Malware analysis Redline Stealer Builder.7z Malicious activity

Add for printing

File name:	Redline Stealer Builder.7z
Full analysis:	https://app.any.run/tasks/8c3ca19d-db21-4e11-940d-399933dacf63
Verdict:	Malicious activity
Threats:	RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware. Malware Trends Tracker >>>
Analysis date:	August 17, 2024, 01:19:25
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	netreactor redline
Indicators:
MIME:	application/x-7z-compressed
File info:	7-zip archive data, version 0.4
MD5:	3317523FCB65DE0CAD16632D204ADF2C
SHA1:	8D68B943B791774933ACFC6A9B4E6A1E018B2439
SHA256:	4F758849CC2C1A02BAF4C275EA8FC9CC2FD9A380C157D066A984162FD43CBFE3
SSDEEP:	49152:w2IewijytNDSZsB3evk3kR7smlPRS1PBYu54GziGaWsIKlb3TRrCyxCIt/UbnxX3:wmBujB3evskR7s0S1PbeGziGaWsIKBVc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- REDLINE has been detected (YARA)
  - RedLine.MainPanel-cracked.exe (PID: 6168)
  - RedLine.MainPanel-cracked.exe (PID: 6956)
- Starts CMD.EXE for self-deleting
  - Build.exe (PID: 5092)
  - test.exe (PID: 3540)
  - stub.exe (PID: 3032)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - WinRAR.exe (PID: 6388)
  - RedLine.MainPanel-cracked.exe (PID: 6168)
  - RedLine.MainPanel-cracked.exe (PID: 6956)
  - builder.exe (PID: 872)
- Creates file in the systems drive root
  - builder.exe (PID: 872)
- The process checks if it is being run in the virtual environment
  - builder.exe (PID: 872)
- Executable content was dropped or overwritten
  - builder.exe (PID: 872)
- Drops the executable file immediately after the start
  - builder.exe (PID: 872)
- Reads the date of Windows installation
  - RedLine.MainPanel-cracked.exe (PID: 6956)
- Starts CMD.EXE for commands execution
  - Build.exe (PID: 5092)
  - test.exe (PID: 3540)
  - stub.exe (PID: 3032)
- Uses TASKKILL.EXE to kill process
  - cmd.exe (PID: 1948)
  - cmd.exe (PID: 2208)
  - cmd.exe (PID: 6936)
INFO
- Reads the computer name
  - RedLine.MainPanel-cracked.exe (PID: 6168)
  - RedLine.MainPanel-cracked.exe (PID: 6956)
  - builder.exe (PID: 872)
  - builder.exe (PID: 2136)
  - Build.exe (PID: 5092)
  - test.exe (PID: 3540)
  - stub.exe (PID: 3032)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 6388)
- Checks supported languages
  - RedLine.MainPanel-cracked.exe (PID: 6168)
  - RedLine.MainPanel-cracked.exe (PID: 6956)
  - Build.exe (PID: 5092)
  - builder.exe (PID: 872)
  - builder.exe (PID: 2136)
  - test.exe (PID: 3540)
  - stub.exe (PID: 3032)
- Reads the machine GUID from the registry
  - RedLine.MainPanel-cracked.exe (PID: 6168)
  - RedLine.MainPanel-cracked.exe (PID: 6956)
  - builder.exe (PID: 872)
  - builder.exe (PID: 2136)
  - Build.exe (PID: 5092)
  - test.exe (PID: 3540)
  - stub.exe (PID: 3032)
- Manual execution by a user
  - RedLine.MainPanel-cracked.exe (PID: 6956)
  - test.exe (PID: 3540)
  - Build.exe (PID: 5092)
  - builder.exe (PID: 2136)
  - stub.exe (PID: 3032)
- .NET Reactor protector has been detected
  - RedLine.MainPanel-cracked.exe (PID: 6168)
  - RedLine.MainPanel-cracked.exe (PID: 6956)
- Reads Environment values
  - RedLine.MainPanel-cracked.exe (PID: 6956)
  - Build.exe (PID: 5092)
  - test.exe (PID: 3540)
  - stub.exe (PID: 3032)
  - RedLine.MainPanel-cracked.exe (PID: 6168)
- Process checks computer location settings
  - RedLine.MainPanel-cracked.exe (PID: 6956)
- Disables trace logs
  - Build.exe (PID: 5092)
  - test.exe (PID: 3540)
  - stub.exe (PID: 3032)
- Checks proxy server information
  - Build.exe (PID: 5092)
  - test.exe (PID: 3540)
  - stub.exe (PID: 3032)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.7z	\|	7-Zip compressed archive (v0.4) (57.1)
.7z	\|	7-Zip compressed archive (gen) (42.8)

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

155

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

872

"C:\Users\admin\Desktop\Redline Stealer\Libraries\builder.exe"

C:\Users\admin\Desktop\Redline Stealer\Libraries\builder.exe

RedLine.MainPanel-cracked.exe

User:

admin

Integrity Level:

MEDIUM

Description:

builder

Exit code:

Version:

1.0.0.0

Modules

Images
c:\users\admin\desktop\redline stealer\libraries\builder.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

1948

"cmd.exe" /C taskkill /F /PID 5092 && choice /C Y /N /D Y /T 3 & Del "C:\Users\admin\Desktop\Redline Stealer\Libraries\Build.exe"

C:\Windows\SysWOW64\cmd.exe

—

Build.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

2136

"C:\Users\admin\Desktop\Redline Stealer\Libraries\builder.exe"

C:\Users\admin\Desktop\Redline Stealer\Libraries\builder.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

builder

Version:

1.0.0.0

Modules

Images
c:\users\admin\desktop\redline stealer\libraries\builder.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

2208

"cmd.exe" /C taskkill /F /PID 3540 && choice /C Y /N /D Y /T 3 & Del "C:\Users\admin\Desktop\Redline Stealer\Libraries\test.exe"

C:\Windows\SysWOW64\cmd.exe

—

test.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

2632

choice /C Y /N /D Y /T 3

C:\Windows\SysWOW64\choice.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Offers the user a choice

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\choice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

3032

"C:\Users\admin\Desktop\Redline Stealer\Libraries\stub.exe"

C:\Users\admin\Desktop\Redline Stealer\Libraries\stub.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

RedLine

Exit code:

Version:

1.0.0.0

Modules

Images
c:\users\admin\desktop\redline stealer\libraries\stub.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

3540

"C:\Users\admin\Desktop\Redline Stealer\Libraries\test.exe"

C:\Users\admin\Desktop\Redline Stealer\Libraries\test.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

RedLine

Exit code:

Version:

1.0.0.0

Modules

Images
c:\users\admin\desktop\redline stealer\libraries\test.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

5092

"C:\Users\admin\Desktop\Redline Stealer\Libraries\Build.exe"

C:\Users\admin\Desktop\Redline Stealer\Libraries\Build.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

RedLine

Exit code:

Version:

1.0.0.0

Modules

Images
c:\users\admin\desktop\redline stealer\libraries\build.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

5468

taskkill /F /PID 5092

C:\Windows\SysWOW64\taskkill.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Terminates Processes

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

5632

choice /C Y /N /D Y /T 3

C:\Windows\SysWOW64\choice.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Offers the user a choice

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\choice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

Add for printing

Total events

24 141

Read events

23 996

Write events

138

Delete events

Modification events


(PID) Process:	(6388) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(6388) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(6388) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation:	write	Name:	ShowPassword
Value: 0
(PID) Process:	(6388) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:	(6388) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\Redline Stealer Builder.7z
(PID) Process:	(6388) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(6388) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(6388) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(6388) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(6388) WinRAR.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation:	write	Name:	@C:\WINDOWS\System32\acppage.dll,-6002
Value: Windows Batch File

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6388	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXb6388.40548\Redline Stealer\Libraries\Mono.Cecil.pdb		binary
		MD5:C0A69F1B0C50D4F133CD0B278AC2A531	SHA256:A4F79C99D8923BD6C30EFAFA39363C18BABE95F6609BBAD242BCA44342CCC7BB
6388	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXb6388.40548\Redline Stealer\Libraries\Mono.Cecil.Pdb.pdb		binary
		MD5:8E07476DB3813903E596B669D3744855	SHA256:AA6469974D04CBA872F86E6598771663BB8721D43A4A0A2A44CF3E2CD2F1E646
6388	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXb6388.40548\Redline Stealer\MetroSet UI.dll.config		xml
		MD5:9A25AE6E4FBE956CC33A232AC97D3B16	SHA256:A407B110C78C0077B651FCBD05CCE073541B61E3E8B4747608069AC5CE686A8C
6388	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXb6388.40548\Redline Stealer\Libraries\Mono.Cecil.Rocks.pdb		binary
		MD5:17E3CCB3A96BE6D93CA3C286CA3B93DC	SHA256:CA54D2395697EFC3163016BBC2BB1E91B13D454B9A5A3EE9A4304012F012E5EB
6388	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXb6388.40548\Redline Stealer\LICENSE		text
		MD5:624DABF940FEB6357C70AFB0E1769DD9	SHA256:F70F862F10B5E832A87D98B159294B68CCF58D4188D7EFB323C053EECED58D82
6388	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXb6388.40548\Redline Stealer\README.md		text
		MD5:E2DB1441B03414CCD5627075A7F567CF	SHA256:41DED26595B824BD680E0B2E895A6B1CA3AE6D0D2260653175DCA35A6A56B54A
6388	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXb6388.40548\Redline Stealer\OpenPort.bat		text
		MD5:CF1CC90281E28CEE22DCE7ED013C2678	SHA256:84399F8BCCEFA404E156A5351B1DE75A2D5290B4FDDD1754EFB16401ED7218EF
6388	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXb6388.40548\Redline Stealer\RedLine.MainPanel.exe.config		xml
		MD5:6EBC9B76090C8C4BF6B65C02503C6CD6	SHA256:EF9352989527D16CF5BE708B0D8E6D384618746A3999230F477CF50F34FF67C9
6388	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXb6388.40548\Redline Stealer\RedLine.MainPanel.idb		binary
		MD5:3DA6C975E08BF1A134B25EE33D0288B1	SHA256:16FEEF35E1C0B52A51E898A04D98034ABBC413E483DEB9C410469427035778C8
6388	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXb6388.40548\Redline Stealer\Libraries\Build.exe		executable
		MD5:1035BBF6B782B7A8819FA9BC616A9657	SHA256:4060699BE22D52CD3753FA0BB8D3147A7B14B4EE9769013F2F0AD284586911CB

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5336	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
4592	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
6908	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
6860	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4056	svchost.exe	52.167.249.196:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
3140	RUXIMICS.exe	52.167.249.196:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
2120	MoUsoCoreWorker.exe	52.167.249.196:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
4056	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5336	SearchApp.exe	2.23.209.130:443	www.bing.com	Akamai International B.V.	GB	unknown
5336	SearchApp.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
4592	svchost.exe	20.190.160.14:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	unknown

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	52.167.249.196 20.73.194.208 51.104.136.2 4.231.128.59	whitelisted
google.com	142.250.184.238	whitelisted
www.bing.com	2.23.209.130 2.23.209.187 2.23.209.133 2.23.209.182	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
login.live.com	20.190.160.14 20.190.160.22 40.126.32.68 40.126.32.138 40.126.32.134 20.190.160.17 40.126.32.72 40.126.32.74	whitelisted
client.wns.windows.com	40.113.103.199	whitelisted
th.bing.com	2.23.209.179 2.23.209.130 2.23.209.133 2.23.209.182 2.23.209.149	whitelisted
arc.msn.com	20.223.35.26	whitelisted
fd.api.iris.microsoft.com	20.223.36.55	whitelisted
slscr.update.microsoft.com	20.114.59.183	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

Redline Stealer Builder.7z

3317523FCB65DE0CAD16632D204ADF2C

8D68B943B791774933ACFC6A9B4E6A1E018B2439

4F758849CC2C1A02BAF4C275EA8FC9CC2FD9A380C157D066A984162FD43CBFE3

49152:w2IewijytNDSZsB3evk3kR7smlPRS1PBYu54GziGaWsIKlb3TRrCyxCIt/UbnxX3:wmBujB3evskR7s0S1PbeGziGaWsIKBVc

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

REDLINE has been detected (YARA)

Starts CMD.EXE for self-deleting

SUSPICIOUS

Reads security settings of Internet Explorer

Creates file in the systems drive root

The process checks if it is being run in the virtual environment

Executable content was dropped or overwritten

Drops the executable file immediately after the start

Reads the date of Windows installation

Starts CMD.EXE for commands execution

Uses TASKKILL.EXE to kill process

INFO

Reads the computer name

Executable content was dropped or overwritten

Checks supported languages

Reads the machine GUID from the registry

Manual execution by a user

.NET Reactor protector has been detected

Reads Environment values

Process checks computer location settings

Disables trace logs

Checks proxy server information

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings