File name:

Loader.exe

Full analysis: https://app.any.run/tasks/6eb7e4fa-5535-4cf6-a57e-86a55f69b3dc
Verdict: Malicious activity
Threats:

RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware.

Malware Trends Tracker     >>>
Analysis date: November 21, 2023, 08:42:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
stealer
redline
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386, for MS Windows
MD5:

651087191042690229ABAAE1AC8DF6C9

SHA1:

5430A9C24D047A32473C3D62D57AB40B11B29056

SHA256:

483C44A7AB44B47C1FC984390980B1BE100920041EB01F2FD1CD26A8A4B9857E

SSDEEP:

3072:CChUyaprqY0d3WTAw/fVQ2Ja+dehEIcmqwbkJWSBH8jBJfVr5cIU3sfGdYrcccc0:DUya8Y0VWjS2Kk/8bVr2IU3s+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Steals credentials from Web Browsers

      • Loader.exe (PID: 3128)

    • Connects to the CnC server

      • Loader.exe (PID: 3128)

    • REDLINE has been detected (SURICATA)

      • Loader.exe (PID: 3128)

    • Actions looks like stealing of personal data

      • Loader.exe (PID: 3128)

  • SUSPICIOUS

    • Searches for installed software

      • Loader.exe (PID: 3128)

    • Reads browser cookies

      • Loader.exe (PID: 3128)

    • Connects to unusual port

      • Loader.exe (PID: 3128)

  • INFO

    • Checks supported languages

      • Loader.exe (PID: 3128)
      • wmpnscfg.exe (PID: 3488)

    • Reads the computer name

      • Loader.exe (PID: 3128)
      • wmpnscfg.exe (PID: 3488)

    • Reads product name

      • Loader.exe (PID: 3128)

    • Reads Environment values

      • Loader.exe (PID: 3128)

    • Reads the machine GUID from the registry

      • Loader.exe (PID: 3128)
      • wmpnscfg.exe (PID: 3488)

    • Manual execution by a user

      • wmpnscfg.exe (PID: 3488)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:11:20 10:23:53+01:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 50176
InitializedDataSize: 366080
UninitializedDataSize: -
EntryPoint: 0x4122
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows command line
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #REDLINE loader.exe wmpnscfg.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3128"C:\Users\admin\AppData\Local\Temp\Loader.exe" C:\Users\admin\AppData\Local\Temp\Loader.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\loader.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
3488"C:\Program Files\Windows Media Player\wmpnscfg.exe"C:\Program Files\Windows Media Player\wmpnscfg.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ole32.dll
Total events
1 409
Read events
1 388
Write events
0
Delete events
21

Modification events

(PID) Process:(3128) Loader.exeKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:delete valueName:RegFilesHash
Value:
0BB2312FB10744DA6FC284CF574F63B664029C60B10333B042ED23DF560DAE5C
(PID) Process:(3128) Loader.exeKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:delete valueName:RegFiles0000
Value:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\lockfile
(PID) Process:(3128) Loader.exeKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:delete valueName:Sequence
Value:
1
(PID) Process:(3128) Loader.exeKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:delete valueName:SessionHash
Value:
F394E589B3F7E52F08877D01682103CD0DD8963291BC864E118C201AE436116E
(PID) Process:(3128) Loader.exeKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:delete valueName:Owner
Value:
380C0000FE3F70A3561CDA01
(PID) Process:(3128) Loader.exeKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:delete keyName:(default)
Value:
(PID) Process:(3128) Loader.exeKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:delete valueName:RegFilesHash
Value:
4EBB421F32ECF446294C53BAFA3BB65CBAF43E744312A939058247819C42EAFE
(PID) Process:(3128) Loader.exeKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:delete valueName:RegFiles0000
Value:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\lockfile
(PID) Process:(3128) Loader.exeKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:delete valueName:SessionHash
Value:
4AFAE0A74DE66EC2DA6486F6498E4FD0C74295E73D6E3F11D65FEBF828F19C16
(PID) Process:(3128) Loader.exeKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:delete valueName:RegFilesHash
Value:
CE7D6A5A60775C2F8FB6EE4BB1D4E5A9158B39E5A634EE317E707B53AB1E307F
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
1
Threats
7

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3128
Loader.exe
4.224.60.120:28410
MICROSOFT-CORP-MSN-AS-BLOCK
IN
unknown
868
svchost.exe
95.101.148.135:80
Akamai International B.V.
NL
unknown
4
System
192.168.100.255:138
whitelisted
868
svchost.exe
23.211.8.250:80
armmf.adobe.com
AKAMAI-AS
DE
whitelisted
4
System
192.168.100.255:137
whitelisted

DNS requests

Domain
IP
Reputation
armmf.adobe.com
  • 23.211.8.250
whitelisted

Threats

PID
Process
Class
Message
3128
Loader.exe
Potentially Bad Traffic
ET INFO Microsoft net.tcp Connection Initialization Activity
3128
Loader.exe
A Network Trojan was detected
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
3128
Loader.exe
A Network Trojan was detected
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
3128
Loader.exe
A Network Trojan was detected
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
3128
Loader.exe
A Network Trojan was detected
ET MALWARE Redline Stealer Activity (Response)
3128
Loader.exe
Successful Credential Theft Detected
SUSPICIOUS [ANY.RUN] Clear Text Password Exfiltration Atempt
3128
Loader.exe
Successful Credential Theft Detected
SUSPICIOUS [ANY.RUN] Clear Text Password Exfiltration Atempt
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Loader.exe