File name:

Software1.30.1.exe

Full analysis: https://app.any.run/tasks/fad10dfa-6734-4731-afdc-d1430f14b8cc
Verdict: Malicious activity
Threats:

MetaStealer is an info-stealing malware primarily targeting sensitive data like login credentials, payment details, and browser history. It typically infects systems via phishing emails or malicious downloads and can exfiltrate data to a command and control (C2) server. MetaStealer is known for its stealthy techniques, including evasion and persistence mechanisms, which make it difficult to detect. This malware has been actively used in various cyberattacks, particularly for financial theft and credential harvesting from individuals and organizations.

Malware Trends Tracker     >>>
Analysis date: July 18, 2024, 12:38:32
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
stealer
metastealer
redline
evasion
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386, for MS Windows
MD5:

4BC9395FFEEB5559C1CBA0CE2BF16825

SHA1:

233C593846C44EAC4C517DB5951C4CD59D5F9CA4

SHA256:

AB893C01FB0DD8E6A83BD16CC550C49A6A2D41C34B01F6E75BEC6517208CD42A

SSDEEP:

24576:Zxy6iCX7kjQzhampfxkc/VRDvVxHPdPCzGrDd/:ZNiCX7kjQzhampfxkc7DvVxHPdPCzGXx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • Software1.30.1.exe (PID: 2928)

    • Stealers network behavior

      • RegAsm.exe (PID: 8000)

    • REDLINE has been detected (SURICATA)

      • RegAsm.exe (PID: 8000)

    • METASTEALER has been detected (SURICATA)

      • RegAsm.exe (PID: 8000)

    • Connects to the CnC server

      • RegAsm.exe (PID: 8000)

    • REDLINE has been detected (YARA)

      • RegAsm.exe (PID: 8000)

    • Steals credentials from Web Browsers

      • RegAsm.exe (PID: 8000)

    • Actions looks like stealing of personal data

      • RegAsm.exe (PID: 8000)

  • SUSPICIOUS

    • Searches for installed software

      • RegAsm.exe (PID: 8000)

    • Checks for external IP

      • RegAsm.exe (PID: 8000)

    • Potential Corporate Privacy Violation

      • RegAsm.exe (PID: 8000)

  • INFO

    • Checks supported languages

      • Software1.30.1.exe (PID: 2928)
      • RegAsm.exe (PID: 8000)

    • Reads the computer name

      • RegAsm.exe (PID: 8000)

    • Reads the machine GUID from the registry

      • RegAsm.exe (PID: 8000)

    • Reads Environment values

      • RegAsm.exe (PID: 8000)

    • Disables trace logs

      • RegAsm.exe (PID: 8000)

    • Checks proxy server information

      • RegAsm.exe (PID: 8000)

    • Reads the software policy settings

      • RegAsm.exe (PID: 8000)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

RedLine

(PID) Process(8000) RegAsm.exe
C2 (1)85.28.47.132:80
Botnet@fgkyleoff
Options
ErrorMessageClick Close to exit the program. Error code: 1142
Keys
XorElevatory
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:07:17 11:14:32+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.39
CodeSize: 147456
InitializedDataSize: 374784
UninitializedDataSize: -
EntryPoint: 0x8bfc
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
120
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start software1.30.1.exe no specs conhost.exe no specs #REDLINE regasm.exe

Process information

PID
CMD
Path
Indicators
Parent process
2928"C:\Users\admin\Desktop\Software1.30.1.exe" C:\Users\admin\Desktop\Software1.30.1.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\software1.30.1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
7324\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeSoftware1.30.1.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
8000"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Software1.30.1.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Assembly Registration Utility
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
RedLine
(PID) Process(8000) RegAsm.exe
C2 (1)85.28.47.132:80
Botnet@fgkyleoff
Options
ErrorMessageClick Close to exit the program. Error code: 1142
Keys
XorElevatory
Total events
6 790
Read events
6 764
Write events
20
Delete events
6

Modification events

(PID) Process:(8000) RegAsm.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(8000) RegAsm.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(8000) RegAsm.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(8000) RegAsm.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(8000) RegAsm.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(8000) RegAsm.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(8000) RegAsm.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(8000) RegAsm.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(8000) RegAsm.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(8000) RegAsm.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASMANCS
Operation:writeName:EnableAutoFileTracing
Value:
0
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
29
DNS requests
6
Threats
17

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
unknown
GET
200
104.26.13.31:443
https://api.ip.sb/ip
unknown
text
13 b
unknown
GET
200
20.74.47.205:443
https://fd.api.iris.microsoft.com/v4/api/selection?&asid=1B4E36DDEAEC41A385546FC71CAD882C&nct=1&placement=88000677&bcnt=30&country=US&locale=en-US&poptin=0&fmt=json&arch=AMD64&chassis=1&concp=0&d3dfl=D3D_FEATURE_LEVEL_12_1&devfam=Windows.Desktop&devosver=10.0.19045.4046&dinst=1661339444&dmret=0&flightbranch=&flightring=Retail&icluc=0&localid=w%3AAC7699B0-48EA-FD22-C8DC-06A02098A0F0&oem=DELL&osbranch=vb_release&oslocale=en-US&osret=1&ossku=Professional&osskuid=48&prccn=4&prccs=3094&prcmf=AuthenticAMD&procm=Intel%28R%29%20Core%28TM%29%20i5-6400%20CPU%20%40%202.70GHz&ram=4096&tinst=Client&tl=1&pat=0&smc=0&sac=0&disphorzres=1280&dispsize=15.3&dispvertres=720&ldisphorzres=1280&ldispvertres=720&moncnt=1&cpdsk=260281&frdsk=218544&lo=3608917&tsu=999447
unknown
binary
102 b
unknown
GET
200
184.86.251.15:443
https://www.bing.com/client/config?cc=US&setlang=en-US
unknown
binary
2.15 Kb
unknown
POST
4.209.33.156:443
https://licensing.mp.microsoft.com/v7.0/licenses/content
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4716
svchost.exe
40.126.31.69:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
20.103.156.88:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
unknown
4.209.32.198:443
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
239.255.255.250:1900
whitelisted
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4.209.33.156:443
licensing.mp.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
40.115.3.253:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
7396
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6556
backgroundTaskHost.exe
20.74.47.205:443
fd.api.iris.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
unknown

DNS requests

Domain
IP
Reputation
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
licensing.mp.microsoft.com
  • 4.209.33.156
whitelisted
google.com
  • 142.250.185.238
whitelisted
fd.api.iris.microsoft.com
  • 20.74.47.205
whitelisted
www.bing.com
  • 184.86.251.14
  • 184.86.251.19
  • 184.86.251.21
  • 184.86.251.11
  • 184.86.251.16
  • 184.86.251.13
  • 184.86.251.17
  • 184.86.251.20
  • 184.86.251.15
whitelisted
api.ip.sb
  • 172.67.75.172
  • 104.26.13.31
  • 104.26.12.31
whitelisted

Threats

PID
Process
Class
Message
Generic Protocol Command Decode
SURICATA HTTP Request unrecognized authorization method
8000
RegAsm.exe
Potentially Bad Traffic
ET INFO Microsoft net.tcp Connection Initialization Activity
8000
RegAsm.exe
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 9
8000
RegAsm.exe
A Network Trojan was detected
ET MALWARE Redline Stealer TCP CnC Activity
8000
RegAsm.exe
A Network Trojan was detected
ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)
8000
RegAsm.exe
A Network Trojan was detected
ET MALWARE Redline Stealer TCP CnC - Id1Response
8000
RegAsm.exe
A Network Trojan was detected
ET MALWARE Redline Stealer TCP CnC - Id1Response
8000
RegAsm.exe
A Network Trojan was detected
ET MALWARE Redline Stealer TCP CnC - Id1Response
8000
RegAsm.exe
A Network Trojan was detected
ET MALWARE Redline Stealer TCP CnC - Id1Response
8000
RegAsm.exe
A Network Trojan was detected
ET MALWARE Redline Stealer TCP CnC - Id1Response
3 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Software1.30.1.exe