MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b109e55911293b4e5098d3711849b85499a988385721863a01c2e0dcd9ba0a6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 9


SHA256 hash: 6b109e55911293b4e5098d3711849b85499a988385721863a01c2e0dcd9ba0a6
SHA3-384 hash: 8a59cf57308544ff1933f875552ae9e2b71cba032a600186bd4b1687babbb6792a5c0eeb063d9148414396c16d39edf9
SHA1 hash: 9705f679c7759915deb931474f8d6a92b53cf4f3
MD5 hash: b680e316d61626cb9b6a35e2c80e09b7
humanhash: berlin-texas-fillet-south
File name: 6b109e55911293b4e5098d3711849b85499a988385721.exe
Signature: RedLineStealer
File size: 1'795'973 bytes
First seen: 2023-08-13 05:40:11 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: e569e6f445d32ba23766ad67d1e3787f (262 x Adware.Generic, 41 x RecordBreaker, 24 x RedLineStealer)
ssdeep: 24576:s7FUDowAyrTVE3U5F/lRZPnBniKic6QL3E2vVsjECUAQT45deRV9RM:sBuZrEUXniKIy029s4C1eH9q
Threatray: 66 similar samples on MalwareBazaar
TLSH: T16485CF3FF268A13EC56A1B3245B38320997BBA51B81A8C1E47FC344DCF765601E3B656
TrID 50.4% (.EXE) Inno Setup installer (109740/4/30)
19.7% (.EXE) InstallShield setup (43053/19/16)
19.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
4.8% (.EXE) Win64 Executable (generic) (10523/12/4)
2.0% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
94.142.138.167:19615

Intelligence


File Origin
# of uploads: 1
# of downloads: 357
Origin country: NL
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 6b109e55911293b4e5098d3711849b85499a988385721.exe
Verdict: No threats detected
Analysis date: 2023-08-13 05:42:52 UTC
Tags: installer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for synchronization primitives
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
CheckNumberOfProcessor
CheckCmdLine
Gathering data
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: NetSupport RAT
Detection: malicious
Classification: spyw.evad.troj
Score: 90 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Contains functionality to modify clipboard data
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Behaviour
Behavior Graph: ID 1290575 (sample 6b109e55911293b4e5098d37118..., start date 13/08/2023, architecture WINDOWS, score 90); the interactive process/file/network graph is not reproduced in this view.
Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Executes dropped EXE
Loads dropped DLL
Unpacked files
SHA256 hash: b078a42cb6f385f8f1eca1edfbf46f05b2b59cd08175ca4099d41a6f9d48f892
MD5 hash: 6aaa26553e3a555481aba17427de452d
SHA1 hash: 119c6d244040273bf1beff3524c9aa928f3aa9fd

SHA256 hash: 436a25c983007772462dbeaa5dd5a48d88f233c96bfb84414e7567e02d124ed2
MD5 hash: 8d60e9c31f23dd2109121de2e8a62726
SHA1 hash: f7ee438acecbafb2d9862911ce3cfac029f701c9

SHA256 hash: f91eeb4307e4d504d03952523f662e265a5ea5ae256823fef391c247de32dda4
MD5 hash: 4c4876b27490e57ecbc445203536ed77
SHA1 hash: d891ff0d92f6c72a1fb085d949485974cde3f9ed

SHA256 hash: 6b109e55911293b4e5098d3711849b85499a988385721863a01c2e0dcd9ba0a6
MD5 hash: b680e316d61626cb9b6a35e2c80e09b7
SHA1 hash: 9705f679c7759915deb931474f8d6a92b53cf4f3
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Borland
Author: malware-lu

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments