MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 64287e79baab44a7bc4996b5712573de1cf3a5e279bb48abcaa79ccee9545254. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 64287e79baab44a7bc4996b5712573de1cf3a5e279bb48abcaa79ccee9545254
SHA3-384 hash: 50efc1030fd55234d3ca188c3a74afe2e3bed169cd525d745aa09cb02579c45b392a0af08aff8e1963ef724bdb26c30f
SHA1 hash: 32113c537704c76d6a254bec0a6f0953b61b1414
MD5 hash: 77b6db60ce150f9d850805f3b344358a
humanhash: river-dakota-michigan-mars
File name:modest-menu.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:3'190'272 bytes
First seen:2023-04-17 05:45:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:E/xjSOtfDDdS4SSZc0hrbUMritLd8BfoxLf4iV:E/xRfDD3JbAqexEiV
Threatray 9 similar samples on MalwareBazaar
TLSH T153E5B23A2CFD1633D1B8D6B5CFC28827B060D1B736222A3664D3676583A3D8669C717D
TrID 66.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.5% (.EXE) Win64 Executable (generic) (10523/12/4)
5.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon c8e2eae6e292c2ee (14 x ArkeiStealer, 10 x RedLineStealer, 3 x Vidar)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
193.233.20.13:11552

Intelligence

File Origin
# of uploads :
1
# of downloads :
592
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
modest-menu.exe
Verdict:
Malicious activity
Analysis date:
2023-04-17 05:45:40 UTC
Tags:
rat redline
Link:
https://app.any.run/tasks/7c9495da-a6c4-4360-817e-caf3041455d4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/382722/
Detection(s):
SecuriteInfo.com.Win32.Trojan-gen.1039.30021.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict:
Unknown
Threat level:
  0/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/643cdd1b12f914d0711b4bb6/reports/43fe89f5-3017-42c1-8ba2-f273e0e20b0b/overview
Verdict:
Malicious
Labled as:
MSIL/GenKryptik_AGeneric.UI trojan
Link:
https://www.hybrid-analysis.com/sample/64287e79baab44a7bc4996b5712573de1cf3a5e279bb48abcaa79ccee9545254
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/817bff66-70ee-474f-9993-92d70d8feaa9
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1214978
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 847906 Sample: modest-menu.exe Startdate: 17/04/2023 Architecture: WINDOWS Score: 100 66 Snort IDS alert for network traffic 2->66 68 Found malware configuration 2->68 70 Malicious sample detected (through community Yara rule) 2->70 72 6 other signatures 2->72 9 modest-menu.exe 15 3 2->9         started        process3 dnsIp4 48 msftstore.s.llnwi.net 95.140.230.128, 443, 49699 LLNWUS United Kingdom 9->48 40 C:\Users\user\AppData\...\modest-menu.exe.log, ASCII 9->40 dropped 88 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 9->88 90 Writes to foreign memory regions 9->90 92 Injects a PE file into a foreign processes 9->92 14 MSBuild.exe 14 8 9->14         started        file5 signatures6 process7 dnsIp8 52 193.233.20.13, 11552, 49702 REDCOM-ASRedcomKhabarovskRussiaRU Russian Federation 14->52 54 s3-w.us-east-1.amazonaws.com 3.5.27.126, 443, 49704 AMAZON-AESUS United States 14->54 56 4 other IPs or domains 14->56 42 C:\Users\user\AppData\Local\Temp\update.exe, PE32 14->42 dropped 44 C:\Users\user\AppData\...\SystemUpdate.exe, PE32+ 14->44 dropped 58 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 14->58 60 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 14->60 62 Tries to harvest and steal browser information (history, passwords, etc) 14->62 64 Tries to steal Crypto Currency Wallets 14->64 19 update.exe 14 501 14->19         started        23 SystemUpdate.exe 2 14->23         started        file9 signatures10 process11 dnsIp12 46 bitbucket.org 19->46 74 Antivirus detection for dropped file 19->74 76 Multi AV Scanner detection for dropped file 19->76 78 Obfuscated command line found 19->78 80 Adds a directory exclusion to Windows Defender 19->80 26 cmd.exe 1 19->26         started        38 C:\Users\user\AppData\Roaming\...\runtime.exe, PE32+ 23->38 dropped 82 Machine Learning detection for dropped file 23->82 file13 signatures14 process15 signatures16 84 Obfuscated command line found 26->84 86 Adds a directory exclusion to Windows Defender 26->86 29 powershell.exe 26->29         started        32 conhost.exe 26->32         started        34 chcp.com 1 26->34         started        36 2 other processes 26->36 process17 dnsIp18 50 192.168.2.1 unknown unknown 29->50
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/64287e79baab44a7bc4996b5712573de1cf3a5e279bb48abcaa79ccee9545254/
Threat name:
Win32.Spyware.Aurorastealer
Create hunting rule
Status:
Malicious
First seen:
2023-04-17 05:46:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
16 of 24 (66.67%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mquh46n2vnckppcjs22xcjlt3yophjpcpg5urk6ku6om52kukjka._file
Verdict:
malicious
Similar samples:
24c485ecb00d9d6ed8c12fb7a3162169cb1b666ab9a90eb3c1bcdf8dd8c40df4
RedLineStealer
40aac7a5a709361db31b5189b42650d420548ace3f0da200e42a64fef2d3b923
RedLineStealer
7346cbcf43050e88c5e75cd08656b6da4c4db4c07c72c9888f0cee37a2f21c97
RedLineStealer
7eca268620be477e9c5594626d5d8e15c6d26982dbd9f459bd0aee1cce88fe0d
RedLineStealer
911bbfc7ff5d4eb83d8c0f402f79cefaa2afe7f11f29ff4572189b9d973d58bc
RedLineStealer
94d2ad113de21287251ed4ac1faed0cc6119cb5c3a4734cc7ac6583e01e708f0
RedLineStealer
c1853b7f39c854c19408c29f02fb13b883edcde8d61bd261cb8be0d2c8621dbe
RedLineStealer
e3cb48e5a91062c073844676d319598ced84650b3f8a0df01da752b6a585094f
RedLineStealer
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline infostealer persistence spyware
Link:
https://tria.ge/reports/230417-ggayqaeg7t/
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
RedLine
Malware Config
C2 Extraction:
193.233.20.13:11552
Unpacked files
SH256 hash:
7e4c992be60cb3361384f6d1700ebbabee71bc8f73305bb6003d5d9ad0d42676
MD5 hash:
df0061ebfca3630f415ab66f62715e07
SHA1 hash:
15b4c361ad2dce31c925400fcb2e836fec46fbbb
Link:
https://www.unpac.me/results/e243b862-cdf6-4613-bbfa-8b49f7b8472a/
SH256 hash:
09d34285a0c9f9392d7694ba0eb6e684d4bb606599dd6b87b00c255b952ee3c2
MD5 hash:
6e1bc5557aac7df8c952a3899e617941
SHA1 hash:
09552e0c9d200d88ba843963be476fc97684b750
Link:
https://www.unpac.me/results/e243b862-cdf6-4613-bbfa-8b49f7b8472a/
SH256 hash:
64287e79baab44a7bc4996b5712573de1cf3a5e279bb48abcaa79ccee9545254
MD5 hash:
77b6db60ce150f9d850805f3b344358a
SHA1 hash:
32113c537704c76d6a254bec0a6f0953b61b1414
Link:
https://www.unpac.me/results/e243b862-cdf6-4613-bbfa-8b49f7b8472a/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/64287e79baab/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/382722/

Comments