MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 93112b749d371ad66f0f856a1c0c93d14f67960c644b6634a5d78dc33d0d8e0e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

SHA256 hash: 93112b749d371ad66f0f856a1c0c93d14f67960c644b6634a5d78dc33d0d8e0e
SHA3-384 hash: 1122c8af732cd5e8bcbe0faa423df4d7e17c8a47da38f73be0d9294992f8b2131cc2d30c9cd9aab45f8083493cb9d800
SHA1 hash: 73c454855ad2613b223f7793397cff5b636e3511
MD5 hash: f68190d02dd017828c9e457b80a369a9
humanhash: robin-texas-south-mirror
File name: 93112B749D371AD66F0F856A1C0C93D14F67960C644B6.exe
Signature: RedLineStealer
File size: 5'157'376 bytes
First seen: 2023-04-02 05:40:18 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f540b6d6dcfc33b21d0deb0ccba24751 (3 x RedLineStealer, 2 x PrivateLoader, 2 x Amadey)
ssdeep: 98304:HE1/qHZLs2db/0lTp94U7mZCvSZVdBLvuUKGzRVddpyetVjqKvuEPi4Fs:HE1/qHtrLypiU7mZCvSXWoVtRtK
TLSH: T12336236721710096E4F78C36872B7DE233F2176609C36CBC74EAAEC93562590B617E93
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: d4d0c0e49892b2a2 (1 x PrivateLoader, 1 x LaplasClipper, 1 x RedLineStealer)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
82.115.223.9:28881

Intelligence

File Origin
# of uploads: 1
# of downloads: 296
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 93112B749D371AD66F0F856A1C0C93D14F67960C644B6.exe
Verdict: Malicious activity
Analysis date: 2023-04-02 05:43:31 UTC
Tags: evasion opendir privateloader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a file in the Windows subdirectories
Creating synchronization primitives
Modifying a system file
Sending an HTTP GET request
Replacing files
DNS request
Sending a custom TCP request
Launching a service
Launching a process
Reading critical registry keys
Creating a file
Sending a UDP request
Forced system process termination
Searching for synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% subdirectories
Creating a window
Blocking the Windows Defender launch
Query of malicious DNS domain
Adding exclusions to Windows Defender
Sending an HTTP GET request to an infection source
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware packed packed privateloader shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Amadey, Fabookie, Nymaim, RedLine, Smoke
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the document folder of the user
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Group Policy settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Writes to foreign memory regions
Yara detected Amadeys stealer DLL
Yara detected Costura Assembly Loader
Yara detected Fabookie
Yara detected Nymaim
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph ID: 839418
Sample: 93112B749D371AD66F0F856A1C0...
Start date: 02/04/2023
Architecture: WINDOWS
Score: 100

Behavior Graph (process tree; "Network" lists contacted IPs with AS and country, "Dropped" lists written files with their type):

[submission]
    Network: 45.12.253.98 (CMCSUS, Germany)
    Signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 23 other signatures
    Started:
    - 93112B749D371AD66F0F856A1C0C93D14F67960C644B6.exe
        Network: 87.240.132.78 (VKONTAKTE-SPB-AShttpvkcomRU, Russian Federation); 95.142.206.0 (VKONTAKTE-SPB-AShttpvkcomRU, Russian Federation); 16 other IPs or domains
        Dropped: C:\Users\...\pAEftml6Z9tsd6ypaHiLn9FQ.exe (PE32); C:\Users\...\okryAvXYj3P5pSxbI2wiFhOf.exe (PE32); C:\Users\...\mo8QOfyZ4ywSzIOiEHHgQtZY.exe (PE32); 14 other malicious files
        Signatures: Creates HTML files with .exe extension (expired dropper behavior); Disables Windows Defender (deletes autostart); Modifies Group Policy settings; 2 other signatures
        Started:
        - J37ox0IdKUBseQZyy_xSdIUh.exe
            Signatures: Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration); Creates a thread in another existing process (thread injection)
            Injected:
            - explorer.exe
                Network: 123.140.161.243 (LGDACOMLGDACOMCorporationKR, Korea Republic of); 211.171.233.129 (LGDACOMLGDACOMCorporationKR, Korea Republic of); 188.114.96.7 (CLOUDFLARENETUS, European Union)
                Dropped: C:\Users\user\AppData\Roaming\fwiudur (PE32); C:\Users\user\AppData\Local\Temp\D804.exe (PE32); 6 other malicious files
                Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Hides that the sample has been downloaded from the Internet (zone.identifier)
                Started:
                - rundll32.exe
        - okryAvXYj3P5pSxbI2wiFhOf.exe
            Dropped: C:\Windows\Temp\321.exe (PE32); C:\Windows\Temp\123.exe (PE32)
            Started:
            - 321.exe
                Network: 127.0.0.1 (unknown)
                Dropped: C:\Users\user\AppData\...\DownloadMetadata (PDP-11)
                Signatures: Multi AV Scanner detection for dropped file; Query firmware table information (likely to detect VMs); Tries to detect sandboxes and other dynamic analysis tools (window names); Tries to harvest and steal browser information (history, passwords, etc)
            - 123.exe
                Network: 51.210.161.21 (OVHFR, France)
                Signatures: Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check)
        - hsVSuw2og20BthlHg5oWBE6z.exe
            Dropped: C:\Users\user\AppData\Local\...\is-NF9A5.tmp (PE32)
            Started:
            - is-NF9A5.tmp
                Dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Users\user\AppData\Local\...\_iscrypt.dll (PE32); 7 other files (5 malicious)
                Started:
                - FRec42.exe
                    Network: 45.12.253.56, 45.12.253.72, 45.12.253.75 (CMCSUS, Germany)
                    Dropped: C:\Users\user\AppData\...\c1BTNdDqaq.exe (PE32)
                    Started:
                    - c1BTNdDqaq.exe
                        Signatures: Multi AV Scanner detection for dropped file
        - 7 other processes
            Network: 185.11.61.125 (VERTEX-ASRU, Russian Federation); 149.154.167.99 (TELEGRAMRU, United Kingdom); 7 other IPs or domains
            Dropped: C:\Users\...\FPTlLjG0_Rt6ECOYMewkI3Aa.exe (MS-DOS); C:\Users\user\AppData\Local\...\kina4477.exe (PE32); C:\Users\user\AppData\Local\...\ge626508.exe (PE32); 4 other malicious files
            Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Query firmware table information (likely to detect VMs); 6 other signatures
            Started:
            - kina4477.exe
                Dropped: C:\Users\user\AppData\Local\...\kina2967.exe (PE32); C:\Users\user\AppData\Local\...\en094725.exe (PE32)
                Started:
                - kina2967.exe
                    Dropped: C:\Users\user\AppData\Local\...\kina1777.exe (PE32); C:\Users\user\AppData\Local\...\dBH10s18.exe (PE32)
                    Started:
                    - kina1777.exe
                        Dropped: C:\Users\user\AppData\Local\...\cor6838.exe (PE32); C:\Users\user\AppData\Local\...\bu258299.exe (PE32)
                        Started:
                        - bu258299.exe
                            Signatures: Multi AV Scanner detection for dropped file; Disable Windows Defender notifications (registry)
            - Install.exe
                Started:
                - config.exe
                    Dropped: C:\Users\user\AppData\Local\...\ilFbciO.exe (PE32)
                    Started:
                    - forfiles.exe
                        Started:
                        - cmd.exe
                            Signatures: Uses cmd line tools excessively to alter registry or file data
                            Started:
                            - reg.exe
                        - conhost.exe
                    - forfiles.exe
            - AppLaunch.exe
                Network: 176.123.9.142 (ALEXHOSTMD, Moldova Republic of)
                Signatures: Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
            - conhost.exe
    - svchost.exe
        Started:
        - cmd.exe
            Signatures: Uses cmd line tools excessively to alter registry or file data
            Started: 2 other processes
        - conhost.exe
    - svchost.exe
        Signatures: Changes security center settings (notifications, updates, antivirus, firewall)
    - 8 other processes
        Network: 192.168.2.1 (unknown)
        Signatures: Query firmware table information (likely to detect VMs)
Threat name: Win32.Trojan.Privateloader
Status: Malicious
First seen: 2023-02-14 14:48:25 UTC
File Type: PE (Exe)
Extracted files: 10
AV detection: 24 of 37 (64.86%)
Threat level: 5/5
Result
Malware family: privateloader
Score: 10/10
Tags: family:privateloader loader spyware stealer vmprotect
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Drops file in System32 directory
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
VMProtect packed file
PrivateLoader
Unpacked files
SHA256 hash: 93112b749d371ad66f0f856a1c0c93d14f67960c644b6634a5d78dc33d0d8e0e
MD5 hash: f68190d02dd017828c9e457b80a369a9
SHA1 hash: 73c454855ad2613b223f7793397cff5b636e3511
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_VMProtect
Author: ditekSHen
Description: Detects executables packed with VMProtect.

Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name: malware_shellcode_hash
Author: JPCERT/CC Incident Response Group
Description: detect shellcode api hash value

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: Windows_Trojan_Smokeloader_3687686f
Author: Elastic Security

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments