MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 24a93ddf60120497dd5848ec03147621840eb5b371d81a999e8af55f959466db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 24a93ddf60120497dd5848ec03147621840eb5b371d81a999e8af55f959466db
SHA3-384 hash: 68b0a23ef01d23ad01c0365cdf301aec53f39747bb21430ab9ca01e5d5d00fa2501c3a5171fae5af52082500ddde78af
SHA1 hash: 2a594149e2fb3406f079b4ad3f2f4c5519f62f1e
MD5 hash: 220a068eded5f2db5d7eff197f9746f7
humanhash: missouri-idaho-oranges-alanine
File name:24a93ddf60120497dd5848ec03147621840eb5b371d81.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'767'251 bytes
First seen:2023-08-10 15:25:19 UTC
Last seen:2023-08-10 15:28:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e569e6f445d32ba23766ad67d1e3787f (262 x Adware.Generic, 41 x RecordBreaker, 24 x RedLineStealer)
ssdeep 24576:s7FUDowAyrTVE3U5F/EpqKn0hD1Kic6QL3E2vVsjECUAQT45deRV9RV:sBuZrEUm5wKIy029s4C1eH9r
Threatray 101 similar samples on MalwareBazaar
TLSH T13885CF3FF268A13EC46A1B3245B39310997BBA61B81A8C1E47FC344DCF765601E3B656
TrID 50.4% (.EXE) Inno Setup installer (109740/4/30)
19.7% (.EXE) InstallShield setup (43053/19/16)
19.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
4.8% (.EXE) Win64 Executable (generic) (10523/12/4)
2.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
91.103.252.216:20411

Intelligence

File Origin
# of uploads :
2
# of downloads :
326
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
24a93ddf60120497dd5848ec03147621840eb5b371d81.exe
Verdict:
No threats detected
Analysis date:
2023-08-10 15:27:10 UTC
Tags:
installer
Link:
https://app.any.run/tasks/e6d72546-7539-440d-b7bc-f29978d9986b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/441956/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.30446.21030.24763.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/102442/overview
Behaviour
MalwareBazaar
CheckNumberOfProcessor
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control installer lolbin overlay packed setupapi shell32
Link:
https://www.filescan.io/uploads/64d5018c6999e8f311192104/reports/3b87c233-821d-4121-98d9-0e64a33961f7/overview
Verdict:
Malicious
Labled as:
OffLoader.A.gen
Link:
https://www.hybrid-analysis.com/sample/24a93ddf60120497dd5848ec03147621840eb5b371d81a999e8af55f959466db
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/a3fc84f6-c31e-4061-baad-277ace375493
Result
Threat name:
NetSupport RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
82 / 100
Link:
https://www.joesandbox.com/analysis/1289475
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Contains functionality to modify clipboard data
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1289475 Sample: 24a93ddf60120497dd5848ec031... Startdate: 10/08/2023 Architecture: WINDOWS Score: 82 167 n57b30a.info 2->167 169 api.ip.sb 2->169 171 2 other IPs or domains 2->171 232 Snort IDS alert for network traffic 2->232 234 Malicious sample detected (through community Yara rule) 2->234 236 Antivirus detection for URL or domain 2->236 238 6 other signatures 2->238 12 24a93ddf60120497dd5848ec03147621840eb5b371d81.exe 2 2->12         started        15 msiexec.exe 2->15         started        17 Windows Updater.exe 2->17         started        signatures3 process4 dnsIp5 147 24a93ddf60120497dd...21840eb5b371d81.tmp, PE32 12->147 dropped 20 24a93ddf60120497dd5848ec03147621840eb5b371d81.tmp 3 26 12->20         started        149 C:\Windows\Installer\MSIE0AB.tmp, PE32 15->149 dropped 151 C:\Windows\Installer\MSIE07B.tmp, PE32 15->151 dropped 153 C:\Windows\Installer\MSIDC91.tmp, PE32 15->153 dropped 157 14 other malicious files 15->157 dropped 25 msiexec.exe 15->25         started        27 msiexec.exe 15->27         started        29 msiexec.exe 15->29         started        31 msiexec.exe 15->31         started        159 allroadslimit.com 17->159 155 C:\Windows\Temp\...\Windows Updater.exe, PE32 17->155 dropped 33 Windows Updater.exe 17->33         started        file6 process7 dnsIp8 173 ambasoftgroup.info 77.246.100.5 MEDIAL-ASRU Russian Federation 20->173 175 www.mildstat.com 23.106.59.52, 49726, 80 LEASEWEB-UK-LON-11GB United Kingdom 20->175 183 5 other IPs or domains 20->183 121 C:\Users\user\AppData\Local\Temp\...\s3.exe, PE32+ 20->121 dropped 135 4 other files (3 malicious) 20->135 dropped 240 Performs DNS queries to domains with low reputation 20->240 35 s0.exe 2 20->35         started        38 s3.exe 20->38         started        42 s2.exe 65 20->42         started        177 pstbbk.com 157.230.96.32, 49751, 80 DIGITALOCEAN-ASNUS United States 25->177 179 collect.installeranalytics.com 52.71.211.199, 443, 49752, 49753 AMAZON-AESUS United States 25->179 123 C:\Users\user\AppData\Local\...\shiD2EE.tmp, PE32 25->123 dropped 125 C:\Users\user\AppData\Local\...\shiD250.tmp, PE32 25->125 dropped 242 Query firmware table information (likely to detect VMs) 25->242 44 taskkill.exe 25->44         started        127 C:\Users\user\AppData\Local\...\shiC6F7.tmp, PE32 27->127 dropped 129 C:\Users\user\AppData\Local\...\shiC5FC.tmp, PE32 27->129 dropped 131 C:\Windows\Temp\shi2A35.tmp, PE32 29->131 dropped 133 C:\Windows\Temp\shi2998.tmp, PE32 29->133 dropped 181 dl.likeasurfer.com 104.21.32.100, 443, 49774 CLOUDFLARENETUS United States 33->181 137 4 other malicious files 33->137 dropped 46 v113.exe 33->46         started        file9 signatures10 process11 dnsIp12 103 C:\Users\user\AppData\Local\Temp\...\s0.tmp, PE32 35->103 dropped 48 s0.tmp 26 23 35->48         started        197 m10b18tu.info 38->197 199 iplogger.com 148.251.234.93 HETZNER-ASDE Germany 38->199 115 4 other malicious files 38->115 dropped 244 Multi AV Scanner detection for dropped file 38->244 52 1842189324.exe 38->52         started        55 mathstar.exe 38->55         started        201 54.160.207.153 AMAZON-AESUS United States 42->201 203 collect.installeranalytics.com 42->203 105 C:\Users\user\AppData\Roaming\...\decoder.dll, PE32 42->105 dropped 107 C:\Users\user\AppData\...\Windows Updater.exe, PE32 42->107 dropped 117 4 other malicious files 42->117 dropped 57 msiexec.exe 42->57         started        59 conhost.exe 44->59         started        109 C:\Windows\Temp\shi2573.tmp, PE32+ 46->109 dropped 111 C:\Windows\Temp\MSI2892.tmp, PE32 46->111 dropped 113 C:\Windows\Temp\MSI26FA.tmp, PE32 46->113 dropped 119 2 other malicious files 46->119 dropped 61 msiexec.exe 46->61         started        file13 signatures14 process15 dnsIp16 95 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 48->95 dropped 97 C:\...\unins000.exe (copy), PE32 48->97 dropped 99 C:\Program Files (x86)\...\is-OHCQB.tmp, PE32 48->99 dropped 101 11 other files (10 malicious) 48->101 dropped 214 Obfuscated command line found 48->214 63 cmd.exe 1 48->63         started        65 wmiprvse.exe 16 48->65         started        69 cmd.exe 1 48->69         started        71 cmd.exe 13 48->71         started        185 b47n300.info 77.105.136.3 PLUSTELECOM-ASRU Russian Federation 52->185 187 api.ip.sb 52->187 216 Multi AV Scanner detection for dropped file 52->216 218 Detected unpacking (changes PE section rights) 52->218 220 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 52->220 228 5 other signatures 52->228 73 chrome.exe 52->73         started        222 Tries to detect sandboxes and other dynamic analysis tools (window names) 55->222 224 Tries to evade debugger and weak emulator (self modifying code) 55->224 226 Tries to detect virtualization through RDTSC time measurements 55->226 file17 signatures18 process19 dnsIp20 75 expand.exe 25 63->75         started        78 conhost.exe 63->78         started        161 westcoalbin.top 185.9.147.202, 1203, 49714 DHUBRU Russian Federation 65->161 163 geography.netsupportsoftware.com 62.172.138.8, 49718, 49723, 49724 BTGB United Kingdom 65->163 165 geo.netsupportsoftware.com 65->165 230 Contains functionality to modify clipboard data 65->230 80 reg.exe 1 1 69->80         started        83 conhost.exe 69->83         started        85 chrome.exe 23 71->85         started        88 conhost.exe 71->88         started        90 chrome.exe 73->90         started        signatures21 process22 dnsIp23 139 C:\ProgramData\...\wmiprvse.exe (copy), PE32 75->139 dropped 141 C:\ProgramData\...\remcmdstub.exe (copy), PE32 75->141 dropped 143 C:\ProgramData\...\pcicapi.dll (copy), PE32 75->143 dropped 145 15 other files (13 malicious) 75->145 dropped 212 Creates an undocumented autostart registry key 80->212 189 192.168.2.1 unknown unknown 85->189 191 239.255.255.250 unknown Reserved 85->191 92 chrome.exe 85->92         started        193 www.google.com 90->193 195 accounts.google.com 90->195 file24 signatures25 process26 dnsIp27 205 www.google.com 92->205 208 axsboe-campaign.com 91.195.240.12, 443, 49712, 49720 SEDO-ASDE Germany 92->208 210 7 other IPs or domains 92->210 signatures28 246 Performs DNS queries to domains with low reputation 205->246
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/24a93ddf60120497dd5848ec03147621840eb5b371d81a999e8af55f959466db/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-08-10 15:26:07 UTC
File Type:
PE (Exe)
Extracted files:
14
AV detection:
6 of 38 (15.79%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=esut3x3acicjpxkyjdwagfdwegca5nntohmbvgm6rl2v7fmum3nq._file
Verdict:
malicious
Similar samples:
036a1add9895a7554cefaeb07d48cd9e2af856aaf42c5901ba99f45717008f34
RedLineStealer
489eade7becb78deb88c28f80a3fc5d22e071ef8cb629f79d5e6fdebdee8ae70
RedLineStealer
5377fdf4a8c5b2de8f21a23a0770fbc497d3ba1ff58d50d1ec952216e84a3c4f
RedLineStealer
5a4b558e3f228adc43c877a56890612ba69b2e112ca8e0fdd538581e0dc6898b
RedLineStealer
63fe94f5903f4d969dd1e3032497a9f7ed693410a1a58a9857aaf22826bb0115
RedLineStealer
6c3f24ff26c5d2f16ae6aa8842e97d402c2e203d0aa2798a40f4dc000554dbca
RedLineStealer
759e360b7e36dd9f7365f452324aafd783f2ed9c057cea4bd8d394b4e69b2e66
RedLineStealer
87f58956937f84708706f515675d0b48125ace13ede701886e433cc8b336720d
RedLineStealer
fe1b82d8fada96c0ebe4429000c600ff88c19a55340a9f6a68d93bd15419b224
RedLineStealer
+ 91 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230810-st6rpsfh7t/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
a7e37f5314834b163fa21557e61c13c0f202fd64d3c0e46e6c90d2d02e033aec
MD5 hash:
6faec01bf7a3d7f5c5dee2e6e3143a58
SHA1 hash:
603a36f817cab5574e58ab279379e5c112e5fb37
Link:
https://www.unpac.me/results/d74681c1-49cb-4e80-8c76-310624091894/
SH256 hash:
5a37746e26b0073f293353c6d22d6c462e70bd9942b9d6e75747f3f72c736617
MD5 hash:
9502f45df5930a8fe97921143c002475
SHA1 hash:
f5b8a3eb063525066710bb13d3353e223ff1db29
Link:
https://www.unpac.me/results/d74681c1-49cb-4e80-8c76-310624091894/
SH256 hash:
24a93ddf60120497dd5848ec03147621840eb5b371d81a999e8af55f959466db
MD5 hash:
220a068eded5f2db5d7eff197f9746f7
SHA1 hash:
2a594149e2fb3406f079b4ad3f2f4c5519f62f1e
Link:
https://www.unpac.me/results/d74681c1-49cb-4e80-8c76-310624091894/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/24a93ddf6012/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NetSupportManager RAT
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/24a93ddf60120497dd5848ec03147621840eb5b371d81a999e8af55f959466db

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/441956/

Comments