MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c5823cb418fd908d94a8c85638c0e60b16151db371c64291f26489c29f9ddaa0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 7

SHA256 hash: c5823cb418fd908d94a8c85638c0e60b16151db371c64291f26489c29f9ddaa0
SHA3-384 hash: 05ce570e4ebbdead80ce842a7c170f0e1a7ad49867e12f60340502ec2e339465090cf80c05299dc895aaf3853e57cc96
SHA1 hash: fae6a858ac9f19d4588dddffea3b10dee855de76
MD5 hash: 44c96af11be3a1e83f0be5c801a8b9c4
humanhash: earth-quiet-sixteen-orange
File name: 44c96af11be3a1e83f0be5c801a8b9c4.exe
Signature: RedLineStealer
File size: 10'135'040 bytes
First seen: 2021-08-22 06:30:28 UTC
Last seen: 2021-08-22 07:59:59 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep: 196608:I10H2BgDy98POpILqlkXmxwTitslpkt3vaGdU6d2ZYExj0jSgi1:I10H2BgDy98POpILqlkXmxwTitslpktK
TLSH: T15BA67B01A7E0492AE47E53B8C4B3462D83B0FC56AF66E38F56D061AD2E33741DE2175B
dhash icon: f8f8ece4ece0e4f4 (1 x RedLineStealer)
Reporter: abuse_ch
Tags: exe RedLineStealer

Intelligence


File Origin
# of uploads: 2
# of downloads: 96
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 44c96af11be3a1e83f0be5c801a8b9c4.exe
Verdict: No threats detected
Analysis date: 2021-08-22 06:31:12 UTC
Tags: installer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the system32 subdirectories
DNS request
Connection attempt
Sending a custom TCP request
Creating a file in the Windows subdirectories
Moving a file to the Windows subdirectory
Launching a process
Creating a process with a hidden window
Sending a UDP request
Creating a service
Launching a service
Creating a process from a recently created file
Sending an HTTP GET request
Deleting a recently created file
Creating a file
Creating a window
Running batch commands
Launching the process to change network settings
Enabling autorun for a service
Launching the process to interact with network services
Unauthorized injection to a system process
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: spre.troj.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Contains VNC / remote desktop functionality (version string found)
Creates files in the system32 config directory
Disables security and backup related services
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for submitted file
Performs a network lookup / discovery via net view
Uses bcdedit to modify the Windows boot settings
Uses netsh to modify the Windows network and firewall settings
Behaviour
Behavior Graph: [graph rendering omitted] Behavior Graph ID: 469388, Sample: MwRd87ihR4.exe, Startdate: 22/08/2021, Architecture: WINDOWS, Score: 100
Threat name: Win32.Trojan.BetaBot
Status: Malicious
First seen: 2021-08-11 18:40:26 UTC
AV detection: 10 of 28 (35.71%)
Threat level: 5/5
Verdict: unknown
Result
Malware family: n/a
Score: 10/10
Tags: bootkit evasion persistence
Behaviour
Discovers systems in the same network
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Drops file in Windows directory
An obfuscated cmd.exe command-line is typically used to evade detection.
Drops file in System32 directory
Modifies boot configuration data using bcdedit
Writes to the Master Boot Record (MBR)
Loads dropped DLL
Executes dropped EXE
Modifies Windows Firewall
Sets service image path in registry
Registers COM server for autorun
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments