MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 131e8b4cfd3d6911aa1a5a7109767a094b0593c405722d1691ee7422eeb00ea2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 15



SHA256 hash: 131e8b4cfd3d6911aa1a5a7109767a094b0593c405722d1691ee7422eeb00ea2
SHA3-384 hash: 2fdc2708f69d1d3aa512b16ee11d8f1e548aa5b184749de2af9d36e3fb77518014d5ce9d9781e8e94b6b4d3bd6d5c888
SHA1 hash: b80f2182794e662803b8008824b47ce03831c749
MD5 hash: aa434a77997feec2d83acb2a58b96263
humanhash: king-nebraska-golf-tennessee
File name: aa434a77997feec2d83acb2a58b96263.exe
Signature: RedLineStealer
File size: 13'712'793 bytes
First seen: 2022-12-07 15:30:19 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 12e12319f1029ec4f8fcbed7e82df162 (388 x DCRat, 52 x RedLineStealer, 51 x Formbook)
ssdeep: 393216:eC1gK3j22BT14aZtcpd0pcgTHuNvxKGYJzau1:eCf3j5bSpddgTOfKGYcu1
TLSH: T127D63303F6C1D4B2C4892D75BAB61A02A3B6BC3506DBD797A3D0473A8532DD1E372762
TrID:
  89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
  3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
  2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: f0cccacaece4e0f0 (12 x RedLineStealer, 2 x GCleaner, 2 x RaccoonStealer)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
77.73.134.15:43250

Intelligence


File Origin
Uploads: 1
Downloads: 246
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: aa434a77997feec2d83acb2a58b96263.exe
Verdict: Malicious activity
Analysis date: 2022-12-07 15:37:17 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Searching for the window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
Creating a file in the %temp% subdirectories
DNS request
Sending a custom TCP request
Launching a process
Running batch commands
Creating a process with a hidden window
Sending an HTTP GET request
Connecting to a non-recommended domain
Using the Windows Management Instrumentation requests
Launching the default Windows debugger (dwwin.exe)
Downloading the file
Unauthorized injection to a system process
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-vm greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Result
Verdict: MALICIOUS
Result
Threat name: Fabookie, ManusCrypt, RedLine
Detection: malicious
Classification: bank.troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Creates an autostart registry key pointing to binary in C:\Windows
Creates files in the system32 config directory
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found Tor onion address
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Powershell drops PE file
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sets a auto configuration URL for Internet Explorer (IE settings are enforced automatically)
Sets debug register (to hijack the execution of another thread)
Sigma detected: Powershell Download and Execute IEX
Snort IDS alert for network traffic
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses netsh to modify the Windows network and firewall settings
Uses ping.exe to check the status of other devices and networks
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Fabookie
Yara detected ManusCrypt
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 762839
Sample: vQDvcLViTy.exe
Start date: 07/12/2022
Architecture: WINDOWS
Score: 100
Top-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 14 other signatures

Process tree reconstructed from the graph (graph node numbers in brackets; dropped files, network contacts and signatures are listed under the process that produced them):
[2] sample start
  vQDvcLViTy.exe [11]
    dropped: C:\Users\user\Desktop\Resource.exe (PE32+); C:\Users\user\Desktop\Proceed.exe (PE32); C:\Users\user\Desktop\Folder.exe (PE32); 3 other malicious files
    Files.exe [20]
      dropped: C:\Users\user\AppData\Local\...\Files.tmp (PE32)
      signatures: Suspicious powershell command line found; Obfuscated command line found
      Files.tmp [37]
        dropped: C:\Users\user\AppData\Local\...\isrojsgj.dll (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
        Files.exe [58]
          dropped: C:\Users\user\AppData\Local\...\Files.tmp (PE32)
          signatures: Obfuscated command line found
          Files.tmp [79]
            dropped: C:\Users\user\AppData\Local\...\isrojsgj.dll (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
            signatures: Injects code into the Windows Explorer (explorer.exe); Sample uses process hollowing technique
            explorer.exe [94]
              network: 104.21.53.46 CLOUDFLARENETUS United States; 162.159.130.233 CLOUDFLARENETUS United States
              signatures: System process connects to network (likely due to code injection or exploit)
              cmd.exe [98]
                signatures: Suspicious powershell command line found
          powershell.exe [83]
            network: 45.10.43.242 RACKTECHRU Russian Federation
            dropped: C:\Program Files (x86)\...\vsdll.exe (PE32)
            signatures: Powershell drops PE file
          conhost.exe [86]
    File.exe [24]
      signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Machine Learning detection for dropped file; 2 other signatures
      File.exe [40]
        dropped: C:\Windows\rss\csrss.exe (PE32)
        signatures: Drops executables to the windows directory (C:\Windows) and starts them; Creates an autostart registry key pointing to binary in C:\Windows
        csrss.exe [62]
          signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Machine Learning detection for dropped file
        cmd.exe [64]
          netsh.exe [88]
            signatures: Creates files in the system32 config directory
          conhost.exe [90]
    Continue.exe [26]
      network: nassarplastic.com 155.94.249.9, 443, 49702, 49705 ASN-QUADRANET-GLOBALUS United States
      signatures: Antivirus detection for dropped file
      cmd.exe [43]
        signatures: Uses ping.exe to check the status of other devices and networks
        PING.EXE [66]
          network: 127.0.0.1 unknown unknown
        conhost.exe [69]
      cmd.exe [45]
        signatures: Uses netsh to modify the Windows network and firewall settings
        2 other processes [75]
          network: nassarplastic.com; 217.182.227.118 OVHFR France
    3 other processes [35]
      network: aaa.apiaaaeg.com 45.66.159.18, 49699, 49704, 80 ENZUINC-US Russian Federation; 157.240.196.35 FACEBOOKUS United States; 4 other IPs or domains
      signatures: Creates processes via WMI; Injects a PE file into a foreign processes
      5 other processes [55]
        network: 77.73.134.15 FIBEROPTIXDE Kazakhstan; xv.yxzgamen.com 188.114.96.3, 49700, 80 CLOUDFLARENETUS European Union
        dropped: C:\Users\user\AppData\Local\Temp\db.dll (PE32)
        3 other processes [77]
          conhost.exe [92]
  rundll32.exe [14]
    rundll32.exe [29]
      signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
      svchost.exe [47] (injected)
        signatures: System process connects to network (likely due to code injection or exploit); Sets debug register (to hijack the execution of another thread); Modifies the context of a thread in another process (thread injection)
        svchost.exe [71]
          network: g.agametog.com 34.142.181.181 ATGS-MMD-ASUS United States; 208.95.112.1 TUT-ASUS United States; 104.21.34.132 CLOUDFLARENETUS United States
          dropped: C:\Users\user\AppData\Local\...\Cookies.db (SQLite); C:\Users\user\AppData\Local\...\Login Data.db (SQLite)
          signatures: Query firmware table information (likely to detect VMs); Installs new ROOT certificates; Sets a auto configuration URL for Internet Explorer (IE settings are enforced automatically); Tries to harvest and steal browser information (history, passwords, etc)
        consent.exe [73]
          signatures: Writes to foreign memory regions
      7 other processes [49]
  csrss.exe [16]
    cmd.exe [31]
      4 other processes [51]
  2 other processes [18]
    cmd.exe [33]
      2 other processes [53]
Threat name: Win32.Trojan.Fabookie
Status: Malicious
First seen: 2022-11-30 07:00:01 UTC
File Type: PE (Exe)
Extracted files: 75
AV detection: 21 of 26 (80.77%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: redline
Score: 10/10
Tags: family:glupteba family:redline botnet:bharat discovery dropper evasion infostealer loader persistence trojan vmprotect
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Unexpected DNS network traffic destination
Uses the VBS compiler for execution
Windows security modification
Blocklisted process makes network request
Drops file in Drivers directory
Executes dropped EXE
Modifies Windows Firewall
Possible attempt to disable PatchGuard
VMProtect packed file
Modifies boot configuration data using bcdedit
Windows security bypass
Glupteba
Process spawned unexpected child process
RedLine
RedLine payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction: 77.73.134.15:43250
Dropper Extraction: https://nassarplastic.com/wp-content/config_40.ps1
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files

SHA256 hash: 4876fd85ab011e9ef9196435b5594fc8047b1b7d0116f7fc338fb6f5b5124e41
MD5 hash: 056b57958e65199d97aa1b99f653b84a
SHA1 hash: c3264a6c7f363380930626da50093ddad150c560

SHA256 hash: 132e7c320d58329dd4b8e6fda210f7acbcbd425313931103e39d73091d781a3f
MD5 hash: 5c4d187c49ff1823326841138adf6315
SHA1 hash: 5d06a98573ed214462b1970b965a2ee3d902d78a

SHA256 hash: 0901e25e59110833e729566f69b3ac137bf7748daae16c635bd02635d820754c
MD5 hash: ecc923727c02bee72528a05656af93df
SHA1 hash: 0b326aa436a49a4ebaad6cc7df4683a5802c714a

SHA256 hash: 5f695137840ccc65ab755ff8220ffb20d631623c9851a1a265b521d8b37a9ff3
MD5 hash: 947a85cfb17f4a7e9d00ca59fce2d78d
SHA1 hash: a81ad86699c74f8cfd776098f2522f8c8111439c
Detections: redline

SHA256 hash: d087c6f2e8fe06e60ec013d4b474223ef918408583f1892c54f20dc9ffa2cbeb
MD5 hash: 16d3104ef6eb369c6006574e36a864df
SHA1 hash: 081fcf35877e763e21f99b2576b5e968de318cd8

SHA256 hash: 4c51164d7351ae080b4c8e139d1ef07eb0e63724f374b8e8d1425416bdc32b99
MD5 hash: e6191d0ccc866326dcee67ac8df9786a
SHA1 hash: d9e8b27bf4eb3d66744b10c0dfba44ce900c45dd

SHA256 hash: 131e8b4cfd3d6911aa1a5a7109767a094b0593c405722d1691ee7422eeb00ea2
MD5 hash: aa434a77997feec2d83acb2a58b96263
SHA1 hash: b80f2182794e662803b8008824b47ce03831c749
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments