MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 83cb5a6474ba3f6b38ea11c903da87e02122bfe7cb5b5222c8a377514d6a5651. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 83cb5a6474ba3f6b38ea11c903da87e02122bfe7cb5b5222c8a377514d6a5651
SHA3-384 hash: 98a5123413ceac5061a9a4c641d8d0e05051805bcb7046ac1e1115fabe6c20d8d9fcb1780b31beb7f40cc4fb7cf65790
SHA1 hash: c0fc392526a0cfbb6da6d2370aa472543eb5f483
MD5 hash: 97e3c486bc9c91531aee41fc5972d330
humanhash: vermont-purple-robin-july
File name:83cb5a6474ba3f6b38ea11c903da87e02122bfe7cb5b5.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'795'937 bytes
First seen:2023-08-13 11:45:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e569e6f445d32ba23766ad67d1e3787f (262 x Adware.Generic, 41 x RecordBreaker, 24 x RedLineStealer)
ssdeep 24576:s7FUDowAyrTVE3U5F/9RZPnOGKic6QL3E2vVsjECUAQT45deRV9RY:sBuZrEU4GKIy029s4C1eH9i
Threatray 347 similar samples on MalwareBazaar
TLSH T1C485CF3FF268A13EC56A1B3245B38310997BBA51B81A8C1E47FC384DCF765601E3B656
TrID 50.4% (.EXE) Inno Setup installer (109740/4/30)
19.7% (.EXE) InstallShield setup (43053/19/16)
19.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
4.8% (.EXE) Win64 Executable (generic) (10523/12/4)
2.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
94.142.138.167:19615

Intelligence

File Origin
# of uploads :
1
# of downloads :
314
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
83cb5a6474ba3f6b38ea11c903da87e02122bfe7cb5b5.exe
Verdict:
No threats detected
Analysis date:
2023-08-13 11:46:54 UTC
Tags:
installer
Link:
https://app.any.run/tasks/ab3e2de1-01dc-4ea5-974e-263ac40188f3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/442502/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.30446.25042.17640.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/102774/overview
Behaviour
MalwareBazaar
CheckNumberOfProcessor
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control installer lolbin overlay packed setupapi shell32
Link:
https://www.filescan.io/uploads/64d8c27ba5c3e653be1891f3/reports/50c1df7c-95e0-43cf-8103-a08b025ee0f2/overview
Verdict:
Malicious
Labled as:
OffLoader.A.gen
Link:
https://www.hybrid-analysis.com/sample/83cb5a6474ba3f6b38ea11c903da87e02122bfe7cb5b5222c8a377514d6a5651
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/790fea56-ab12-4691-b01f-2f1ddc30ee04
Result
Threat name:
NetSupport RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
78 / 100
Link:
https://www.joesandbox.com/analysis/1290661
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1290661 Sample: 83cb5a6474ba3f6b38ea11c903d... Startdate: 13/08/2023 Architecture: WINDOWS Score: 78 188 www.google.com 2->188 190 collect.installeranalytics.com 2->190 192 2 other IPs or domains 2->192 234 Snort IDS alert for network traffic 2->234 236 Malicious sample detected (through community Yara rule) 2->236 238 Antivirus detection for URL or domain 2->238 240 5 other signatures 2->240 12 msiexec.exe 2->12         started        15 83cb5a6474ba3f6b38ea11c903da87e02122bfe7cb5b5.exe 2 2->15         started        17 Windows Updater.exe 2->17         started        20 Windows Updater.exe 2->20         started        signatures3 process4 dnsIp5 142 C:\Windows\Installer\MSIF32F.tmp, PE32 12->142 dropped 144 C:\Windows\Installer\MSIF1E.tmp, PE32 12->144 dropped 146 C:\Windows\Installer\MSIED13.tmp, PE32 12->146 dropped 152 109 other malicious files 12->152 dropped 22 msiexec.exe 12->22         started        27 msiexec.exe 12->27         started        29 msiexec.exe 12->29         started        35 2 other processes 12->35 148 83cb5a6474ba3f6b38...e02122bfe7cb5b5.tmp, PE32 15->148 dropped 31 83cb5a6474ba3f6b38ea11c903da87e02122bfe7cb5b5.tmp 3 27 15->31         started        180 allroadslimit.com 188.114.96.7, 443, 50015 CLOUDFLARENETUS European Union 17->180 150 C:\Windows\Temp\...\Windows Updater.exe, PE32 17->150 dropped 33 Windows Updater.exe 17->33         started        file6 process7 dnsIp8 204 54.160.207.153 AMAZON-AESUS United States 22->204 124 C:\Windows\Temp\shiE4EA.tmp, PE32 22->124 dropped 126 C:\Windows\Temp\shiDE13.tmp, PE32 22->126 dropped 132 2 other malicious files 22->132 dropped 242 Query firmware table information (likely to detect VMs) 22->242 37 taskkill.exe 22->37         started        39 taskkill.exe 22->39         started        41 taskkill.exe 22->41         started        206 pstbbk.com 157.230.96.32, 50004, 80 DIGITALOCEAN-ASNUS United States 27->206 214 2 other IPs or domains 27->214 134 2 other malicious files 27->134 dropped 43 taskkill.exe 27->43         started        136 2 other malicious files 29->136 dropped 208 ambasoftgroup.info 77.246.100.5 MEDIAL-ASRU Russian Federation 31->208 210 www.mildstat.com 23.106.59.52, 49796, 80 LEASEWEB-UK-LON-11GB United Kingdom 31->210 216 5 other IPs or domains 31->216 138 6 other files (5 malicious) 31->138 dropped 244 Performs DNS queries to domains with low reputation 31->244 45 s0.exe 2 31->45         started        48 s3.exe 31->48         started        52 s2.exe 67 31->52         started        212 dl.likeasurfer.com 172.67.150.192 CLOUDFLARENETUS United States 33->212 140 4 other malicious files 33->140 dropped 54 v113.exe 33->54         started        128 C:\Windows\Temp\shiB9D2.tmp, PE32 35->128 dropped 130 C:\Windows\Temp\shiB87A.tmp, PE32 35->130 dropped file9 signatures10 process11 dnsIp12 56 conhost.exe 37->56         started        58 conhost.exe 39->58         started        60 conhost.exe 41->60         started        62 conhost.exe 43->62         started        154 C:\Users\user\AppData\Local\Temp\...\s0.tmp, PE32 45->154 dropped 64 s0.tmp 26 23 45->64         started        172 iplogger.com 148.251.234.93 HETZNER-ASDE Germany 48->172 174 seriopoli.info 48->174 176 m10b18tu.info 48->176 166 8 other malicious files 48->166 dropped 222 Multi AV Scanner detection for dropped file 48->222 68 539516732.exe 48->68         started        178 collect.installeranalytics.com 52->178 156 C:\Users\user\AppData\Roaming\...\decoder.dll, PE32 52->156 dropped 158 C:\Users\user\AppData\...\Windows Updater.exe, PE32 52->158 dropped 168 4 other malicious files 52->168 dropped 71 msiexec.exe 52->71         started        160 C:\Windows\Temp\shi7E31.tmp, PE32+ 54->160 dropped 162 C:\Windows\Temp\MSIB5AE.tmp, PE32 54->162 dropped 164 C:\Windows\Temp\MSIB09C.tmp, PE32 54->164 dropped 170 4 other malicious files 54->170 dropped 73 msiexec.exe 54->73         started        file13 signatures14 process15 dnsIp16 102 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 64->102 dropped 104 C:\...\unins000.exe (copy), PE32 64->104 dropped 106 C:\Program Files (x86)\...\is-LK4OJ.tmp, PE32 64->106 dropped 108 11 other files (10 malicious) 64->108 dropped 224 Obfuscated command line found 64->224 75 cmd.exe 1 64->75         started        77 cmd.exe 13 64->77         started        79 cmd.exe 1 64->79         started        81 wmiprvse.exe 17 64->81         started        200 b47n300.info 77.105.136.3 PLUSTELECOM-ASRU Russian Federation 68->200 202 api.ip.sb 68->202 226 Detected unpacking (changes PE section rights) 68->226 228 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 68->228 230 Tries to detect sandboxes and other dynamic analysis tools (window names) 68->230 232 7 other signatures 68->232 file17 signatures18 process19 dnsIp20 84 expand.exe 25 75->84         started        87 conhost.exe 75->87         started        89 chrome.exe 19 77->89         started        92 conhost.exe 77->92         started        94 reg.exe 1 1 79->94         started        97 conhost.exe 79->97         started        182 familystrike.top 5.8.54.110, 1203, 49722 PINDC-ASRU Russian Federation 81->182 184 geography.netsupportsoftware.com 51.142.119.24, 49746, 80 MICROSOFT-CORP-MSN-AS-BLOCKUS United Kingdom 81->184 186 geo.netsupportsoftware.com 81->186 process21 dnsIp22 110 C:\ProgramData\...\wmiprvse.exe (copy), PE32 84->110 dropped 112 C:\ProgramData\...\remcmdstub.exe (copy), PE32 84->112 dropped 114 C:\ProgramData\...\pcicapi.dll (copy), PE32 84->114 dropped 122 15 other files (13 malicious) 84->122 dropped 218 192.168.2.1 unknown unknown 89->218 220 239.255.255.250 unknown Reserved 89->220 116 C:\...\pnacl_public_x86_64_pnacl_sz_nexe, ELF 89->116 dropped 118 C:\...\pnacl_public_x86_64_pnacl_llc_nexe, ELF 89->118 dropped 120 C:\...\pnacl_public_x86_64_ld_nexe, ELF 89->120 dropped 99 chrome.exe 89->99         started        246 Creates an undocumented autostart registry key 94->246 file23 signatures24 process25 dnsIp26 194 part-0032.t-0009.t-msedge.net 13.107.246.60, 443, 49855 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 99->194 196 www.google.com 142.251.36.164, 443, 49775, 50037 GOOGLEUS United States 99->196 198 8 other IPs or domains 99->198
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/83cb5a6474ba3f6b38ea11c903da87e02122bfe7cb5b5222c8a377514d6a5651/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-08-13 11:46:06 UTC
File Type:
PE (Exe)
Extracted files:
15
AV detection:
15 of 24 (62.50%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qpfvuzduxi7wwohkcheqhwuh4aqsfp7hznnveiwiun3vctlkkziq._file
Verdict:
unknown
Similar samples:
036a1add9895a7554cefaeb07d48cd9e2af856aaf42c5901ba99f45717008f34
RedLineStealer
24a93ddf60120497dd5848ec03147621840eb5b371d81a999e8af55f959466db
RedLineStealer
489eade7becb78deb88c28f80a3fc5d22e071ef8cb629f79d5e6fdebdee8ae70
RedLineStealer
5a4b558e3f228adc43c877a56890612ba69b2e112ca8e0fdd538581e0dc6898b
RedLineStealer
63fe94f5903f4d969dd1e3032497a9f7ed693410a1a58a9857aaf22826bb0115
RedLineStealer
6b109e55911293b4e5098d3711849b85499a988385721863a01c2e0dcd9ba0a6
RedLineStealer
6c3f24ff26c5d2f16ae6aa8842e97d402c2e203d0aa2798a40f4dc000554dbca
RedLineStealer
759e360b7e36dd9f7365f452324aafd783f2ed9c057cea4bd8d394b4e69b2e66
RedLineStealer
87f58956937f84708706f515675d0b48125ace13ede701886e433cc8b336720d
RedLineStealer
+ 337 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230813-nxaffsbe74/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
c7c404226965dad7cb9fd139e8248859f0abb4d5e3a6b1dbaacd1d5ac4d33853
MD5 hash:
17e38b2cb854159a1aa77d572bb814ff
SHA1 hash:
22e3e1594e3b6acbc2526ede1eb21e9830f4f610
Link:
https://www.unpac.me/results/43e6d256-72aa-4242-91cc-9e39c0096b1f/
SH256 hash:
92ee7e5a068c426f4659b8a9a8715fe6898ade5e5ef64e22b7ece5972aabeaea
MD5 hash:
0ba94d74ed0c254d2a5cdff61142b5e7
SHA1 hash:
d230a815e3988d0ccfc5d97cb4cad99f2f4301c6
Link:
https://www.unpac.me/results/43e6d256-72aa-4242-91cc-9e39c0096b1f/
SH256 hash:
7124bff6dc2376be312173a714ff637bfc9147e928acda7a21fd3be4d531a38c
MD5 hash:
8e2db3597dd6edca7a489d98d4ad195d
SHA1 hash:
718a9eb5d5243e19336a599aa6c90cce96bc2de1
Link:
https://www.unpac.me/results/43e6d256-72aa-4242-91cc-9e39c0096b1f/
SH256 hash:
83cb5a6474ba3f6b38ea11c903da87e02122bfe7cb5b5222c8a377514d6a5651
MD5 hash:
97e3c486bc9c91531aee41fc5972d330
SHA1 hash:
c0fc392526a0cfbb6da6d2370aa472543eb5f483
Link:
https://www.unpac.me/results/43e6d256-72aa-4242-91cc-9e39c0096b1f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/83cb5a6474ba/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/83cb5a6474ba3f6b38ea11c903da87e02122bfe7cb5b5222c8a377514d6a5651

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/442502/

Comments