MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 053e095aadd84662c18caec141b4dca4f26ad9ac28ba9e82db02ea1aef9eb9b3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 053e095aadd84662c18caec141b4dca4f26ad9ac28ba9e82db02ea1aef9eb9b3
SHA3-384 hash: 64eddb51beef6079ceb0e9f224cd84042ac3f8babe14023cae28cfc6df6182ca71eb2d159a0d7366a2b2828a24766a3c
SHA1 hash: e572a7a807af058e07c25e8308604269b225b91f
MD5 hash: c90720ba16d8752a433b595db49c4a16
humanhash: echo-pip-india-gee
File name:c90720ba16d8752a433b595db49c4a16.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:5'101'568 bytes
First seen:2023-01-30 19:00:30 UTC
Last seen:2023-01-30 20:32:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 019a6c4b2959b4d629831b7385dab1ad (2 x RedLineStealer)
ssdeep 98304:Ehm4e6R6usY3PbiSKkillX1+GyVD489AZVGh4b9nwE+kmW2MEN7sjqK:EZe6R6us1SKkillX1+x4pVGh4buFkmR0
TLSH T13136232356550196D4EAC839853BFEE032F31F364B91A83976EAB9CB24735E1E603D43
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.6% (.EXE) Win32 Executable (generic) (4505/5/1)
8.5% (.ICL) Windows Icons Library (generic) (2059/9)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon c8e3efe6a696c6cc (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
http://62.204.41.92/n9dks3s/index.php

Intelligence

File Origin
# of uploads :
2
# of downloads :
219
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
c90720ba16d8752a433b595db49c4a16.exe
Verdict:
Malicious activity
Analysis date:
2023-01-30 19:01:03 UTC
Tags:
evasion opendir loader trojan rat redline stealer
Link:
https://app.any.run/tasks/f25504f2-2017-47f0-be24-bdd0ef44bf66

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/358419/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.65196508.5628.13017.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the Windows subdirectories
Сreating synchronization primitives
Modifying a system file
Sending an HTTP GET request
DNS request
Sending a custom TCP request
Replacing files
Launching a service
Reading critical registry keys
Launching a process
Creating a file
Sending a UDP request
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% subdirectories
Creating a window
Searching for the window
Creating a file in the Program Files subdirectories
Searching for synchronization primitives
Forced system process termination
Enabling the 'hidden' option for recently created files
Blocking the Windows Defender launch
Query of malicious DNS domain
Unauthorized injection to a recently created process
Adding exclusions to Windows Defender
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed redline shell32.dll
Link:
https://www.filescan.io/uploads/63d813f02d4f6d560e23b8ad/reports/b928ebeb-3dd0-4bfd-82a6-a0eb5b190277/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Glupteba
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/90493529-630a-4307-b48d-36450ab5c826
Result
Threat name:
Glupteba, Nymaim, RedLine, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1161905
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Downloads files with wrong headers with respect to MIME Content-Type
Drops executable to a common third party application directory
Found C&C like URL pattern
Found Tor onion address
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Group Policy settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Uses dynamic DNS services
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Glupteba
Yara detected Nymaim
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 794660 Sample: XkvOVuEgpY.exe Startdate: 30/01/2023 Architecture: WINDOWS Score: 100 121 45.12.253.98 CMCSUS Germany 2->121 123 www.facebook.com 2->123 125 17 other IPs or domains 2->125 153 Snort IDS alert for network traffic 2->153 155 Multi AV Scanner detection for domain / URL 2->155 157 Malicious sample detected (through community Yara rule) 2->157 159 25 other signatures 2->159 10 XkvOVuEgpY.exe 11 62 2->10         started        15 svchost.exe 2->15         started        17 svchost.exe 3 2->17         started        19 13 other processes 2->19 signatures3 process4 dnsIp5 135 23.254.227.214, 49697, 80 HOSTWINDSUS United States 10->135 137 vk.com 87.240.129.133, 443, 49702, 49703 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 10->137 143 14 other IPs or domains 10->143 103 C:\Users\...\r3n72aGLAVoTDIB7s6Gmu7JT.exe, PE32 10->103 dropped 105 C:\Users\...\qSzPlbFtU3XMuAoPparOkBt6.exe, PE32 10->105 dropped 107 C:\Users\...\pE1GwcFTYoHgB5gA_XzIpG0w.exe, PE32 10->107 dropped 113 14 other malicious files 10->113 dropped 185 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 10->185 187 Creates HTML files with .exe extension (expired dropper behavior) 10->187 189 Disables Windows Defender (deletes autostart) 10->189 195 3 other signatures 10->195 21 pE1GwcFTYoHgB5gA_XzIpG0w.exe 2 10->21         started        25 CKqzEetp1uVyemtJxHQ3J4Zd.exe 10->25         started        27 hZUdh1uN0Y6Rp2k9rQtfm9yQ.exe 10->27         started        33 7 other processes 10->33 191 Changes security center settings (notifications, updates, antivirus, firewall) 15->191 193 Query firmware table information (likely to detect VMs) 17->193 139 telegram.org 19->139 141 telegram.org 19->141 109 C:\Users\user\AppData\Local\...\WWW14[2].bmp, PE32 19->109 dropped 111 C:\Users\user\AppData\Local\...\WWW14[1].bmp, PE32 19->111 dropped 29 WerFault.exe 19->29         started        31 WerFault.exe 19->31         started        file6 signatures7 process8 dnsIp9 89 C:\Users\...\pE1GwcFTYoHgB5gA_XzIpG0w.tmp, PE32 21->89 dropped 161 Obfuscated command line found 21->161 36 pE1GwcFTYoHgB5gA_XzIpG0w.tmp 21->36         started        91 C:\Windows\Temp\321.exe, PE32 25->91 dropped 93 C:\Windows\Temp\123.exe, PE32 25->93 dropped 39 321.exe 25->39         started        42 123.exe 25->42         started        163 Injects a PE file into a foreign processes 27->163 44 hZUdh1uN0Y6Rp2k9rQtfm9yQ.exe 27->44         started        115 telegram.org 149.154.167.99 TELEGRAMRU United Kingdom 33->115 117 star-mini.c10r.facebook.com 157.240.253.35 FACEBOOKUS United States 33->117 119 6 other IPs or domains 33->119 95 C:\Users\user\AppData\Roaming\Firefox.exe, PE32 33->95 dropped 97 C:\Program Files (x86)\Zip97ewFolder.exe, PE32 33->97 dropped 99 C:\...\PowerControl_Svc.exe, PE32 33->99 dropped 165 Drops executable to a common third party application directory 33->165 167 Hides that the sample has been downloaded from the Internet (zone.identifier) 33->167 46 Firefox.exe 33->46         started        49 chrome.exe 33->49         started        51 schtasks.exe 33->51         started        53 schtasks.exe 33->53         started        file10 signatures11 process12 dnsIp13 81 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 36->81 dropped 83 C:\Users\user\AppData\Local\...\_isdecmp.dll, PE32 36->83 dropped 85 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 36->85 dropped 87 7 other files (6 malicious) 36->87 dropped 55 finalrecovery.exe 36->55         started        169 Multi AV Scanner detection for dropped file 39->169 171 Writes to foreign memory regions 39->171 173 Allocates memory in foreign processes 39->173 59 vbc.exe 39->59         started        62 conhost.exe 39->62         started        175 Injects a PE file into a foreign processes 42->175 64 conhost.exe 42->64         started        66 vbc.exe 42->66         started        68 WerFault.exe 42->68         started        177 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 44->177 179 Maps a DLL or memory area into another process 44->179 181 Checks if the current machine is a virtual machine (disk enumeration) 44->181 70 explorer.exe 44->70 injected 145 toloreto.ru 194.58.112.174 AS-REGRU Russian Federation 46->145 147 accounts.google.com 142.250.203.109, 443, 49736 GOOGLEUS United States 49->147 149 clients.l.google.com 216.58.215.238, 443, 49734 GOOGLEUS United States 49->149 151 clients2.google.com 49->151 72 conhost.exe 51->72         started        74 conhost.exe 53->74         started        file14 signatures15 process16 dnsIp17 127 45.12.253.56 CMCSUS Germany 55->127 129 45.12.253.72 CMCSUS Germany 55->129 131 45.12.253.75 CMCSUS Germany 55->131 101 C:\Users\user\AppData\...\Qs0xnuxi70Va.exe, PE32 55->101 dropped 76 Qs0xnuxi70Va.exe 55->76         started        133 65.21.213.208 CP-ASDE United States 59->133 183 Tries to harvest and steal browser information (history, passwords, etc) 59->183 79 cmd.exe 59->79         started        file18 signatures19 process20 signatures21 197 Multi AV Scanner detection for dropped file 76->197
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/053e095aadd84662c18caec141b4dca4f26ad9ac28ba9e82db02ea1aef9eb9b3/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-01-27 01:41:16 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
25 of 39 (64.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=au7aswvn3bdgfqmmv3audng4utzgvwnmfc5j5aw3alvbv346xgzq._file
Verdict:
malicious
Result
Malware family:
privateloader
Create hunting rule
Score:
  10/10
Tags:
family:privateloader loader spyware stealer
Link:
https://tria.ge/reports/230130-xpbszsdc6s/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Drops file in System32 directory
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
PrivateLoader
Unpacked files
SH256 hash:
ad29a55ebc671946699947f8167ca6336104ec687a76f5abbb8bd1ef79fda86b
MD5 hash:
d1a4ca0c9f064ad1284f37edb73f2f34
SHA1 hash:
719c1a564f72f09ec0e7f253ef9459d8efca7ef3
Detections:
PrivateLoader
Create hunting rule
win_privateloader_w0
Create hunting rule
win_privateloader_a0
Create hunting rule
Link:
https://www.unpac.me/results/aff03b2f-8b64-45d8-ad30-a0e0b18733d9/
SH256 hash:
053e095aadd84662c18caec141b4dca4f26ad9ac28ba9e82db02ea1aef9eb9b3
MD5 hash:
c90720ba16d8752a433b595db49c4a16
SHA1 hash:
e572a7a807af058e07c25e8308604269b225b91f
Link:
https://www.unpac.me/results/aff03b2f-8b64-45d8-ad30-a0e0b18733d9/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/053e095aadd8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/053e095aadd84662c18caec141b4dca4f26ad9ac28ba9e82db02ea1aef9eb9b3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/358419/

Comments