MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 11ece1cced91596811f52515dad4e21c2e88ec329a55558e23f2bed596ec08cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

SHA256 hash: 11ece1cced91596811f52515dad4e21c2e88ec329a55558e23f2bed596ec08cb
SHA3-384 hash: 14340fdb32463f6b2697d5abac782d034245827d6264aeaf81c382a8397c1f510a8289d50884c7a024ca739352937c2f
SHA1 hash: 0b3d35b3ec0f597590266be0d93e97e1eee2f108
MD5 hash: 222912d33ccf70da6f35e2c849631d34
humanhash: nitrogen-ceiling-juliet-alaska
File name: file
Signature: RedLineStealer
File size: 360'448 bytes
First seen: 2022-10-17 11:19:46 UTC
Last seen: 2022-10-19 15:50:25 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 6897668735e7ebf45221263d5090ec47 (3 x RedLineStealer)
ssdeep: 6144:8EfW6uHE8KCA4ZypqXLeEAOzJu/xLnAeWDIgVLorHUdvq21:8LlHE8KCAG4LnAeZALoHivX1
Threatray: 370 similar samples on MalwareBazaar
TLSH: T10D74AE0135D3C932CCB2103109FDEF35AB2B69615BA85AFBE7F406390EE11C1B5669E9
TrID: 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
      10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
      7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: andretavare5
Tags: exe RedLineStealer
andretavare5
Sample downloaded from https://vk.com/doc738581312_650834166?hash=eZZCvIZFCYZtlCmzG7E7cPBZkXdSMe6aAo2ldZhiRXD&dl=G4ZTQNJYGEZTCMQ:1666005235:f3K7slg1EpzPare1eWhtMf5zQfwx0tw8bEzxH2i3nm8&api=1&no_preview=1#1

Intelligence
File Origin
# of uploads: 990
# of downloads: 247
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the system32 subdirectories
Creating a file
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Result
Malware family:
n/a
Score: 6/10
Tags:
n/a
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level: 5/10
Confidence:
100%
Tags:
greyware
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Verdict:
Malicious
Result
Threat name:
Raccoon Stealer v2, RedLine, Xmrig
Detection:
malicious
Classification:
troj.adwa.spyw.evad.mine
Score:
100 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Creates files in the system32 config directory
Detected unpacking (changes PE section rights)
DLL side loading technique detected
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Stop multiple services
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Raccoon Stealer v2
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Threat name:
Win32.Trojan.RedLineStealer
Status:
Malicious
First seen:
2022-10-17 11:20:09 UTC
File Type:
PE (Exe)
AV detection:
23 of 26 (88.46%)
Threat level: 5/5
Result
Malware family:
n/a
Score: 1/10
Tags:
n/a
Unpacked files
SHA256 hash:
11ece1cced91596811f52515dad4e21c2e88ec329a55558e23f2bed596ec08cb
MD5 hash:
222912d33ccf70da6f35e2c849631d34
SHA1 hash:
0b3d35b3ec0f597590266be0d93e97e1eee2f108
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:MALWARE_Win_RedLine
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash

File information
The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: PrivateLoader
Delivery method: Distributed via drive-by

Comments