jsc.exe | 45.15.156.142:33597 | — | Galaxy LLC | RU | malicious |
2312 | jsc.exe | 45.15.156.142:33597 | — | Galaxy LLC | RU | malicious |
2484 | loader.exe | 146.70.169.164:2227 | — | — | RO | unknown |
2864 | loader.exe | 146.70.169.164:2227 | — | — | RO | unknown |
2964 | loader.exe | 146.70.169.164:2227 | — | — | RO | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
qwZCNiDTZYrQbGo.qwZCNiDTZYrQbGo |
| unknown |
Threats
PID | Process | Class | Message |
|---|---|---|---|
4040 | jsc.exe | Potentially Bad Traffic | ET INFO Microsoft net.tcp Connection Initialization Activity |
4040 | jsc.exe | A Network Trojan was detected | ET MALWARE Redline Stealer TCP CnC Activity |
4040 | jsc.exe | A Network Trojan was detected | ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) |
4040 | jsc.exe | A Network Trojan was detected | ET MALWARE Redline Stealer TCP CnC - Id1Response |
4040 | jsc.exe | A Network Trojan was detected | ET MALWARE Redline Stealer TCP CnC Activity |
4040 | jsc.exe | A Network Trojan was detected | ET MALWARE Redline Stealer Activity (Response) |
4040 | jsc.exe | A Network Trojan was detected | ET MALWARE Redline Stealer TCP CnC Activity |
4040 | jsc.exe | Successful Credential Theft Detected | SUSPICIOUS [ANY.RUN] Clear Text Password Exfiltration Atempt |
4040 | jsc.exe | Successful Credential Theft Detected | SUSPICIOUS [ANY.RUN] Clear Text Password Exfiltration Atempt |
4040 | jsc.exe | A Network Trojan was detected | ET MALWARE Redline Stealer TCP CnC Activity |