analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Redline Stealer.rar

Full analysis: https://app.any.run/tasks/0c30eeff-3ac4-4e7b-b427-b97959f6da1f
Verdict: Malicious activity
Threats:

RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware.

Malware Trends Tracker     >>>
Analysis date: October 05, 2022, 01:31:31
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
redline
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

D7415F1D29E97D582C278CF3DF04ADE4

SHA1:

E4AB5E38EDC6A106CF6ED5A97DED120DF49650EE

SHA256:

4191CD799AD6D4F6D7ABDF79C91172FF042CA4C6ECC53F1F01BE5F673CAA9656

SSDEEP:

49152:03PZM4v/kvGmEr61v/onGCRh3un7ehyl3tR2:036o/uGTr6B/oGCLC33tQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 3884)
      • RedLine.MainPanel-cracked.exe (PID: 2840)

    • Drops executable file immediately after starts

      • WinRAR.exe (PID: 3160)

    • REDLINE detected by memory dumps

      • RedLine.MainPanel-cracked.exe (PID: 2840)

    • Application was dropped or rewritten from another process

      • RedLine.MainPanel-cracked.exe (PID: 2840)

  • SUSPICIOUS

    • Checks supported languages

      • WinRAR.exe (PID: 3160)
      • RedLine.MainPanel-cracked.exe (PID: 2840)

    • Reads the computer name

      • WinRAR.exe (PID: 3160)
      • RedLine.MainPanel-cracked.exe (PID: 2840)

    • Drops a file with a compile date too recent

      • WinRAR.exe (PID: 3160)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3160)

    • Reads Environment values

      • RedLine.MainPanel-cracked.exe (PID: 2840)

  • INFO

    • Manual execution by user

      • RedLine.MainPanel-cracked.exe (PID: 2840)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
3
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe searchprotocolhost.exe no specs #REDLINE redline.mainpanel-cracked.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3160"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Redline Stealer.rar"C:\Program Files\WinRAR\WinRAR.exe
Explorer.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
3884"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\system32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Version:
7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)
2840"C:\Users\admin\Desktop\Redline Stealer\RedLine.MainPanel-cracked.exe" C:\Users\admin\Desktop\Redline Stealer\RedLine.MainPanel-cracked.exe
Explorer.EXE
User:
admin
Integrity Level:
MEDIUM
Description:
RedLinePanel
Version:
1.0.0.0
Total events
2 065
Read events
2 034
Write events
31
Delete events
0

Modification events

(PID) Process:(3160) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(3160) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(3160) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3160) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process:(3160) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(3160) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\Redline Stealer.rar
(PID) Process:(3160) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3160) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3160) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(3160) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
Executable files
14
Suspicious files
5
Text files
7
Unknown types
2

Dropped files

PID
Process
Filename
Type
3160WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3160.15766\Redline Stealer\Libraries\Mono.Cecil.dllexecutable
MD5:7546ACEBC5A5213DEE2A5ED18D7EBC6C
SHA256:7744C9C84C28033BC3606F4DFCE2ADCD6F632E2BE7827893C3E2257100F1CF9E
3160WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3160.15766\Redline Stealer\Libraries\Mono.Cecil.Pdb.dllexecutable
MD5:6CD3ED3DB95D4671B866411DB4950853
SHA256:D67EBD49241041E6B6191703A90D89E68D4465ADCE02C595218B867DF34581A3
3160WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3160.15766\Redline Stealer\Libraries\Mono.Cecil.Mdb.dllexecutable
MD5:DC80F588F513D998A5DF1CA415EDB700
SHA256:90CFC73BEFD43FC3FD876E23DCC3F5CE6E9D21D396BBB346513302E2215DB8C9
3160WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3160.15766\Redline Stealer\Libraries\Bunifu_UI_v1.52.dllexecutable
MD5:5ECA94D909F1BA4C5F3E35AC65A49076
SHA256:DE0E530D46C803D85B8AEB6D18816F1B09CB3DAFEFB5E19FDFA15C9F41E0F474
3160WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3160.15766\Redline Stealer\Libraries\Mono.Cecil.Rocks.pdbbinary
MD5:17E3CCB3A96BE6D93CA3C286CA3B93DC
SHA256:CA54D2395697EFC3163016BBC2BB1E91B13D454B9A5A3EE9A4304012F012E5EB
3160WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3160.15766\Redline Stealer\Libraries\System.Drawing.Pen.dllexecutable
MD5:1D4E91345A76C90E0849C9389E66FE8C
SHA256:1D820D1C1E9D661603CD32177FB128C9A6844FE2492B6FBB3120BD37553663B0
3160WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3160.15766\Redline Stealer\Libraries\MetroSet UI.dllodttf
MD5:F13DC3CFFEF729D26C4DA102674561CF
SHA256:D490C04E6E89462FD46099D3454985F319F57032176C67403B3B92C86CA58BCB
3160WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3160.15766\Redline Stealer\Libraries\RedLine.SharedModels.dllexecutable
MD5:BEE2969583715BFA584D073AC8D98C42
SHA256:5F92DB78E43986F063632FB2CFAFDCE73E5E7E64979900783CA9A00016933375
3160WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3160.15766\Redline Stealer\Libraries\Mono.Cecil.Rocks.dllexecutable
MD5:C8F36848CE8F13084B355C934FC91746
SHA256:A08C040912DF2A3C823ADE85D62239D56ABAA8F788A2684FB9D33961922687C7
3160WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3160.15766\Redline Stealer\Libraries\Mono.Cecil.pdbbinary
MD5:C0A69F1B0C50D4F133CD0B278AC2A531
SHA256:A4F79C99D8923BD6C30EFAFA39363C18BABE95F6609BBAD242BCA44342CCC7BB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Redline Stealer.rar