File name:

Launcher_x64.exe

Full analysis: https://app.any.run/tasks/80583a6d-0d91-44de-8e33-aca6406b4879
Verdict: Malicious activity
Threats:

MetaStealer is an info-stealing malware primarily targeting sensitive data like login credentials, payment details, and browser history. It typically infects systems via phishing emails or malicious downloads and can exfiltrate data to a command and control (C2) server. MetaStealer is known for its stealthy techniques, including evasion and persistence mechanisms, which make it difficult to detect. This malware has been actively used in various cyberattacks, particularly for financial theft and credential harvesting from individuals and organizations.

Malware Trends Tracker     >>>
Analysis date: August 06, 2024, 20:03:27
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
stealer
redline
metastealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

0EE23C08812E4488AC822318FB9A6D3D

SHA1:

F6EE6595190D8ADDDBE24EEF24902286B2E3C6DA

SHA256:

FB174F86FFE616316393E500EB19C415FEA2A2A1E6E628D999D1B1BFB27F0DAF

SSDEEP:

12288:2jPnbajr4eMWzuOBvDOXeDIvtF2yLdhLeeZ3GJMEaTIN8Dxzjg6gwJFGpSBasNFo:2Tnbajr4NWbB7MeDIvtF2yLdhDGp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • Launcher_x64.exe (PID: 6556)

    • Stealers network behavior

      • MSBuild.exe (PID: 6636)

    • METASTEALER has been detected (SURICATA)

      • MSBuild.exe (PID: 6636)

    • Steals credentials from Web Browsers

      • MSBuild.exe (PID: 6636)

    • REDLINE has been detected (SURICATA)

      • MSBuild.exe (PID: 6636)

    • Connects to the CnC server

      • MSBuild.exe (PID: 6636)

    • REDLINE has been detected (YARA)

      • MSBuild.exe (PID: 6636)

    • Actions looks like stealing of personal data

      • MSBuild.exe (PID: 6636)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Launcher_x64.exe (PID: 6556)

    • Connects to unusual port

      • MSBuild.exe (PID: 6636)

    • Searches for installed software

      • MSBuild.exe (PID: 6636)

  • INFO

    • Reads the computer name

      • Launcher_x64.exe (PID: 6556)
      • MSBuild.exe (PID: 6636)

    • Checks supported languages

      • Launcher_x64.exe (PID: 6556)
      • MSBuild.exe (PID: 6636)

    • Creates files or folders in the user directory

      • Launcher_x64.exe (PID: 6556)

    • Reads the machine GUID from the registry

      • MSBuild.exe (PID: 6636)

    • Reads Environment values

      • MSBuild.exe (PID: 6636)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

RedLine

(PID) Process(6636) MSBuild.exe
C2 (1)5.42.92.213:26889
Botnet665841
Options
ErrorMessage
Keys
XorLongish
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (82.9)
.dll | Win32 Dynamic Link Library (generic) (7.4)
.exe | Win32 Executable (generic) (5.1)
.exe | Generic Win/DOS Executable (2.2)
.exe | DOS Executable Generic (2.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:08:06 14:36:26+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 577024
InitializedDataSize: 2560
UninitializedDataSize: -
EntryPoint: 0x8ecee
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows command line
FileVersionNumber: 1.0.6.4
ProductVersionNumber: 1.0.6.4
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: Logitech G professional gaming keyboards are designed for competition.
CompanyName: Logitech G Innovations Inc.
FileDescription: Logitech G Technologies
FileVersion: 1.0.6.4
InternalName: Hannah730Hannah.pdf
LegalCopyright: Copyright © 2024
LegalTrademarks: Logitech G Innovations Trademark
OriginalFileName: Hannah730Hannah.pdf
ProductName: Logitech G Advanced Suite
ProductVersion: 1.0.6.4
AssemblyVersion: 1.0.6.4
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
121
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start launcher_x64.exe conhost.exe no specs #REDLINE msbuild.exe

Process information

PID
CMD
Path
Indicators
Parent process
6556"C:\Users\admin\Desktop\Launcher_x64.exe" C:\Users\admin\Desktop\Launcher_x64.exe
explorer.exe
User:
admin
Company:
Logitech G Innovations Inc.
Integrity Level:
MEDIUM
Description:
Logitech G Technologies
Exit code:
0
Version:
1.0.6.4
Modules
Images
c:\users\admin\desktop\launcher_x64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
6564\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeLauncher_x64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6636"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Launcher_x64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
MSBuild.exe
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
RedLine
(PID) Process(6636) MSBuild.exe
C2 (1)5.42.92.213:26889
Botnet665841
Options
ErrorMessage
Keys
XorLongish
Total events
2 347
Read events
2 336
Write events
5
Delete events
6

Modification events

(PID) Process:(6636) MSBuild.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:writeName:Owner
Value:
EC190000C73E5CB93BE8DA01
(PID) Process:(6636) MSBuild.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:writeName:SessionHash
Value:
42F7864501BBD3C4987558B6B006A6106D4CCCDA9A34F71B945C64FD82CA26B1
(PID) Process:(6636) MSBuild.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:writeName:Sequence
Value:
1
(PID) Process:(6636) MSBuild.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:writeName:RegFiles0000
Value:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\lockfile
(PID) Process:(6636) MSBuild.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:writeName:RegFilesHash
Value:
7F2CAE392205F600FD927DDCEE75AC815E834E507DDDC5BA0284C3EEBD3E99AB
(PID) Process:(6636) MSBuild.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:delete valueName:RegFilesHash
Value:
Ɀ㦮Ԣö鋽�痮膬荞偎�뫅萂㺽ꮙ
(PID) Process:(6636) MSBuild.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:delete valueName:RegFiles0000
Value:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\lockfile
(PID) Process:(6636) MSBuild.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:delete valueName:Sequence
Value:

(PID) Process:(6636) MSBuild.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:delete valueName:SessionHash
Value:
䖆묁쓓疘뙘ڰႦ䱭�㒚᯷岔ﵤ쪂넦
(PID) Process:(6636) MSBuild.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:delete valueName:Owner
Value:
Executable files
1
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
6556Launcher_x64.exeC:\Users\admin\AppData\Roaming\d3d9x.dllexecutable
MD5:B3AFA8BB521F151BCB68EA4A82E4F174
SHA256:A4CF3D85A8A6737E152A8D07324F117DF7F152EC32A8BF3F652C2BBC5DC9E01F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
15
DNS requests
3
Threats
29

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
3720
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
2120
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4100
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
6636
MSBuild.exe
5.42.92.213:26889
CJSC Kolomna-Sviaz TV
RU
malicious
2120
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4324
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.238
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
  • 51.124.78.146
whitelisted

Threats

PID
Process
Class
Message
6636
MSBuild.exe
Potentially Bad Traffic
ET INFO Microsoft net.tcp Connection Initialization Activity
6636
MSBuild.exe
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 1
6636
MSBuild.exe
A Network Trojan was detected
ET MALWARE Redline Stealer TCP CnC Activity
6636
MSBuild.exe
A Network Trojan was detected
ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)
6636
MSBuild.exe
A Network Trojan was detected
ET MALWARE Redline Stealer TCP CnC - Id1Response
6636
MSBuild.exe
A Network Trojan was detected
ET MALWARE Redline Stealer TCP CnC Activity
6636
MSBuild.exe
A Network Trojan was detected
ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
6636
MSBuild.exe
A Network Trojan was detected
ET MALWARE Redline Stealer TCP CnC Activity
6636
MSBuild.exe
A Network Trojan was detected
ET MALWARE Redline Stealer TCP CnC Activity
6636
MSBuild.exe
A Network Trojan was detected
ET MALWARE Redline Stealer TCP CnC Activity
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Launcher_x64.exe