MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c84e4d5d3ac98cdd585879d317c0570d2a40bfa817b3f1e0ffe78645a8b093df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c84e4d5d3ac98cdd585879d317c0570d2a40bfa817b3f1e0ffe78645a8b093df
SHA3-384 hash: 687ba6e2697e779a7ec08ec3f9b2f19ee411cc95cc8b3b7d9853b28f34a6a54f2cdac2eb8865ab7f041f9b541196356d
SHA1 hash: b3d807a54dbbda52c6501db3cf1c557f63b060a2
MD5 hash: 36c04502fffecb0d1e9af6cdd72455d4
humanhash: don-coffee-six-mobile
File name:36C04502FFFECB0D1E9AF6CDD72455D4.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'673'236 bytes
First seen:2023-08-13 13:00:13 UTC
Last seen:2023-08-13 13:39:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e569e6f445d32ba23766ad67d1e3787f (262 x Adware.Generic, 41 x RecordBreaker, 24 x RedLineStealer)
ssdeep 24576:s7FUDowAyrTVE3U5F/abhKic6QL3E2vVsjECUAQT45deRV9Rk:sBuZrEUgKIy029s4C1eH9y
Threatray 17 similar samples on MalwareBazaar
TLSH T13375BF3FF268A13EC56A1B3245B38320997BBA51B81A8C1E47FC344DCF765601E3B656
TrID 50.4% (.EXE) Inno Setup installer (109740/4/30)
19.7% (.EXE) InstallShield setup (43053/19/16)
19.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
4.8% (.EXE) Win64 Executable (generic) (10523/12/4)
2.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
94.142.138.167:19615

Intelligence

File Origin
# of uploads :
2
# of downloads :
303
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
36C04502FFFECB0D1E9AF6CDD72455D4.exe
Verdict:
No threats detected
Analysis date:
2023-08-13 13:01:24 UTC
Tags:
installer
Link:
https://app.any.run/tasks/89e04024-1c00-4111-95b5-dcf05e05dd22

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/442506/
Detection(s):
SecuriteInfo.com.Generic.Adware.Campaignz.A.A1543E14.2978.10099.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/102777/overview
Behaviour
MalwareBazaar
CheckNumberOfProcessor
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control installer lolbin overlay packed setupapi shell32
Link:
https://www.filescan.io/uploads/64d8d4102a1db2a88acd651f/reports/48546416-0134-48e5-b1a5-88ebaad242bb/overview
Verdict:
Malicious
Labled as:
TR/Downloader.Generic
Link:
https://www.hybrid-analysis.com/sample/c84e4d5d3ac98cdd585879d317c0570d2a40bfa817b3f1e0ffe78645a8b093df
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/411b1f1e-fbfb-48d1-b5b0-92e57ac19cd9
Result
Threat name:
n/a
Detection:
malicious
Classification:
spre.evad
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/1290667
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Infects executable files (exe, dll, sys, html)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1290667 Sample: 6zDHRCEqdN.exe Startdate: 13/08/2023 Architecture: WINDOWS Score: 48 189 Antivirus detection for URL or domain 2->189 191 Antivirus detection for dropped file 2->191 193 Antivirus / Scanner detection for submitted sample 2->193 195 2 other signatures 2->195 12 msiexec.exe 2->12         started        16 6zDHRCEqdN.exe 2 2->16         started        18 DigitalPulseUpdate.exe 6 2->18         started        21 11 other processes 2->21 process3 dnsIp4 121 C:\Windows\System32\vcruntime140_1.dll, PE32+ 12->121 dropped 123 C:\Windows\System32\vcruntime140.dll, PE32+ 12->123 dropped 125 C:\Windows\System32\vcomp140.dll, PE32+ 12->125 dropped 137 62 other malicious files 12->137 dropped 201 Infects executable files (exe, dll, sys, html) 12->201 23 msiexec.exe 12->23         started        28 msiexec.exe 12->28         started        30 msiexec.exe 12->30         started        127 C:\Users\user\AppData\...\6zDHRCEqdN.tmp, PE32 16->127 dropped 32 6zDHRCEqdN.tmp 23 19 16->32         started        155 3.97.187.4 AMAZON-02US United States 18->155 157 54.231.136.9 AMAZON-02US United States 18->157 165 2 other IPs or domains 18->165 129 C:\Users\user\...\DigitalPulseService.exe, PE32+ 18->129 dropped 131 C:\Users\user\...\DigitalPulseService.exe, PE32+ 18->131 dropped 133 C:\Users\user\...\DigitalPulseService.exe, PE32+ 18->133 dropped 34 tasklist.exe 18->34         started        36 taskkill.exe 18->36         started        38 tasklist.exe 18->38         started        40 taskkill.exe 18->40         started        159 20.54.24.69 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 21->159 161 188.114.97.7 CLOUDFLARENETUS European Union 21->161 163 2.20.212.212 AKAMAI-ASUS European Union 21->163 135 C:\Windows\Temp\...\Windows Updater.exe, PE32 21->135 dropped 203 Changes security center settings (notifications, updates, antivirus, firewall) 21->203 file5 signatures6 process7 dnsIp8 167 157.230.96.32 DIGITALOCEAN-ASNUS United States 23->167 169 54.160.207.153 AMAZON-AESUS United States 23->169 171 192.168.2.1 unknown unknown 23->171 97 C:\Users\user\AppData\Local\...\shi8459.tmp, PE32 23->97 dropped 99 C:\Users\user\AppData\Local\...\shi838D.tmp, PE32 23->99 dropped 199 Query firmware table information (likely to detect VMs) 23->199 42 taskkill.exe 23->42         started        101 C:\Users\user\AppData\Local\...\shi771A.tmp, PE32 28->101 dropped 103 C:\Users\user\AppData\Local\...\shi765E.tmp, PE32 28->103 dropped 173 8.8.8.8 GOOGLEUS United States 32->173 175 172.67.134.52 CLOUDFLARENETUS United States 32->175 177 188.114.96.7 CLOUDFLARENETUS European Union 32->177 105 C:\Users\user\AppData\...\setup.exe (copy), PE32 32->105 dropped 107 C:\Users\user\AppData\Local\...\is-DS0LH.tmp, PE32 32->107 dropped 109 C:\...\unins000.exe (copy), PE32 32->109 dropped 111 2 other files (1 malicious) 32->111 dropped 44 setup.exe 2 32->44         started        47 conhost.exe 34->47         started        49 conhost.exe 36->49         started        51 conhost.exe 38->51         started        53 conhost.exe 40->53         started        file9 signatures10 process11 file12 55 conhost.exe 42->55         started        139 C:\Users\user\AppData\Local\...\setup.tmp, PE32 44->139 dropped 57 setup.tmp 3 27 44->57         started        process13 dnsIp14 179 18.67.246.110 MIT-GATEWAYSUS United States 57->179 181 104.18.212.25 CLOUDFLARENETUS United States 57->181 183 4 other IPs or domains 57->183 113 C:\Users\user\AppData\Local\Temp\...\s3.exe, PE32 57->113 dropped 115 C:\Users\user\AppData\Local\Temp\...\s2.exe, PE32 57->115 dropped 117 C:\Users\user\AppData\Local\Temp\...\s1.exe, PE32 57->117 dropped 119 4 other files (3 malicious) 57->119 dropped 61 s0.exe 2 57->61         started        64 s1.exe 57->64         started        file15 process16 dnsIp17 141 C:\Users\user\AppData\Local\Temp\...\s0.tmp, PE32 61->141 dropped 68 s0.tmp 31 22 61->68         started        151 8.238.130.254 LEVEL3US United States 64->151 153 192.229.221.95 EDGECASTUS United States 64->153 143 C:\Users\user\AppData\Roaming\...\decoder.dll, PE32 64->143 dropped 145 C:\Users\user\AppData\...\Windows Updater.exe, PE32 64->145 dropped 147 C:\Users\user\AppData\Local\...\shi73BF.tmp, PE32+ 64->147 dropped 149 3 other malicious files 64->149 dropped 187 Multi AV Scanner detection for dropped file 64->187 72 msiexec.exe 64->72         started        file18 signatures19 process20 file21 89 C:\Users\user\AppData\...\unins000.exe (copy), PE32 68->89 dropped 91 C:\Users\user\AppData\...\is-OH4OK.tmp, PE32 68->91 dropped 93 C:\Users\user\AppData\...\is-CJJ18.tmp, PE32+ 68->93 dropped 95 4 other files (3 malicious) 68->95 dropped 197 Uses schtasks.exe or at.exe to add and modify task schedules 68->197 74 DigitalPulseService.exe 68->74         started        77 _setup64.tmp 1 68->77         started        79 schtasks.exe 1 68->79         started        81 schtasks.exe 1 68->81         started        signatures22 process23 dnsIp24 185 3.98.219.138 AMAZON-02US United States 74->185 83 conhost.exe 77->83         started        85 conhost.exe 79->85         started        87 conhost.exe 81->87         started        process25
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c84e4d5d3ac98cdd585879d317c0570d2a40bfa817b3f1e0ffe78645a8b093df/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-08-12 04:38:00 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
13 of 38 (34.21%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zbhe2xj2zggn2wcyphjrpqcxbuvebp5ic6z7dyh746delkfqsppq._file
Verdict:
unknown
Similar samples:
07999a5e3c1019be2d430d0b2fef1c7e2b1b38a96c3bfd9886506bc4f1bf2df7
RedLineStealer
1062b856e7580e1d5b19bdbe87a233343c39c5a41860358c854586f52dbf906f
RedLineStealer
5377fdf4a8c5b2de8f21a23a0770fbc497d3ba1ff58d50d1ec952216e84a3c4f
RedLineStealer
5a4b558e3f228adc43c877a56890612ba69b2e112ca8e0fdd538581e0dc6898b
RedLineStealer
63fe94f5903f4d969dd1e3032497a9f7ed693410a1a58a9857aaf22826bb0115
RedLineStealer
6c3f24ff26c5d2f16ae6aa8842e97d402c2e203d0aa2798a40f4dc000554dbca
RedLineStealer
82e3523dc7d162e55eaa4f69c2dba9555592661eadcc6807898da7196e57289a
RedLineStealer
87f58956937f84708706f515675d0b48125ace13ede701886e433cc8b336720d
RedLineStealer
8fc055b97e29323ef0f570ef76b2bacdceb4f8d1b8a2eb62bb974f0abf03e5c0
RedLineStealer
aad7a088f309c1e0671f327db2428a470c14d08d5f6489fcb628071d2361b6a7
RedLineStealer
+ 7 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230813-p872jaed5t/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
a611722e2c7ca5b59bf93d0d149c747a93417fa32ac3262bb3efd235a4d0cb9f
MD5 hash:
b60631dea9f2930a33b0493584512f85
SHA1 hash:
3c76c1249af9adf8107d3c1bd7a7f60360e90ac7
Link:
https://www.unpac.me/results/2ed44649-7f29-4469-8c3e-022db5ed5191/
SH256 hash:
c84e4d5d3ac98cdd585879d317c0570d2a40bfa817b3f1e0ffe78645a8b093df
MD5 hash:
36c04502fffecb0d1e9af6cdd72455d4
SHA1 hash:
b3d807a54dbbda52c6501db3cf1c557f63b060a2
Link:
https://www.unpac.me/results/2ed44649-7f29-4469-8c3e-022db5ed5191/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c84e4d5d3ac98cdd585879d317c0570d2a40bfa817b3f1e0ffe78645a8b093df

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/442506/

Comments