| File name: | hackmod.exe |
| Full analysis: | https://app.any.run/tasks/4e2274bb-a0de-4b43-9387-aad0f06f012d |
| Verdict: | Malicious activity |
| Threats: | RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware. |
| Analysis date: | May 13, 2025, 17:25:29 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections |
| MD5: | D317D016FAC5D1B9A14F8D7176A1F718 |
| SHA1: | 97C80346EBCEB61773D974954018B39906FE1FDD |
| SHA256: | 711D042332873E34945BF9B40AB61FF7140768541F1717D261F699666934AE51 |
| SSDEEP: | 6144:X45YqofbluopdSShoLunLI26Tv/3gVwbY:I5Y3fbluoTSShoLULI26Tv/3gVwbY |
MALICIOUS
REDLINE has been detected (YARA)
- hackmod.exe (PID: 7796)
SUSPICIOUS
Application launched itself
- hackmod.exe (PID: 7672)
Multiple wallet extension IDs have been found
- hackmod.exe (PID: 7796)
INFO
Reads the computer name
- hackmod.exe (PID: 7672)
- hackmod.exe (PID: 7796)
Reads the machine GUID from the registry
- hackmod.exe (PID: 7796)
Checks supported languages
- hackmod.exe (PID: 7796)
- hackmod.exe (PID: 7672)
Disables trace logs
- hackmod.exe (PID: 7796)
Checks proxy server information
- hackmod.exe (PID: 7796)
- slui.exe (PID: 8140)
Reads the software policy settings
- slui.exe (PID: 8140)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
RedLine
(PID) Process(7796) hackmod.exe
C2 (1)ierinapu.xyz:80
Botnet@romzxz
Options
ErrorMessage
Keys
XorNavigably
TRiD
| .exe | | | Generic CIL Executable (.NET, Mono, etc.) (62) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (23.3) |
| .dll | | | Win32 Dynamic Link Library (generic) (5.5) |
| .exe | | | Win32 Executable (generic) (3.8) |
| .exe | | | Win16/32 Executable Delphi generic (1.7) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2093:04:11 16:39:23+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 48 |
| CodeSize: | 364544 |
| InitializedDataSize: | 2048 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x5aeae |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows command line |
| FileVersionNumber: | 0.0.0.0 |
| ProductVersionNumber: | 0.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| FileDescription: | |
| FileVersion: | 0.0.0.0 |
| InternalName: | Teepees.exe |
| LegalCopyright: | |
| OriginalFileName: | Teepees.exe |
| ProductVersion: | 0.0.0.0 |
| AssemblyVersion: | 0.0.0.0 |
Total processes
130
Monitored processes
5
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 2196 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | |
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) | ||||
| 7672 | "C:\Users\admin\Desktop\hackmod.exe" | C:\Users\admin\Desktop\hackmod.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Description: Exit code: 0 Version: 0.0.0.0 | ||||
| 7700 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | hackmod.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) | ||||
| 7796 | C:\Users\admin\Desktop\hackmod.exe | C:\Users\admin\Desktop\hackmod.exe | hackmod.exe | |
User: admin Integrity Level: MEDIUM Description: Version: 0.0.0.0 RedLine(PID) Process(7796) hackmod.exe C2 (1)ierinapu.xyz:80 Botnet@romzxz Options ErrorMessage Keys XorNavigably | ||||
| 8140 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) | ||||
Total events
0
Read events
0
Write events
0
Delete events
0
Modification events
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0
Dropped files
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
21
DNS requests
31
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
2112 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
2104 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
7408 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
8140 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
ierinapu.xyz |
| malicious |
activation-v2.sls.microsoft.com |
| whitelisted |