MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5dc7e9979eac4e1aef7b7479431445d4397bd53757f23e11a2e1a258ef5b33af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer
Vendor detections: 10

SHA256 hash: 5dc7e9979eac4e1aef7b7479431445d4397bd53757f23e11a2e1a258ef5b33af
SHA3-384 hash: 48f06c4d0aaa51ceaa92c6aefcaba7fb74e81c36ea8df4fb2d8ed4d165bd82ec7643fc9a5c68d185bfae004cef07868b
SHA1 hash: 9d397589879ee49bd5248b142cfd07a1848dd432
MD5 hash: f5e23a3d237bc9ea991933c0fffd608a
humanhash: mango-hotel-colorado-monkey
File name: 5dc7e9979eac4e1aef7b7479431445d4397bd53757f23.exe
Signature RedLineStealer
File size: 1'796'041 bytes
First seen: 2023-08-13 13:15:13 UTC
Last seen: 2023-08-13 13:39:18 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash e569e6f445d32ba23766ad67d1e3787f (266 x Adware.Generic, 41 x RecordBreaker, 24 x RedLineStealer)
ssdeep 24576:s7FUDowAyrTVE3U5F/HRZPnSKic6QL3E2vVsjECUAQT45deRV9Rt:sBuZrEU2KIy029s4C1eH9r
Threatray 366 similar samples on MalwareBazaar
TLSH T1ED85CF3FF268A13EC56A1B3245B38350997BBA51B81A8C1E07FC384DCF765601E3B656
TrID 50.4% (.EXE) Inno Setup installer (109740/4/30)
19.7% (.EXE) InstallShield setup (43053/19/16)
19.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
4.8% (.EXE) Win64 Executable (generic) (10523/12/4)
2.0% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon 5050d270cccc82ae (112 x Adware.Generic, 73 x OffLoader, 43 x LummaStealer)
Reporter abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
94.142.138.167:19615

Intelligence

File Origin
# of uploads: 2
# of downloads: 311
Origin country: NL
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 5dc7e9979eac4e1aef7b7479431445d4397bd53757f23.exe
Verdict: No threats detected
Analysis date: 2023-08-13 13:16:55 UTC
Tags: installer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for synchronization primitives
Searching for the window
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
CheckNumberOfProcessor
CheckCmdLine
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: control installer lolbin overlay packed setupapi shell32
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: NetSupport RAT
Detection: malicious
Classification: spyw.evad.troj
Score: 84 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Behaviour
Behavior Graph ID: 1290670
Sample: 5dc7e9979eac4e1aef7b7479431...
Startdate: 13/08/2023
Architecture: WINDOWS
Score: 84

Processes started: msiexec.exe (multiple instances), 5dc7e9979eac4e1aef7b7479431445d4397bd53757f23.exe, 5dc7e9979eac4e1aef7b7479431445d4397bd53757f23.tmp, Windows Updater.exe, taskkill.exe, conhost.exe, s0.exe, s0.tmp, s2.exe, s3.exe, v113.exe, v114.exe, 160149546.exe, cmd.exe, expand.exe, reg.exe, wmiprvse.exe, chrome.exe

Dropped files (PE32 unless noted): C:\Windows\Installer\MSIF9A0.tmp, C:\Windows\Installer\MSIF6DF.tmp, C:\Windows\Installer\MSIF2C7.tmp, 5dc7e9979eac4e1aef...d4397bd53757f23.tmp, C:\Windows\Temp\...\Windows Updater.exe, C:\Windows\Temp\shiEB1D.tmp, C:\Windows\Temp\shiEA22.tmp, C:\Windows\Temp\shi5D43.tmp, C:\Windows\Temp\shi5BEA.tmp, C:\Users\user\AppData\Local\Temp\...\s0.tmp, C:\Users\user\AppData\Roaming\...\decoder.dll, C:\Windows\Temp\shi27AC.tmp (PE32+), C:\Windows\Temp\MSI2F20.tmp, C:\Windows\Temp\MSI2C8F.tmp, C:\AppData\Roaming\...\decoder.dll, C:\Users\user\AppData\Local\...\_iscrypt.dll, C:\...\unins000.exe (copy), C:\Program Files (x86)\...\is-MA0KC.tmp, C:\ProgramData\...\wmiprvse.exe (copy), C:\ProgramData\...\remcmdstub.exe (copy), C:\ProgramData\...\pcicapi.dll (copy), plus further files the graph groups only as "N other malicious files"

Network destinations (domain, IP, ports, AS, country as given by the graph):
collect.installeranalytics.com 52.71.211.199 AMAZON-AESUS United States
124.t.keepitpumpin.io
110.t.keepitpumpin.io
allroadslimit.com 188.114.97.7 CLOUDFLARENETUS European Union
pstbbk.com 157.230.96.32 DIGITALOCEAN-ASNUS United States
ambasoftgroup.info 77.246.100.5 MEDIAL-ASRU Russian Federation
www.mildstat.com 23.106.59.52, 49780, 80 LEASEWEB-UK-LON-11GB United Kingdom
dl.likeasurfer.com 104.21.32.100 CLOUDFLARENETUS United States
iplogger.com 148.251.234.93 HETZNER-ASDE Germany
seriopoli.info
54.160.207.153 AMAZON-AESUS United States
b47n300.info 77.105.136.3 PLUSTELECOM-ASRU Russian Federation
api.ip.sb
familystrike.top 5.8.54.110, 1203, 49732 PINDC-ASRU Russian Federation
geography.netsupportsoftware.com 51.142.119.24, 49733, 80 MICROSOFT-CORP-MSN-AS-BLOCKUS United Kingdom
geo.netsupportsoftware.com
192.168.2.1 unknown unknown
239.255.255.250 unknown Reserved
172.217.16.164 GOOGLEUS United States
www.google.com 142.251.36.164, 443, 49803 GOOGLEUS United States
clients.l.google.com 142.251.36.174, 443, 49736 GOOGLEUS United States
accounts.google.com

Signatures attached to graph nodes: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Query firmware table information (likely to detect VMs); Performs DNS queries to domains with low reputation; Multi AV Scanner detection for dropped file; Obfuscated command line found; Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Creates an undocumented autostart registry key
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2023-08-13 13:16:06 UTC
File Type: PE (Exe)
Extracted files: 15
AV detection: 16 of 23 (69.57%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Executes dropped EXE
Loads dropped DLL
Unpacked files
SHA256 hash: 47db8b5ce77779d040a6838263e2a7c2c52bb99708fcf2773ce47b0a5cecbb04
MD5 hash: b43051e2fefdc7dd51a9f45cf8dc896e
SHA1 hash: 19c560e66f1750d09642509e9683d88bc778e1ad

SHA256 hash: 74dc2dac54b56f413d7e962b4c8eb84567ed4c3b544a35f7b935ca68e5b594c5
MD5 hash: 8f008345dd8b073f2a0c8a5fcededc2a
SHA1 hash: f2fa955d832984229b4ead7d6be855116b97de4b

SHA256 hash: 04ea68480fecf235509d792d7c85ac205612ac122630dde6d71a69c2969650e5
MD5 hash: 61061bf637994d370c101c32199d1fdd
SHA1 hash: 80f7a5b44aa90aeff926e030ccdedceb298338e6

SHA256 hash: 5dc7e9979eac4e1aef7b7479431445d4397bd53757f23e11a2e1a258ef5b33af
MD5 hash: f5e23a3d237bc9ea991933c0fffd608a
SHA1 hash: 9d397589879ee49bd5248b142cfd07a1848dd432
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Borland
Author: malware-lu
Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments