MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1670e8390a0d65edc5f7bf18568d692d88761f03a9d2e447652d9455b69826cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1670e8390a0d65edc5f7bf18568d692d88761f03a9d2e447652d9455b69826cb
SHA3-384 hash: 721c07e3630eece1d39a130ce183cc1877201c72caf1431609d3c5bc810fcbf1f982527f220c78babb51fef12a57f50c
SHA1 hash: d0d507e7b977b9c16e1ac23b709aac2f338f060b
MD5 hash: 9992f64c18ad33acf10daf78c3f96beb
humanhash: east-artist-edward-florida
File name:9992f64c18ad33acf10daf78c3f96beb.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:5'176'320 bytes
First seen:2023-03-08 03:20:21 UTC
Last seen:2023-03-08 04:26:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 20fcca9c4f6d6a96b55e9305c9ac59ff (3 x RedLineStealer, 2 x Tofsee, 2 x LaplasClipper)
ssdeep 98304:tD3+c2j5aLZIsnFFGPG2T9yH58ZBEE6wKdPUF:Ic20JnkryZM/Kdc
TLSH T162362333111504C4F1F4CD3BB967FCE871F7432A4A936C7BA96AA8C63A291E4E613953
TrID 56.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
9.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.1% (.EXE) Win32 Executable (generic) (4505/5/1)
3.7% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 86b0fc86bc84e07c (1 x RedLineStealer, 1 x Vidar)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
185.244.182.218:45352

Intelligence

File Origin
# of uploads :
2
# of downloads :
301
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9992f64c18ad33acf10daf78c3f96beb.exe
Verdict:
Malicious activity
Analysis date:
2023-03-08 03:26:02 UTC
Tags:
evasion opendir
Link:
https://app.any.run/tasks/4ad8cc01-3c19-416b-92d4-963cef9a5d66

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/372466/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.65736812.18111.26519.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process with a hidden window
Forced system process termination
Creating a file in the %temp% subdirectories
Creating a window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Creating a file in the Windows subdirectories
Сreating synchronization primitives
Modifying a system file
Sending an HTTP GET request
DNS request
Sending a custom TCP request
Replacing files
Launching a service
Launching a process
Reading critical registry keys
Creating a file
Sending a UDP request
Creating a process from a recently created file
Blocking the Windows Defender launch
Query of malicious DNS domain
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Adding exclusions to Windows Defender
Sending an HTTP GET request to an infection source
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
autorun greyware netwire packed shell32.dll
Link:
https://www.filescan.io/uploads/6407ff1f4f3305980720fcff/reports/308ebdd1-8d6e-4d3f-ae86-ac86eb02abf9/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/1670e8390a0d65edc5f7bf18568d692d88761f03a9d2e447652d9455b69826cb
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/cbfe8278-755a-4541-a00f-629e62516d6b
Result
Threat name:
Fabookie, Glupteba, ManusCrypt, PrivateL
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.rans
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1189141
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the document folder of the user
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Group Policy settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Fabookie
Yara detected Glupteba
Yara detected ManusCrypt
Yara detected PrivateLoader
Yara detected Raccoon Stealer v2
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 822017 Sample: ce8zqKvcuI.exe Startdate: 08/03/2023 Architecture: WINDOWS Score: 100 121 Malicious sample detected (through community Yara rule) 2->121 123 Antivirus detection for URL or domain 2->123 125 Multi AV Scanner detection for dropped file 2->125 127 21 other signatures 2->127 8 ce8zqKvcuI.exe 10 55 2->8         started        13 svchost.exe 3 2->13         started        15 svchost.exe 2->15         started        17 9 other processes 2->17 process3 dnsIp4 95 93.186.225.194 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 8->95 97 95.142.206.0 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 8->97 101 18 other IPs or domains 8->101 77 C:\Users\...\y5pbaVlhAQxz0EkSFe__B52F.exe, PE32 8->77 dropped 79 C:\Users\...\tV2GlE8XN13Qe7tEwsMAnWcV.exe, PE32 8->79 dropped 81 C:\Users\...\q6X0gcE8qFxMYOhKS_U4QoGm.exe, PE32 8->81 dropped 83 21 other malicious files 8->83 dropped 157 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->157 159 Creates HTML files with .exe extension (expired dropper behavior) 8->159 161 Disables Windows Defender (deletes autostart) 8->161 167 3 other signatures 8->167 19 U1CiIOArcYSHzbnxvhPFKFCB.exe 8->19         started        22 VVBE9istwEQN_et1gvki09Ii.exe 2 8->22         started        24 DYybmGj0uQUDJ10aiMt8ZmqF.exe 8->24         started        34 11 other processes 8->34 163 Query firmware table information (likely to detect VMs) 13->163 165 Changes security center settings (notifications, updates, antivirus, firewall) 15->165 99 192.168.2.1 unknown unknown 17->99 28 WerFault.exe 17->28         started        30 WerFault.exe 17->30         started        32 WerFault.exe 17->32         started        file5 signatures6 process7 dnsIp8 59 C:\Windows\Temp\321.exe, PE32 19->59 dropped 61 C:\Windows\Temp\1234.exe, PE32 19->61 dropped 63 C:\Windows\Temp\123.exe, PE32 19->63 dropped 36 123.exe 19->36         started        39 1234.exe 19->39         started        41 321.exe 19->41         started        65 C:\Users\user\AppData\Local\...\is-5N1NJ.tmp, PE32 22->65 dropped 45 is-5N1NJ.tmp 22->45         started        103 104.21.38.123 CLOUDFLARENETUS United States 24->103 105 188.114.96.3 CLOUDFLARENETUS European Union 24->105 67 C:\Users\user\AppData\Local\...\softokn3.dll, PE32 24->67 dropped 69 C:\Users\user\AppData\Local\Temp\...\nss3.dll, PE32 24->69 dropped 73 4 other malicious files 24->73 dropped 147 Tries to steal Mail credentials (via file / registry access) 24->147 149 Tries to harvest and steal browser information (history, passwords, etc) 24->149 107 149.154.167.99 TELEGRAMRU United Kingdom 34->107 109 23.254.227.202 HOSTWINDSUS United States 34->109 111 7 other IPs or domains 34->111 71 C:\Users\...\BJsUWk7A5lNDrBLSDStleRfl.exe, PE32 34->71 dropped 75 2 other malicious files 34->75 dropped 151 Writes to foreign memory regions 34->151 153 Allocates memory in foreign processes 34->153 155 Injects a PE file into a foreign processes 34->155 47 bVoZnyhZSRIw67e9t_EQchba.exe 34->47         started        49 WerFault.exe 34->49         started        51 WerFault.exe 34->51         started        53 3 other processes 34->53 file9 signatures10 process11 dnsIp12 129 Multi AV Scanner detection for dropped file 36->129 131 Writes to foreign memory regions 36->131 133 Allocates memory in foreign processes 36->133 55 RegSvcs.exe 36->55         started        135 Injects a PE file into a foreign processes 39->135 113 127.0.0.1 unknown unknown 41->113 85 C:\Users\user\AppData\...\DownloadMetadata, PDP-11 41->85 dropped 137 Tries to harvest and steal browser information (history, passwords, etc) 41->137 87 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 45->87 dropped 89 C:\Users\user\AppData\Local\...\_isdecmp.dll, PE32 45->89 dropped 91 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 45->91 dropped 93 7 other files (5 malicious) 45->93 dropped 139 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 47->139 141 Maps a DLL or memory area into another process 47->141 143 Checks if the current machine is a virtual machine (disk enumeration) 47->143 145 Creates a thread in another existing process (thread injection) 47->145 115 104.208.16.94 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 49->115 57 Conhost.exe 49->57         started        117 20.189.173.20 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 51->117 119 20.42.65.92 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 53->119 file13 signatures14 process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1670e8390a0d65edc5f7bf18568d692d88761f03a9d2e447652d9455b69826cb/
Threat name:
Win32.Trojan.PrivateLoader
Create hunting rule
Status:
Malicious
First seen:
2023-03-01 14:12:58 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
25 of 39 (64.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=czyoqoikbvs63rpxx4mfndljfwehmhydvhjoir3ffwkflnuye3fq._file
Result
Malware family:
privateloader
Create hunting rule
Score:
  10/10
Tags:
family:privateloader loader spyware stealer
Link:
https://tria.ge/reports/230308-dwbxsadg53/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Drops file in System32 directory
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
PrivateLoader
Unpacked files
SH256 hash:
02676e93ebdcee66360b424675f97a8a1de8941ed66a8aa207c09759e28be07e
MD5 hash:
54b0a121c229a3b0e645327d75131315
SHA1 hash:
abcf0ec4efe16d09297d2ef6d76d7ede543cab86
Detections:
PrivateLoader
Create hunting rule
win_privateloader_w0
Create hunting rule
win_privateloader_a0
Create hunting rule
Link:
https://www.unpac.me/results/704d8727-d290-47d6-87e4-2e04f0dbc50c/
SH256 hash:
1670e8390a0d65edc5f7bf18568d692d88761f03a9d2e447652d9455b69826cb
MD5 hash:
9992f64c18ad33acf10daf78c3f96beb
SHA1 hash:
d0d507e7b977b9c16e1ac23b709aac2f338f060b
Link:
https://www.unpac.me/results/704d8727-d290-47d6-87e4-2e04f0dbc50c/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1670e8390a0d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1670e8390a0d65edc5f7bf18568d692d88761f03a9d2e447652d9455b69826cb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/372466/

Comments