MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2009b8f4c568a316978b7bc19bddac9dd20ff8e2d796a44f355a3635ffc3b76e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 10



SHA256 hash: 2009b8f4c568a316978b7bc19bddac9dd20ff8e2d796a44f355a3635ffc3b76e
SHA3-384 hash: 086bedf3b7bc07b00e14a828baa99c0a0de71f4282bd4c0d1764193c4732653247ded46820886fea1a16b85cda7c22de
SHA1 hash: 6c2efed3fdce26b52cd5c9d93b9aacff4f9631b9
MD5 hash: be9d9644b6c3710cdc519055d8f66248
humanhash: louisiana-speaker-july-michigan
File name: 2009B8F4C568A316978B7BC19BDDAC9DD20FF8E2D796A.exe
Signature: RedLineStealer
File size: 1'069'275 bytes
First seen: 2022-06-23 10:34:43 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b4070734502a100c8f90bbd445995533 (11 x CryptOne, 5 x DCRat, 2 x njrat)
ssdeep: 24576:9GHCm8uPdJmX2t9M1edgftvhJIeDAfurLVatOrpc/Zc09KwTAy:EuWx3M1euVv4eDdNao+Rc09KwTAy
Threatray: 571 similar samples on MalwareBazaar
TLSH: T1D4351201BAC1D8F2D672183256659F12AA3DBD212F75CEDF63946A1EDA312C0DB30763
TrID: 91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
      3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
      1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
      1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
      0.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE): PE icon
dhash icon: 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
193.142.146.212:4581

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                      ThreatFox Reference
193.142.146.212:4581     https://threatfox.abuse.ch/ioc/716462/

Intelligence


File Origin
# of uploads: 1
# of downloads: 247
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a window
Creating synchronization primitives
Searching for synchronization primitives
Sending a custom TCP request
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: formbook greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: RedLine
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Behavior Graph: [rendered process/network graph not reproduced here; Behavior Graph ID: 651056, Sample: 2009B8F4C568A316978B7BC19BD..., Startdate: 23/06/2022, Architecture: WINDOWS, Score: 100]
Threat name: ByteCode-MSIL.Trojan.FormBook
Status: Malicious
First seen: 2022-05-19 04:32:15 UTC
File Type: PE (Exe)
Extracted files: 43
AV detection: 19 of 26 (73.08%)
Threat level: 5/5
Result
Malware family: n/a
Score: 1/10
Tags: n/a
Behaviour
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
Unpacked files
SHA256 hash: cf5d3035fd679f752e86175869c7bd628f0cd6c9b591484efa45982d64deeb71
MD5 hash: d18ace4bc2c7410ad7173d33200d9ac9
SHA1 hash: b58d052e4f0abcc2feb6b5cfb43ace0af114b778
SHA256 hash: 3e306e58825e48a100d4e9ce402b356e1a6b2479b7154c1f0e73e754c11587a1
MD5 hash: be44ef7e38c7d2d60001d3915fd25735
SHA1 hash: f462ea927bb2a72c350b41f2a38dac1ac4229cd5
SHA256 hash: 2009b8f4c568a316978b7bc19bddac9dd20ff8e2d796a44f355a3635ffc3b76e
MD5 hash: be9d9644b6c3710cdc519055d8f66248
SHA1 hash: 6c2efed3fdce26b52cd5c9d93b9aacff4f9631b9
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments