MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 69ded352d815114251f0986f1f9d16702f1b33372c23fe8de2cd18ddab231e13. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 69ded352d815114251f0986f1f9d16702f1b33372c23fe8de2cd18ddab231e13
SHA3-384 hash: df22dba1d5064088f833b01708876d8f72ec78867799dc5eedf1626c00398f912b2b7d7430da968317d85a82c4db6add
SHA1 hash: 382650f8972ad82bddef824480086217c34c87ce
MD5 hash: 24fbc8705072bb32a6ac2fc995a66f17
humanhash: oscar-potato-four-kansas
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:7'867'392 bytes
First seen:2023-09-26 18:30:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ee26deb5354c4489ff0dc7547168b2dc (3 x Amadey, 3 x RedLineStealer, 1 x PrivateLoader)
ssdeep 196608:1/26U9PTHjFEewj925ecIj3uauDXdeRCpParPWNZPfOvjqOe:1u6AzpE/4QnuDde05ge3PWvjI
TLSH T10A86239A2644239DC05A80388833EC26F1F65D1F5EA5F66973FF7EC27B69E20C641B05
TrID 38.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
15.6% (.ICL) Windows Icons Library (generic) (2059/9)
15.4% (.EXE) OS/2 Executable (generic) (2029/13)
15.2% (.EXE) Generic Win/DOS Executable (2002/3)
15.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 78607061a0e8e022 (1 x RedLineStealer)
Reporter jstrosch
Tags:exe RedLineStealer X64

Intelligence

File Origin
# of uploads :
1
# of downloads :
268
Origin country :
US US
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
https://amimasud.com/wp-includes/wp-upl/file_p_a_s_s1234.zip
Verdict:
Malicious activity
Analysis date:
2023-09-14 22:32:35 UTC
Tags:
privateloader evasion opendir loader risepro stealer redline stealc fabookie lumma tofsee smoke adware sogou lgoogloader vidar trojan arkei ransomware stop raccoonclipper g0njxa
Link:
https://app.any.run/tasks/1dbd21b0-f4c1-42c0-b61f-fb8abf6b4e8a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/451339/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader46.6366.27367.14281.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Modifying a system file
Сreating synchronization primitives
DNS request
Replacing files
Sending a custom TCP request
Launching a service
Launching a process
Sending an HTTP GET request
Reading critical registry keys
Creating a file
Sending a UDP request
Forced system process termination
Blocking the Windows Defender launch
Adding exclusions to Windows Defender
Sending an HTTP GET request to an infection source
Gathering data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed packed scar vmprotect
Link:
https://www.filescan.io/uploads/65132368988a26b6d9711433/reports/6beb54d2-4969-4a7d-a8b8-42d162cbecd0/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/69ded352d815114251f0986f1f9d16702f1b33372c23fe8de2cd18ddab231e13
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/271ffcfe-6d8e-4bc3-a61b-8fc530ab894c
Result
Threat name:
Fabookie, Glupteba, PrivateLoader, RedLi
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1314772
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an autostart registry key pointing to binary in C:\Windows
Creates files in the system32 config directory
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
DNS related to crypt mining pools
Drops executables to the windows directory (C:\Windows) and starts them
Drops large PE files
Drops PE files with benign system names
Found C&C like URL pattern
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Modifies Group Policy settings
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Performs DNS TXT record lookups
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Schedule system process
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Uses STUN server to do NAT traversial
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Fabookie
Yara detected Glupteba
Yara detected PrivateLoader
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1314772 Sample: file.exe Startdate: 26/09/2023 Architecture: WINDOWS Score: 100 156 z.nnnaajjjgc.com 2->156 158 xmr-eu1.nanopool.org 2->158 160 2 other IPs or domains 2->160 198 Snort IDS alert for network traffic 2->198 200 Found malware configuration 2->200 202 Malicious sample detected (through community Yara rule) 2->202 204 34 other signatures 2->204 12 file.exe 11 41 2->12         started        17 cuiddgj 2->17         started        19 svchost.exe 2->19         started        21 6 other processes 2->21 signatures3 process4 dnsIp5 180 94.142.138.113, 49786, 49832, 80 IHOR-ASRU Russian Federation 12->180 182 171.22.28.222, 49795, 80 CMCSUS Germany 12->182 184 16 other IPs or domains 12->184 148 C:\Users\...\vzGhFQt1i790lk4BnLnMP7kl.exe, PE32 12->148 dropped 150 C:\Users\...\p3cBOHQdNIbtQHAhKvpXdkZU.exe, PE32 12->150 dropped 152 C:\Users\...\dLVYBrpPYU1VYXsjndexnaPQ.exe, PE32+ 12->152 dropped 154 13 other malicious files 12->154 dropped 256 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 12->256 258 May check the online IP address of the machine 12->258 260 Creates HTML files with .exe extension (expired dropper behavior) 12->260 268 5 other signatures 12->268 23 _aNGExde_YsqKtC8EcOlNmbu.exe 13 12->23         started        26 3ekhqs9pVLWfM2w0MNdPlbp_.exe 12->26         started        30 vzGhFQt1i790lk4BnLnMP7kl.exe 1 12->30         started        34 6 other processes 12->34 262 Multi AV Scanner detection for dropped file 17->262 264 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 17->264 266 Maps a DLL or memory area into another process 17->266 270 2 other signatures 17->270 32 WerFault.exe 19->32         started        file6 signatures7 process8 dnsIp9 224 Found Tor onion address 23->224 226 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 23->226 36 _aNGExde_YsqKtC8EcOlNmbu.exe 23->36         started        40 powershell.exe 23->40         started        168 45.15.156.229, 49833, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 26->168 170 45.9.74.80, 49845, 49846, 80 FIRST-SERVER-EU-ASRU Russian Federation 26->170 176 4 other IPs or domains 26->176 134 C:\Users\...\u39Q8X9bUuNIob26IwpW8Cfr.exe, PE32 26->134 dropped 136 C:\Users\...\703ytzkzIyzjKg_XQtw91XEO.exe, PE32 26->136 dropped 138 C:\Users\user\AppData\Local\...\harbar[1].exe, PE32 26->138 dropped 140 C:\Users\user\AppData\...\fikim0926727[1].exe, PE32 26->140 dropped 228 Disables Windows Defender (deletes autostart) 26->228 230 Disable Windows Defender real time protection (registry) 26->230 42 703ytzkzIyzjKg_XQtw91XEO.exe 26->42         started        44 u39Q8X9bUuNIob26IwpW8Cfr.exe 26->44         started        232 Writes to foreign memory regions 30->232 234 Allocates memory in foreign processes 30->234 236 Injects a PE file into a foreign processes 30->236 46 vbc.exe 30->46         started        49 conhost.exe 30->49         started        172 app.nnnaajjjgc.com 34->172 174 185.225.73.32, 44973, 49836 MAYAKBG Germany 34->174 178 3 other IPs or domains 34->178 142 C:\Users\user\AppData\Local\...\Je5uyAd.w, PE32 34->142 dropped 144 C:\ProgramData\x64netJS\JQSZY.exe, PE32+ 34->144 dropped 146 C:\Users\...\49ff47939f049ef33ab95c6a521590b5, SQLite 34->146 dropped 238 Found many strings related to Crypto-Wallets (likely being stolen) 34->238 240 Tries to harvest and steal browser information (history, passwords, etc) 34->240 242 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 34->242 246 4 other signatures 34->246 51 explorer.exe 34->51 injected 53 cmd.exe 34->53         started        55 2 other processes 34->55 file10 244 Performs DNS TXT record lookups 172->244 signatures11 process12 dnsIp13 108 C:\Windows\rss\csrss.exe, PE32 36->108 dropped 206 Drops executables to the windows directory (C:\Windows) and starts them 36->206 208 Creates an autostart registry key pointing to binary in C:\Windows 36->208 57 csrss.exe 36->57         started        62 cmd.exe 36->62         started        64 powershell.exe 36->64         started        74 2 other processes 36->74 66 conhost.exe 40->66         started        110 C:\Users\user\AppData\Local\...\toolspub2.exe, PE32 42->110 dropped 112 C:\Users\user\AppData\Local\Temp\opee37.exe, PE32+ 42->112 dropped 114 C:\Users\user\AppData\Local\Temp\kos1.exe, PE32 42->114 dropped 122 2 other malicious files 42->122 dropped 116 C:\Users\user\AppData\Local\...\gqgncgleb.dat, PE32+ 44->116 dropped 68 cmd.exe 44->68         started        186 176.123.4.46, 33783, 49838 ALEXHOSTMD Moldova Republic of 46->186 210 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 46->210 212 Found many strings related to Crypto-Wallets (likely being stolen) 46->212 214 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 46->214 222 2 other signatures 46->222 188 187.134.55.247 UninetSAdeCVMX Mexico 51->188 190 211.171.233.126 LGDACOMLGDACOMCorporationKR Korea Republic of 51->190 192 6 other IPs or domains 51->192 118 C:\Users\user\AppData\Roaming\cuiddgj, PE32 51->118 dropped 120 C:\Users\user\AppData\Local\Temp\13D1.exe, PE32 51->120 dropped 216 System process connects to network (likely due to code injection or exploit) 51->216 218 Benign windows process drops PE files 51->218 220 Hides that the sample has been downloaded from the Internet (zone.identifier) 51->220 70 control.exe 53->70         started        72 conhost.exe 53->72         started        file14 signatures15 process16 dnsIp17 162 server16.redhatsystems.com 57->162 164 server16.redhatsystems.com 185.82.216.64 ITL-BG Bulgaria 57->164 166 4 other IPs or domains 57->166 124 C:\Windows\windefender.exe, PE32 57->124 dropped 126 C:\Users\user\AppData\Local\...\injector.exe, PE32+ 57->126 dropped 128 C:\Users\...128tQuerySystemInformationHook.dll, PE32+ 57->128 dropped 132 5 other malicious files 57->132 dropped 250 Uses schtasks.exe or at.exe to add and modify task schedules 57->250 76 powershell.exe 57->76         started        78 schtasks.exe 57->78         started        89 3 other processes 57->89 252 Uses netsh to modify the Windows network and firewall settings 62->252 80 netsh.exe 62->80         started        83 conhost.exe 62->83         started        85 conhost.exe 64->85         started        130 C:\Users\user\AppData\Local\...\fejwuae.exe, PE32 68->130 dropped 91 2 other processes 68->91 87 rundll32.exe 70->87         started        93 2 other processes 74->93 file18 254 Uses STUN server to do NAT traversial 162->254 signatures19 process20 signatures21 95 conhost.exe 76->95         started        97 conhost.exe 78->97         started        194 Creates files in the system32 config directory 80->194 196 Tries to detect sandboxes / dynamic malware analysis system (file name check) 87->196 99 rundll32.exe 87->99         started        101 conhost.exe 89->101         started        103 conhost.exe 89->103         started        process22 process23 105 rundll32.exe 99->105         started        signatures24 248 Tries to detect sandboxes / dynamic malware analysis system (file name check) 105->248
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/69ded352d815114251f0986f1f9d16702f1b33372c23fe8de2cd18ddab231e13/
Threat name:
Win64.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-09-14 12:22:03 UTC
File Type:
PE+ (Exe)
Extracted files:
12
AV detection:
18 of 23 (78.26%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nhpnguwycuiueupqtbxr7hiwoaxrwmzxfqr75dpczumn3kzddyjq._file
Verdict:
malicious
Result
Malware family:
privateloader
Create hunting rule
Score:
  10/10
Tags:
family:privateloader loader spyware stealer vmprotect
Link:
https://tria.ge/reports/230926-w525facf7y/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Drops file in System32 directory
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
VMProtect packed file
PrivateLoader
Unpacked files
SH256 hash:
69ded352d815114251f0986f1f9d16702f1b33372c23fe8de2cd18ddab231e13
MD5 hash:
24fbc8705072bb32a6ac2fc995a66f17
SHA1 hash:
382650f8972ad82bddef824480086217c34c87ce
Link:
https://www.unpac.me/results/8679a0c7-d39f-4b6e-86bd-09a53f2062c7/
Malware family:
PrivateLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/69ded352d815/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.56
Link:
https://yomi.yoroi.company/submissions/69ded352d815114251f0986f1f9d16702f1b33372c23fe8de2cd18ddab231e13

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MALWARE_Win_Alfonoso
Create hunting rule
Author:ditekSHen
Description:Detects Alfonoso / Shurk / HunterStealer infostealer
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 69ded352d815114251f0986f1f9d16702f1b33372c23fe8de2cd18ddab231e13

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/451339/

Comments