MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 65664a51ce820349f70735c1ec9e5d1134263c911c858308a61aba0c6d8ec227. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 9

SHA256 hash: 65664a51ce820349f70735c1ec9e5d1134263c911c858308a61aba0c6d8ec227
SHA3-384 hash: 48a81d9a0835163235dd5f357541b65a964dd4b7446f970da16254c42eef17447d4160831fcf1ddd7d68133a00080187
SHA1 hash: 26fb820c55b5f58528cecad293eae5aac5f8433a
MD5 hash: 7ac147ffab23481724ecac11c4e81acf
humanhash: california-edward-pasta-aspen
File name: 7ac147ffab23481724ecac11c4e81acf
Download: download sample
Signature: RedLineStealer
File size: 12'675'648 bytes
First seen: 2023-02-20 21:45:01 UTC
Last seen: 2023-02-20 23:27:24 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 3b9cbd6df4e5b395344be05e4c3f9c49 (1 x LaplasClipper, 1 x RedLineStealer)
ssdeep: 393216:X3XK3jPzFh71BIfQyWTTQqWBT28dV0hG1:X3X8zb1BuQAqX8dVR
Threatray: 9 similar samples on MalwareBazaar
TLSH: T1B0D6330E2A997AF4F5C92830101B9D8B66F6AEB7CD508830FAD177FF6176DE8405109E
TrID: 42.7% (.EXE) Win32 Executable (generic) (4505/5/1)
      19.2% (.EXE) OS/2 Executable (generic) (2029/13)
      19.0% (.EXE) Generic Win/DOS Executable (2002/3)
      18.9% (.EXE) DOS Executable Generic (2000/1)
File icon (PE): (icon image)
dhash icon: d0c4e0e0e0f0c4c0 (2 x RedLineStealer)
Reporter: zbetcheckin
Tags: 32 exe RedLineStealer

Intelligence


File Origin
# of uploads: 2
# of downloads: 260
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 7ac147ffab23481724ecac11c4e81acf
Verdict: Malicious activity
Analysis date: 2023-02-20 21:48:32 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Maliciousness:
Behaviour
Searching for the window

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: overlay packed

Result
Verdict: MALICIOUS

Result
Threat name: RedLine, SectopRAT
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100

Signature
Antivirus detection for dropped file
Connects to many ports of the same IP (likely port scanning)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Self deletion via cmd or bat file
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic
Tries to evade analysis by execution special instruction (VM detection)
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Generic Downloader
Yara detected RedLine Stealer
Yara detected SectopRAT
Behaviour
Behavior Graph (ID 812298): Sample E6pGZcsLjc.exe, start date 20/02/2023, architecture WINDOWS, score 100

Top-level signatures:
- Snort IDS alert for network traffic
- Malicious sample detected (through community Yara rule)
- Multi AV Scanner detection for submitted file
- 7 other signatures

Process tree (as extracted from the graph):
- E6pGZcsLjc.exe (started)
  - Dropped: C:\ProgramData\sedinamike\cacadonay.exe (PE32)
  - Dropped: C:\...\cacadonay.exe:Zone.Identifier (ASCII)
  - Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Query firmware table information (likely to detect VMs); Self deletion via cmd or bat file; Tries to evade analysis by execution special instruction (VM detection)
  - cacadonay.exe (started)
    - Signatures: Antivirus detection for dropped file; Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Query firmware table information (likely to detect VMs); Tries to evade analysis by execution special instruction (VM detection)
    - InstallUtil.exe (started)
      - Network: 162.55.188.246, ports 15647, 49702, 49703 (ACPCA, United States)
      - Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Tries to harvest and steal browser information (history, passwords, etc)
  - cmd.exe (started)
    - Signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
    - PING.EXE (started)
      - Network: 127.0.0.1 (unknown)
    - conhost.exe (started)
- cacadonay.exe (started)
  - InstallUtil.exe (started)
  - InstallUtil.exe (started)
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2023-02-20 21:46:36 UTC
File Type: PE (Exe)
Extracted files: 12
AV detection: 11 of 25 (44.00%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Deletes itself
Drops startup file
Executes dropped EXE
Loads dropped DLL
Unpacked files

SHA256 hash: 3effad6bb127e3434acc243e8172f4c267663742807a0b8fb03265bbbc12c376
MD5 hash: 13768f87e1c24967e416c4847131149b
SHA1 hash: 6448f5d7b5f2a9d50916585f28105e4e017715f6

SHA256 hash: 65664a51ce820349f70735c1ec9e5d1134263c911c858308a61aba0c6d8ec227
MD5 hash: 7ac147ffab23481724ecac11c4e81acf
SHA1 hash: 26fb820c55b5f58528cecad293eae5aac5f8433a

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

Rule name: Sectigo_Code_Signed
Description: Detects code signed by the Sectigo RSA Code Signing CA
Reference: https://bazaar.abuse.ch/export/csv/cscb/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer
Executable exe 65664a51ce820349f70735c1ec9e5d1134263c911c858308a61aba0c6d8ec227 (this sample)

Delivery method: Distributed via web download