analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Redline Stealer.rar

Full analysis: https://app.any.run/tasks/2a8566ab-ea93-4a71-ae02-a861c5e2ede3
Verdict: Malicious activity
Threats:

RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware.

Malware Trends Tracker     >>>
Analysis date: October 05, 2022, 01:33:28
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
redline
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

D7415F1D29E97D582C278CF3DF04ADE4

SHA1:

E4AB5E38EDC6A106CF6ED5A97DED120DF49650EE

SHA256:

4191CD799AD6D4F6D7ABDF79C91172FF042CA4C6ECC53F1F01BE5F673CAA9656

SSDEEP:

49152:03PZM4v/kvGmEr61v/onGCRh3un7ehyl3tR2:036o/uGTr6B/oGCLC33tQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 3836)
      • SearchProtocolHost.exe (PID: 3284)
      • RedLine.MainPanel-cracked.exe (PID: 3232)
      • RedLine.MainPanel-cracked.exe (PID: 3652)

    • Drops executable file immediately after starts

      • WinRAR.exe (PID: 1524)

    • Application was dropped or rewritten from another process

      • RedLine.MainPanel-cracked.exe (PID: 3232)
      • RedLine.MainPanel-cracked.exe (PID: 3652)

    • REDLINE detected by memory dumps

      • RedLine.MainPanel-cracked.exe (PID: 3232)
      • RedLine.MainPanel-cracked.exe (PID: 3652)

  • SUSPICIOUS

    • Checks supported languages

      • WinRAR.exe (PID: 1524)
      • RedLine.MainPanel-cracked.exe (PID: 3232)
      • RedLine.MainPanel-cracked.exe (PID: 3652)
      • cmd.exe (PID: 1164)

    • Reads the computer name

      • WinRAR.exe (PID: 1524)
      • RedLine.MainPanel-cracked.exe (PID: 3232)
      • RedLine.MainPanel-cracked.exe (PID: 3652)

    • Drops a file with a compile date too recent

      • WinRAR.exe (PID: 1524)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1524)

    • Executed as Windows Service

      • SearchIndexer.exe (PID: 2640)

    • Creates files in the program directory

      • SearchIndexer.exe (PID: 2640)

    • Reads Environment values

      • RedLine.MainPanel-cracked.exe (PID: 3232)
      • netsh.exe (PID: 3640)

    • Uses NETSH.EXE for network configuration

      • cmd.exe (PID: 1164)

  • INFO

    • Manual execution by user

      • verclsid.exe (PID: 2496)
      • RedLine.MainPanel-cracked.exe (PID: 3232)
      • RedLine.MainPanel-cracked.exe (PID: 3652)
      • cmd.exe (PID: 1164)
      • msconfig.exe (PID: 2188)
      • msconfig.exe (PID: 3560)

    • Reads the computer name

      • SearchProtocolHost.exe (PID: 3284)
      • SearchIndexer.exe (PID: 2640)
      • SearchFilterHost.exe (PID: 3168)
      • SearchProtocolHost.exe (PID: 3856)
      • netsh.exe (PID: 3640)
      • msconfig.exe (PID: 2188)

    • Checks supported languages

      • SearchIndexer.exe (PID: 2640)
      • verclsid.exe (PID: 2496)
      • SearchFilterHost.exe (PID: 3168)
      • SearchProtocolHost.exe (PID: 3284)
      • SearchProtocolHost.exe (PID: 3856)
      • netsh.exe (PID: 3640)
      • msconfig.exe (PID: 2188)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
53
Monitored processes
13
Malicious processes
6
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe searchprotocolhost.exe no specs verclsid.exe no specs searchindexer.exe no specs searchprotocolhost.exe no specs searchfilterhost.exe no specs searchprotocolhost.exe no specs #REDLINE redline.mainpanel-cracked.exe no specs #REDLINE redline.mainpanel-cracked.exe no specs cmd.exe no specs netsh.exe no specs msconfig.exe no specs msconfig.exe

Process information

PID
CMD
Path
Indicators
Parent process
1524"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Redline Stealer.rar"C:\Program Files\WinRAR\WinRAR.exe
Explorer.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
3836"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\system32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Exit code:
0
Version:
7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)
2496"C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401C:\Windows\system32\verclsid.exeExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Extension CLSID Verification Host
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2640C:\Windows\system32\SearchIndexer.exe /EmbeddingC:\Windows\system32\SearchIndexer.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Indexer
Exit code:
0
Version:
7.00.7600.16385 (win7_rtm.090713-1255)
3284"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\system32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Exit code:
0
Version:
7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)
3168"C:\Windows\system32\SearchFilterHost.exe" 0 520 524 532 65536 528 C:\Windows\system32\SearchFilterHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Windows Search Filter Host
Exit code:
0
Version:
7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)
3856"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-1302019708-1500728564-335382590-10002_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-1302019708-1500728564-335382590-10002 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"C:\Windows\system32\SearchProtocolHost.exeSearchIndexer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Windows Search Protocol Host
Exit code:
0
Version:
7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)
3232"C:\Users\admin\Desktop\Redline Stealer\RedLine.MainPanel-cracked.exe" C:\Users\admin\Desktop\Redline Stealer\RedLine.MainPanel-cracked.exe
Explorer.EXE
User:
admin
Integrity Level:
MEDIUM
Description:
RedLinePanel
Version:
1.0.0.0
3652"C:\Users\admin\Desktop\Redline Stealer\RedLine.MainPanel-cracked.exe" C:\Users\admin\Desktop\Redline Stealer\RedLine.MainPanel-cracked.exe
Explorer.EXE
User:
admin
Integrity Level:
MEDIUM
Description:
RedLinePanel
Version:
1.0.0.0
1164C:\Windows\system32\cmd.exe /c ""C:\Users\admin\Desktop\Redline Stealer\OpenPort.bat" "C:\Windows\system32\cmd.exeExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events
7 405
Read events
7 187
Write events
215
Delete events
3

Modification events

(PID) Process:(1524) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(1524) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(1524) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(1524) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process:(1524) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(1524) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\Redline Stealer.rar
(PID) Process:(1524) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(1524) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(1524) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(1524) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
Executable files
14
Suspicious files
14
Text files
9
Unknown types
7

Dropped files

PID
Process
Filename
Type
1524WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa1524.27349\Redline Stealer\Libraries\Mono.Cecil.dllexecutable
MD5:7546ACEBC5A5213DEE2A5ED18D7EBC6C
SHA256:7744C9C84C28033BC3606F4DFCE2ADCD6F632E2BE7827893C3E2257100F1CF9E
1524WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa1524.27349\Redline Stealer\Libraries\Mono.Cecil.Mdb.dllexecutable
MD5:DC80F588F513D998A5DF1CA415EDB700
SHA256:90CFC73BEFD43FC3FD876E23DCC3F5CE6E9D21D396BBB346513302E2215DB8C9
1524WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa1524.27349\Redline Stealer\Libraries\Mono.Cecil.Pdb.dllexecutable
MD5:6CD3ED3DB95D4671B866411DB4950853
SHA256:D67EBD49241041E6B6191703A90D89E68D4465ADCE02C595218B867DF34581A3
1524WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa1524.27349\Redline Stealer\Libraries\protobuf-net.dllexecutable
MD5:D16FFFEB71891071C1C5D9096BA03971
SHA256:141B235AF8EBF25D5841EDEE29E2DCF6297B8292A869B3966C282DA960CBD14D
1524WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa1524.27349\Redline Stealer\Libraries\MetroSet UI.dllodttf
MD5:F13DC3CFFEF729D26C4DA102674561CF
SHA256:D490C04E6E89462FD46099D3454985F319F57032176C67403B3B92C86CA58BCB
1524WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa1524.27349\Redline Stealer\Libraries\Mono.Cecil.Mdb.pdbbinary
MD5:0BA762B6B5FBDA000E51D66722A3BB2C
SHA256:D18EB89421D50F079291B78783408CEE4BAB6810E4C5A4B191849265BDD5BA7C
1524WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa1524.27349\Redline Stealer\Libraries\builder.exeexecutable
MD5:DE6F68CDF350FCE9BE13803D84BE98C4
SHA256:51BBC69942823B84C2A1F0EFDB9D63FB04612B223E86AF8A83B4B307DD15CD24
1524WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa1524.27349\Redline Stealer\Libraries\Mono.Cecil.Rocks.dllexecutable
MD5:C8F36848CE8F13084B355C934FC91746
SHA256:A08C040912DF2A3C823ADE85D62239D56ABAA8F788A2684FB9D33961922687C7
1524WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa1524.27349\Redline Stealer\Libraries\Mono.Cecil.Pdb.pdbbinary
MD5:8E07476DB3813903E596B669D3744855
SHA256:AA6469974D04CBA872F86E6598771663BB8721D43A4A0A2A44CF3E2CD2F1E646
1524WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa1524.27349\Redline Stealer\Libraries\Bunifu_UI_v1.52.dllexecutable
MD5:5ECA94D909F1BA4C5F3E35AC65A49076
SHA256:DE0E530D46C803D85B8AEB6D18816F1B09CB3DAFEFB5E19FDFA15C9F41E0F474
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Redline Stealer.rar