Malware analysis Nitro gen V2.4.zip Malicious activity

Add for printing

File name:	Nitro gen V2.4.zip
Full analysis:	https://app.any.run/tasks/05003186-f7b0-41c1-8fb8-3be1b9d0ec88
Verdict:	Malicious activity
Threats:	MetaStealer is an info-stealing malware primarily targeting sensitive data like login credentials, payment details, and browser history. It typically infects systems via phishing emails or malicious downloads and can exfiltrate data to a command and control (C2) server. MetaStealer is known for its stealthy techniques, including evasion and persistence mechanisms, which make it difficult to detect. This malware has been actively used in various cyberattacks, particularly for financial theft and credential harvesting from individuals and organizations. RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	July 25, 2024, 23:49:11
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	stealer redline metastealer evasion
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v1.0 to extract, compression method=store
MD5:	B35856C2AF17FD6B4EBFD3003A19BE9B
SHA1:	F00C0122937176C73910AA4460C2CCAC928DDCF1
SHA256:	93FC362E74ADC1DC1AAD5C600906186374F94FE2423DCCCEE265233980D72976
SSDEEP:	6144:imw+hz6iZXZyixahouR+aIHvtp5Cx2BS2ChYkJsst:imw+l6opyKorOPA2C6ji

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- REDLINE has been detected (SURICATA)
  - MSBuild.exe (PID: 8016)
- Connects to the CnC server
  - MSBuild.exe (PID: 8016)
- METASTEALER has been detected (SURICATA)
  - MSBuild.exe (PID: 8016)
- Drops the executable file immediately after the start
  - Main.exe (PID: 7912)
- Actions looks like stealing of personal data
  - MSBuild.exe (PID: 8016)
- Stealers network behavior
  - MSBuild.exe (PID: 8016)
- Steals credentials from Web Browsers
  - MSBuild.exe (PID: 8016)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - WinRAR.exe (PID: 4296)
- Executable content was dropped or overwritten
  - Main.exe (PID: 7912)
- Searches for installed software
  - MSBuild.exe (PID: 8016)
- Checks for external IP
  - MSBuild.exe (PID: 8016)
- Potential Corporate Privacy Violation
  - MSBuild.exe (PID: 8016)
INFO
- Reads the computer name
  - TextInputHost.exe (PID: 1096)
  - Main.exe (PID: 7912)
  - MSBuild.exe (PID: 8016)
- Manual execution by a user
  - AtBroker.exe (PID: 4548)
- Checks proxy server information
  - slui.exe (PID: 6644)
  - MSBuild.exe (PID: 8016)
- Reads the software policy settings
  - slui.exe (PID: 6644)
  - MSBuild.exe (PID: 8016)
- Checks supported languages
  - TextInputHost.exe (PID: 1096)
  - MSBuild.exe (PID: 8016)
  - Main.exe (PID: 7912)
- Reads security settings of Internet Explorer
  - AtBroker.exe (PID: 4548)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 4296)
- Creates files or folders in the user directory
  - Main.exe (PID: 7912)
  - MSBuild.exe (PID: 8016)
- Drops the executable file immediately after the start
  - WinRAR.exe (PID: 4296)
- Reads the machine GUID from the registry
  - MSBuild.exe (PID: 8016)
- Reads Environment values
  - MSBuild.exe (PID: 8016)
- Disables trace logs
  - MSBuild.exe (PID: 8016)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion:	10
ZipBitFlag:	-
ZipCompression:	None
ZipModifyDate:	2024:07:25 22:12:30
ZipCRC:	0x00000000
ZipCompressedSize:	-
ZipUncompressedSize:	-
ZipFileName:	Nitro gen V2.4/

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

154

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1096

"C:\WINDOWS\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Version:

123.26505.0.0

Modules

Images
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\textinputhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\vcruntime140_app.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll

2888

C:\Windows\System32\SystemSettingsBroker.exe -Embedding

C:\Windows\System32\SystemSettingsBroker.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

System Settings Broker

Exit code:

Version:

10.0.19041.3996 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\systemsettingsbroker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\shcore.dll

3800

"C:\WINDOWS\System32\osk.exe"

C:\Windows\System32\osk.exe

AtBroker.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Accessibility On-Screen Keyboard

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\osk.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\gdi32.dll

4296

"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Nitro gen V2.4.zip"

C:\Program Files\WinRAR\WinRAR.exe

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Exit code:

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

4548

C:\WINDOWS\System32\ATBroker.exe /start osk

C:\Windows\System32\AtBroker.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Assistive Technology Manager

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\atbroker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

6328

"C:\WINDOWS\System32\osk.exe"

C:\Windows\System32\osk.exe

—

AtBroker.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Accessibility On-Screen Keyboard

Exit code:

3221226540

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\osk.exe
c:\windows\system32\ntdll.dll

6644

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

7872

C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{60A90A2F-858D-42AF-8929-82BE9D99E8A1}

C:\Windows\SysWOW64\dllhost.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

COM Surrogate

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ucrtbase.dll
c:\windows\syswow64\combase.dll

7912

"C:\Users\admin\AppData\Local\Temp\Rar$EXb4296.18718\Nitro gen V2.4\Main.exe"

C:\Users\admin\AppData\Local\Temp\Rar$EXb4296.18718\Nitro gen V2.4\Main.exe

WinRAR.exe

User:

admin

Company:

Intel Core Inc.

Integrity Level:

MEDIUM

Description:

Intel Core Share

Exit code:

Version:

1.2.0.8

Modules

Images
c:\users\admin\appdata\local\temp\rar$exb4296.18718\nitro gen v2.4\main.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

7920

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

Main.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

15 746

Read events

15 406

Write events

333

Delete events

Modification events


(PID) Process:	(4296) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(4296) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(4296) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:	(4296) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\Nitro gen V2.4.zip
(PID) Process:	(4296) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(4296) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(4296) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(4296) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(4548) AtBroker.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\Session1
Operation:	write	Name:	SecureConfiguration
Value:
(PID) Process:	(4548) AtBroker.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
8016	MSBuild.exe	C:\Users\admin\AppData\Local\Temp\TmpA219.tmp		der
		MD5:1420D30F964EAC2C85B2CCFE968EEBCE	SHA256:F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
8016	MSBuild.exe	C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1693682860-607145093-2874071422-1001\76b53b3ec448f7ccdda2063b15d2bfc3_bb926e54-e3ca-40fd-ae90-2764341e7792		binary
		MD5:BBC8DA7D36DF3F91C460984C2ABE8419	SHA256:0399CCF5E780949A63400736A46CCE7D1879903D0F45C6B7D194C960BA4DDDC2
7912	Main.exe	C:\Users\admin\AppData\Roaming\d3d9.dll		executable
		MD5:A434FCA084636CD059F1FC2785239EB9	SHA256:80D2E3BD5A72C1DA4BDD590EF120BC969E863272777FCFFDDBFF343A2FA446CA
8016	MSBuild.exe	C:\Users\admin\AppData\Local\Temp\TmpA1AA.tmp		der
		MD5:1420D30F964EAC2C85B2CCFE968EEBCE	SHA256:F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
4296	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXb4296.18718\Nitro gen V2.4\Main.exe		executable
		MD5:AAA2B8125F580B6B8CC946BD7609EB10	SHA256:9E704FE930EFF19DF18E4E982BEF0E1C2DADE6E09D4004D6FB6EE35F2D00DD26
4296	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXb4296.18718\Nitro gen V2.4\Instruction.txt		text
		MD5:938B3254DD676DEB5AF69650ADBA73EF	SHA256:FEE51720B65483997CC5D169B3A073D0EF97AF0E3DC4AAE60840D0F44BEDF3DF

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5368	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
5272	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
7128	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
6656	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
5368	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D	unknown	—	—	whitelisted
5368	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted
5368	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
4172	SystemSettings.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
4172	SystemSettings.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
3948	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6012	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3008	RUXIMICS.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	4.209.33.156:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
3952	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4468	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
6644	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
5368	SearchApp.exe	104.126.37.139:443	www.bing.com	Akamai International B.V.	DE	unknown

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 51.104.136.2	whitelisted
google.com	142.250.186.46	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted
www.bing.com	104.126.37.139 104.126.37.144 104.126.37.163 104.126.37.130 104.126.37.128 104.126.37.176 104.126.37.131 104.126.37.136 104.126.37.154	whitelisted
login.live.com	40.126.32.136 40.126.32.76 40.126.32.140 40.126.32.133 40.126.32.138 20.190.160.20 40.126.32.68 40.126.32.74	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
client.wns.windows.com	40.113.110.67	whitelisted
arc.msn.com	20.103.156.88	whitelisted
fd.api.iris.microsoft.com	20.74.47.205	whitelisted
go.microsoft.com	184.30.17.189	whitelisted

Threats

PID	Process	Class	Message
8016	MSBuild.exe	Potentially Bad Traffic	ET INFO Microsoft net.tcp Connection Initialization Activity
8016	MSBuild.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 9
8016	MSBuild.exe	A Network Trojan was detected	ET MALWARE Redline Stealer TCP CnC Activity
8016	MSBuild.exe	A Network Trojan was detected	ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)
8016	MSBuild.exe	A Network Trojan was detected	ET MALWARE Redline Stealer TCP CnC - Id1Response
8016	MSBuild.exe	A Network Trojan was detected	ET MALWARE Redline Stealer TCP CnC Activity
8016	MSBuild.exe	A Network Trojan was detected	ET MALWARE Redline Stealer TCP CnC Activity

3 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

Nitro gen V2.4.zip

B35856C2AF17FD6B4EBFD3003A19BE9B

F00C0122937176C73910AA4460C2CCAC928DDCF1

93FC362E74ADC1DC1AAD5C600906186374F94FE2423DCCCEE265233980D72976

6144:imw+hz6iZXZyixahouR+aIHvtp5Cx2BS2ChYkJsst:imw+l6opyKorOPA2C6ji

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

REDLINE has been detected (SURICATA)

Connects to the CnC server

METASTEALER has been detected (SURICATA)

Drops the executable file immediately after the start

Actions looks like stealing of personal data

Stealers network behavior

Steals credentials from Web Browsers

SUSPICIOUS

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Searches for installed software

Checks for external IP

Potential Corporate Privacy Violation

INFO

Reads the computer name

Manual execution by a user

Checks proxy server information

Reads the software policy settings

Checks supported languages

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Creates files or folders in the user directory

Drops the executable file immediately after the start

Reads the machine GUID from the registry

Reads Environment values

Disables trace logs

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings