MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 82ae530eb29e0c64986dbd019f86cac5eff3daf3c1fb861757a60252eb1e4661. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 13



SHA256 hash: 82ae530eb29e0c64986dbd019f86cac5eff3daf3c1fb861757a60252eb1e4661
SHA3-384 hash: f97a293a5dd01ded2d8a4fc0855e5555d0ba155b2b3d2a58896f95455bbe3fa6988e5ce87509f8094e988b4eb2843966
SHA1 hash: 65b5c6a6c72a845d5610d82ca2aa9a301a907e43
MD5 hash: 585d78b9ffc988d345e7a2a0ee119111
humanhash: double-hotel-north-kitten
File name: 585d78b9ffc988d345e7a2a0ee119111.exe
Signature RedLineStealer
File size: 25'028'096 bytes
First seen: 2024-05-11 11:35:16 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash d59a4a699610169663a929d37c90be43 (75 x DCRat, 22 x njrat, 15 x SalatStealer)
ssdeep 393216:849/fUrtpuKs+JINSpjQNjqsVsUzpX/Swl6YdecNbLX3IjD4BzB/RLG0jV7ZIfue:cBZs+JIgpjQosVRlKwlOq/X2EtF9IGe
Threatray 899 similar samples on MalwareBazaar
TLSH T1C5473310BF04CF21F14A4632C1AF43504775AA56A271E36B7A783BAEF9623D25C1E6C7
TrID 49.9% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.6% (.EXE) OS/2 Executable (generic) (2029/13)
9.5% (.EXE) Generic Win/DOS Executable (2002/3)
9.4% (.EXE) DOS Executable Generic (2000/1)
dhash icon 60ec9696cc9cf270 (1 x RedLineStealer)
Reporter abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
176.123.161.158:1337

Intelligence


File Origin
# of uploads: 1
# of downloads: 404
Origin country: NL
Vendor Threat Intelligence
Malware family: redline
ID: 1
File name: 82ae530eb29e0c64986dbd019f86cac5eff3daf3c1fb861757a60252eb1e4661.exe
Verdict: Malicious activity
Analysis date: 2024-05-11 11:37:53 UTC
Tags: stealer meta metastealer redline miner

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a window
Searching for the window
Creating a file
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Deleting a system file
Launching a process
Creating a service
Launching a service
Reading critical registry keys
Creating a file in the Windows subdirectories
Sending an HTTP GET request
Setting browser functions hooks
Unauthorized injection to a recently created process
Connection attempt to an infection source
Sending a TCP request to an infection source
Enabling autorun for a service
Stealing user critical data
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Changing the hosts file
Unauthorized injection to a browser process
Result
Threat name: DCRat, PureLog Stealer, RedLine, zgRAT
Detection: malicious
Classification: troj.adwa.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Drops executables to the windows directory (C:\Windows) and starts them
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Injects a PE file into a foreign process
Injects code into the Windows Explorer (explorer.exe)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample is not signed and drops a device driver
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Schedule system process
Sigma detected: Stop EventLog
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected DCRat
Yara detected Generic Downloader
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected zgRAT
Behaviour
Behavior Graph: [graph image not reproduced here; Behavior Graph ID: 1439999, Sample: 2GAcJejuxn.exe, Startdate: 11/05/2024, Architecture: WINDOWS, Score: 100]
Threat name: ByteCode-MSIL.Backdoor.DCRat
Status: Malicious
First seen: 2024-05-05 19:54:06 UTC
File Type: PE (Exe)
Extracted files: 57
AV detection: 33 of 38 (86.84%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:dcrat family:zgrat discovery evasion execution infostealer persistence rat spyware stealer
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
.NET Reactor protector
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Drops file in Drivers directory
Sets service image path in registry
Stops running service(s)
DCRat payload
DcRat
Detect ZGRat V1
Modifies security service
ZGRat
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: AutoIT_Compiled
Author: @bartblaze
Description: Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerHiding__Thread
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DotNet_Reactor
Author: @bartblaze
Description: Identifies .NET Reactor, which offers .NET code protection such as obfuscation, encryption and so on.
Rule name: INDICATOR_EXE_Packed_DotNetReactor
Author: ditekSHen
Description: Detects executables packed with unregistered version of .NET Reactor
Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: MALWARE_Win_MetaStealer
Author: ditekSHen
Description: Detects MetaStealer infostealer
Rule name: MALWARE_Win_R77
Author: ditekSHen
Description: Detects r77 rootkit
Rule name: MALWARE_Win_zgRAT
Author: ditekSHen
Description: Detects zgRAT
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: NET
Author: malware-lu
Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: PureCrypter
Author: @bartblaze
Description: Identifies PureCrypter, .NET loader and obfuscator.
Reference: https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter
Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants
Rule name: SelfExtractingRAR
Author: Xavier Mertens
Description: Detects an SFX archive with automatic script execution
Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants
Rule name: SUSP_Microsoft_RAR_SFX_Combo
Author: Florian Roth (Nextron Systems)
Description: Detects a suspicious file that has a Microsoft copyright and is a RAR SFX
Reference: Internal Research
Rule name: SUSP_Microsoft_RAR_SFX_Combo_RID3154
Author: Florian Roth
Description: Detects a suspicious file that has a Microsoft copyright and is a RAR SFX
Reference: Internal Research
Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: Windows_Rootkit_R77_d0367e28
Author: Elastic Security
Reference: https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit
Rule name: Windows_Trojan_RedLineStealer_6dfafd7b
Author: Elastic Security

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                  Title                                                     Severity
CHECK_AUTHENTICODE  Missing Authenticode                                      high
CHECK_NX            Missing Non-Executable Memory Protection                  critical
CHECK_PIE           Missing Position-Independent Executable (PIE) Protection  high

Reviews
ID                 Capabilities                    Evidence
SHELL_API          Manipulates System Shell        shell32.dll::ShellExecuteA
WIN32_PROCESS_API  Can Create Process and Threads  kernel32.dll::CloseHandle
WIN_BASE_IO_API    Can Create Files                kernel32.dll::CreateFileA
                                                   kernel32.dll::GetWindowsDirectoryA
                                                   kernel32.dll::GetSystemDirectoryA
                                                   kernel32.dll::GetTempPathA
