| File name: | ps99 Dupe script loader.exe |
| Full analysis: | https://app.any.run/tasks/f6b6327e-6158-4828-b568-78eb6ab8d037 |
| Verdict: | Malicious activity |
| Threats: | RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware. |
| Analysis date: | December 16, 2023, 13:31:16 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 5E0FE871049D3E3EF7D26AAF96CA3CBD |
| SHA1: | 2BF4D13C5F68F2BCDC1CF27BD531D79C2BC62645 |
| SHA256: | 69C5F47BC5580E98F56512FA1D386C8A71C24674FBFF336A2430347BEF65562A |
| SSDEEP: | 12288:YaO5JN78444CWr5NNkcm5LAmAyvdzzhz8BVEWDHdjxK2KrV6Pxq/5TvUzzEQAdVP:i5JMyNtyLqDUtutw5A9goNoP |
MALICIOUS
REDLINE has been detected (SURICATA)
- AppLaunch.exe (PID: 2076)
Steals credentials from Web Browsers
- AppLaunch.exe (PID: 2076)
Actions looks like stealing of personal data
- AppLaunch.exe (PID: 2076)
SUSPICIOUS
Searches for installed software
- AppLaunch.exe (PID: 2076)
Reads browser cookies
- AppLaunch.exe (PID: 2076)
Connects to unusual port
- AppLaunch.exe (PID: 2076)
INFO
Checks supported languages
- ps99 Dupe script loader.exe (PID: 280)
- AppLaunch.exe (PID: 2076)
- wmpnscfg.exe (PID: 2424)
Reads the computer name
- AppLaunch.exe (PID: 2076)
- wmpnscfg.exe (PID: 2424)
Reads product name
- AppLaunch.exe (PID: 2076)
Reads Environment values
- AppLaunch.exe (PID: 2076)
Reads the machine GUID from the registry
- AppLaunch.exe (PID: 2076)
Manual execution by a user
- wmpnscfg.exe (PID: 2424)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (42.2) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (37.3) |
| .dll | | | Win32 Dynamic Link Library (generic) (8.8) |
| .exe | | | Win32 Executable (generic) (6) |
| .exe | | | Generic Win/DOS Executable (2.7) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2023:12:16 12:21:05+01:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 14.34 |
| CodeSize: | 812032 |
| InitializedDataSize: | 1103872 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x1127 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
Total processes
39
Monitored processes
3
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 280 | "C:\Users\admin\AppData\Local\Temp\ps99 Dupe script loader.exe" | C:\Users\admin\AppData\Local\Temp\ps99 Dupe script loader.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 2076 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | ps99 Dupe script loader.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET ClickOnce Launch Utility Exit code: 0 Version: 4.8.3761.0 built by: NET48REL1 Modules
| |||||||||||||||
| 2424 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
3 747
Read events
3 747
Write events
0
Delete events
0
Modification events
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0
Dropped files
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
6
DNS requests
0
Threats
5
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
2588 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
2076 | AppLaunch.exe | 80.66.89.64:33090 | — | Megacom-it LLC | RU | unknown |
DNS requests
Threats
PID | Process | Class | Message |
|---|---|---|---|
2076 | AppLaunch.exe | Potentially Bad Traffic | ET INFO Microsoft net.tcp Connection Initialization Activity |
2076 | AppLaunch.exe | A Network Trojan was detected | ET MALWARE [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) |
2076 | AppLaunch.exe | A Network Trojan was detected | ET MALWARE Redline Stealer Family Activity (Response) |
2076 | AppLaunch.exe | Successful Credential Theft Detected | SUSPICIOUS [ANY.RUN] Clear Text Password Exfiltration Atempt |
2076 | AppLaunch.exe | Successful Credential Theft Detected | SUSPICIOUS [ANY.RUN] Clear Text Password Exfiltration Atempt |