| File name: | PO.exe |
| Full analysis: | https://app.any.run/tasks/88aa48f6-cafa-4e94-9b55-1e39bb365e4b |
| Verdict: | Malicious activity |
| Threats: | RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware. |
| Analysis date: | April 02, 2024, 10:20:34 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
| MD5: | 8DCA427EAB6AFD10DF49829925F59D9E |
| SHA1: | 9735F697A89255D7641DE835E25D7EF1974C31BB |
| SHA256: | C7A4FD70D3705F22F9E60009DC7534BE74E6A85358F90316A6AF8F24F9676F32 |
| SSDEEP: | 24576:Vu+jPk5keK5LKGilFFgf+xXmwJW8gdHd+IxIkYsvY:Vu+jPkqeyLKGilFqGxXmwJW8gdHd+Ixw |
MALICIOUS
Drops the executable file immediately after the start
- PO.exe (PID: 4008)
REDLINE has been detected (SURICATA)
- PO.exe (PID: 3092)
Steals credentials from Web Browsers
- PO.exe (PID: 3092)
Steals credentials
- PO.exe (PID: 3092)
REDLINE has been detected (YARA)
- PO.exe (PID: 3092)
Actions looks like stealing of personal data
- PO.exe (PID: 3092)
SUSPICIOUS
Application launched itself
- PO.exe (PID: 4008)
Reads the Internet Settings
- PO.exe (PID: 3092)
Connects to unusual port
- PO.exe (PID: 3092)
Reads settings of System Certificates
- PO.exe (PID: 3092)
Searches for installed software
- PO.exe (PID: 3092)
Reads browser cookies
- PO.exe (PID: 3092)
INFO
Checks supported languages
- PO.exe (PID: 4008)
- PO.exe (PID: 3092)
Reads the computer name
- PO.exe (PID: 4008)
- PO.exe (PID: 3092)
Reads the machine GUID from the registry
- PO.exe (PID: 3092)
- PO.exe (PID: 4008)
Reads Environment values
- PO.exe (PID: 3092)
Reads the software policy settings
- PO.exe (PID: 3092)
Create files in a temporary directory
- PO.exe (PID: 3092)
Reads product name
- PO.exe (PID: 3092)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
RedLine
(PID) Process(3092) PO.exe
C2 (1)185.222.58.253:55615
Botnetcheat
Keys
Xor
Options
ErrorMessage
TRiD
| .exe | | | Win64 Executable (generic) (61.6) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (14.6) |
| .exe | | | Win32 Executable (generic) (10) |
| .exe | | | Win16/32 Executable Delphi generic (4.6) |
| .exe | | | Generic Win/DOS Executable (4.4) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2024:03:27 03:43:47+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 48 |
| CodeSize: | 512000 |
| InitializedDataSize: | 8192 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x7e942 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 4.3.6.8 |
| ProductVersionNumber: | 4.3.6.8 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | |
| CompanyName: | Acrobat PDF |
| FileDescription: | Acrobat Pdf |
| FileVersion: | 4.3.6.8 |
| InternalName: | RmZG.exe |
| LegalCopyright: | @Acrobat PDF |
| LegalTrademarks: | - |
| OriginalFileName: | RmZG.exe |
| ProductName: | Acrobat PDF |
| ProductVersion: | 4.3.6.8 |
| AssemblyVersion: | 2.5.3.9 |
Total processes
39
Monitored processes
2
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 3092 | "C:\Users\admin\AppData\Local\Temp\PO.exe" | C:\Users\admin\AppData\Local\Temp\PO.exe | PO.exe | ||||||||||||
User: admin Company: Acrobat PDF Integrity Level: MEDIUM Description: Acrobat Pdf Exit code: 0 Version: 4.3.6.8 Modules
RedLine(PID) Process(3092) PO.exe C2 (1)185.222.58.253:55615 Botnetcheat Keys Xor Options ErrorMessage | |||||||||||||||
| 4008 | "C:\Users\admin\AppData\Local\Temp\PO.exe" | C:\Users\admin\AppData\Local\Temp\PO.exe | — | explorer.exe | |||||||||||
User: admin Company: Acrobat PDF Integrity Level: MEDIUM Description: Acrobat Pdf Exit code: 0 Version: 4.3.6.8 Modules
| |||||||||||||||
Total events
4 999
Read events
4 973
Write events
26
Delete events
0
Modification events
| (PID) Process: | (3092) PO.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\PO_RASAPI32 |
| Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
| (PID) Process: | (3092) PO.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\PO_RASAPI32 |
| Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
| (PID) Process: | (3092) PO.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\PO_RASAPI32 |
| Operation: | write | Name: | FileTracingMask |
Value: | |||
| (PID) Process: | (3092) PO.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\PO_RASAPI32 |
| Operation: | write | Name: | ConsoleTracingMask |
Value: | |||
| (PID) Process: | (3092) PO.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\PO_RASAPI32 |
| Operation: | write | Name: | MaxFileSize |
Value: 1048576 | |||
| (PID) Process: | (3092) PO.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\PO_RASAPI32 |
| Operation: | write | Name: | FileDirectory |
Value: %windir%\tracing | |||
| (PID) Process: | (3092) PO.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\PO_RASMANCS |
| Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
| (PID) Process: | (3092) PO.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\PO_RASMANCS |
| Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
| (PID) Process: | (3092) PO.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\PO_RASMANCS |
| Operation: | write | Name: | FileTracingMask |
Value: | |||
| (PID) Process: | (3092) PO.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\PO_RASMANCS |
| Operation: | write | Name: | ConsoleTracingMask |
Value: | |||
Executable files
0
Suspicious files
40
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3092 | PO.exe | C:\Users\admin\AppData\Local\Temp\tmp9083.tmp | binary | |
MD5:— | SHA256:— | |||
| 3092 | PO.exe | C:\Users\admin\AppData\Local\Temp\tmp9094.tmp | binary | |
MD5:— | SHA256:— | |||
| 3092 | PO.exe | C:\Users\admin\AppData\Local\Temp\tmp90A4.tmp | binary | |
MD5:— | SHA256:— | |||
| 3092 | PO.exe | C:\Users\admin\AppData\Local\Temp\tmp90A5.tmp | binary | |
MD5:— | SHA256:— | |||
| 3092 | PO.exe | C:\Users\admin\AppData\Local\Temp\tmp90B6.tmp | binary | |
MD5:— | SHA256:— | |||
| 3092 | PO.exe | C:\Users\admin\AppData\Local\Temp\tmp90B7.tmp | binary | |
MD5:— | SHA256:— | |||
| 3092 | PO.exe | C:\Users\admin\AppData\Local\Temp\tmp90B8.tmp | binary | |
MD5:— | SHA256:— | |||
| 3092 | PO.exe | C:\Users\admin\AppData\Local\Temp\tmp90C8.tmp | binary | |
MD5:— | SHA256:— | |||
| 3092 | PO.exe | C:\Users\admin\AppData\Local\Temp\tmp90C9.tmp | binary | |
MD5:— | SHA256:— | |||
| 3092 | PO.exe | C:\Users\admin\AppData\Local\Temp\tmp90CA.tmp | binary | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
6
DNS requests
2
Threats
12
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3092 | PO.exe | POST | 200 | 185.222.58.253:55615 | http://185.222.58.253:55615/ | unknown | — | — | unknown |
3092 | PO.exe | POST | 200 | 185.222.58.253:55615 | http://185.222.58.253:55615/ | unknown | — | — | unknown |
3092 | PO.exe | POST | 200 | 185.222.58.253:55615 | http://185.222.58.253:55615/ | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 224.0.0.252:5355 | — | — | — | unknown |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
3092 | PO.exe | 185.222.58.253:55615 | — | RootLayer Web Services Ltd. | NL | unknown |
3092 | PO.exe | 104.26.13.31:443 | api.ip.sb | CLOUDFLARENET | US | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
api.ip.sb |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Malware Command and Control Activity Detected | ET MALWARE RedLine Stealer - CheckConnect Response |
— | — | Malware Command and Control Activity Detected | ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound |
— | — | A Network Trojan was detected | AV TROJAN RedLine Stealer Config Download |
— | — | A Network Trojan was detected | ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) |
— | — | Successful Credential Theft Detected | STEALER [ANY.RUN] Clear Text Login Exfiltration Atempt |
— | — | Successful Credential Theft Detected | STEALER [ANY.RUN] Clear Text Password Exfiltration Atempt |
6 ETPRO signatures available at the full report