Verdict: Malicious

Classifications: Spyware, Injector

Threat Names: RedLine, RedLine.A, Trojan.GenericKDZ.79353

Dynamic Analysis Report

Created on 2021-10-29T14:55:00

9642554127816b22f13288b6ae6b06f4ca66f04d1e8073bded6ad065f6147abd.exe

Windows Exe (x86-32)
Sample File

File Name: C:\Users\RDhJ0CNFevzX\Desktop\9642554127816b22f13288b6ae6b06f4ca66f04d1e8073bded6ad065f6147abd.exe
Category: Sample File
Type: Binary
Verdict: malicious
MIME Type: application/vnd.microsoft.portable-executable
File Size: 4.16 MB
MD5: 3645676180db7e06664a53e0ac6317b5
SHA1: caa35a080f3e5b2d7f2672b08533fae7350cb71e
SHA256: 9642554127816b22f13288b6ae6b06f4ca66f04d1e8073bded6ad065f6147abd
SSDeep: 98304:q74x9tum8OvcqReP2V827sYfB4qdSW/NdVlMEIOTGnO2:ZbtMqReP2VTvfB4slVdrMzOT8
ImpHash: 908bea7ee71339f1c35ba419da3ba679
AV Matches (1)

Threat Name: Trojan.GenericKDZ.79353
Verdict: malicious
PE Information

Image Base: 0x400000
Entry Point: 0xa077e4
Size Of Code: 0x23400
Size Of Initialized Data: 0x2ae00
File Type: FileType.executable
Subsystem: Subsystem.windows_gui
Machine Type: MachineType.i386
Compile Timestamp: 2021-10-27 11:08:29+00:00
Version Information (7)

CompanyName: NVIDIA Corporation
FileDescription: NVIDIA Notification
FileVersion: 73.3683.1933.5
InternalName: NVIDIA Notification
LegalCopyright: (C) 2017-2021 NVIDIA Corporation. All rights reserved.
ProductName: NVIDIA Notification
ProductVersion: rel_03_23/6986037
Sections (7)

Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy
.text | 0x401000 | 0x21fc2 | 0x22000 | 0x400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.65
.biJ1zjw | 0x423000 | 0x1326 | 0x0 | 0x0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 0.0
.rdata | 0x425000 | 0xebb8 | 0xec00 | 0x22400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.7
.data | 0x434000 | 0x1cf8 | 0x1000 | 0x31000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.03
.iQWIeij | 0x436000 | 0x269436 | 0x0 | 0x0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 0.0
.iQWIeij | 0x6a0000 | 0x3f6610 | 0x3f6800 | 0x32000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.92
.rsrc | 0xa97000 | 0x53d | 0x600 | 0x428800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.85
Imports (7)

KERNEL32.dll (1)

API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint
Sleep | - | 0x905000 | 0x5b9164 | 0x34b164 | 0x0

USER32.dll (1)

API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint
ShowWindow | - | 0x905008 | 0x5b916c | 0x34b16c | 0x0

WTSAPI32.dll (1)

API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint
WTSSendMessageW | - | 0x905010 | 0x5b9174 | 0x34b174 | 0x0

KERNEL32.dll (1)

API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint
VirtualQuery | - | 0x905018 | 0x5b917c | 0x34b17c | 0x0

USER32.dll (1)

API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint
GetProcessWindowStation | - | 0x905020 | 0x5b9184 | 0x34b184 | 0x0

KERNEL32.dll (12)

API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint
LocalAlloc | - | 0x905028 | 0x5b918c | 0x34b18c | 0x0
LocalFree | - | 0x90502c | 0x5b9190 | 0x34b190 | 0x0
GetModuleFileNameW | - | 0x905030 | 0x5b9194 | 0x34b194 | 0x0
GetProcessAffinityMask | - | 0x905034 | 0x5b9198 | 0x34b198 | 0x0
SetProcessAffinityMask | - | 0x905038 | 0x5b919c | 0x34b19c | 0x0
SetThreadAffinityMask | - | 0x90503c | 0x5b91a0 | 0x34b1a0 | 0x0
Sleep | - | 0x905040 | 0x5b91a4 | 0x34b1a4 | 0x0
ExitProcess | - | 0x905044 | 0x5b91a8 | 0x34b1a8 | 0x0
FreeLibrary | - | 0x905048 | 0x5b91ac | 0x34b1ac | 0x0
LoadLibraryA | - | 0x90504c | 0x5b91b0 | 0x34b1b0 | 0x0
GetModuleHandleA | - | 0x905050 | 0x5b91b4 | 0x34b1b4 | 0x0
GetProcAddress | - | 0x905054 | 0x5b91b8 | 0x34b1b8 | 0x0

USER32.dll (2)

API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint
GetProcessWindowStation | - | 0x90505c | 0x5b91c0 | 0x34b1c0 | 0x0
GetUserObjectInformationW | - | 0x905060 | 0x5b91c4 | 0x34b1c4 | 0x0
Memory Dumps (15)

Name | Process ID | Start VA | End VA | Dump Reason | PE Rebuild | Bitness | Entry Point | AV | YARA
9642554127816b22f13288b6ae6b06f4ca66f04d1e8073bded6ad065f6147abd.exe | 1 | 0x00400000 | 0x00A97FFF | Relevant Image | False | 32-bit | 0x00999BAF | False | False
buffer | 1 | 0x001E0000 | 0x001E0FFF | Content Changed | False | 32-bit | - | False | False
buffer | 1 | 0x001E0000 | 0x001E0FFF | Content Changed | False | 32-bit | - | False | False
buffer | 1 | 0x00BA0000 | 0x00BA0FFF | Content Changed | False | 32-bit | - | False | False
buffer | 1 | 0x00BA0000 | 0x00BA0FFF | First Execution | False | 32-bit | 0x00BA0015 | False | False
buffer | 1 | 0x00BB0000 | 0x00BB0FFF | Content Changed | False | 32-bit | - | False | False
buffer | 1 | 0x00BB0000 | 0x00BB0FFF | Content Changed | False | 32-bit | - | False | False
buffer | 1 | 0x00BD0000 | 0x00BD0FFF | Content Changed | False | 32-bit | - | False | False
buffer | 1 | 0x00BD0000 | 0x00BD0FFF | Content Changed | False | 32-bit | - | False | False
buffer | 1 | 0x00BE0000 | 0x00BE0FFF | Content Changed | False | 32-bit | - | False | False
buffer | 1 | 0x00BE0000 | 0x00BE0FFF | Content Changed | False | 32-bit | - | False | False
buffer | 1 | 0x00BF0000 | 0x00BF0FFF | Content Changed | False | 32-bit | - | False | False
buffer | 1 | 0x00BF0000 | 0x00BF0FFF | Content Changed | False | 32-bit | - | False | False
buffer | 1 | 0x0019F710 | 0x0019FE8D | First Execution | False | 32-bit | 0x0019F891 | False | False
buffer | 1 | 0x00C00000 | 0x00C1DFFF | Content Changed | False | 32-bit | - | False | True
Dropped Files

File Name: C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\tmpC80C.tmp
Category: Dropped File
Type: ZIP
Verdict: clean
Also Known As: C:\Users\RDhJ0CNFevzX\Desktop\_25u4 u3.docx (Dropped File)
MIME Type: application/zip
File Size: 48.83 KB
MD5: 63fd4a0a6d511abd866e76404816b8a0
SHA1: c2ada50ea5393ab5fec496203d2b22270e9c378b
SHA256: 07323e082ec156cabc3333329f8c56d62e8e21d6a4f393d7197a9bee61e01989
SSDeep: 1536:zH9EqDTu+aYtu63hfCU1WvvmGM4xYFgCGA6EFcdcVOtW:zGMu+a4u63hft1Wv0ecgCGA6EKdRtW
ImpHash: -

File Name: C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\tmpCCEF.tmp
Category: Dropped File
Type: ZIP
Verdict: clean
Also Known As: C:\Users\RDhJ0CNFevzX\Documents\C0CC wXtnQbxcIx0Yw.docx (Dropped File)
MIME Type: application/zip
File Size: 32.50 KB
MD5: 7a148a65686b87d7c19e7732de23012a
SHA1: 8a781af97e2734f2bfd637dff606eaa331e79275
SHA256: 35c3d17c5c87c29a3b2b8056dec916bc92a8b26e8e0eec7add026cc978373d50
SSDeep: 768:O6u76LRLC1C3ZTPMAUTZIIx+5XgS3ydwGHTqoL9JJch6wkD1MaQ:OW1+8ZT7UTZIsS3MzzL9JAGMaQ
ImpHash: -

File Name: C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\tmpCCFF.tmp
Category: Dropped File
Type: ZIP
Verdict: clean
Also Known As: C:\Users\RDhJ0CNFevzX\Documents\lRxOx1U0aktspsok.docx (Dropped File)
MIME Type: application/zip
File Size: 44.08 KB
MD5: 1bc2ed0ee98bff833dc00e3fd7d7ca7f
SHA1: 1b160860c86ebe2502b901885801f2f60733d56f
SHA256: 5087e8ac5272b1465b512a35e251fc910b07339e0ee28f3281d7c2edb1e9573d
SSDeep: 768:UaSdwo9Fe78BqBfo5CCFWlUdWoRE1uB9PviSjGtXbO4ak4pI+nm5JX+QKRUF:URwo68MK5CCoUdBRE1uHPve5bOVk427/
ImpHash: -

File Name: C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\tmpCD10.tmp
Category: Dropped File
Type: ZIP
Verdict: clean
Also Known As: C:\Users\RDhJ0CNFevzX\Documents\O2cncwJj9.docx (Dropped File)
MIME Type: application/zip
File Size: 84.65 KB
MD5: cb20f6a06dba6e686ee4688492a2922a
SHA1: 51b7b89b8b934dbc6b30198b4774398d4709822a
SHA256: 5e83d0f9bb7c1830acb21973fc8e43956e1146568ad3f80c16abf7e586ccdc93
SSDeep: 1536:C6G861/UHgzV+iuUjQivB1Iezy2bo7IHYq7V2gREl77sHIMvIlL2+pczC:CN8DHg8iuji/In207IHx2giZYlIlKQc+
ImpHash: -

File Name: C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\tmpCD40.tmp
Category: Dropped File
Type: ZIP
Verdict: clean
Also Known As: C:\Users\RDhJ0CNFevzX\Documents\oJr6ZesmKU IzSK.docx (Dropped File)
MIME Type: application/zip
File Size: 6.32 KB
MD5: 8329bbd786652fcd368c2cfb4cfc7e26
SHA1: de9225fae843130c5919f96625e182c533d3d32c
SHA256: e6bfa6a7623cd9a7ea1118a0e10f290a3d07e00f5096e38f466b4d93139d5c55
SSDeep: 192:n5sVByy3frTA2IUCC4j9cypvHKtxBPb2M:ninvr0CMSAqtxt5
ImpHash: -

File Name: C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\tmpCD50.tmp
Category: Dropped File
Type: ZIP
Verdict: clean
Also Known As: C:\Users\RDhJ0CNFevzX\Documents\x87mVcjjbZa.docx (Dropped File)
MIME Type: application/zip
File Size: 52.54 KB
MD5: caee0ddf1f6b448e207b4f714f7e7578
SHA1: c6ba4b13dae4a1b54950f21cbe43685d5dd80db0
SHA256: 1f6c2c1bc2db465f6783e9eb8cc6aa570fbb3bbad5ea7d2e56668130d06f4997
SSDeep: 768:qNHiS3k4+MGNgZxBvlAb/AciqfHkezM6lXkMGwZDPabyEnZc2G67fIPE4xV:qNHcD7cnib/niq/kzwZmyEntG67fd47
ImpHash: -

File Name: C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\tmpCD61.tmp
Category: Dropped File
Type: ZIP
Verdict: clean
Also Known As: C:\Users\RDhJ0CNFevzX\Documents\YFe19.docx (Dropped File)
MIME Type: application/zip
File Size: 73.51 KB
MD5: 0b7c990d1f6ea7f69008de5f4a5bcb32
SHA1: b4181a7886bc1d857cf4f6b2abdac57d86e73b86
SHA256: 2468e43c68642d0e932d6169c15048f8e50f794b370e0a9c77bef76443863cdc
SSDeep: 1536:Q4Rhi2eWELoBKb4XtazfXlnUpQsrj03NLvmVwwBCrnXg07KdJTIYk7qpTV:RDi7WEkoLBUisrg9oTMDX9edw7qV
ImpHash: -