File name:

gold.exe

Full analysis: https://app.any.run/tasks/dffbee92-23da-4cab-a3f8-f3acfd6b07aa
Verdict: Malicious activity
Threats:

MetaStealer is an info-stealing malware primarily targeting sensitive data like login credentials, payment details, and browser history. It typically infects systems via phishing emails or malicious downloads and can exfiltrate data to a command and control (C2) server. MetaStealer is known for its stealthy techniques, including evasion and persistence mechanisms, which make it difficult to detect. This malware has been actively used in various cyberattacks, particularly for financial theft and credential harvesting from individuals and organizations.

Malware Trends Tracker     >>>
Analysis date: September 09, 2024, 07:42:25
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
stealer
redline
metastealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

2D647CF43622ED10B6D733BB5F048FC3

SHA1:

6B9C5F77A9EF064A23E5018178F982570CBC64C6

SHA256:

41426DD54FCABBF30A68B2AA11AA4F61F3862BEA83109D3E3C50CFEBED1359E6

SSDEEP:

12288:Z98TCE+nEUZIiuaeKEof/yqkb+OpLCcwMlFEEgy:Z9QCE+EUZIiuaeKE2/9kb+OQd6Ff

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • METASTEALER has been detected (SURICATA)

      • RegAsm.exe (PID: 6332)

    • Stealers network behavior

      • RegAsm.exe (PID: 6332)

    • Actions looks like stealing of personal data

      • RegAsm.exe (PID: 6332)

    • Steals credentials from Web Browsers

      • RegAsm.exe (PID: 6332)

    • REDLINE has been detected (SURICATA)

      • RegAsm.exe (PID: 6332)

    • REDLINE has been detected (YARA)

      • RegAsm.exe (PID: 6332)

    • Connects to the CnC server

      • RegAsm.exe (PID: 6332)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • gold.exe (PID: 6636)

    • Connects to unusual port

      • RegAsm.exe (PID: 6332)

    • Starts a Microsoft application from unusual location

      • gold.exe (PID: 6636)

  • INFO

    • Creates files or folders in the user directory

      • RegAsm.exe (PID: 6332)

    • Reads the computer name

      • gold.exe (PID: 6636)
      • RegAsm.exe (PID: 6332)

    • Reads the machine GUID from the registry

      • RegAsm.exe (PID: 6332)

    • Checks supported languages

      • RegAsm.exe (PID: 6332)
      • gold.exe (PID: 6636)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

RedLine

(PID) Process(6332) RegAsm.exe
C2 (1)95.179.250.45:26212
BotnetLiveTraffic
Options
ErrorMessageError! Disable antivirus and try again!
Keys
XorDiphenyl
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (82.9)
.dll | Win32 Dynamic Link Library (generic) (7.4)
.exe | Win32 Executable (generic) (5.1)
.exe | Generic Win/DOS Executable (2.2)
.exe | DOS Executable Generic (2.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:09:03 06:03:58+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 317440
InitializedDataSize: 2560
UninitializedDataSize: -
EntryPoint: 0x4f7ee
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
FileVersionNumber: 10.0.19041.1
ProductVersionNumber: 10.0.19041.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Security Init
FileVersion: 10.0.19041.1 (WinBuild.160101.0800)
InternalName: secinit
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: secinit
ProductName: Microsoft® Windows® Operating System
ProductVersion: 10.0.19041.1
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
122
Monitored processes
4
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start gold.exe no specs conhost.exe no specs regasm.exe no specs #REDLINE regasm.exe

Process information

PID
CMD
Path
Indicators
Parent process
2128"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exegold.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Assembly Registration Utility
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
3184\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exegold.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6332"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
gold.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Assembly Registration Utility
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
RedLine
(PID) Process(6332) RegAsm.exe
C2 (1)95.179.250.45:26212
BotnetLiveTraffic
Options
ErrorMessageError! Disable antivirus and try again!
Keys
XorDiphenyl
6636"C:\Users\admin\Desktop\gold.exe" C:\Users\admin\Desktop\gold.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Security Init
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\users\admin\desktop\gold.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
Total events
1 934
Read events
1 934
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
3
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
6332RegAsm.exeC:\Users\admin\AppData\Local\Temp\TmpB8D9.tmpbinary
MD5:1420D30F964EAC2C85B2CCFE968EEBCE
SHA256:F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
6332RegAsm.exeC:\Users\admin\AppData\Local\Temp\TmpB85B.tmpbinary
MD5:1420D30F964EAC2C85B2CCFE968EEBCE
SHA256:F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
6332RegAsm.exeC:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1693682860-607145093-2874071422-1001\76b53b3ec448f7ccdda2063b15d2bfc3_bb926e54-e3ca-40fd-ae90-2764341e7792dbf
MD5:BBC8DA7D36DF3F91C460984C2ABE8419
SHA256:0399CCF5E780949A63400736A46CCE7D1879903D0F45C6B7D194C960BA4DDDC2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
22
DNS requests
5
Threats
30

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6516
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
6516
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
6516
svchost.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
6332
RegAsm.exe
95.179.250.45:26212
AS-CHOOPA
DE
malicious
6516
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
whitelisted
google.com
  • 142.250.185.142
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted

Threats

PID
Process
Class
Message
6332
RegAsm.exe
Potentially Bad Traffic
ET INFO Microsoft net.tcp Connection Initialization Activity
6332
RegAsm.exe
A Network Trojan was detected
ET MALWARE Redline Stealer TCP CnC Activity
6332
RegAsm.exe
A Network Trojan was detected
ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)
6332
RegAsm.exe
A Network Trojan was detected
ET MALWARE Redline Stealer TCP CnC - Id1Response
6332
RegAsm.exe
A Network Trojan was detected
ET MALWARE Redline Stealer TCP CnC Activity
6332
RegAsm.exe
A Network Trojan was detected
ET MALWARE Redline Stealer TCP CnC Activity
6332
RegAsm.exe
A Network Trojan was detected
ET MALWARE Redline Stealer TCP CnC Activity
6332
RegAsm.exe
A Network Trojan was detected
ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
6332
RegAsm.exe
A Network Trojan was detected
ET MALWARE Redline Stealer TCP CnC Activity
6332
RegAsm.exe
A Network Trojan was detected
ET MALWARE Redline Stealer TCP CnC Activity
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
gold.exe