MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c21aa7be1ee9b32dd1d19f84b901f7bcd410584e89b570051a9603e547158d42. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 17 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c21aa7be1ee9b32dd1d19f84b901f7bcd410584e89b570051a9603e547158d42
SHA3-384 hash: e931fa3a25f15a3f681257ef384a4c50464ae192c53e58ca36416bcbd8487addfe4128672b06c5fb949be1d6f427a4e4
SHA1 hash: b35bda59573f498892ce62e527b3646ef095fa0f
MD5 hash: 2888f09527270a001e069c9a6e1c72b1
humanhash: oscar-uranus-nine-winter
File name:NiggaExecutor.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:8'040'640 bytes
First seen:2025-03-13 23:41:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 98304:eo1aiQ5+ci9GC4bFs/vBRAwQTtAitvZ97ZLq40367JwYTYqK7bV9iQ:VwiUst/vBRWTWith9dzVwYE9Z9iQ
TLSH T14886331673D88192C7DA87BED1E21B84E7F0B5126B03D39B66BD4AB62D133E04E15363
TrID 40.5% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
21.9% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.4% (.EXE) Win64 Executable (generic) (10522/11/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Magika pebin
dhash icon 64319c6169697214 (1 x RedLineStealer)
Reporter 2huMarisa
Tags:exe RAT RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
488
Origin country :
CA CA
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
NiggaExecutor.exe
Verdict:
No threats detected
Analysis date:
2025-03-13 23:42:52 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d7023d27-06b3-4400-9194-af4ee1fe88be

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67d384293962f1a6f4710e73
Tags:
vmprotect autorun autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
crypt obfuscated overlay packed packed packer_detected powershell reconnaissance threat vbnet
Link:
https://www.filescan.io/uploads/67d36d4fd2c4beeae925024c/reports/e58ebf5c-842d-4c6e-a0dc-51885e933b77/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/c21aa7be1ee9b32dd1d19f84b901f7bcd410584e89b570051a9603e547158d42
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/94b7b494-f101-4e85-b6c9-a8e264ad1755
Result
Threat name:
Babadeda, ETHCoinMiner
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1637830
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to detect sleep reduction / modifications
Drops PE files to the startup folder
Found stalling execution ending in API Sleep call
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Yara detected Babadeda
Yara detected Defender Control Hacktool
Yara detected ETHCoinMiner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1637830 Sample: NiggaExecutor.exe Startdate: 14/03/2025 Architecture: WINDOWS Score: 100 78 spookier-shifts.000webhostapp.com 2->78 80 api64.ipify.org 2->80 82 198.187.3.20.in-addr.arpa 2->82 86 Malicious sample detected (through community Yara rule) 2->86 88 Antivirus detection for dropped file 2->88 90 Antivirus / Scanner detection for submitted sample 2->90 92 7 other signatures 2->92 11 NiggaExecutor.exe 15 4 2->11         started        16 Defender.exe 2->16         started        18 Bypass.exe 2->18         started        20 3 other processes 2->20 signatures3 process4 dnsIp5 84 api64.ipify.org 104.237.62.213, 443, 49713, 49714 WEBNXUS United States 11->84 72 C:\Users\user\AppData\...\KernelUpdate1.exe, PE32+ 11->72 dropped 114 Query firmware table information (likely to detect VMs) 11->114 116 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 11->116 22 KernelUpdate1.exe 11 11->22         started        26 WerFault.exe 19 16 11->26         started        74 C:\Users\user\AppData\Local\...\Defender.exe, PE32+ 16->74 dropped 28 cmd.exe 16->28         started        30 Defender.exe 18->30         started        32 WerFault.exe 18->32         started        file6 signatures7 process8 file9 66 C:\Users\user\AppData\Roaming\Process.exe, PE32 22->66 dropped 68 C:\Users\user\AppData\Roaming\Defender.exe, PE32+ 22->68 dropped 70 C:\Users\user\AppData\Roaming\Bypass.exe, PE32 22->70 dropped 108 Antivirus detection for dropped file 22->108 110 Multi AV Scanner detection for dropped file 22->110 34 cmd.exe 4 22->34         started        38 Defender.exe 28->38         started        40 conhost.exe 28->40         started        112 Allocates memory in foreign processes 30->112 42 Defender.exe 30->42         started        signatures10 process11 file12 58 C:\Users\user\AppData\Roaming\...\Process.exe, PE32 34->58 dropped 60 C:\Users\user\AppData\...\Defender.exe, PE32+ 34->60 dropped 62 C:\Users\user\AppData\Roaming\...\Bypass.exe, PE32 34->62 dropped 94 Drops PE files to the startup folder 34->94 44 Bypass.exe 1 34->44         started        48 conhost.exe 34->48         started        96 Antivirus detection for dropped file 38->96 98 Multi AV Scanner detection for dropped file 38->98 signatures13 process14 file15 76 C:\Users\user\AppData\Local\...\Defender.exe, PE32 44->76 dropped 118 Antivirus detection for dropped file 44->118 120 Multi AV Scanner detection for dropped file 44->120 50 Defender.exe 6 44->50         started        54 WerFault.exe 21 16 44->54         started        signatures16 process17 file18 64 C:\Windows\System32behaviorgraphroupPolicy\gpt.ini, ASCII 50->64 dropped 100 Multi AV Scanner detection for dropped file 50->100 102 Found stalling execution ending in API Sleep call 50->102 104 Allocates memory in foreign processes 50->104 106 2 other signatures 50->106 56 Defender.exe 1 2 50->56         started        signatures19 process20
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c21aa7be1ee9b32dd1d19f84b901f7bcd410584e89b570051a9603e547158d42
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c21aa7be1ee9b32dd1d19f84b901f7bcd410584e89b570051a9603e547158d42/
Threat name:
Win32.Exploit.Generic
Create hunting rule
Status:
Malicious
First seen:
2021-06-20 09:22:35 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
31 of 38 (81.58%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yinkppq65gzs3uort6clsapxxtkbawcorg2xabi2syb6kryvrvba._file
Verdict:
malicious
Label(s):
admintool_powerrun
Create hunting rule
Similar samples:
error
RedLineStealer
Result
Malware family:
n/a
Score:
  10/10
Tags:
defense_evasion discovery evasion spyware stealer trojan
Link:
https://tria.ge/reports/250313-3p2x3aymz6/
Behaviour
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in System32 directory
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
Modifies Windows Defender DisableAntiSpyware settings
Modifies security service
Verdict:
Malicious
Tags:
Win.Malware.Trojanx-9937146-0
YARA:
n/a
Link:
https://app.threat.zone/submission/6d7aa88f-282b-4fda-ab96-884c51750402
Unpacked files
SH256 hash:
c21aa7be1ee9b32dd1d19f84b901f7bcd410584e89b570051a9603e547158d42
MD5 hash:
2888f09527270a001e069c9a6e1c72b1
SHA1 hash:
b35bda59573f498892ce62e527b3646ef095fa0f
Link:
https://www.unpac.me/results/75022ac8-e46e-4934-b3c4-eef8888dcee6/
SH256 hash:
789f8ed4b4b523c7cb39f4b59bdbb3b7c4e59666bce44512bf88540c4eaacf42
MD5 hash:
cafbcf5e0458b458b7578a7fe8511bc6
SHA1 hash:
4da49012a513021722f930106da799abb1af138b
Link:
https://www.unpac.me/results/75022ac8-e46e-4934-b3c4-eef8888dcee6/
SH256 hash:
966a474060a8aca70c73ba09d0b6fe2353035961c7107b9003ef879c010ff8da
MD5 hash:
02c63f568e598aad85dd401d7b26e82a
SHA1 hash:
2da9ec7612835e1f69d4a93aa2d49ec9bdff7f7c
Link:
https://www.unpac.me/results/75022ac8-e46e-4934-b3c4-eef8888dcee6/
SH256 hash:
666d44798d94eafa1ed21af79e9bc0293ffd96f863ab5d87f78bcee9ef9ffd6b
MD5 hash:
17ed442e8485ac3f7dc5b3c089654a61
SHA1 hash:
d3a17c1fdd6d54951141053f88bf8238dea0b937
Link:
https://www.unpac.me/results/75022ac8-e46e-4934-b3c4-eef8888dcee6/
SH256 hash:
bafa6ed04ca2782270074127a0498dde022c2a9f4096c6bb2b8e3c08bb3d404d
MD5 hash:
0bd34aa29c7ea4181900797395a6da78
SHA1 hash:
ddffdcef29daddc36ca7d8ae2c8e01c1c8bb23a8
Detections:
SUSP_NET_Large_Static_Array_In_Small_File_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/75022ac8-e46e-4934-b3c4-eef8888dcee6/
Parent samples :
c21aa7be1ee9b32dd1d19f84b901f7bcd410584e89b570051a9603e547158d42
e723709ebd1439aa76c850f99d7843b0125f5c8456a53ade128da884e650382e
ee5b17af1bea3ce53b9a6bb09c21f634b9465fe505a01177b9eb33943f3021d3
4e90fa3f4197c83ee858b522e2a99a8145da5e0f972f06a9b825e4a2781dc550
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c21aa7be1ee9b32dd1d19f84b901f7bcd410584e89b570051a9603e547158d42

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:Lumma_Stealer_Detection
Create hunting rule
Author:ashizZz
Description:Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference:https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETDLLMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments