Summary | ZeroBOX

build.exe

Tags: RedLine Infostealer, RedlineStealer, RedLine stealer, Malicious Library, .NET framework(MSIL), UPX, PE File, OS Processor Check, PE32, .NET EXE
Category FILE
Machine s1_win7_x6403_us
Started Oct. 24, 2024, 10:58 a.m.
Completed Oct. 24, 2024, 11 a.m.
Size 95.5KB
Type PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 26ab43d45d842d638fa8001df1c9fb6b
SHA256 8796a221328335cc0c97d7c5a73194f37b5259e5ee9479d72814fe9189267570
CRC32 74114A95
ssdeep 1536:9HqsUEq76ElbG6jejoigIY43Ywzi0Zb78ivombfexv0ujXyyed2DtmulgS6pM:91p+68YY+zi0ZbYe1g0ujyzdLM
Yara
  • Malicious_Library_Zero - Malicious_Library
  • MALWARE_Win_VT_RedLine - Detects RedLine infostealer
  • PE_Header_Zero - PE File Signature
  • Is_DotNET_EXE - (no description)
  • Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult
  • IsPE32 - (no description)
  • RedLine_Stealer_b_Zero - RedLine stealer
  • UPX_Zero - UPX packed file
  • detect_Redline_Stealer_V2 - (no description)
  • OS_Processor_Check_Zero - OS Processor Check

Name Response Post-Analysis Lookup
bestmetrys.zapto.org 20.0.1.56
IP Address Status Action
164.124.101.2 Active Moloch

Suricata Alerts

Flow SID Signature Category
UDP 192.168.56.103:53673 -> 8.8.8.8:53 2028703 ET POLICY DNS Query to DynDNS Domain *.zapto .org Potentially Bad Traffic
UDP 192.168.56.103:56613 -> 8.8.8.8:53 2028703 ET POLICY DNS Query to DynDNS Domain *.zapto .org Potentially Bad Traffic
UDP 192.168.56.103:53673 -> 164.124.101.2:53 2028703 ET POLICY DNS Query to DynDNS Domain *.zapto .org Potentially Bad Traffic
UDP 192.168.56.103:64530 -> 164.124.101.2:53 2028703 ET POLICY DNS Query to DynDNS Domain *.zapto .org Potentially Bad Traffic
UDP 192.168.56.103:62576 -> 8.8.8.8:53 2028703 ET POLICY DNS Query to DynDNS Domain *.zapto .org Potentially Bad Traffic
UDP 192.168.56.103:62576 -> 164.124.101.2:53 2028703 ET POLICY DNS Query to DynDNS Domain *.zapto .org Potentially Bad Traffic
UDP 192.168.56.103:56613 -> 164.124.101.2:53 2028703 ET POLICY DNS Query to DynDNS Domain *.zapto .org Potentially Bad Traffic
UDP 192.168.56.103:64178 -> 164.124.101.2:53 2028703 ET POLICY DNS Query to DynDNS Domain *.zapto .org Potentially Bad Traffic
UDP 192.168.56.103:52760 -> 164.124.101.2:53 2028703 ET POLICY DNS Query to DynDNS Domain *.zapto .org Potentially Bad Traffic
UDP 192.168.56.103:64894 -> 164.124.101.2:53 2028703 ET POLICY DNS Query to DynDNS Domain *.zapto .org Potentially Bad Traffic
UDP 192.168.56.103:64894 -> 8.8.8.8:53 2028703 ET POLICY DNS Query to DynDNS Domain *.zapto .org Potentially Bad Traffic
UDP 192.168.56.103:64178 -> 8.8.8.8:53 2028703 ET POLICY DNS Query to DynDNS Domain *.zapto .org Potentially Bad Traffic
UDP 192.168.56.103:52760 -> 8.8.8.8:53 2028703 ET POLICY DNS Query to DynDNS Domain *.zapto .org Potentially Bad Traffic
UDP 192.168.56.103:64530 -> 8.8.8.8:53 2028703 ET POLICY DNS Query to DynDNS Domain *.zapto .org Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00672cf8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00672cf8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00672d78
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
domain bestmetrys.zapto.org
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 912
region_size: 2293760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b70000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00d60000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f31000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f32000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 912
region_size: 851968
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00930000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009c0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003c2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00605000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0060b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00607000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005ec000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005f6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003ca000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005fa000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005f7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005fb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005ea000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005fc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 912
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef50000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef58000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 912
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef40000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009b1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005f8000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005fd000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
Bkav W32.AIDetectMalware.CS
Lionic Trojan.Win32.RedLine.i!c
tehtris Generic.Malware
CAT-QuickHeal Trojan.MsilFC.S24736542
Skyhigh BehavesLike.Win32.Generic.nm
ALYac Gen:Variant.Jalapeno.273
Cylance Unsafe
VIPRE Gen:Variant.Jalapeno.273
Sangfor Suspicious.Win32.Save.a
CrowdStrike win/malicious_confidence_100% (D)
BitDefender Gen:Variant.Jalapeno.273
K7GW Spyware ( 0057a2d41 )
K7AntiVirus Spyware ( 0057a2d41 )
Arcabit Trojan.Jalapeno.273
VirIT Trojan.Win32.Genus.PKJ
Symantec Trojan Horse
Elastic Windows.Trojan.Generic
ESET-NOD32 a variant of MSIL/Spy.RedLine.A
APEX Malicious
Avast Win32:MalwareX-gen [Trj]
ClamAV Win.Malware.Bulz-9880537-0
Kaspersky HEUR:Trojan-PSW.MSIL.Reline.gen
Alibaba TrojanPSW:MSIL/RedLine.5ec59424
NANO-Antivirus Trojan.Win32.Reline.ksypxx
SUPERAntiSpyware Trojan.Agent/Gen-Crypt
MicroWorld-eScan Gen:Variant.Jalapeno.273
Rising Backdoor.SectopRAT!1.DA27 (CLASSIC)
Emsisoft Trojan-Spy.Agent (A)
F-Secure Heuristic.HEUR/AGEN.1305503
DrWeb Trojan.PWS.Stealer.32288
TrendMicro TrojanSpy.MSIL.REDLINE.SMYXDILZ
McAfeeD Real Protect-LS!26AB43D45D84
Trapmine malicious.high.ml.score
CTX exe.trojan.msil
Sophos Mal/Reline-B
SentinelOne Static AI - Malicious PE
FireEye Generic.mg.26ab43d45d842d63
Jiangmin Trojan.PSW.MSIL.cihh
Google Detected
Avira HEUR/AGEN.1305503
Antiy-AVL Trojan[Spy]/MSIL.Agent
Kingsoft MSIL.Trojan-PSW.Reline.gen
Gridinsoft Trojan.Win32.AsyncRAT.dd!n
Microsoft PWS:MSIL/RedLine!atmn
ZoneAlarm HEUR:Trojan-PSW.MSIL.Reline.gen
GData MSIL.Trojan-Stealer.Redline.B
Varist W32/MSIL_Agent.BJO.gen!Eldorado
AhnLab-V3 Infostealer/Win.RedLine.C4566112
McAfee GenericRXPZ-SW!26AB43D45D84
TACHYON Trojan-PWS/W32.DN-Reline.97792.N