MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c6fbb7022c7beb3b4c840cb4d46b35f237a29ef70d6c400e673eedc55698d3c4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c6fbb7022c7beb3b4c840cb4d46b35f237a29ef70d6c400e673eedc55698d3c4
SHA3-384 hash: 7e7df642bdaad847a71581c3928310e93eb483e896ea0411a578574135a9542ea9850d517d7c364da90a72dd9ec5289d
SHA1 hash: 821a586245f977e3a6d2aae29c7a262c080cb5a2
MD5 hash: b483c722d53182cb7b35e0604b6603c7
humanhash: avocado-arizona-stairway-oscar
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'944'576 bytes
First seen:2023-11-24 09:11:09 UTC
Last seen:2023-11-24 12:38:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 49152:vmMEPx6vQA7b0IyUWN/vgy0j3c6Byf1gTT:hHQAXtyBN/R0TE2X
TLSH T1ED95023B7A466448C12E4B71402D29C4B375ED862646C77E60DB32BC9FB22BFB74D486
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 16c8d8bcbcd8c816 (4 x DarkTortilla, 2 x RedLineStealer, 1 x Smoke Loader)
Reporter andretavare5
Tags:exe RedLineStealer


Avatar
andretavare5
Sample downloaded from http://194.49.94.97/ww/ffs.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
359
Origin country :
US US
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/459979/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.20902.2334.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/656068e37485e5b1ecb985e6/reports/034ffe87-c62d-475a-adc9-ff9ead21e1fe/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/c6fbb7022c7beb3b4c840cb4d46b35f237a29ef70d6c400e673eedc55698d3c4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2ce19188-ea8d-4eef-9d90-fa3cbc08ae51
Result
Threat name:
DarkTortilla, Eternity Stealer, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1347311
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Connects to many ports of the same IP (likely port scanning)
Found malware configuration
Found Tor onion address
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Capture Wi-Fi password
Snort IDS alert for network traffic
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses known network protocols on non-standard ports
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
Yara detected Eternity Stealer
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1347311 Sample: file.exe Startdate: 24/11/2023 Architecture: WINDOWS Score: 100 42 pastebin.com 2->42 44 t.me 2->44 46 ip-api.com 2->46 64 Snort IDS alert for network traffic 2->64 66 Found malware configuration 2->66 68 Malicious sample detected (through community Yara rule) 2->68 72 12 other signatures 2->72 9 file.exe 3 2->9         started        signatures3 70 Connects to a pastebin service (likely for C&C) 42->70 process4 signatures5 74 Writes to foreign memory regions 9->74 76 Hides that the sample has been downloaded from the Internet (zone.identifier) 9->76 78 Injects a PE file into a foreign processes 9->78 12 InstallUtil.exe 15 3 9->12         started        16 InstallUtil.exe 3 9->16         started        process6 dnsIp7 50 ip-api.com 208.95.112.1, 49740, 80 TUT-ASUS United States 12->50 52 t.me 149.154.167.99, 443, 49741 TELEGRAMRU United Kingdom 12->52 54 2 other IPs or domains 12->54 80 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->80 82 Tries to steal Mail credentials (via file / registry access) 12->82 84 Found Tor onion address 12->84 92 2 other signatures 12->92 18 cmd.exe 12->18         started        21 cmd.exe 12->21         started        86 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 16->86 88 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 16->88 90 Tries to harvest and steal WLAN passwords 16->90 94 3 other signatures 16->94 23 InstallUtil.exe 8 4 16->23         started        signatures8 process9 dnsIp10 56 Uses netsh to modify the Windows network and firewall settings 18->56 58 Tries to harvest and steal WLAN passwords 18->58 26 conhost.exe 18->26         started        28 chcp.com 18->28         started        30 netsh.exe 18->30         started        32 findstr.exe 18->32         started        34 conhost.exe 21->34         started        36 chcp.com 21->36         started        38 netsh.exe 21->38         started        40 findstr.exe 21->40         started        48 45.142.122.192, 16503, 49742 DE-FIRSTCOLOwwwfirst-colonetDE Russian Federation 23->48 60 Tries to harvest and steal browser information (history, passwords, etc) 23->60 62 Tries to steal Crypto Currency Wallets 23->62 signatures11 process12
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c6fbb7022c7beb3b4c840cb4d46b35f237a29ef70d6c400e673eedc55698d3c4
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c6fbb7022c7beb3b4c840cb4d46b35f237a29ef70d6c400e673eedc55698d3c4/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-11-24 09:12:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
264
AV detection:
17 of 23 (73.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=y353oarmppvtwteebs2ni2zv6i32fhxxbvweadthh3w4kvuy2pca._file
Verdict:
malicious
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:eternity family:redline collection infostealer spyware
Link:
https://tria.ge/reports/231124-k56xvahc34/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Eternity
RedLine
RedLine payload
Malware Config
C2 Extraction:
http://izrukvro5khcol3z7cvvdq3akeunlod2gshgn7ppo3a4jvse3z5hpiyd.onion
Unpacked files
SH256 hash:
56aaa2b9e53d69dd75c8d1247220d8ea97b1b7705796b2e2ddff34c7eea8adee
MD5 hash:
50f28d178452b2db4e1f466904e55c78
SHA1 hash:
d9a3246a570715d756a6c653b6818afb99ae39ec
Link:
https://www.unpac.me/results/8699109a-2f85-47cd-959e-bb4ad02a9ea9/
SH256 hash:
0781f74db6c9ff7aa0c1e76dd0ebc4a9575fba6caca9aac9fb0131c5a73c84be
MD5 hash:
2c064163cda2f093cf6d20302481dff7
SHA1 hash:
cf948b10d999c369ef51972f86278a4f536d400d
Link:
https://www.unpac.me/results/8699109a-2f85-47cd-959e-bb4ad02a9ea9/
SH256 hash:
2db82e9b91b1ccb1957b4e06ec49bfb0096e973213fc1786de1bbe3162f5df5a
MD5 hash:
27dea42a70bd7e948f1171ce873878a1
SHA1 hash:
b87051d51479c093cdf3e721acea4fd8b940b1e5
Link:
https://www.unpac.me/results/8699109a-2f85-47cd-959e-bb4ad02a9ea9/
SH256 hash:
c549c482ea09598cd90c39d214451aea3c308b277ba08c5dc009b4c5727ae7e7
MD5 hash:
0f3134bbc30bdc7200d441eadb1174fc
SHA1 hash:
92d0c5712825cfec8964d296326a7b5d3a048cfe
Detections:
MALWARE_Win_JesterStealer
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Link:
https://www.unpac.me/results/8699109a-2f85-47cd-959e-bb4ad02a9ea9/
SH256 hash:
00ab138909c59d5abb8f3137fd0ee119ce75c0a7d9e882e2476ac9b2d5bcf711
MD5 hash:
b72c76ba5c9eb50b9f09419072df215a
SHA1 hash:
1b1e93baa2340a0f641eb99d8fb7c984010b9462
Link:
https://www.unpac.me/results/8699109a-2f85-47cd-959e-bb4ad02a9ea9/
SH256 hash:
c6fbb7022c7beb3b4c840cb4d46b35f237a29ef70d6c400e673eedc55698d3c4
MD5 hash:
b483c722d53182cb7b35e0604b6603c7
SHA1 hash:
821a586245f977e3a6d2aae29c7a262c080cb5a2
Link:
https://www.unpac.me/results/8699109a-2f85-47cd-959e-bb4ad02a9ea9/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c6fbb7022c7b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c6fbb7022c7beb3b4c840cb4d46b35f237a29ef70d6c400e673eedc55698d3c4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/459979/
  
URLhaus
https://urlhaus.abuse.ch/url/2735034/

Comments