File name: d3d9.dll

Full analysis: https://app.any.run/tasks/9ff7c78d-5924-4863-8a55-047c4497dc7e
Verdict: Malicious activity
Threats:

MetaStealer is an info-stealing malware primarily targeting sensitive data like login credentials, payment details, and browser history. It typically infects systems via phishing emails or malicious downloads and can exfiltrate data to a command and control (C2) server. MetaStealer is known for its stealthy techniques, including evasion and persistence mechanisms, which make it difficult to detect. This malware has been actively used in various cyberattacks, particularly for financial theft and credential harvesting from individuals and organizations.

Analysis date: July 07, 2024, 11:34:49
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
stealer
metastealer
redline
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5: 106FE1980DBCB4FA2FE0C00B6D6FA7C2
SHA1: 5CB7EB7BE8F3D1641CB458024D868363658A2955
SHA256: C0716389100B55B09F46FAFEF37BB7D120453DF3BFB1097DCD30E14BB97C09BC
SSDEEP: 3072:TkeXkn3nzLR0nyiJUAe9l+Vmz4l9Mshb7eSwUy0/M0npMx03CQJNUI8qEgmlpjV:TkeXcJ0yiJUAer+Vf9GSw03Ca8Capx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • rundll32.exe (PID: 4152)
    • REDLINE has been detected (YARA)

      • MSBuild.exe (PID: 2328)
    • METASTEALER has been detected (SURICATA)

      • MSBuild.exe (PID: 2328)
    • REDLINE has been detected (SURICATA)

      • MSBuild.exe (PID: 2328)
    • Connects to the CnC server

      • MSBuild.exe (PID: 2328)
    • Steals credentials from Web Browsers

      • MSBuild.exe (PID: 2328)
    • Actions look like stealing of personal data

      • MSBuild.exe (PID: 2328)
  • SUSPICIOUS

    • Connects to unusual port

      • MSBuild.exe (PID: 2328)
    • Searches for installed software

      • MSBuild.exe (PID: 2328)
  • INFO

    • Reads the computer name

      • MSBuild.exe (PID: 2328)
    • Reads the machine GUID from the registry

      • MSBuild.exe (PID: 2328)
    • Checks supported languages

      • MSBuild.exe (PID: 2328)
    • Reads Environment values

      • MSBuild.exe (PID: 2328)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

RedLine

(PID) Process: (2328) MSBuild.exe
C2 (1): 185.196.9.26:6302
Botnet: @Zakielk
Options:
  ErrorMessage
Keys:
  Xor: Struggling
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6%)
.dll | Win32 Dynamic Link Library (generic) (15.4%)
.exe | Win32 Executable (generic) (10.5%)
.exe | Generic Win/DOS Executable (4.6%)
.exe | DOS Executable Generic (4.6%)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:07:06 13:42:20+00:00
ImageFileCharacteristics: Executable, 32-bit, DLL
PEType: PE32
LinkerVersion: 14.38
CodeSize: 111616
InitializedDataSize: 337920
UninitializedDataSize: -
EntryPoint: 0x1045e
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 126
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start -> rundll32.exe (no specs) -> msbuild.exe (#REDLINE)

Process information

PID: 2328
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Parent process: rundll32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: MSBuild.exe
Exit code: 0
Version: 4.8.9037.0 built by: NET481REL1
Modules (images):
c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
PID: 4152
CMD: "C:\WINDOWS\SysWOW64\rundll32.exe" C:\Users\admin\Desktop\d3d9.dll, #1
Path: C:\Windows\SysWOW64\rundll32.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
Total events: 2 239
Read events: 2 228
Write events: 5
Delete events: 6

Modification events

All entries below were made by (PID) Process: (2328) MSBuild.exe under the key HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000.

Operation | Name | Value
write | Owner | 1809000091C2FEB161D0DA01
write | SessionHash | 72AD9EC084625AB4C88C796CF4D24EA0ADE6A6ED3D3C5B4A175690C317A9CC9E
write | Sequence | 1
write | RegFiles0000 | C:\Users\admin\AppData\Local\Google\Chrome\User Data\lockfile
write | RegFilesHash | F1540274866294FD6D7866AE25FC553B3DC199D367812E404D5A537AAAE83436
delete value | RegFilesHash | (binary, non-printable value)
delete value | RegFiles0000 | C:\Users\admin\AppData\Local\Google\Chrome\User Data\lockfile
delete value | Sequence | (empty)
delete value | SessionHash | (binary, non-printable value)
delete value | Owner | (empty)
Executable files: 0
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 22
DNS requests: 4
Threats: 10

HTTP requests

("-" marks a cell the report left blank)

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
6116 | svchost.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown | - | -
2448 | RUXIMICS.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown | - | -
2448 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown | - | -
6116 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown | - | -
3692 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown | - | -
- | - | POST | 200 | 20.42.73.27:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | unknown | binary | 9 b | -

Connections

("-" marks a cell the report left blank)

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
6116 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3692 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2448 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6116 | svchost.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
4032 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
2448 | RUXIMICS.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
2448 | RUXIMICS.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2328 | MSBuild.exe | 185.196.9.26:6302 | - | Simple Carrier LLC | US | malicious
6116 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
crl.microsoft.com | 23.48.23.156, 23.48.23.143 | whitelisted
www.microsoft.com | 23.35.229.160 | whitelisted
settings-win.data.microsoft.com | 51.104.136.2 | whitelisted
self.events.data.microsoft.com | 20.42.73.27 | whitelisted

Threats

PID | Process | Class | Message
2328 | MSBuild.exe | Potentially Bad Traffic | ET INFO Microsoft net.tcp Connection Initialization Activity
2328 | MSBuild.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 32
2328 | MSBuild.exe | A Network Trojan was detected | ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)
2328 | MSBuild.exe | A Network Trojan was detected | ET MALWARE Redline Stealer TCP CnC Activity
2328 | MSBuild.exe | A Network Trojan was detected | ET MALWARE Redline Stealer TCP CnC - Id1Response
2328 | MSBuild.exe | A Network Trojan was detected | ET MALWARE Redline Stealer TCP CnC Activity
2328 | MSBuild.exe | A Network Trojan was detected | ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
2328 | MSBuild.exe | A Network Trojan was detected | ET MALWARE Redline Stealer TCP CnC Activity
2328 | MSBuild.exe | A Network Trojan was detected | ET MALWARE Redline Stealer TCP CnC Activity
2328 | MSBuild.exe | A Network Trojan was detected | ET MALWARE Redline Stealer TCP CnC Activity
No debug info