File name: upd.exe

Full analysis: https://app.any.run/tasks/bffb01d1-1877-4cb8-80a8-ec7977b69839
Verdict: Malicious activity
Threats:

MetaStealer is an info-stealing malware primarily targeting sensitive data like login credentials, payment details, and browser history. It typically infects systems via phishing emails or malicious downloads and can exfiltrate data to a command and control (C2) server. MetaStealer is known for its stealthy techniques, including evasion and persistence mechanisms, which make it difficult to detect. This malware has been actively used in various cyberattacks, particularly for financial theft and credential harvesting from individuals and organizations.

Analysis date: July 12, 2024, 16:49:03
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: stealer, redline, metastealer, netreactor
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: E8A7D0C6DEDCE0D4A403908A29273D43
SHA1: 8289C35DABAEE32F61C74DE6A4E8308DC98EB075
SHA256: 672F24842AEB72D7BD8D64E78AABA5F3A953409CE21CFE97D3A80E7EF67F232A
SSDEEP: 98304:wRuOpyB5OHqdnJyylO0KuH5y+JxUNsK4XWsDryjJ0Xw4EPrq85yObm/NuuGOF64a:K2tHXq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • upd.exe (PID: 5392)
      • RegAsm.exe (PID: 5380)
    • METASTEALER has been detected (SURICATA)

      • svhoost.exe (PID: 4544)
    • REDLINE has been detected (SURICATA)

      • svhoost.exe (PID: 4544)
    • REDLINE has been detected (YARA)

      • RegAsm.exe (PID: 5380)
    • METASTEALER has been detected (YARA)

      • RegAsm.exe (PID: 5380)
      • One.exe (PID: 1960)
    • Steals credentials from Web Browsers

      • svhoost.exe (PID: 4544)
    • Connects to the CnC server

      • svhoost.exe (PID: 4544)
    • Actions looks like stealing of personal data

      • svhoost.exe (PID: 4544)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • RegAsm.exe (PID: 5380)
    • Reads security settings of Internet Explorer

      • RegAsm.exe (PID: 5380)
    • Reads the date of Windows installation

      • RegAsm.exe (PID: 5380)
    • Connects to unusual port

      • svhoost.exe (PID: 4544)
      • One.exe (PID: 1960)
    • Searches for installed software

      • svhoost.exe (PID: 4544)
    • The process executes via Task Scheduler

      • default-browser-agent.exe (PID: 1292)
    • Loads DLL from Mozilla Firefox

      • default-browser-agent.exe (PID: 1292)
  • INFO

    • Checks supported languages

      • RegAsm.exe (PID: 5380)
      • upd.exe (PID: 5392)
      • svhoost.exe (PID: 4544)
      • One.exe (PID: 1960)
      • default-browser-agent.exe (PID: 1292)
    • Reads the computer name

      • RegAsm.exe (PID: 5380)
      • svhoost.exe (PID: 4544)
      • One.exe (PID: 1960)
    • Creates files or folders in the user directory

      • RegAsm.exe (PID: 5380)
      • svhoost.exe (PID: 4544)
    • Process checks computer location settings

      • RegAsm.exe (PID: 5380)
    • Reads the machine GUID from the registry

      • One.exe (PID: 1960)
      • svhoost.exe (PID: 4544)
    • Reads Environment values

      • svhoost.exe (PID: 4544)
    • .NET Reactor protector has been detected

      • RegAsm.exe (PID: 5380)
      • One.exe (PID: 1960)
    • Application launched itself

      • firefox.exe (PID: 2568)

RedLine (malware configuration)

Process: (5380) RegAsm.exe
C2 (1): 185.172.128.33:8970
Botnet: @LOGSCLOUDYT_BOT
Options: ErrorMessage
Keys: Xor: Levins
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:06:02 07:10:42+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.39
CodeSize: 145408
InitializedDataSize: 1681920
UninitializedDataSize: -
EntryPoint: 0x7359
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
Total processes: 129
Monitored processes: 8
Malicious processes: 4
Suspicious processes: 0

Behavior graph (process nodes, in graph order)

  • upd.exe (start, no specs)
  • regasm.exe (THREAT)
  • svhoost.exe (#METASTEALER)
  • one.exe (THREAT)
  • conhost.exe (no specs)
  • default-browser-agent.exe (no specs)
  • firefox.exe (no specs)
  • firefox.exe (no specs)

Process information

PID: 992
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: One.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1292
CMD: "C:\Program Files\Mozilla Firefox\default-browser-agent.exe" do-task "308046B0AF4A39CB"
Path: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Parent process: svchost.exe
User: admin
Company: Mozilla Foundation
Integrity Level: MEDIUM
Exit code: 2147500037
Version: 123.0
Modules (images):
c:\program files\mozilla firefox\default-browser-agent.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ole32.dll
PID: 1960
CMD: "C:\Users\admin\AppData\Roaming\configurationValue\One.exe"
Path: C:\Users\admin\AppData\Roaming\configurationValue\One.exe
Parent process: RegAsm.exe
User: admin
Company: Pushing
Integrity Level: MEDIUM
Description: Pushing
Version: 5.27.40
Modules (images):
c:\users\admin\appdata\roaming\configurationvalue\one.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 2196
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" --backgroundtask defaultagent do-task 308046B0AF4A39CB
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Exit code: 3
Version: 123.0
Modules (images):
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
PID: 2568
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" --backgroundtask defaultagent do-task 308046B0AF4A39CB
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: default-browser-agent.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Exit code: 3
Version: 123.0
Modules (images):
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140_1.dll
c:\program files\mozilla firefox\mozglue.dll
c:\program files\mozilla firefox\vcruntime140.dll
c:\windows\system32\crypt32.dll
PID: 4544
CMD: "C:\Users\admin\AppData\Roaming\configurationValue\svhoost.exe"
Path: C:\Users\admin\AppData\Roaming\configurationValue\svhoost.exe
Parent process: RegAsm.exe
User: admin
Integrity Level: MEDIUM
Description: XHP
Exit code: 0
Version: 12.9.1.22
Modules (images):
c:\users\admin\appdata\roaming\configurationvalue\svhoost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 5380
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Parent process: upd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET Assembly Registration Utility
Version: 4.8.9037.0 built by: NET481REL1
Modules (images):
c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 5392
CMD: "C:\Users\admin\Desktop\upd.exe"
Path: C:\Users\admin\Desktop\upd.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\desktop\upd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\kernel.appcore.dll
Total events: 10 877
Read events: 10 849
Write events: 22
Delete events: 6

Modification events

Process: (5380) RegAsm.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000

Process: (5380) RegAsm.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Process: (5380) RegAsm.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

Process: (5380) RegAsm.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

Process: (5380) RegAsm.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

Process: (4544) svhoost.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: Owner
Value: C01100007B81796C7BD4DA01

Process: (4544) svhoost.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: SessionHash
Value: 9F7D5192C45193BA0E21B6A51D3CF3B7B625B231044BD516A273D55474054D10

Process: (4544) svhoost.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: Sequence
Value: 1

Process: (4544) svhoost.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: RegFiles0000
Value: C:\Users\admin\AppData\Local\Google\Chrome\User Data\lockfile

Process: (4544) svhoost.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: RegFilesHash
Value: 68C5B4D8700E1A93B51ACDA5EA533BDA7D91418050DA9F5217F13B35DE95B6F9

Executable files: 2
Suspicious files: 5
Text files: 2
Unknown types: 2

Dropped files

PID: 2196 | Process: firefox.exe | Type: dbf
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\93u99co2.MozillaBackgroundTask-308046B0AF4A39CB-defaultagent\datareporting\glean\db\data.safe.tmp
MD5: 1C3C58F7838DDE7F753614D170F110FC
SHA256: 81C14432135B2A50DC505904E87781864CA561EFEF9E94BAECA3704D04E6DB3D

PID: 4544 | Process: svhoost.exe | Type: der
Filename: C:\Users\admin\AppData\Local\Temp\TmpF738.tmp
MD5: 1420D30F964EAC2C85B2CCFE968EEBCE
SHA256: F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9

PID: 5380 | Process: RegAsm.exe | Type: executable
Filename: C:\Users\admin\AppData\Roaming\configurationValue\One.exe
MD5: 816DF4AC8C796B73A28159A0B17369B6
SHA256: 7843255BC50DDDA8C651F51347313DAF07E53A745D39CC61D708C6E7D79B3647

PID: 4544 | Process: svhoost.exe | Type: binary
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1693682860-607145093-2874071422-1001\76b53b3ec448f7ccdda2063b15d2bfc3_bb926e54-e3ca-40fd-ae90-2764341e7792
MD5: BBC8DA7D36DF3F91C460984C2ABE8419
SHA256: 0399CCF5E780949A63400736A46CCE7D1879903D0F45C6B7D194C960BA4DDDC2

PID: 2196 | Process: firefox.exe | Type: text
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\93u99co2.MozillaBackgroundTask-308046B0AF4A39CB-defaultagent\prefs-1.js
MD5: 85D761C92FE23739635B60B62305BE6B
SHA256: 2807A7C097E33A14465562CB02E97DB23FD332D0FFC1E5DDD5C2BC1BE01DCD9F

PID: 5380 | Process: RegAsm.exe | Type: executable
Filename: C:\Users\admin\AppData\Roaming\configurationValue\svhoost.exe
MD5: 15A7CAE61788E4718D3C33ABB7BE6436
SHA256: BED71147AA297D95D2E2C67352FC06F7F631AF3B7871EA148638AE66FC41E200

PID: 2196 | Process: firefox.exe | Type: binary
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\93u99co2.MozillaBackgroundTask-308046B0AF4A39CB-defaultagent\datareporting\glean\db\data.safe.bin
MD5: 1C3C58F7838DDE7F753614D170F110FC
SHA256: 81C14432135B2A50DC505904E87781864CA561EFEF9E94BAECA3704D04E6DB3D

PID: 2196 | Process: firefox.exe | Type: text
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\93u99co2.MozillaBackgroundTask-308046B0AF4A39CB-defaultagent\prefs.js
MD5: 85D761C92FE23739635B60B62305BE6B
SHA256: 2807A7C097E33A14465562CB02E97DB23FD332D0FFC1E5DDD5C2BC1BE01DCD9F

PID: 4544 | Process: svhoost.exe | Type: der
Filename: C:\Users\admin\AppData\Local\Temp\TmpF824.tmp
MD5: 1420D30F964EAC2C85B2CCFE968EEBCE
SHA256: F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
HTTP(S) requests: 6
TCP/UDP connections: 66
DNS requests: 7
Threats: 31

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2196 | RUXIMICS.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
2056 | svchost.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
2196 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
444 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
444 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 20.189.173.6:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | unknown | binary | 9 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2056 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2196 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
444 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 104.126.37.160:443 | www.bing.com | Akamai International B.V. | DE | unknown
- | - | 104.126.37.147:443 | www.bing.com | Akamai International B.V. | DE | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4032 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
2056 | svchost.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
2196 | RUXIMICS.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
whitelisted
www.bing.com
  • 104.126.37.160
  • 104.126.37.147
  • 104.126.37.155
  • 104.126.37.128
  • 104.126.37.153
  • 104.126.37.139
  • 104.126.37.186
  • 104.126.37.130
  • 104.126.37.154
whitelisted
google.com
  • 172.217.16.206
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
self.events.data.microsoft.com
  • 20.50.73.10
whitelisted

Threats

PID | Process | Class | Message
4544 | svhoost.exe | Potentially Bad Traffic | ET INFO Microsoft net.tcp Connection Initialization Activity
4544 | svhoost.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 32
4544 | svhoost.exe | A Network Trojan was detected | ET MALWARE Redline Stealer TCP CnC Activity
4544 | svhoost.exe | A Network Trojan was detected | ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)
4544 | svhoost.exe | A Network Trojan was detected | ET MALWARE Redline Stealer TCP CnC - Id1Response
1960 | One.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 1
1960 | One.exe | Potentially Bad Traffic | ET INFO Microsoft net.tcp Connection Initialization Activity
4544 | svhoost.exe | A Network Trojan was detected | ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
4544 | svhoost.exe | A Network Trojan was detected | ET MALWARE Redline Stealer TCP CnC Activity
4544 | svhoost.exe | A Network Trojan was detected | ET MALWARE Redline Stealer TCP CnC Activity