MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48211c6f957c2ad024441be3fc32aecd7c317dfc92523b0a675c0cfec86ffdd9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 48211c6f957c2ad024441be3fc32aecd7c317dfc92523b0a675c0cfec86ffdd9
SHA3-384 hash: dee9c37dd686c19f30a33f69d95682edbda5033f9f7078bb36420b798b1953cb81ef7ca550801579dbeebf69c53d779e
SHA1 hash: b07b9f0a199ad4f859efd13fe50aecc154353bee
MD5 hash: b48eb1e7e377f6e7356e9fb62c94ca46
humanhash: arkansas-double-eleven-florida
File name:b48eb1e7e377f6e7356e9fb62c94ca46.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:8'885'760 bytes
First seen:2023-04-22 01:40:16 UTC
Last seen:2023-05-18 13:54:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f540b6d6dcfc33b21d0deb0ccba24751 (3 x RedLineStealer, 2 x PrivateLoader, 2 x Amadey)
ssdeep 98304:/IAOnqfjWvGRCbRwpo6xJgye1pNiFQ4rPaAmGDyF7b97vUg:/IAmttgHgyePNiFQ0PIay9b9Ug
Threatray 98 similar samples on MalwareBazaar
TLSH T1A796236752655285E4E6CC3DC937FE9236F703678791F839ACDA39C23612898E213B43
TrID 52.9% (.EXE) Win32 Executable (generic) (4505/5/1)
23.5% (.EXE) Generic Win/DOS Executable (2002/3)
23.5% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 8c14555d5918ccce (2 x CoinMiner, 1 x ArkeiStealer, 1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
185.161.248.153:38452

Intelligence

File Origin
# of uploads :
2
# of downloads :
315
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b48eb1e7e377f6e7356e9fb62c94ca46.exe
Verdict:
Malicious activity
Analysis date:
2023-04-22 01:42:21 UTC
Tags:
opendir evasion privateloader
Link:
https://app.any.run/tasks/cadb23c6-6c8e-4edd-a232-b78c903ef3cd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/384094/
Detection(s):
Win.Dropper.Tinba-9943147-2
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the Windows subdirectories
Сreating synchronization primitives
Modifying a system file
DNS request
Replacing files
Sending a custom TCP request
Sending an HTTP GET request
Reading critical registry keys
Launching a service
Launching a process
Creating a file
Sending a UDP request
Forced system process termination
Blocking the Windows Defender launch
Query of malicious DNS domain
Sending a TCP request to an infection source
Adding exclusions to Windows Defender
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/64433b2ff2acc4ba529d0f52/reports/fb043457-3edf-45ee-a13b-b78e42cf672a/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/48211c6f957c2ad024441be3fc32aecd7c317dfc92523b0a675c0cfec86ffdd9
Result
Verdict:
MALICIOUS
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/529436db-9e62-449e-8489-fe519c51894f
Result
Threat name:
PrivateLoader, RedLine, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1218979
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Downloads files with wrong headers with respect to MIME Content-Type
Drops PE files to the document folder of the user
Found C&C like URL pattern
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Group Policy settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected PrivateLoader
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 851925 Sample: w07laBItyK.exe Startdate: 22/04/2023 Architecture: WINDOWS Score: 100 104 Snort IDS alert for network traffic 2->104 106 Found malware configuration 2->106 108 Malicious sample detected (through community Yara rule) 2->108 110 21 other signatures 2->110 7 w07laBItyK.exe 11 82 2->7         started        12 svchost.exe 2->12         started        14 svchost.exe 3 2->14         started        16 9 other processes 2->16 process3 dnsIp4 86 208.67.104.60, 49695, 80 GRAYSON-COLLIN-COMMUNICATIONSUS United States 7->86 88 109.206.243.208, 49715, 80 AWMLTNL Germany 7->88 90 19 other IPs or domains 7->90 64 C:\Users\...\ybdIUuRJ3aZbElt2NJu4P8sA.exe, PE32 7->64 dropped 66 C:\Users\...\qcCv_ed7CHySEQHjKL12n4cu.exe, PE32 7->66 dropped 68 C:\Users\...\oQB35mJ7aM_IDVApL4AyiSpK.exe, PE32+ 7->68 dropped 70 25 other malicious files 7->70 dropped 148 Creates HTML files with .exe extension (expired dropper behavior) 7->148 150 Disables Windows Defender (deletes autostart) 7->150 152 Tries to harvest and steal browser information (history, passwords, etc) 7->152 158 3 other signatures 7->158 18 HvFJL1cZBWPg2OwNrukbLQ_S.exe 7->18         started        21 97gbhDfAgJi4uwUQK8Esz20k.exe 7->21         started        24 bSNGnX6LPShw59DvfVDbYBu7.exe 7->24         started        28 15 other processes 7->28 154 Changes security center settings (notifications, updates, antivirus, firewall) 12->154 156 Query firmware table information (likely to detect VMs) 14->156 26 WerFault.exe 16->26         started        file5 signatures6 process7 dnsIp8 48 C:\Users\user\AppData\Local\...\is-21VMR.tmp, PE32 18->48 dropped 31 is-21VMR.tmp 18->31         started        132 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 21->132 134 Maps a DLL or memory area into another process 21->134 136 Checks if the current machine is a virtual machine (disk enumeration) 21->136 138 Creates a thread in another existing process (thread injection) 21->138 34 explorer.exe 21->34 injected 50 C:\Windows\Temp\321.exe, PE32 24->50 dropped 52 C:\Windows\Temp\123.exe, PE32 24->52 dropped 54 C:\Windows\Temp\11.exe, PE32 24->54 dropped 37 11.exe 24->37         started        98 45.15.156.229 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 28->98 100 94.142.138.113 IHOR-ASRU Russian Federation 28->100 102 11 other IPs or domains 28->102 56 C:\Users\...\dRSiBOQVoeMGq2sScuxBgZ4R.exe, MS-DOS 28->56 dropped 58 C:\Users\user\AppData\Local\...\wfplwfs.exe, PE32 28->58 dropped 60 C:\Users\user\AppData\Local\...\ki725284.exe, PE32 28->60 dropped 62 5 other malicious files 28->62 dropped 140 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 28->140 142 Query firmware table information (likely to detect VMs) 28->142 144 Disables Windows Defender (deletes autostart) 28->144 146 7 other signatures 28->146 39 wfplwfs.exe 28->39         started        41 ki725284.exe 28->41         started        43 chrome.exe 28->43         started        46 6 other processes 28->46 file9 signatures10 process11 dnsIp12 72 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 31->72 dropped 74 C:\Users\user\AppData\Local\...\_isdecmp.dll, PE32 31->74 dropped 76 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 31->76 dropped 84 7 other files (5 malicious) 31->84 dropped 78 C:\Users\user\AppData\Roaming\hvigrfe, PE32 34->78 dropped 112 Benign windows process drops PE files 34->112 114 Hides that the sample has been downloaded from the Internet (zone.identifier) 34->114 116 Query firmware table information (likely to detect VMs) 37->116 118 Tries to detect sandboxes and other dynamic analysis tools (window names) 37->118 120 Hides threads from debuggers 37->120 122 Tries to detect sandboxes / dynamic malware analysis system (registry check) 37->122 124 Multi AV Scanner detection for dropped file 39->124 126 Writes to foreign memory regions 39->126 128 Allocates memory in foreign processes 39->128 130 Injects a PE file into a foreign processes 39->130 80 C:\Users\user\AppData\Local\...\ki108561.exe, PE32 41->80 dropped 82 C:\Users\user\AppData\Local\...\ft933785.exe, PE32 41->82 dropped 92 accounts.google.com 142.250.184.109, 443, 49728 GOOGLEUS United States 43->92 94 clients.l.google.com 142.251.209.14, 443, 49729 GOOGLEUS United States 43->94 96 3 other IPs or domains 43->96 file13 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/48211c6f957c2ad024441be3fc32aecd7c317dfc92523b0a675c0cfec86ffdd9/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jaqry34vpqvnajcedpr7ymvozv6dc7p4sjjdwcthlqgp5sdp7xmq._file
Verdict:
malicious
Similar samples:
1c65c0a262a9372726369cd3ba23e23086c490c2d816123ff4973a725ff8f5c0
RedLineStealer
5057ef66a52c6050f1cc10faa418c58d9e3cb5039f81846c35cb2ef40f607f10
RedLineStealer
716b0374e1cc500e077f59d1ef2ac24b956495dd2554f2953ba539e71daae747
RedLineStealer
7a62836c8967ef6d3c737f9aba146eb7ef5d08cacc564faaa2699efac7561b97
RedLineStealer
829579ba6d7c9e90371a9238ac081d671e291cedf3ac53103aa28c1460d74822
RedLineStealer
867acada5e2a7723085e439a6d89226e69af216f719d6001db13bbe04e95f54e
RedLineStealer
b86b793d720b43d3fb1525f98758256d1ccf4ed543dc1bd01b54921f7143fb46
RedLineStealer
c9abeb237b284d2aee39f0c69a1042aa3dbe285aa528f23ffdaed82a0a08a229
RedLineStealer
e41ae1b899245242df356489d4c883bd7b6477f82fe1df32371a4d2b471b370c
RedLineStealer
f5c67fe00b4cbee07d5e394c87f0c6224bbd841a92151d04841f584d56e58b0c
RedLineStealer
+ 88 additional samples on MalwareBazaar
Result
Malware family:
privateloader
Create hunting rule
Score:
  10/10
Tags:
family:privateloader loader spyware stealer
Link:
https://tria.ge/reports/230422-b34j9sbf57/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Drops file in System32 directory
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
PrivateLoader
Unpacked files
SH256 hash:
b05d220d5f25b836eeb607179029b7d33edc08beca7fcdd527accb5c39476ddb
MD5 hash:
5a457df131c98cab2b80031151a98102
SHA1 hash:
61ebfa37673369dc25ee185c7efea4732e960bc4
Detections:
PrivateLoader
Create hunting rule
win_privateloader_w0
Create hunting rule
win_privateloader_a0
Create hunting rule
Link:
https://www.unpac.me/results/f0917fe1-bb0d-4656-a02d-93d8ad8ea051/
SH256 hash:
48211c6f957c2ad024441be3fc32aecd7c317dfc92523b0a675c0cfec86ffdd9
MD5 hash:
b48eb1e7e377f6e7356e9fb62c94ca46
SHA1 hash:
b07b9f0a199ad4f859efd13fe50aecc154353bee
Link:
https://www.unpac.me/results/f0917fe1-bb0d-4656-a02d-93d8ad8ea051/
Malware family:
PrivateLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/48211c6f957c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/48211c6f957c2ad024441be3fc32aecd7c317dfc92523b0a675c0cfec86ffdd9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:TeslaCryptPackedMalware
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/384094/

Comments