| File name: | Luma.exe |
| Full analysis: | https://app.any.run/tasks/ff875dd7-7833-47c6-b644-5c7c4b1f0b02 |
| Verdict: | Malicious activity |
| Threats: | RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware. |
| Analysis date: | October 29, 2023, 19:17:09 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | FE0D5BC9BF5F4A8FDDFA53328CBADA8F |
| SHA1: | E210A4E57BB1EA0D3A7434C9D58CC3ECF0A0DEAB |
| SHA256: | 7995799F3871A6D3F12F49421E4EA92E09B67A841E4C2639DA56CAF406091091 |
| SSDEEP: | 12288:YIUnYwtqpxcjoxl/W1KncSuZZSfPbl/BFetj:YIUnYNpxcExlaSSZSfPbl/BFs |
MALICIOUS
Steals credentials from Web Browsers
- vbc.exe (PID: 1332)
REDLINE has been detected (SURICATA)
- vbc.exe (PID: 1332)
Unusual connection from system programs
- vbc.exe (PID: 1332)
Actions looks like stealing of personal data
- vbc.exe (PID: 1332)
SUSPICIOUS
Reads settings of System Certificates
- vbc.exe (PID: 1332)
Reads the Internet Settings
- vbc.exe (PID: 1332)
The process executes VB scripts
- Luma.exe (PID: 1764)
Searches for installed software
- vbc.exe (PID: 1332)
Reads browser cookies
- vbc.exe (PID: 1332)
INFO
Checks supported languages
- vbc.exe (PID: 1332)
- Luma.exe (PID: 1764)
- wmpnscfg.exe (PID: 3488)
Reads the computer name
- vbc.exe (PID: 1332)
- wmpnscfg.exe (PID: 3488)
Reads the machine GUID from the registry
- vbc.exe (PID: 1332)
- wmpnscfg.exe (PID: 3488)
Reads product name
- vbc.exe (PID: 1332)
Reads Environment values
- vbc.exe (PID: 1332)
Manual execution by a user
- wmpnscfg.exe (PID: 3488)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (42.2) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (37.3) |
| .dll | | | Win32 Dynamic Link Library (generic) (8.8) |
| .exe | | | Win32 Executable (generic) (6) |
| .exe | | | Generic Win/DOS Executable (2.7) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2023:10:29 10:00:28+01:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 14.32 |
| CodeSize: | 706048 |
| InitializedDataSize: | 591360 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x11ea |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
Total processes
40
Monitored processes
3
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1332 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Luma.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual Basic Command Line Compiler Exit code: 0 Version: 12.0.51209.34209 Modules
| |||||||||||||||
| 1764 | "C:\Users\admin\Desktop\Luma.exe" | C:\Users\admin\Desktop\Luma.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 3488 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
4 395
Read events
4 360
Write events
12
Delete events
23
Modification events
| (PID) Process: | (1332) vbc.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\178\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (1332) vbc.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | delete value | Name: | RegFilesHash |
Value: 33BF2C361E7C58CC9D64B7B7EDD4B4FA9BE5161B7C323C283034670649FAB08D | |||
| (PID) Process: | (1332) vbc.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | delete value | Name: | RegFiles0000 |
Value: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cookies | |||
| (PID) Process: | (1332) vbc.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | delete value | Name: | Sequence |
Value: 1 | |||
| (PID) Process: | (1332) vbc.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | delete value | Name: | SessionHash |
Value: 423C42B34A832ACDA50899DFB9B6159E1523CA51D1919A886C3EE198E631AA47 | |||
| (PID) Process: | (1332) vbc.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | delete value | Name: | Owner |
Value: 340500007C2AA9879C0ADA01 | |||
| (PID) Process: | (1332) vbc.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (1332) vbc.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | delete value | Name: | RegFilesHash |
Value: A697BDCC695D4E620C364977E03EA60D384CE295FA00594C3F2D37E098451ECF | |||
| (PID) Process: | (1332) vbc.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | delete value | Name: | RegFiles0000 |
Value: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies | |||
| (PID) Process: | (1332) vbc.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | delete value | Name: | SessionHash |
Value: 85E82343FE00EB9A052924E7E1BD5732CFC576062D9E29F665623B74F5CEB7A9 | |||
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0
Dropped files
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
7
DNS requests
1
Threats
6
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1332 | vbc.exe | 94.142.138.94:80 | — | Network Management Ltd | RU | malicious |
1088 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
1332 | vbc.exe | 104.26.12.31:443 | api.ip.sb | CLOUDFLARENET | US | unknown |
2656 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
api.ip.sb |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
1332 | vbc.exe | Potentially Bad Traffic | ET INFO Microsoft net.tcp Connection Initialization Activity |
1332 | vbc.exe | A Network Trojan was detected | ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) |
1332 | vbc.exe | Successful Credential Theft Detected | SUSPICIOUS [ANY.RUN] Clear Text Password Exfiltration Atempt |
1332 | vbc.exe | Successful Credential Theft Detected | SUSPICIOUS [ANY.RUN] Clear Text Password Exfiltration Atempt |
2 ETPRO signatures available at the full report