Threat name: Glupteba, ManusCrypt, Nymaim, PrivateLoa
Alert
Classification: troj.spyw.evad.mine
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates an autostart registry key pointing to binary in C:\Windows
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Downloads files with wrong headers with respect to MIME Content-Type
Drops PE files to the document folder of the user
Found C&C like URL pattern
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Modifies Group Policy settings
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sets debug register (to hijack the execution of another thread)
Sigma detected: Schedule binary from dotnet directory
Snort IDS alert for network traffic
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected PrivateLoader
Yara detected Raccoon Stealer v2
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Behavior Graph
ID: 822899
Sample: oCT5AFWeqz.exe
Startdate: 09/03/2023
Architecture: WINDOWS
Score: 100

Process tree reconstructed from the behavior graph. Child processes are marked "started" or "injected"; network contacts, dropped files and signatures are listed under the process that produced them.

[analysis root: oCT5AFWeqz.exe]
  network: 45.12.253.98 (CMCSUS, Germany)
  signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 29 other signatures
  started: oCT5AFWeqz.exe
    network: 91.215.85.15, 49705, 80 (PINDC-ASRU, Russian Federation); 94.142.138.113, 49695, 80 (IHOR-ASRU, Russian Federation); 16 other IPs or domains
    dropped: C:\Users\...\yYIWS83YO4xxZmZrtI2PPYMT.exe (PE32); C:\Users\...\uaDschYQuxAn_FRxSuiDlJH4.exe (PE32); C:\Users\...\tAIUbL0d8JSTtd5K1Dr0wn4V.exe (PE32); 18 other malicious files
    signatures: Detected unpacking (changes PE section rights); May check the online IP address of the machine; Creates HTML files with .exe extension (expired dropper behavior); 4 other signatures
    started: yYIWS83YO4xxZmZrtI2PPYMT.exe
      dropped: C:\Windows\Temp\321.exe (PE32); C:\Windows\Temp\1234.exe (PE32); C:\Windows\Temp\123.exe (PE32)
      started: 123.exe
        signatures: Multi AV Scanner detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes
        started: RegSvcs.exe
          network: 51.89.204.181 (OVHFR, France)
          signatures: Suspicious powershell command line found; Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Uses schtasks.exe or at.exe to add and modify task schedules
        started: conhost.exe
        started: WerFault.exe
      started: 1234.exe
        signatures: Injects a PE file into a foreign process
        started: RegSvcs.exe
          network: ip-api.com 208.95.112.1 (TUT-ASUS, United States); 46.173.218.172 (GARANT-PARK-INTERNETRU, Russian Federation)
          signatures: Creates an autostart registry key pointing to binary in C:\Windows; Adds a directory exclusion to Windows Defender
          started: powershell.exe
            started: conhost.exe
          started: schtasks.exe
            started: conhost.exe
        started: conhost.exe
        started: WerFault.exe
      started: 321.exe
        network: 127.0.0.1 (unknown)
        signatures: Tries to harvest and steal browser information (history, passwords, etc)
    started: R1FiAuj1ffEOOzVv031TWaj9.exe
      signatures: Injects a PE file into a foreign process
      started: R1FiAuj1ffEOOzVv031TWaj9.exe
        signatures: Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration); Creates a thread in another existing process (thread injection)
        injected: explorer.exe
          dropped: C:\Users\user\AppData\Roaming\sjgabts (PE32)
          signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Hides that the sample has been downloaded from the Internet (zone.identifier)
    started: tAIUbL0d8JSTtd5K1Dr0wn4V.exe
      dropped: C:\Users\user\AppData\Local\...\is-LSGA6.tmp (PE32)
      started: is-LSGA6.tmp
        dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Users\user\AppData\Local\...\_isdecmp.dll (PE32); C:\Users\user\AppData\Local\...\_iscrypt.dll (PE32); 7 other files (5 malicious)
        started: FRec39.exe
          network: 45.12.253.56 (CMCSUS, Germany); 45.12.253.72 (CMCSUS, Germany); 45.12.253.75 (CMCSUS, Germany)
          dropped: C:\Users\user\AppData\...\qCFr1JeARuD.exe (PE32)
    started: 9 other processes
      network: 185.11.61.125 (VERTEX-ASRU, Russian Federation); t.me 149.154.167.99 (TELEGRAMRU, United Kingdom); 15 other IPs or domains
      dropped: C:\Users\...\6fl4nGhTk5tmmbZsSsUlgp32.exe (PE32); C:\Users\user\AppData\Local\...\5051796.dll (PE32); C:\Users\user\AppData\Local\...\WWW14[1].bmp (PE32); 3 other malicious files
      signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to steal Crypto Currency Wallets
      started: 3cNXAOPUdfVL6F9Mcb_gtfpn.exe
        network: xv.yxzgamen.com 188.114.96.3 (CLOUDFLARENETUS, European Union); 192.168.2.1 (unknown)
        dropped: C:\Users\user\AppData\Local\Temp\db.dll (PE32)
      started: ngentask.exe
        network: 185.244.182.218 (BELCLOUDBG, Russian Federation)
      started: WerFault.exe
  started: rundll32.exe
    started: rundll32.exe
      signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
      injected: svchost.exe
        signatures: Sets debug register (to hijack the execution of another thread); Modifies the context of a thread in another process (thread injection)
  started: svchost.exe
    started: WerFault.exe
      signatures: Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
    started: WerFault.exe
    started: WerFault.exe
  started: 4 other processes
    started: conhost.exe