MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5826867a6f14d608cc6989f7d3cb47834c4893fe5a9e0c91169f3a02347c01e1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 11



SHA256 hash: 5826867a6f14d608cc6989f7d3cb47834c4893fe5a9e0c91169f3a02347c01e1
SHA3-384 hash: c648c060e3a7ddcbc6c30e5bdc52470e15bef597a01e81030a795f52867bae77cb5c51a5b0bc6560e23633a930437b32
SHA1 hash: 68cd57999a660a446f2cbb8135f77cb5638208a1
MD5 hash: eab5a56791a6f2790dbb9470ece5cb3e
humanhash: coffee-april-december-bluebird
File name: EAB5A56791A6F2790DBB9470ECE5CB3E.exe
Signature: RedLineStealer
File size: 3'866'624 bytes
First seen: 2024-08-21 09:00:20 UTC
Last seen: 2024-08-21 09:27:18 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: bf95d1fc1d10de18b32654b123ad5e1f (327 x LummaStealer, 65 x Rhadamanthys, 25 x Vidar)
ssdeep: 98304:sEJoQVfqcIfrDdcMdTb0Hmx6m0JBe6Vkj:sEE/XaMdTb0Hk0ve6VM
Threatray: 91 similar samples on MalwareBazaar
TLSH: T1080623EE07370903DA6540B5913EE7B4497A2FC875FBC11B91DA3E2BFB95B80590209B
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE): PE icon
dhash icon: fe4e526c342d3080 (1 x RedLineStealer)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
http://193.233.232.86/api/crazyfish.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                                        ThreatFox Reference
http://193.233.232.86/api/twofish.php      https://threatfox.abuse.ch/ioc/1313504/
http://193.233.232.86/api/crazyfish.php    https://threatfox.abuse.ch/ioc/1314306/

Intelligence


File Origin
# of uploads: 2
# of downloads: 461
Origin country: NL

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: EAB5A56791A6F2790DBB9470ECE5CB3E.exe
Verdict: Malicious activity
Analysis date: 2024-08-21 09:02:42 UTC
Tags: privateloader evasion

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 81.4%
Tags: Discovery Encryption Execution Generic Network Static Stealth Malware

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: installer lolbin microsoft_visual_cc overlay packed shell32
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Latrodectus
Detection: malicious
Classification: rans.troj.spyw.evad
Score: 100 / 100
Signature:
- AI detected suspicious sample
- Antivirus detection for URL or domain
- Detected unpacking (creates a PE file in dynamic memory)
- Drops PE files to the document folder of the user
- Drops PE files with a suspicious file extension
- Found direct / indirect Syscall (likely to bypass EDR)
- Injects a PE file into a foreign processes
- Modifies the context of a thread in another process (thread injection)
- Multi AV Scanner detection for domain / URL
- Multi AV Scanner detection for submitted file
- Sigma detected: Search for Antivirus process
- Suricata IDS alerts for network traffic
- Tries to harvest and steal browser information (history, passwords, etc)
- Writes many files with high entropy
- Yara detected Latrodectus
Behaviour
Behavior Graph (ID 1496482; the graph image itself was not preserved, so its node labels are listed below as a process tree; bracketed numbers are the graph's node IDs):
Sample: 7CTH165fQv.exe; Startdate: 21/08/2024; Architecture: WINDOWS; Score: 100
Contacted at top level: pomaspoteraka.com; iplis.ru; 3 other IPs or domains
Top-level signatures: Multi AV Scanner detection for domain / URL; Suricata IDS alerts for network traffic; Antivirus detection for URL or domain; 4 other signatures
[11] 7CTH165fQv.exe (started)
    dropped: C:\Users\user\AppData\Local\Temp\Pb (DOS); C:\Users\user\AppData\Local\Temp57u (DOS); C:\Users\user\AppData\Local\Temp\Wendy (data); 24 other malicious files
    signatures: Writes many files with high entropy
    [17] cmd.exe (started)
        dropped: C:\Users\user\AppData\Local\...\Workshops.pif (PE32+)
        signatures: Drops PE files with a suspicious file extension; Writes many files with high entropy
        [21] Workshops.pif (started)
            signatures: Drops PE files to the document folder of the user; Modifies the context of a thread in another process (thread injection); Injects a PE file into a foreign processes; Found direct / indirect Syscall (likely to bypass EDR)
            [31] Workshops.pif (started)
                network: 147.45.47.57, 49712, 80 FREE-NET-ASFREEnetEU Russian Federation; 193.233.232.86, 49713, 80 FREE-NET-ASFREEnetEU Russian Federation; 4 other IPs or domains
                dropped: C:\Users\...\zZjBwJ7mKFzrWBlJZhpe5LzJ.exe (PE32+); C:\Users\user\...\66c4c5421a16e_tz4j[1].exe (PE32+)
                signatures: Tries to harvest and steal browser information (history, passwords, etc)
                [36] zZjBwJ7mKFzrWBlJZhpe5LzJ.exe (started)
                    dropped: C:\Users\user\AppData\...\Update_239a5453.exe (PE32+); :wtfbbq (copy) (PE32+)
                    [39] Update_239a5453.exe (started)
                        network: pomaspoteraka.com 188.114.97.3, 443, 49720 CLOUDFLARENETUS European Union
                        signatures: Detected unpacking (creates a PE file in dynamic memory)
        [24] cmd.exe (started)
            dropped: C:\Users\user\AppData\Local\Temp\310308\O (data)
        [27] conhost.exe (started)
        [29] 7 other processes (started)
[15] Update_239a5453.exe (started at top level)
Threat name: Win32.Trojan.Generic
Status: Malicious
First seen: 2024-08-19 14:57:01 UTC
File Type: PE (Exe)
Extracted files: 32
AV detection: 17 of 24 (70.83%)
Threat level: 2/5

Result
Malware family: n/a
Score: 10/10
Tags: discovery
Behaviour:
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- Enumerates physical storage devices
- System Location Discovery: System Language Discovery
- Enumerates processes with tasklist
- Suspicious use of SetThreadContext
- Looks up external IP address via web service
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtCreateUserProcessOtherParentProcess

Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: 5826867a6f14d608cc6989f7d3cb47834c4893fe5a9e0c91169f3a02347c01e1
MD5 hash: eab5a56791a6f2790dbb9470ece5cb3e
SHA1 hash: 68cd57999a660a446f2cbb8135f77cb5638208a1
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                         Title                                                          Severity
CHECK_AUTHENTICODE         Missing Authenticode                                           high
CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (HIGH_ENTROPY_VA)         high
CHECK_NX                   Missing Non-Executable Memory Protection                       critical
CHECK_PIE                  Missing Position-Independent Executable (PIE) Protection       high

Reviews
ID                 Capabilities                       Evidence
COM_BASE_API       Can Download & Execute components  ole32.dll::CoCreateInstance
SHELL_API          Manipulates System Shell           SHELL32.dll::ShellExecuteW
                                                      SHELL32.dll::SHFileOperationW
                                                      SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_API  Can Create Process and Threads     KERNEL32.dll::CreateProcessW
                                                      KERNEL32.dll::OpenProcess
                                                      KERNEL32.dll::CloseHandle
                                                      KERNEL32.dll::CreateThread
WIN_BASE_API       Uses Win Base API                  KERNEL32.dll::LoadLibraryW
                                                      KERNEL32.dll::LoadLibraryA
                                                      KERNEL32.dll::LoadLibraryExW
                                                      KERNEL32.dll::GetDiskFreeSpaceW
                                                      KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_API    Can Create Files                   KERNEL32.dll::CopyFileW
                                                      KERNEL32.dll::CreateDirectoryW
                                                      KERNEL32.dll::CreateFileW
                                                      KERNEL32.dll::DeleteFileW
                                                      KERNEL32.dll::MoveFileW
                                                      KERNEL32.dll::GetWindowsDirectoryW
WIN_REG_API        Can Manipulate Windows Registry    ADVAPI32.dll::RegCreateKeyExW
                                                      ADVAPI32.dll::RegDeleteKeyW
                                                      ADVAPI32.dll::RegOpenKeyExW
                                                      ADVAPI32.dll::RegQueryValueExW
                                                      ADVAPI32.dll::RegSetValueExW
WIN_USER_API       Performs GUI Actions               USER32.dll::AppendMenuW
                                                      USER32.dll::EmptyClipboard
                                                      USER32.dll::FindWindowExW
                                                      USER32.dll::OpenClipboard
                                                      USER32.dll::PeekMessageW
                                                      USER32.dll::CreateWindowExW

Comments



Kasibe commented on 2024-08-21 09:21:36 UTC

PrivateLoader