MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2fbf3507320d77ce68ad429c66ddcf0d53cedcb3cf8396c1057c820737bf9e11. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 15



SHA256 hash: 2fbf3507320d77ce68ad429c66ddcf0d53cedcb3cf8396c1057c820737bf9e11
SHA3-384 hash: 80a954c0fe0e92961623c260ddaaa2d46d6002ff478345c296bd5b48e59c8e5a6cd68ced54894eda3ca471c4fe21e5ab
SHA1 hash: d2bf72c72edf1908704fb862c90b543281ea5a93
MD5 hash: 027f0e14065dee4d9ce749e0092442c7
humanhash: ceiling-illinois-utah-xray
File name: 027f0e14065dee4d9ce749e0092442c7.exe
Signature: RedLineStealer
File size: 6'851'072 bytes
First seen: 2022-11-17 07:40:50 UTC
Last seen: 2022-11-17 09:37:11 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 019a6c4b2959b4d629831b7385dab1ad (2 x RedLineStealer)
ssdeep: 196608:ngR6kLoMzIN9k95TGNoYm2+mVig3FJpNNoh:ngUZNKywmViq7NNq
Threatray: 246 similar samples on MalwareBazaar
TLSH: T1CA6623A362250149E4E68C3E96373DD036F7171F8B42AC7866DEBEC136316A4F257A43
TrID:
  29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
  20.3% (.EXE) Win32 Executable (generic) (4505/5/1)
  9.1% (.EXE) OS/2 Executable (generic) (2029/13)
  9.0% (.EXE) Generic Win/DOS Executable (2002/3)
dhash icon: f04460b09193f0a1 (1 x RedLineStealer)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
193.106.191.138:32796

Intelligence


File Origin
# of uploads: 2
# of downloads: 221
Origin country: n/a

Vendor Threat Intelligence
Malware family: redline
ID: 1
File name: 027f0e14065dee4d9ce749e0092442c7.exe
Verdict: Malicious activity
Analysis date: 2022-11-17 07:45:25 UTC
Tags: evasion loader trojan rat redline amadey stealer tofsee miner

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the Windows subdirectories
Creating synchronization primitives
Modifying a system file
Replacing files
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Launching a service
Launching a process
Creating a file
Sending a UDP request
Connecting to a non-recommended domain
Searching for synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% subdirectories
Creating a window
Creating a file in the Program Files subdirectories
Searching for the window
Running batch commands
Launching the process to change the firewall settings
Launching the default Windows debugger (dwwin.exe)
Blocking the Windows Defender launch
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Adding exclusions to Windows Defender
Sending an HTTP GET request to an infection source
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: packed shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: RedLine stealer
Verdict: Malicious
Result
Threat name: Amadey, CryptOne, ManusCrypt, PrivateLoa
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Downloads files with wrong headers with respect to MIME Content-Type
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the document folder of the user
Found C&C like URL pattern
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Modifies Group Policy settings
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected CryptOne packer
Yara detected ManusCrypt
Yara detected PrivateLoader
Yara detected RedLine Stealer
Yara detected Tofsee
Behaviour
Behavior Graph (ID 748272; sample: re11Yukwra.exe; start date: 17/11/2022; architecture: WINDOWS; score: 100), rebuilt from the flattened graph rendering into a process tree:

Start (sample):
  Signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Antivirus detection for dropped file; 28 other signatures
  Starts: re11Yukwra.exe, brtgxpa.exe, svchost.exe, 11 other processes

re11Yukwra.exe:
  Network: vk.com (87.240.132.78, 443, 49716, 49717; VKONTAKTE-SPB-AShttpvkcomRU, Russian Federation); sun9-81.userapi.com (87.240.169.4, 443, 49749; VKONTAKTE-SPB-AShttpvkcomRU, Russian Federation); 14 other IPs or domains
  Dropped: C:\Users\...\xQiDYhKDUAb3fRl2sHJe_pAe.exe (PE32); C:\Users\...\wx2U3NeK9JyIsKKKzVLV1g8w.exe (PE32); C:\Users\...\wM_BHjws4JMMr9Y1NcPta282.exe (PE32); 17 other malicious files
  Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; May check the online IP address of the machine; Creates HTML files with .exe extension (expired dropper behavior); 4 other signatures
  Starts: 9QV7bEfB4Rppd2w3hl07vZdw.exe, Z7kTkskYZP8oKsUEd3pxHkhM.exe, xQiDYhKDUAb3fRl2sHJe_pAe.exe, 8 other processes

brtgxpa.exe:
  Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Writes to foreign memory regions; 2 other signatures

svchost.exe:
  Network: 51.104.136.2 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United Kingdom)
  Signatures: Query firmware table information (likely to detect VMs)

11 other processes (started from the sample):
  Signatures: Changes security center settings (notifications, updates, antivirus, firewall)
  Starts: WerFault.exe

9QV7bEfB4Rppd2w3hl07vZdw.exe:
  Network: telegram.org (149.154.167.99; TELEGRAMRU, United Kingdom); kokoko-24.online
  Dropped: C:\Users\...\WITjlpHBQ9m0EMC2I8ZEs00Z.exe (MS-DOS); C:\Users\user\AppData\Local\...\WW14[1].bmp (MS-DOS); C:\...\PowerControl_Svc.exe (MS-DOS)
  Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Query firmware table information (likely to detect VMs); Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check)

Z7kTkskYZP8oKsUEd3pxHkhM.exe:
  Dropped: C:\Users\user\AppData\Local\...\rovwer.exe (PE32)
  Starts: rovwer.exe

xQiDYhKDUAb3fRl2sHJe_pAe.exe:
  Dropped: C:\Users\user\AppData\Local\...\is-65727.tmp (PE32)
  Starts: is-65727.tmp

8 other processes (started from re11Yukwra.exe):
  Network: 45.10.52.33 (MTW-ASRU, Russian Federation); star-mini.c10r.facebook.com (31.13.92.36; FACEBOOKUS, Ireland); 3 other IPs or domains
  Dropped: C:\Users\user\AppData\Local\...\ivv6_E5.QYI (PE32); C:\Users\user\AppData\Local\...\brtgxpa.exe (PE32); C:\...\ClipManager_Svc.exe (PE32)
  Signatures: Tries to harvest and steal browser information (history, passwords, etc); Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
  Starts: PM5LEeWducIkgyBdjiVVZ3gT.exe, cmd.exe, schtasks.exe, 11 other processes

rovwer.exe:
  Dropped: C:\Users\user\AppData\Roaming\...\cred64.dll (PE32); C:\Users\user\AppData\Local\...\cred64[1].dll (PE32)
  Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Creates an undocumented autostart registry key

is-65727.tmp:
  Dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Users\user\AppData\Local\...\_iscrypt.dll (PE32); C:\...\unins000.exe (copy) (PE32); 4 other files (2 malicious)

PM5LEeWducIkgyBdjiVVZ3gT.exe:
  Network: 188.114.97.3 (CLOUDFLARENETUS, European Union); xv.yxzgamen.com
  Dropped: C:\Users\user\AppData\Local\Temp\db.dll (PE32)

cmd.exe:
  Dropped: C:\Windows\SysWOW64\...\brtgxpa.exe (copy) (PE32)
  Starts: conhost.exe

schtasks.exe:
  Starts: conhost.exe

11 other processes (started from the 8 other processes above):
  Starts: conhost.exe (3 instances), 3 other processes
Threat name: Win32.Infostealer.PrivateLoader
Status: Malicious
First seen: 2022-11-12 15:43:49 UTC
File Type: PE (Exe)
Extracted files: 18
AV detection: 26 of 41 (63.41%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:amadey family:nymaim family:privateloader family:redline family:tofsee family:xmrig botnet:@madboyza botnet:huilo botnet:logsdiller cloud (tg: @logsdillabot) discovery evasion infostealer loader main miner persistence spyware stealer trojan vmprotect
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
GoLang User-Agent
Kills process with taskkill
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Unexpected DNS network traffic destination
Uses the VBS compiler for execution
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
VMProtect packed file
XMRig Miner payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Detect Amadey credential stealer module
NyMaim
PrivateLoader
Process spawned unexpected child process
RedLine
RedLine payload
Tofsee
xmrig
Malware Config
C2 Extraction:
208.67.104.60
http://91.241.19.125/pub.php?pub=one
http://sarfoods.com/index.php
svartalfheim.top
jotunheim.name
193.106.191.27:47242
213.32.44.120:6254
45.139.105.171
85.31.46.167
193.106.191.138:32796
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: 2fbf3507320d77ce68ad429c66ddcf0d53cedcb3cf8396c1057c820737bf9e11
MD5 hash: 027f0e14065dee4d9ce749e0092442c7
SHA1 hash: d2bf72c72edf1908704fb862c90b543281ea5a93
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: INDICATOR_EXE_Packed_VMProtect
Author: ditekSHen
Description: Detects executables packed with VMProtect.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments