| Field | Value |
|---|---|
| File name | Redline Stealer.rar |
| Full analysis | https://app.any.run/tasks/e62b2f98-d56a-404a-bb1d-368e33547b00 |
| Verdict | Malicious activity |
| Threats | RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware. |
| Analysis date | October 05, 2022, 01:36:15 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/x-rar |
| File info | RAR archive data, v5 |
| MD5 | D7415F1D29E97D582C278CF3DF04ADE4 |
| SHA1 | E4AB5E38EDC6A106CF6ED5A97DED120DF49650EE |
| SHA256 | 4191CD799AD6D4F6D7ABDF79C91172FF042CA4C6ECC53F1F01BE5F673CAA9656 |
| SSDEEP | 49152:03PZM4v/kvGmEr61v/onGCRh3un7ehyl3tR2:036o/uGTr6B/oGCLC33tQ |
| Extension | Detected type |
|---|---|
| .rar | RAR compressed archive (v5.0) (61.5) |
| .rar | RAR compressed archive (gen) (38.4) |
| PID | CMD | Path | Indicators | Parent process | User | Company | Integrity Level | Description | Exit code | Version |
|---|---|---|---|---|---|---|---|---|---|---|
| 1388 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Redline Stealer.rar" | C:\Program Files\WinRAR\WinRAR.exe | | Explorer.EXE | admin | Alexander Roshal | MEDIUM | WinRAR archiver | 0 | 5.91.0 |
| 1972 | "C:\Windows\system32\msconfig.exe" | C:\Windows\system32\msconfig.exe | — | Explorer.EXE | admin | Microsoft Corporation | MEDIUM | System Configuration Utility | 3221226540 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2900 | "C:\Windows\system32\msconfig.exe" | C:\Windows\system32\msconfig.exe | | Explorer.EXE | admin | Microsoft Corporation | HIGH | System Configuration Utility | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2880 | C:\Windows\system32\SearchIndexer.exe /Embedding | C:\Windows\system32\SearchIndexer.exe | — | services.exe | SYSTEM | Microsoft Corporation | SYSTEM | Microsoft Windows Search Indexer | 0 | 7.00.7600.16385 (win7_rtm.090713-1255) |
| 3096 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\system32\SearchProtocolHost.exe | — | SearchIndexer.exe | SYSTEM | Microsoft Corporation | SYSTEM | Microsoft Windows Search Protocol Host | 0 | 7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211) |
| 2296 | "C:\Windows\system32\SearchFilterHost.exe" 0 520 524 532 65536 528 | C:\Windows\system32\SearchFilterHost.exe | — | SearchIndexer.exe | SYSTEM | Microsoft Corporation | MEDIUM | Microsoft Windows Search Filter Host | 0 | 7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211) |
| 3588 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-1302019708-1500728564-335382590-10002_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-1302019708-1500728564-335382590-10002 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1" | C:\Windows\system32\SearchProtocolHost.exe | — | SearchIndexer.exe | admin | Microsoft Corporation | MEDIUM | Microsoft Windows Search Protocol Host | 0 | 7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211) |
| 944 | C:\Windows\system32\SearchIndexer.exe /Embedding | C:\Windows\system32\SearchIndexer.exe | — | services.exe | SYSTEM | Microsoft Corporation | SYSTEM | Microsoft Windows Search Indexer | | 7.00.7600.16385 (win7_rtm.090713-1255) |
| 1332 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\system32\SearchProtocolHost.exe | — | SearchIndexer.exe | SYSTEM | Microsoft Corporation | SYSTEM | Microsoft Windows Search Protocol Host | | 7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211) |
| 728 | "C:\Windows\system32\SearchFilterHost.exe" 0 524 528 536 65536 532 | C:\Windows\system32\SearchFilterHost.exe | — | SearchIndexer.exe | SYSTEM | Microsoft Corporation | MEDIUM | Microsoft Windows Search Filter Host | | 7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211) |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 1388 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1388.44754\Redline Stealer\Libraries\Mono.Cecil.Pdb.pdb | binary | 8E07476DB3813903E596B669D3744855 | AA6469974D04CBA872F86E6598771663BB8721D43A4A0A2A44CF3E2CD2F1E646 |
| 1388 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1388.44754\Redline Stealer\Libraries\Mono.Cecil.Rocks.pdb | binary | 17E3CCB3A96BE6D93CA3C286CA3B93DC | CA54D2395697EFC3163016BBC2BB1E91B13D454B9A5A3EE9A4304012F012E5EB |
| 1388 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1388.44754\Redline Stealer\Libraries\Bunifu_UI_v1.52.dll | executable | 5ECA94D909F1BA4C5F3E35AC65A49076 | DE0E530D46C803D85B8AEB6D18816F1B09CB3DAFEFB5E19FDFA15C9F41E0F474 |
| 1388 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1388.44754\Redline Stealer\Libraries\Mono.Cecil.pdb | binary | C0A69F1B0C50D4F133CD0B278AC2A531 | A4F79C99D8923BD6C30EFAFA39363C18BABE95F6609BBAD242BCA44342CCC7BB |
| 1388 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1388.44754\Redline Stealer\Libraries\System.Drawing.Pen.dll | executable | 1D4E91345A76C90E0849C9389E66FE8C | 1D820D1C1E9D661603CD32177FB128C9A6844FE2492B6FBB3120BD37553663B0 |
| 1388 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1388.44754\Redline Stealer\Libraries\builder.exe | executable | DE6F68CDF350FCE9BE13803D84BE98C4 | 51BBC69942823B84C2A1F0EFDB9D63FB04612B223E86AF8A83B4B307DD15CD24 |
| 1388 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1388.44754\Redline Stealer\Libraries\protobuf-net.dll | executable | D16FFFEB71891071C1C5D9096BA03971 | 141B235AF8EBF25D5841EDEE29E2DCF6297B8292A869B3966C282DA960CBD14D |
| 1388 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1388.44754\Redline Stealer\Libraries\Mono.Cecil.Mdb.pdb | binary | 0BA762B6B5FBDA000E51D66722A3BB2C | D18EB89421D50F079291B78783408CEE4BAB6810E4C5A4B191849265BDD5BA7C |
| 1388 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1388.44754\Redline Stealer\Libraries\RedLine.SharedModels.dll | executable | BEE2969583715BFA584D073AC8D98C42 | 5F92DB78E43986F063632FB2CFAFDCE73E5E7E64979900783CA9A00016933375 |
| 1388 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1388.44754\Redline Stealer\Libraries\Mono.Cecil.Mdb.dll | executable | DC80F588F513D998A5DF1CA415EDB700 | 90CFC73BEFD43FC3FD876E23DCC3F5CE6E9D21D396BBB346513302E2215DB8C9 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2296 | iexplore.exe | GET | 200 | 192.124.249.24:80 | http://ocsp.godaddy.com//MEowSDBGMEQwQjAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCQC2T6rhHiP0ng%3D%3D | US | der | 1.74 Kb | whitelisted |
2296 | iexplore.exe | GET | 200 | 192.124.249.24:80 | http://ocsp.godaddy.com//MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D | US | der | 1.69 Kb | whitelisted |
2296 | iexplore.exe | GET | 200 | 216.58.212.131:80 | http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D | US | der | 724 b | whitelisted |
2296 | iexplore.exe | GET | 200 | 192.124.249.24:80 | http://ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D | US | der | 1.66 Kb | whitelisted |
2296 | iexplore.exe | GET | 200 | 192.124.249.24:80 | http://ocsp.godaddy.com//MEkwRzBFMEMwQTAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCEogYJNoeJw2 | US | der | 1.74 Kb | whitelisted |
3888 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2BnRyLFPYjID1ie%2Bx%2BdSjo%3D | US | der | 1.47 Kb | whitelisted |
2296 | iexplore.exe | GET | 200 | 216.58.212.131:80 | http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEBJBetlj4ZeUEqggpI8HVMI%3D | US | der | 471 b | whitelisted |
2296 | iexplore.exe | GET | 200 | 216.58.212.131:80 | http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEB%2Fvu3PmotRDEvKn%2FiRyWpo%3D | US | der | 471 b | whitelisted |
2296 | iexplore.exe | GET | 200 | 216.58.212.131:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | US | der | 1.41 Kb | whitelisted |
2296 | iexplore.exe | GET | 200 | 8.248.113.254:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?01df0d85d71783d9 | US | compressed | 4.70 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3888 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | EDGECAST | GB | whitelisted |
2296 | iexplore.exe | 142.250.185.106:443 | fonts.googleapis.com | GOOGLE | US | whitelisted |
2296 | iexplore.exe | 192.124.249.24:80 | ocsp.godaddy.com | SUCURI-SEC | US | suspicious |
2296 | iexplore.exe | 142.250.186.131:443 | fonts.gstatic.com | GOOGLE | US | whitelisted |
3888 | iexplore.exe | 204.79.197.200:443 | www.bing.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
2296 | iexplore.exe | 8.248.113.254:80 | ctldl.windowsupdate.com | LEVEL3 | US | suspicious |
2296 | iexplore.exe | 149.154.167.99:443 | t.me | Telegram Messenger Inc | GB | malicious |
3888 | iexplore.exe | 149.154.167.99:443 | t.me | Telegram Messenger Inc | GB | malicious |
2296 | iexplore.exe | 216.58.212.131:80 | ocsp.pki.goog | GOOGLE | US | whitelisted |
| Domain | IP | Reputation |
|---|---|---|
| t.me | | whitelisted |
| ctldl.windowsupdate.com | | whitelisted |
| ocsp.godaddy.com | | whitelisted |
| fonts.googleapis.com | | whitelisted |
| telegram.org | | whitelisted |
| ocsp.pki.goog | | whitelisted |
| fonts.gstatic.com | | whitelisted |
| api.bing.com | | whitelisted |
| www.bing.com | | whitelisted |
| ocsp.digicert.com | | whitelisted |