MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 25db06aabf72392be5659c5e97f6202affc2601f2a49d37e73bd534d05f5b275. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Phonk


Vendor detections: 17


Intelligence 17 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 25db06aabf72392be5659c5e97f6202affc2601f2a49d37e73bd534d05f5b275
SHA3-384 hash: eb878cf035c2425f7e2fdcd5b997dbbef061636e0a5aaf88713b580ed5d4a81912f9f3f469fd8ac61109a5551705cc1c
SHA1 hash: 07bd6a901522d8641fb81851500eb40467fb0297
MD5 hash: eeb0e69c051619aa1ce77f63fbbf5d32
humanhash: mississippi-cold-mirror-uniform
File name:25DB06AABF72392BE5659C5E97F6202AFFC2601F2A49D.exe
Download: download sample
Signature Phonk
Create hunting rule
File size:1'633'105 bytes
First seen:2023-06-18 11:46:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 91e96141ed5dbe3bc541c8aad7ff3c38 (22 x CryptOne, 7 x njrat, 5 x DCRat)
ssdeep 24576:NLllLl72qz8WAxUorN5WyqbtoB0YaM3DQfYpnghglp:VllLXz7AxU5hnVgpe2lp
TLSH T109757A31FE82C0E2D4952634CDE35F59773AE8AA87114B8787E8153D8DE33985CAE583
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter abuse_ch
Tags:exe Phonk


Avatar
abuse_ch
Phonk C2:
116.203.13.177:28786

Intelligence

File Origin
# of uploads :
1
# of downloads :
286
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
25DB06AABF72392BE5659C5E97F6202AFFC2601F2A49D.exe
Verdict:
Malicious activity
Analysis date:
2023-06-18 11:48:47 UTC
Tags:
redline
Link:
https://app.any.run/tasks/9c2dde31-0568-47db-9863-0f9b56c8b070

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/400166/
Detection(s):
Win.Dropper.njRAT-9986242-0
Create hunting rule

Win.Dropper.Nanocore-9986456-0
Create hunting rule

SecuriteInfo.com.Variant.Fugrafa.267521.30514.22927.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a process
Creating a file
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/91391/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware lolbin njrat overlay setupapi.dll shdocvw.dll shell32.dll update.exe
Link:
https://www.filescan.io/uploads/648eeeb6ff07c3e39a353ccc/reports/f735db3c-8042-40da-b6e3-8d89254394e2/overview
Verdict:
Malicious
Labled as:
Trojan.Agent
Link:
https://www.hybrid-analysis.com/sample/25db06aabf72392be5659c5e97f6202affc2601f2a49d37e73bd534d05f5b275
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cc5ea445-f262-4572-a794-788e035dcc4b
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1256843
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 889863 Sample: 25DB06AABF72392BE5659C5E97F... Startdate: 18/06/2023 Architecture: WINDOWS Score: 100 85 Snort IDS alert for network traffic 2->85 87 Multi AV Scanner detection for domain / URL 2->87 89 Found malware configuration 2->89 91 7 other signatures 2->91 10 25DB06AABF72392BE5659C5E97F6202AFFC2601F2A49D.exe 9 2->10         started        13 LUAAQ.exe 2->13         started        process3 file4 59 C:\Users\user\AppData\Local\Temp\Update.exe, PE32+ 10->59 dropped 61 C:\Users\user\AppData\Local\Temp\1.exe, PE32 10->61 dropped 15 Update.exe 5 10->15         started        19 1.exe 1 10->19         started        process5 file6 63 C:\ProgramData\ProgrammFile\LUAAQ.exe, PE32+ 15->63 dropped 71 Antivirus detection for dropped file 15->71 73 Detected unpacking (changes PE section rights) 15->73 75 Machine Learning detection for dropped file 15->75 77 Adds a directory exclusion to Windows Defender 15->77 21 cmd.exe 15->21         started        24 powershell.exe 20 15->24         started        26 powershell.exe 17 15->26         started        79 Writes to foreign memory regions 19->79 81 Allocates memory in foreign processes 19->81 83 Injects a PE file into a foreign processes 19->83 28 AppLaunch.exe 15 4 19->28         started        31 conhost.exe 19->31         started        signatures7 process8 dnsIp9 99 Uses schtasks.exe or at.exe to add and modify task schedules 21->99 33 LUAAQ.exe 21->33         started        37 conhost.exe 21->37         started        39 timeout.exe 21->39         started        41 conhost.exe 24->41         started        43 conhost.exe 26->43         started        67 kakamalyaka.top 116.203.13.177, 28786, 49696 HETZNER-ASDE Germany 28->67 69 t.me 149.154.167.99, 443, 49695 TELEGRAMRU United Kingdom 28->69 101 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 28->101 103 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 28->103 105 Tries to harvest and steal browser information (history, passwords, etc) 28->105 107 Tries to steal Crypto Currency Wallets 28->107 signatures10 process11 dnsIp12 65 179.43.140.168, 443, 49697, 49698 PLI-ASCH Panama 33->65 93 Antivirus detection for dropped file 33->93 95 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 33->95 97 Adds a directory exclusion to Windows Defender 33->97 45 cmd.exe 33->45         started        47 powershell.exe 33->47         started        49 powershell.exe 33->49         started        signatures13 process14 process15 51 conhost.exe 45->51         started        53 schtasks.exe 45->53         started        55 conhost.exe 47->55         started        57 conhost.exe 49->57         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/25db06aabf72392be5659c5e97f6202affc2601f2a49d37e73bd534d05f5b275/
Threat name:
ByteCode-MSIL.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-05-03 17:39:02 UTC
AV detection:
29 of 37 (78.38%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=exnqnkv7oi4sxzlftrpjp5rafl74eya7fje5g7ttxvju2bpvwj2q._file
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:5637482599 infostealer spyware
Link:
https://tria.ge/reports/230618-nxvrdsfb28/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
RedLine
Malware Config
C2 Extraction:
a.dedicforall.top:28786
Unpacked files
SH256 hash:
6eb07d32d940fbf18fdbeb59ab121e3d9e9825e36bfbc1b940d4eed38820f0b1
MD5 hash:
a7dde308b7f6cc9b2cb2a4116f3aa3cf
SHA1 hash:
82ceb2459b5d458388c3315931c2a1b5c648334d
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/202260dc-2e3e-4855-af4a-37f49070b6d3/
SH256 hash:
459d3fc6919406b52c3c320fb032db06ebb5a6bb434b93a0689346812176466e
MD5 hash:
eac57b553534e46241f012797b841259
SHA1 hash:
55f267f1085b332e184e073e6c750580c8eaebe7
Link:
https://www.unpac.me/results/202260dc-2e3e-4855-af4a-37f49070b6d3/
SH256 hash:
25db06aabf72392be5659c5e97f6202affc2601f2a49d37e73bd534d05f5b275
MD5 hash:
eeb0e69c051619aa1ce77f63fbbf5d32
SHA1 hash:
07bd6a901522d8641fb81851500eb40467fb0297
Link:
https://www.unpac.me/results/202260dc-2e3e-4855-af4a-37f49070b6d3/
Malware family:
RedLine.E
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/25db06aabf72/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/25db06aabf72392be5659c5e97f6202affc2601f2a49d37e73bd534d05f5b275

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer_2
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/400166/

Comments