File name: 5adac427a6eff8b0c1674c6095e2719d5ee46945fd4e397384af02b8ec691045.exe

Full analysis: https://app.any.run/tasks/cbbf1a4f-0a14-4d66-9cab-8e16c228cd68
Verdict: Malicious activity
Threats:

RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware.

Analysis date: December 14, 2024, 04:03:59
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
redline
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: 44E17821665477B21D6C50CEE97C84EF
SHA1: 4FC146790747758F49F1FD4375144F000099A6CB
SHA256: 5ADAC427A6EFF8B0C1674C6095E2719D5EE46945FD4E397384AF02B8EC691045
SSDEEP: 3072:Y8lszkzartdJClv/hFXGRsf1MiFGZtHTAmthSKC1AcgrIkECoW2MOP+luhz:YRRsFGZ9TAChJc4kCoW2tP5h

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • REDLINE has been detected (YARA)
      • 5adac427a6eff8b0c1674c6095e2719d5ee46945fd4e397384af02b8ec691045.exe (PID: 5400)
  • SUSPICIOUS
    • Connects to unusual port
      • 5adac427a6eff8b0c1674c6095e2719d5ee46945fd4e397384af02b8ec691045.exe (PID: 5400)
  • INFO
    • Creates files or folders in the user directory
      • 5adac427a6eff8b0c1674c6095e2719d5ee46945fd4e397384af02b8ec691045.exe (PID: 5400)
    • Checks supported languages
      • 5adac427a6eff8b0c1674c6095e2719d5ee46945fd4e397384af02b8ec691045.exe (PID: 5400)
    • Reads the computer name
      • 5adac427a6eff8b0c1674c6095e2719d5ee46945fd4e397384af02b8ec691045.exe (PID: 5400)
    • Reads the machine GUID from the registry
      • 5adac427a6eff8b0c1674c6095e2719d5ee46945fd4e397384af02b8ec691045.exe (PID: 5400)
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (49)
.exe | Win32 Executable MS Visual C++ (generic) (20.9)
.exe | Win64 Executable (generic) (18.5)
.dll | Win32 Dynamic Link Library (generic) (4.4)
.exe | Win32 Executable (generic) (3)

EXIF

EXE

AssemblyVersion: 1.1.21.1
ProductVersion: 12.9.1.22
ProductName: XHP booster
OriginalFileName: Dispones.exe
LegalTrademarks: -
LegalCopyright: XHP Corporation Copyright © 2021
InternalName: Dispones.exe
FileVersion: 12.9.1.22
FileDescription: XHP
CompanyName: -
Comments: XHP Booster
CharacterSet: Unicode
LanguageCode: Neutral
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 12.9.1.22
FileVersionNumber: 12.9.1.22
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x2b9a6
UninitializedDataSize: -
InitializedDataSize: 118784
CodeSize: 191488
LinkerVersion: 48
PEType: PE32
ImageFileCharacteristics: Executable, 32-bit
TimeStamp: 2095:11:27 07:30:13+00:00
MachineType: Intel 386 or later, and compatibles
No data.
Total processes: 117
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start #REDLINE 5adac427a6eff8b0c1674c6095e2719d5ee46945fd4e397384af02b8ec691045.exe

Process information

PID: 5400
CMD: "C:\Users\admin\Desktop\5adac427a6eff8b0c1674c6095e2719d5ee46945fd4e397384af02b8ec691045.exe"
Path: C:\Users\admin\Desktop\5adac427a6eff8b0c1674c6095e2719d5ee46945fd4e397384af02b8ec691045.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: XHP
Version: 12.9.1.22
Modules (images loaded):
c:\users\admin\desktop\5adac427a6eff8b0c1674c6095e2719d5ee46945fd4e397384af02b8ec691045.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
Total events: 1 632
Read events: 1 632
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 3
Text files: 0
Unknown types: 0

Dropped files

PID: 5400 | Process: 5adac427a6eff8b0c1674c6095e2719d5ee46945fd4e397384af02b8ec691045.exe
Filename: C:\Users\admin\AppData\Local\Temp\Tmp666E.tmp | Type: binary
MD5: 1420D30F964EAC2C85B2CCFE968EEBCE
SHA256: F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9

PID: 5400 | Process: 5adac427a6eff8b0c1674c6095e2719d5ee46945fd4e397384af02b8ec691045.exe
Filename: C:\Users\admin\AppData\Local\Temp\Tmp671B.tmp | Type: binary
MD5: 1420D30F964EAC2C85B2CCFE968EEBCE
SHA256: F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9

PID: 5400 | Process: 5adac427a6eff8b0c1674c6095e2719d5ee46945fd4e397384af02b8ec691045.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1693682860-607145093-2874071422-1001\76b53b3ec448f7ccdda2063b15d2bfc3_bb926e54-e3ca-40fd-ae90-2764341e7792 | Type: binary
MD5: BBC8DA7D36DF3F91C460984C2ABE8419
SHA256: 0399CCF5E780949A63400736A46CCE7D1879903D0F45C6B7D194C960BA4DDDC2
HTTP(S) requests: 2
TCP/UDP connections: 47
DNS requests: 6
Threats: 30

HTTP requests

PID: 716 | Process: svchost.exe | Method: GET | HTTP Code: 200 | IP: 95.101.149.131:80
URL: http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | CN: unknown | Reputation: whitelisted

PID: 716 | Process: svchost.exe | Method: GET | HTTP Code: 200 | IP: 2.16.164.49:80
URL: http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | CN: unknown | Reputation: whitelisted

Connections

IP: 192.168.100.255:137 | Reputation: whitelisted
PID: 4712 | Process: MoUsoCoreWorker.exe | IP: 51.104.136.2:443 | Domain: settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: IE | Reputation: whitelisted
PID: 716 | Process: svchost.exe | IP: 51.104.136.2:443 | Domain: settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: IE | Reputation: whitelisted
IP: 51.104.136.2:443 | Domain: settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: IE | Reputation: whitelisted
PID: 4 | Process: System | IP: 192.168.100.255:138 | Reputation: whitelisted
PID: 716 | Process: svchost.exe | IP: 2.16.164.49:80 | Domain: crl.microsoft.com | ASN: Akamai International B.V. | CN: NL | Reputation: whitelisted
PID: 5400 | Process: 5adac427a6eff8b0c1674c6095e2719d5ee46945fd4e397384af02b8ec691045.exe | IP: 38.180.109.140:20007 | ASN: COGENT-174 | CN: US | Reputation: malicious
PID: 716 | Process: svchost.exe | IP: 95.101.149.131:80 | Domain: www.microsoft.com | ASN: Akamai International B.V. | CN: NL | Reputation: whitelisted
PID: 3976 | Process: svchost.exe | IP: 51.104.136.2:443 | Domain: settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: IE | Reputation: whitelisted

DNS requests

Domain: settings-win.data.microsoft.com | IP: 51.104.136.2 | Reputation: whitelisted
Domain: google.com | IP: 142.250.186.78 | Reputation: whitelisted
Domain: crl.microsoft.com | IP: 2.16.164.49, 2.16.164.106 | Reputation: whitelisted
Domain: www.microsoft.com | IP: 95.101.149.131 | Reputation: whitelisted
Domain: self.events.data.microsoft.com | IP: 51.116.253.170 | Reputation: whitelisted

Threats

Class: Potentially Bad Traffic | Message: ET INFO Microsoft net.tcp Connection Initialization Activity | Occurrences listed: 10 (no PID or process given for these rows)
No debug info