MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 be9699ddb8ef8ff9e1fffc01543472334e84ace9eade7a09d8a011ff597e1eb9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer
Vendor detections: 15

SHA256 hash: be9699ddb8ef8ff9e1fffc01543472334e84ace9eade7a09d8a011ff597e1eb9
SHA3-384 hash: f78a48f000b13cc7e605dd6987b1e902fa2ac434afe391e8b9c1591a0dd43b2ae90af5e379e128836eb2a953736a7ffe
SHA1 hash: 55448f1a7a3b6c35f9ff8f0314095b33c89afe47
MD5 hash: fe7d9ebf03d231b3efe82fc9afa5b970
humanhash: fourteen-seven-six-black
File name: fe7d9ebf03d231b3efe82fc9afa5b970.exe
Signature: RedLineStealer
File size: 1'312'596 bytes
First seen: 2023-05-05 05:15:51 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 12e12319f1029ec4f8fcbed7e82df162 (388 x DCRat, 52 x RedLineStealer, 51 x Formbook)
ssdeep: 24576:2TbBv5rUyXVFj3jyKa/fWSP9MQ1xun3YceYMT/NQ0a5GoOW0:IBJFLmnWSN1xunIEL0Fw0
Threatray: 12 similar samples on MalwareBazaar
TLSH: T11D5512027BC598B2C4622D321A355B21B97CBE602F768EDF63C4651DEA225C0E6357B3
TrID: 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
      3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
      2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE): [icon image]
dhash icon: 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
95.217.63.153:21969

Intelligence


File Origin
# of uploads: 1
# of downloads: 266
Origin country: NL
Vendor Threat Intelligence
Malware family: redline
ID: 1
File name: fe7d9ebf03d231b3efe82fc9afa5b970.exe
Verdict: Malicious activity
Analysis date: 2023-05-05 05:18:42 UTC
Tags: rat redline

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process from a recently created file
Launching a process
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Unauthorized injection to a system process
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-vm cmd cmd.exe greyware overlay packed packed setupapi.dll shdocvw.dll shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: MinerDownloader, RedLine, Xmrig
Detection: malicious
Classification: troj.spyw.evad.mine
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Connects to a pastebin service (likely for C&C)
Contains functionality to inject code into remote processes
DNS related to crypt mining pools
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Schedule system process
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic MinerDownloader
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Behavior Graph ID: 859626
Sample: ex6KGPBGCC.exe
Startdate: 05/05/2023
Architecture: WINDOWS
Score: 100
Network (sample level): xmr-eu1.nanopool.org; pastebin.com
Signatures (sample level): Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 15 other signatures
Process tree (signatures in brackets):
ex6KGPBGCC.exe
  dropped: C:\Users\user\AppData\Local\...\k8moka.exe (PE32); C:\Users\user\AppData\Local\...\ft67kqbwu.exe (PE32)
  cmd.exe [Encrypted powershell cmdline option found; Uses schtasks.exe or at.exe to add and modify task schedules]
    k8moka.exe [Antivirus detection for dropped file; Machine Learning detection for dropped file; Writes to foreign memory regions]
      RegSvcs.exe [Writes to foreign memory regions; Injects a PE file into a foreign processes]
        AppLaunch.exe [Sample is not signed and drops a device driver]
          network: github.com 140.82.121.4, 443, 49715, 49716 GITHUBUS United States; raw.githubusercontent.com 185.199.109.133, 443, 49718, 49719 FASTLYUS Netherlands; pastebin.com 104.20.67.143, 443, 49714, 49723 CLOUDFLARENETUS United States
          dropped: C:\ProgramData\Dllhost\winlogson.exe (PE32+); C:\ProgramData\Dllhost\dllhost.exe (PE32); C:\ProgramData\Dllhost\WinRing0x64.sys (PE32+); C:\ProgramData\HostData\logs.uce (ASCII)
          cmd.exe [Encrypted powershell cmdline option found]
            powershell.exe [Query firmware table information (likely to detect VMs)]
              wermgr.exe
            conhost.exe
          cmd.exe
            conhost.exe
            schtasks.exe
          cmd.exe
            conhost.exe
            schtasks.exe
        conhost.exe
      WerFault.exe
    ft67kqbwu.exe [Contains functionality to inject code into remote processes; Allocates memory in foreign processes; Injects a PE file into a foreign processes]
      RegSvcs.exe [Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets]
        network: 95.217.63.153, 21969, 49722 HETZNER-ASDE Germany
      WerFault.exe
        network: 192.168.2.1 unknown unknown
    conhost.exe
    cmd.exe
cmd.exe
  winlogson.exe [Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file]
  conhost.exe
  chcp.com
cmd.exe
  conhost.exe
  2 other processes
7 other processes
  conhost.exe
  chcp.com
  12 other processes
Threat name: Win32.Trojan.Pwsx
Status: Malicious
First seen: 2023-05-05 05:16:10 UTC
File Type: PE (Exe)
Extracted files: 20
AV detection: 15 of 37 (40.54%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: spyware
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unpacked files
SHA256 hash: 5b842b4ddc7329d31be2616f85a8ab7304114c00b029277e2dc49ae6e8acd91c
MD5 hash: ac8b7b600b45334b35125f20175852ff
SHA1 hash: f0ca0188f165e1311cedbd7912ff70b61afb8be2

SHA256 hash: 4d1bc458db107f0a458ab22f11298900bdd339c4c965070261f8b4eed37fe347
MD5 hash: 0e0f04673d8f1ff573774afc69a74784
SHA1 hash: 4f6b9336a677bdea805dd50970a3bf892557ef87

SHA256 hash: 800bd44676a9d7698874b5013fa0cd21c635726784b7fc549699a01bbb295299
MD5 hash: f103a612daa1ae8e22a9fb908cac0ec8
SHA1 hash: 47e455547feffe5ae316eae8821d3bcbb9b01b6c

SHA256 hash: be9699ddb8ef8ff9e1fffc01543472334e84ace9eade7a09d8a011ff597e1eb9
MD5 hash: fe7d9ebf03d231b3efe82fc9afa5b970
SHA1 hash: 55448f1a7a3b6c35f9ff8f0314095b33c89afe47
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: AppLaunch
Author: iam-py-test
Description: Detect files referencing .Net AppLaunch.exe

Rule name: INDICATOR_EXE_Packed_ConfuserEx
Author: ditekSHen
Description: Detects executables packed with ConfuserEx Mod

Rule name: INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
Author: ditekSHen
Description: Detects executables (downloaders) containing URLs to raw contents of a paste

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

Rule name: pe_imphash

Rule name: sfx_pdb
Author: @razvialex
Description: Detect interesting files containing sfx with pdb paths.

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments