MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 69bf2937bb27a92245b10fddafe7a4d46b8d53be94f930a5b3cf76b9cb51853c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 69bf2937bb27a92245b10fddafe7a4d46b8d53be94f930a5b3cf76b9cb51853c
SHA3-384 hash: 59ed553f85c797b0e330eea3063e4210f456c2b0cfec156d6cc54653caf64895122c77b104f239385b70df019b679012
SHA1 hash: 0ede994354d9bd1d384781fde96b02ea8285a7f7
MD5 hash: 5999a3f15fb4127a8e0c5f1b787482e7
humanhash: three-california-whiskey-mockingbird
File name:69BF2937BB27A92245B10FDDAFE7A4D46B8D53BE94F93.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'366'016 bytes
First seen:2022-02-06 08:32:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 148d482ece6903c9871bc6044bd1df9b (1 x CoinMiner.XMRig, 1 x GCleaner, 1 x Tofsee)
ssdeep 12288:i0Djqk+hA0uMmj4a0DudXezE09Si/ckGHt6pshsPSGkYl2XIQCb+Lk1TWbPXQnAf:dDj/v0gXe4i7ojhsP5Lgrk1TWb4AN5
Threatray 66 similar samples on MalwareBazaar
TLSH T13B5512A3B8C2C4B3E297467752E5DF64D92BF9121B148EE723901C374E701C26E36D6A
File icon (PE):PE icon
dhash icon aab292b2b2c8e0ae (1 x CoinMiner.XMRig, 1 x GCleaner, 1 x Tofsee)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
194.127.178.245:31789

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
194.127.178.245:31789 https://threatfox.abuse.ch/ioc/378396/

Intelligence

File Origin
# of uploads :
1
# of downloads :
266
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
69BF2937BB27A92245B10FDDAFE7A4D46B8D53BE94F93.exe
Verdict:
No threats detected
Analysis date:
2022-02-06 09:50:17 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3defc17b-72a0-4343-899e-51ac5a265a14

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/233753/
Detection(s):
Win.Malware.Lazy-9918569-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %AppData% directory
Modifying an executable file
Launching a service
Searching for synchronization primitives
Creating a file in the Windows subdirectories
Modifying a system executable file
Launching a process
DNS request
Loading a system driver
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Modifying a system file
Creating a window
Searching for the window
Enabling autorun for a service
Query of malicious DNS domain
Blocking the Windows Defender launch
Infecting executable files
Sending an HTTP GET request to an infection source
Sending an HTTP POST request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
explorer.exe greyware
Link:
https://www.filescan.io/uploads/61ff87c6a72f86da69612891/reports/84ebce93-087a-4da8-968a-e1cb21bf724a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6bc24717-9c72-48d7-a0b5-5501a270304f
Result
Threat name:
RedLine Socelars onlyLogger
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/934683
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Disable Windows Defender real time protection (registry)
Drops executable to a common third party application directory
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected onlyLogger
Yara detected RedLine Stealer
Yara detected Socelars
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 567161 Sample: 69BF2937BB27A92245B10FDDAFE... Startdate: 06/02/2022 Architecture: WINDOWS Score: 100 75 Multi AV Scanner detection for domain / URL 2->75 77 Malicious sample detected (through community Yara rule) 2->77 79 Antivirus detection for URL or domain 2->79 81 11 other signatures 2->81 7 69BF2937BB27A92245B10FDDAFE7A4D46B8D53BE94F93.exe 4 33 2->7         started        12 armsvc.exe 1 2->12         started        14 FXSSVC.exe 14 5 2->14         started        16 7 other processes 2->16 process3 dnsIp4 61 212.193.30.21 SPD-NETTR Russian Federation 7->61 63 212.193.30.45 SPD-NETTR Russian Federation 7->63 69 11 other IPs or domains 7->69 45 C:\Windows\System32\msiexec.exe, PE32+ 7->45 dropped 47 C:\Windows\System32\msdtc.exe, PE32+ 7->47 dropped 49 C:\Windows\System32\alg.exe, PE32+ 7->49 dropped 57 14 other files (11 malicious) 7->57 dropped 85 Tries to harvest and steal browser information (history, passwords, etc) 7->85 87 Disable Windows Defender real time protection (registry) 7->87 89 Drops executable to a common third party application directory 7->89 18 z1f4iMy7NKZCpb6L67clmEvH.exe 7->18         started        21 eU8bXkSpiojGIJFqC8wztZoh.exe 7->21         started        24 MTI5BDQqmOTS6lVIOlaXDSJy.exe 1 7->24         started        26 4 other processes 7->26 65 173.231.184.124 VOXEL-DOT-NETUS United States 12->65 67 85.17.31.122 LEASEWEB-NL-AMS-01NetherlandsNL Netherlands 12->67 71 4 other IPs or domains 12->71 51 C:\Program Files (x86)\...\OSE.EXE, PE32 12->51 dropped 53 C:\Windows\System32\snmptrap.exe, PE32+ 12->53 dropped 55 C:\Windows\System32\Spectrum.exe, PE32+ 12->55 dropped 59 4 other files (none is malicious) 12->59 dropped 91 Infects executable files (exe, dll, sys, html) 12->91 file5 signatures6 process7 dnsIp8 31 C:\Users\user\AppData\Local\Temp\setup.exe, PE32 18->31 dropped 33 C:\Users\user\AppData\Local\Temp\inst1.exe, PE32 18->33 dropped 35 C:\Users\user\AppData\Local\...\bearvpn3.exe, PE32 18->35 dropped 43 10 other files (7 malicious) 18->43 dropped 83 Injects a PE file into a foreign processes 21->83 37 C:\Users\...\pidHTSIGEi8DrAmaYu9K8ghN89.dll, PE32+ 24->37 dropped 73 176.123.2.161 ALEXHOSTMD Moldova Republic of 26->73 39 C:\Users\user\AppData\Local\...\Install.exe, PE32 26->39 dropped 41 C:\Users\user\AppData\Local\...\PdSIHzlf.cpl, PE32 26->41 dropped 29 WerFault.exe 20 9 26->29         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/69bf2937bb27a92245b10fddafe7a4d46b8d53be94f930a5b3cf76b9cb51853c/
Threat name:
Win32.Virus.Vitro
Create hunting rule
Status:
Malicious
First seen:
2021-12-30 12:45:20 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
31 of 43 (72.09%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ng7ssn53e6usernrb7o27z5e2rvy2u56st4tbjntz53lts2rqu6a._file
Verdict:
malicious
Similar samples:
1201c943fabde039739daecfd658863ed78a2d11b316e0b1ad88d7ef8f55327f
RedLineStealer
20fdea0c17ffb565895491b930cc6ad3df6ca3cc85780ddda1dad5a0ecd1983b
RedLineStealer
23522a7ef91b6ce63bc20377743fdc98d50ba4dc3593f3ca60e8439f029c21f9
RedLineStealer
2354e7fd52d87c3f556dc959da33343c3a00c62a192d7aaceb53053373d2f880
RedLineStealer
3e76e7feb262d38688d3e47c2e422083fd892144ac3a1a85c6db8c7e610bc65e
RedLineStealer
a2648c0044dd0c910d9176445c297fd3c6f457478c2a4492ab4e504566c053a3
RedLineStealer
b1516cc28d0e6e3f77a8eadd2a7fda7daf746e0a7b27088e016519baf8de0338
RedLineStealer
d5c6ab08bce43bca4fe80a18f0b48b42ca027eeefd17050e1d346abcc182fb21
RedLineStealer
f3cb52645012aeef6b8146b69407c71e6db6ba38a2c10e59e9a5ed02245f4158
RedLineStealer
+ 56 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig evasion miner spyware stealer trojan
Link:
https://tria.ge/reports/220206-kg8frsghc8/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Defender Real-time Protection settings
xmrig
Unpacked files
SH256 hash:
69bf2937bb27a92245b10fddafe7a4d46b8d53be94f930a5b3cf76b9cb51853c
MD5 hash:
5999a3f15fb4127a8e0c5f1b787482e7
SHA1 hash:
0ede994354d9bd1d384781fde96b02ea8285a7f7
Link:
https://www.unpac.me/results/6a36a6e2-dc0a-4ab8-a5af-3247a1dd3bc2/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:MALWARE_Win_DLInjector06
Create hunting rule
Author:ditekSHen
Description:Detects downloader / injector

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/233753/

Comments