analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Redline Stealer.rar

Full analysis: https://app.any.run/tasks/e62b2f98-d56a-404a-bb1d-368e33547b00
Verdict: Malicious activity
Threats:

RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware.

Analysis date: October 05, 2022, 01:36:15
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
redline
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

D7415F1D29E97D582C278CF3DF04ADE4

SHA1:

E4AB5E38EDC6A106CF6ED5A97DED120DF49650EE

SHA256:

4191CD799AD6D4F6D7ABDF79C91172FF042CA4C6ECC53F1F01BE5F673CAA9656

SSDEEP:

49152:03PZM4v/kvGmEr61v/onGCRh3un7ehyl3tR2:036o/uGTr6B/oGCLC33tQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops executable file immediately after starts

      • WinRAR.exe (PID: 1388)
    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 3096)
      • RedLine.MainPanel-cracked.exe (PID: 1016)
    • REDLINE detected by memory dumps

      • RedLine.MainPanel-cracked.exe (PID: 1016)
    • Application was dropped or rewritten from another process

      • RedLine.MainPanel-cracked.exe (PID: 1016)
  • SUSPICIOUS

    • Reads the computer name

      • WinRAR.exe (PID: 1388)
      • RedLine.MainPanel-cracked.exe (PID: 1016)
    • Checks supported languages

      • WinRAR.exe (PID: 1388)
      • RedLine.MainPanel-cracked.exe (PID: 1016)
    • Executed as Windows Service

      • SearchIndexer.exe (PID: 2880)
      • SearchIndexer.exe (PID: 944)
    • Creates files in the program directory

      • SearchIndexer.exe (PID: 2880)
      • SearchIndexer.exe (PID: 944)
    • Drops a file with a compile date too recent

      • WinRAR.exe (PID: 1388)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1388)
    • Reads Environment values

      • RedLine.MainPanel-cracked.exe (PID: 1016)
    • Starts Internet Explorer

      • RedLine.MainPanel-cracked.exe (PID: 1016)
    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 2296)
  • INFO

    • Checks supported languages

      • SearchIndexer.exe (PID: 2880)
      • msconfig.exe (PID: 2900)
      • SearchProtocolHost.exe (PID: 3096)
      • SearchIndexer.exe (PID: 944)
      • SearchProtocolHost.exe (PID: 3588)
      • SearchFilterHost.exe (PID: 2296)
      • SearchFilterHost.exe (PID: 728)
      • SearchProtocolHost.exe (PID: 1332)
      • SearchProtocolHost.exe (PID: 3068)
      • msconfig.exe (PID: 2500)
      • iexplore.exe (PID: 3888)
      • iexplore.exe (PID: 2296)
    • Reads the computer name

      • msconfig.exe (PID: 2900)
      • SearchIndexer.exe (PID: 2880)
      • SearchIndexer.exe (PID: 944)
      • SearchProtocolHost.exe (PID: 3588)
      • SearchFilterHost.exe (PID: 2296)
      • SearchProtocolHost.exe (PID: 3096)
      • SearchProtocolHost.exe (PID: 1332)
      • SearchFilterHost.exe (PID: 728)
      • SearchProtocolHost.exe (PID: 3068)
      • msconfig.exe (PID: 2500)
      • iexplore.exe (PID: 3888)
      • iexplore.exe (PID: 2296)
    • Manual execution by user

      • msconfig.exe (PID: 1972)
      • msconfig.exe (PID: 2900)
      • RedLine.MainPanel-cracked.exe (PID: 1016)
      • msconfig.exe (PID: 2500)
      • msconfig.exe (PID: 3916)
    • Reads Microsoft Office registry keys

      • SearchProtocolHost.exe (PID: 3068)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 2296)
      • iexplore.exe (PID: 3888)
    • Reads the date of Windows installation

      • iexplore.exe (PID: 3888)
    • Application launched itself

      • iexplore.exe (PID: 3888)
    • Creates files in the user directory

      • iexplore.exe (PID: 2296)
    • Changes internet zones settings

      • iexplore.exe (PID: 3888)
    • Checks Windows Trust Settings

      • iexplore.exe (PID: 3888)
      • iexplore.exe (PID: 2296)
    • Reads internet explorer settings

      • iexplore.exe (PID: 2296)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
58
Monitored processes
16
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe msconfig.exe no specs msconfig.exe searchindexer.exe no specs searchprotocolhost.exe no specs searchfilterhost.exe no specs searchprotocolhost.exe no specs searchindexer.exe no specs searchprotocolhost.exe no specs searchfilterhost.exe no specs searchprotocolhost.exe no specs #REDLINE redline.mainpanel-cracked.exe no specs msconfig.exe no specs msconfig.exe iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
1388"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Redline Stealer.rar"C:\Program Files\WinRAR\WinRAR.exe
Explorer.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
1972"C:\Windows\system32\msconfig.exe" C:\Windows\system32\msconfig.exeExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
System Configuration Utility
Exit code:
3221226540
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2900"C:\Windows\system32\msconfig.exe" C:\Windows\system32\msconfig.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
System Configuration Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2880C:\Windows\system32\SearchIndexer.exe /EmbeddingC:\Windows\system32\SearchIndexer.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Indexer
Exit code:
0
Version:
7.00.7600.16385 (win7_rtm.090713-1255)
3096"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\system32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Exit code:
0
Version:
7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)
2296"C:\Windows\system32\SearchFilterHost.exe" 0 520 524 532 65536 528 C:\Windows\system32\SearchFilterHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Windows Search Filter Host
Exit code:
0
Version:
7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)
3588"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-1302019708-1500728564-335382590-10002_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-1302019708-1500728564-335382590-10002 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"C:\Windows\system32\SearchProtocolHost.exeSearchIndexer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Windows Search Protocol Host
Exit code:
0
Version:
7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)
944C:\Windows\system32\SearchIndexer.exe /EmbeddingC:\Windows\system32\SearchIndexer.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Indexer
Version:
7.00.7600.16385 (win7_rtm.090713-1255)
1332"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\system32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Version:
7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)
728"C:\Windows\system32\SearchFilterHost.exe" 0 524 528 536 65536 532 C:\Windows\system32\SearchFilterHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Windows Search Filter Host
Version:
7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)
Total events
31 139
Read events
28 975
Write events
0
Delete events
0

Modification events

No data
Executable files
14
Suspicious files
46
Text files
21
Unknown types
26

Dropped files

PID
Process
Filename
Type
1388WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa1388.44754\Redline Stealer\Libraries\Mono.Cecil.Pdb.pdbbinary
MD5:8E07476DB3813903E596B669D3744855
SHA256:AA6469974D04CBA872F86E6598771663BB8721D43A4A0A2A44CF3E2CD2F1E646
1388WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa1388.44754\Redline Stealer\Libraries\Mono.Cecil.Rocks.pdbbinary
MD5:17E3CCB3A96BE6D93CA3C286CA3B93DC
SHA256:CA54D2395697EFC3163016BBC2BB1E91B13D454B9A5A3EE9A4304012F012E5EB
1388WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa1388.44754\Redline Stealer\Libraries\Bunifu_UI_v1.52.dllexecutable
MD5:5ECA94D909F1BA4C5F3E35AC65A49076
SHA256:DE0E530D46C803D85B8AEB6D18816F1B09CB3DAFEFB5E19FDFA15C9F41E0F474
1388WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa1388.44754\Redline Stealer\Libraries\Mono.Cecil.pdbbinary
MD5:C0A69F1B0C50D4F133CD0B278AC2A531
SHA256:A4F79C99D8923BD6C30EFAFA39363C18BABE95F6609BBAD242BCA44342CCC7BB
1388WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa1388.44754\Redline Stealer\Libraries\System.Drawing.Pen.dllexecutable
MD5:1D4E91345A76C90E0849C9389E66FE8C
SHA256:1D820D1C1E9D661603CD32177FB128C9A6844FE2492B6FBB3120BD37553663B0
1388WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa1388.44754\Redline Stealer\Libraries\builder.exeexecutable
MD5:DE6F68CDF350FCE9BE13803D84BE98C4
SHA256:51BBC69942823B84C2A1F0EFDB9D63FB04612B223E86AF8A83B4B307DD15CD24
1388WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa1388.44754\Redline Stealer\Libraries\protobuf-net.dllexecutable
MD5:D16FFFEB71891071C1C5D9096BA03971
SHA256:141B235AF8EBF25D5841EDEE29E2DCF6297B8292A869B3966C282DA960CBD14D
1388WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa1388.44754\Redline Stealer\Libraries\Mono.Cecil.Mdb.pdbbinary
MD5:0BA762B6B5FBDA000E51D66722A3BB2C
SHA256:D18EB89421D50F079291B78783408CEE4BAB6810E4C5A4B191849265BDD5BA7C
1388WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa1388.44754\Redline Stealer\Libraries\RedLine.SharedModels.dllexecutable
MD5:BEE2969583715BFA584D073AC8D98C42
SHA256:5F92DB78E43986F063632FB2CFAFDCE73E5E7E64979900783CA9A00016933375
1388WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa1388.44754\Redline Stealer\Libraries\Mono.Cecil.Mdb.dllexecutable
MD5:DC80F588F513D998A5DF1CA415EDB700
SHA256:90CFC73BEFD43FC3FD876E23DCC3F5CE6E9D21D396BBB346513302E2215DB8C9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
19
DNS requests
13
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2296
iexplore.exe
GET
200
192.124.249.24:80
http://ocsp.godaddy.com//MEowSDBGMEQwQjAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCQC2T6rhHiP0ng%3D%3D
US
der
1.74 Kb
whitelisted
2296
iexplore.exe
GET
200
192.124.249.24:80
http://ocsp.godaddy.com//MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D
US
der
1.69 Kb
whitelisted
2296
iexplore.exe
GET
200
216.58.212.131:80
http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D
US
der
724 b
whitelisted
2296
iexplore.exe
GET
200
192.124.249.24:80
http://ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D
US
der
1.66 Kb
whitelisted
2296
iexplore.exe
GET
200
192.124.249.24:80
http://ocsp.godaddy.com//MEkwRzBFMEMwQTAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCEogYJNoeJw2
US
der
1.74 Kb
whitelisted
3888
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2BnRyLFPYjID1ie%2Bx%2BdSjo%3D
US
der
1.47 Kb
whitelisted
2296
iexplore.exe
GET
200
216.58.212.131:80
http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEBJBetlj4ZeUEqggpI8HVMI%3D
US
der
471 b
whitelisted
2296
iexplore.exe
GET
200
216.58.212.131:80
http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEB%2Fvu3PmotRDEvKn%2FiRyWpo%3D
US
der
471 b
whitelisted
2296
iexplore.exe
GET
200
216.58.212.131:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
US
der
1.41 Kb
whitelisted
2296
iexplore.exe
GET
200
8.248.113.254:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?01df0d85d71783d9
US
compressed
4.70 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3888
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
EDGECAST
GB
whitelisted
2296
iexplore.exe
142.250.185.106:443
fonts.googleapis.com
GOOGLE
US
whitelisted
2296
iexplore.exe
192.124.249.24:80
ocsp.godaddy.com
SUCURI-SEC
US
suspicious
2296
iexplore.exe
142.250.186.131:443
fonts.gstatic.com
GOOGLE
US
whitelisted
3888
iexplore.exe
204.79.197.200:443
www.bing.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
2296
iexplore.exe
8.248.113.254:80
ctldl.windowsupdate.com
LEVEL3
US
suspicious
2296
iexplore.exe
149.154.167.99:443
t.me
Telegram Messenger Inc
GB
malicious
3888
iexplore.exe
149.154.167.99:443
t.me
Telegram Messenger Inc
GB
malicious
2296
iexplore.exe
216.58.212.131:80
ocsp.pki.goog
GOOGLE
US
whitelisted

DNS requests

Domain
IP
Reputation
t.me
  • 149.154.167.99
whitelisted
ctldl.windowsupdate.com
  • 8.248.113.254
  • 8.241.123.254
  • 67.27.158.254
  • 8.248.133.254
  • 67.27.158.126
whitelisted
ocsp.godaddy.com
  • 192.124.249.24
  • 192.124.249.23
  • 192.124.249.41
  • 192.124.249.36
  • 192.124.249.22
whitelisted
fonts.googleapis.com
  • 142.250.185.106
whitelisted
telegram.org
  • 149.154.167.99
whitelisted
ocsp.pki.goog
  • 216.58.212.131
whitelisted
fonts.gstatic.com
  • 142.250.186.131
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted

Threats

Found threats are available for the paid subscriptions
4 ETPRO signatures available at the full report
No debug info