MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 75fc8932ad40c76d48783b1e9042f19983d72163e82065a04b0298c37962915c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 14
SHA256 hash: 75fc8932ad40c76d48783b1e9042f19983d72163e82065a04b0298c37962915c
SHA3-384 hash: 46580f4d323254e2e6af5e033558bf369b6778e4377b1aff9d4856de25f9f73f4b0dc936dd73481b4ed907dca5a6a676
SHA1 hash: 2b63ce526925c7915191c989b5c45cccb4958d23
MD5 hash: fa0e45413ffcfb619ab488952c7d4cf3
humanhash: lake-pip-bulldog-shade
File name: fa0e45413ffcfb619ab488952c7d4cf3.exe
Signature: RedLineStealer
File size: 554'142 bytes
First seen: 2023-07-15 14:55:49 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 12e12319f1029ec4f8fcbed7e82df162 (388 x DCRat, 52 x RedLineStealer, 51 x Formbook)
ssdeep: 12288:+ToPWBv/cpGrU3yDT+tjIKY1YHRfcr0ECTLx0T:+TbBv5rUlIKbXBTLx0T
Threatray: 350 similar samples on MalwareBazaar
TLSH: T1A2C4F103BDC2C8B2C46208335B69AB51753DBE201F658EEBB3C46A5DE9311D0E7357A6
TrID: 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
      13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
      6.2% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
213.32.110.216:23067

Intelligence


File Origin
# of uploads: 1
# of downloads: 264
Origin country: NL

Vendor Threat Intelligence
Result
Verdict: Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Verdict: Suspicious
Threat level: 5/10
Confidence: 82%
Tags: anti-vm greyware lolbin overlay packed packed setupapi shdocvw shell32
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Malicious Packer
Verdict: Malicious
Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Creates an autostart registry key pointing to binary in C:\Windows
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Schedule binary from dotnet directory
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected RedLine Stealer
Behaviour
Behavior Graph (rendered graph not available in this text export; ID 1273624, sample iTumnbLZkA.exe, start date 15/07/2023, architecture WINDOWS, score 100). The nodes and edges the graph contained:

Top-level signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 8 other signatures.

Process tree:
- iTumnbLZkA.exe (root)
  - drops C:\Windows\Temp\111.exe (PE32)
  - starts 111.exe
    - network: 213.32.110.216:23067 (OVH, France); transfer.sh 144.76.136.153:443 (HETZNER-AS, Germany)
    - drops C:\Users\user\AppData\Local\Temp\123123.exe (PE32) and C:\Users\user\AppData\Local\Temp\123.exe (PE32)
    - signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); 3 other signatures
    - starts 123123.exe
      - signatures: Multi AV Scanner detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
      - starts AppLaunch.exe
        - network: ip-api.com 208.95.112.1:80 (TUT-AS, United States); 185.159.129.168:80 (ITOS-AS, Russian Federation)
        - drops C:\ProgramData\...\MTA1.exe (PE32)
        - signatures: Suspicious powershell command line found; Creates an autostart registry key pointing to binary in C:\Windows; Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender
        - starts powershell.exe (x2) and schtasks.exe (x2), each with a conhost.exe child
      - starts WerFault.exe and conhost.exe
    - starts 123.exe
      - network: 127.0.0.1
      - signatures: Machine Learning detection for dropped file; Tries to harvest and steal browser information (history, passwords, etc)
      - starts chrome.exe (contacts 192.168.2.1), which starts a child chrome.exe (contacts www.google.com 172.217.16.164:443, GOOGLE, United States)
- AppLaunch.exe, MTA1.exe and 2 other processes are also started from the root
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2023-07-15 14:56:07 UTC
File Type: PE (Exe)
Extracted files: 72
AV detection: 13 of 38 (34.21%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:logsdiller cloud (bot: @logsdillabot) discovery infostealer spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
RedLine
Malware Config
C2 Extraction: 213.32.110.216:23067
Unpacked files
SHA256 hash: 9b6a5ceba55bb7dbfe7046e68c071290de5cff2daace9180b6b2d6bddeeada44
MD5 hash: 3ad387eabdf1ef6dce9edd2545541418
SHA1 hash: bffa7bddd091b37a512196649fb3ca04f1901406
Detections: redline

SHA256 hash: 14ee06cce6c6ccef69cbfd27cf9d7c97cd0c25e6536fd6302f7f9218d770efcc
MD5 hash: aa347b6fd0924c5a8b339d3b3d507fd9
SHA1 hash: 825c039c3886b7270ff608ee177fe76833d01961

SHA256 hash: f5d9d2e0883e32d01e9d8b880eadd783fbd1a9bbf73f972bfccf61da829a48b1
MD5 hash: af951209e62e69b0d219d45361acf557
SHA1 hash: 7142d7fa49dd421e4afc6f51be7573c5b97153e6

SHA256 hash: 5b83d7edc5187873b341a797ffb21cea5f41609a26402c003ba24808b6680703
MD5 hash: 1c460e280740265937275a74b14eed49
SHA1 hash: 69892edb4bca6dc7a7c808e927e7ed7ed527682a
Detections: redline

SHA256 hash: cff781705d5e34ba26363fb8bd0be22f675bdb5a4ef78a55a58eb3ec97a605c7
MD5 hash: bf1aa58f915e2a50b2fed8d694b8c837
SHA1 hash: bc474a39e6a2ff62c1f3d0f8b1930caffbe124d7

SHA256 hash: 75fc8932ad40c76d48783b1e9042f19983d72163e82065a04b0298c37962915c (this sample)
MD5 hash: fa0e45413ffcfb619ab488952c7d4cf3
SHA1 hash: 2b63ce526925c7915191c989b5c45cccb4958d23
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: MAL_Malware_Imphash_Mar23_1
Author: Arnim Rupp
Description: Detects malware by known bad imphash or rich_pe_header_hash
Reference: https://yaraify.abuse.ch/statistics/

Rule name: SelfExtractingRAR
Author: Xavier Mertens
Description: Detects an SFX archive with automatic script execution

Rule name: Windows_Trojan_Smokeloader_3687686f
Author: Elastic Security

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: RedLineStealer
File: Executable exe 75fc8932ad40c76d48783b1e9042f19983d72163e82065a04b0298c37962915c (this sample)

Comments