MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c9abeb237b284d2aee39f0c69a1042aa3dbe285aa528f23ffdaed82a0a08a229. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c9abeb237b284d2aee39f0c69a1042aa3dbe285aa528f23ffdaed82a0a08a229
SHA3-384 hash: 16a55bc2d44ca86ab9139b0b51ab693cc3fa3900a78145126166a69366265f7a89a166244f9490a0961d49214971a343
SHA1 hash: 405dc75e2d9ab33723b4ddf107a98b16d3ae3cb0
MD5 hash: 0e7d49c38e45d1c993985279e08ed159
humanhash: north-march-pluto-cola
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'962'213 bytes
First seen:2023-01-16 17:46:00 UTC
Last seen:2023-01-16 17:59:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'507 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep 49152:mo51SyUlCE4JQFBpqahlYrsoITZCAx1GTj:H1S1QEvBprhOY/CAx1GTj
TLSH T18E953309D180E532F6D219B04CB3E06D82DD7DA211BE3129355C91EF2F6B16BE86F746
TrID 75.1% (.EXE) Inno Setup installer (109740/4/30)
9.7% (.EXE) Win32 Executable Delphi generic (14182/79/4)
4.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.0% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
File icon (PE):PE icon
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter andretavare5
Tags:exe RedLineStealer


Avatar
andretavare5
Sample downloaded from http://45.12.253.74/pineapple.php?pub=mixinte

Intelligence

File Origin
# of uploads :
8
# of downloads :
250
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-01-16 17:46:57 UTC
Tags:
installer
Link:
https://app.any.run/tasks/eefd384f-5da2-4218-8cc1-383dc6a29079

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/353503/
Detection(s):
Win.Malware.Ekstak-9979943-0
Create hunting rule

SecuriteInfo.com.Trojan.Moneyinst.746.21331.248.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Moving a file to the Program Files subdirectory
Modifying a system file
Creating a file in the %AppData% subdirectories
Sending an HTTP GET request
Sending a custom TCP request
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for the window
Creating a file in the Program Files subdirectories
Unauthorized injection to a recently created process
Launching a tool to kill processes
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/60719/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63c58d5dafdaca54d43880eb/reports/d3158b60-53b5-4693-8ca6-6329729789fb/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Arkei Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9fe4fe1b-d678-4f38-a801-c91a49d5fc5f
Result
Threat name:
Nymaim, Raccoon Stealer v2, RedLine, Vid
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1152557
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DLL side loading technique detected
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
PE file has a writeable .text section
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Nymaim
Yara detected Raccoon Stealer v2
Yara detected RedLine Stealer
Yara detected UAC Bypass using CMSTP
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 785289 Sample: file.exe Startdate: 16/01/2023 Architecture: WINDOWS Score: 100 104 45.12.253.98 CMCSUS Germany 2->104 122 Snort IDS alert for network traffic 2->122 124 Malicious sample detected (through community Yara rule) 2->124 126 Antivirus detection for URL or domain 2->126 128 17 other signatures 2->128 13 file.exe 2 2->13         started        signatures3 process4 file5 92 C:\Users\user\AppData\Local\Temp\...\file.tmp, PE32 13->92 dropped 158 Obfuscated command line found 13->158 17 file.tmp 18 16 13->17         started        signatures6 process7 file8 68 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 17->68 dropped 70 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 17->70 dropped 72 C:\Users\user\AppData\Local\...\_RegDLL.tmp, PE32 17->72 dropped 74 6 other files (5 malicious) 17->74 dropped 20 finalrecovery.exe 33 17->20         started        process9 dnsIp10 114 45.12.253.56, 49682, 80 CMCSUS Germany 20->114 116 45.12.253.72, 49683, 80 CMCSUS Germany 20->116 118 45.12.253.75, 49684, 80 CMCSUS Germany 20->118 84 C:\Users\user\AppData\Roaming\...\4bMbU9O.exe, PE32 20->84 dropped 86 C:\Users\user\AppData\Roaming\...\qZrDy.exe, PE32 20->86 dropped 88 C:\Users\user\AppData\...\Kkug4Zdmp.exe, PE32+ 20->88 dropped 90 4 other malicious files 20->90 dropped 24 Kkug4Zdmp.exe 3 20->24         started        27 Kah0RecBZy.exe 5 20->27         started        30 qZrDy.exe 3 20->30         started        32 2 other processes 20->32 file11 process12 dnsIp13 142 Multi AV Scanner detection for dropped file 24->142 144 Detected unpacking (changes PE section rights) 24->144 146 Query firmware table information (likely to detect VMs) 24->146 154 5 other signatures 24->154 34 InstallUtil.exe 24->34         started        120 45.15.156.202, 15601, 49690 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 27->120 148 Detected unpacking (overwrites its own PE header) 27->148 150 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 27->150 152 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 27->152 156 2 other signatures 27->156 39 powershell.exe 30->39         started        41 conhost.exe 32->41         started        43 taskkill.exe 32->43         started        signatures14 process15 dnsIp16 106 94.131.3.70, 49689, 80 NASSIST-ASGI Ukraine 34->106 108 77.73.134.24, 49692, 80 FIBEROPTIXDE Kazakhstan 34->108 110 77.73.134.35 FIBEROPTIXDE Kazakhstan 34->110 76 C:\Users\user\AppData\Roaming\p8X6n98N.exe, PE32+ 34->76 dropped 78 C:\Users\user\AppData\Roaming\iH4cqyll.exe, PE32+ 34->78 dropped 80 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 34->80 dropped 82 6 other files (4 malicious) 34->82 dropped 130 Tries to harvest and steal browser information (history, passwords, etc) 34->130 132 DLL side loading technique detected 34->132 134 Tries to steal Crypto Currency Wallets 34->134 45 p8X6n98N.exe 34->45         started        49 iH4cqyll.exe 34->49         started        112 45.93.201.114 ASBAXETNRU Russian Federation 39->112 136 Writes to foreign memory regions 39->136 138 Hides threads from debuggers 39->138 140 Injects a PE file into a foreign processes 39->140 52 aspnet_compiler.exe 39->52         started        54 conhost.exe 39->54         started        56 aspnet_compiler.exe 39->56         started        file17 signatures18 process19 dnsIp20 94 C:\...\WlndowsDraiver-Ver3.7.2.4.exe, PE32+ 45->94 dropped 160 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 45->160 162 Uses schtasks.exe or at.exe to add and modify task schedules 45->162 58 schtasks.exe 45->58         started        96 youtube-ui.l.google.com 142.250.180.174 GOOGLEUS United States 49->96 98 www.youtube.com 49->98 164 Multi AV Scanner detection for dropped file 49->164 166 Tries to harvest and steal browser information (history, passwords, etc) 49->166 60 cmd.exe 49->60         started        100 t.me 149.154.167.99 TELEGRAMRU United Kingdom 52->100 102 91.107.158.249 HETZNER-ASDE Germany 52->102 file21 signatures22 process23 process24 62 conhost.exe 58->62         started        64 conhost.exe 60->64         started        66 choice.exe 60->66         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c9abeb237b284d2aee39f0c69a1042aa3dbe285aa528f23ffdaed82a0a08a229/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-01-16 17:47:09 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zgv6wi33fbgsv3rz6ddjueccvi634kc2uuupep75v3mcucqiuiuq._file
Verdict:
malicious
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:gcleaner family:raccoon family:vidar botnet:597 botnet:db93e0d0875ba0f35b0afd8258337565 discovery evasion loader spyware stealer themida trojan
Link:
https://tria.ge/reports/230116-wcajqaef31/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
GCleaner
Raccoon
Vidar
Malware Config
C2 Extraction:
45.12.253.56
45.12.253.72
45.12.253.98
45.12.253.75
http://94.131.3.70/
https://t.me/tgdatapacks
https://steamcommunity.com/profiles/76561199469677637
Unpacked files
SH256 hash:
3f3655d58aabf9451edd533b2b233ab4b50ddc2526e82869d1b528bbd1a56e20
MD5 hash:
49fb5e99cb40319da44417f5f386a181
SHA1 hash:
3071a705843ca9ee06a8a4c4db24bc5789c78cf6
Detections:
win_nymaim_g0
Create hunting rule
Nymaim
Create hunting rule
win_gcleaner_auto
Create hunting rule
Link:
https://www.unpac.me/results/9cf7c30d-76a3-42cd-bb2d-8e4492c53988/
SH256 hash:
607d5bf930f2319c66eb9f46fa2bd96c0822386d150058ad33e3bf959e9d9003
MD5 hash:
508dccf59f2ab22a57643b2a75b98cac
SHA1 hash:
c61fab2878eea5ff5f5982eb3804c99e979a9a05
Link:
https://www.unpac.me/results/9cf7c30d-76a3-42cd-bb2d-8e4492c53988/
SH256 hash:
c9abeb237b284d2aee39f0c69a1042aa3dbe285aa528f23ffdaed82a0a08a229
MD5 hash:
0e7d49c38e45d1c993985279e08ed159
SHA1 hash:
405dc75e2d9ab33723b4ddf107a98b16d3ae3cb0
Link:
https://www.unpac.me/results/9cf7c30d-76a3-42cd-bb2d-8e4492c53988/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c9abeb237b28/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.98
Link:
https://yomi.yoroi.company/submissions/c9abeb237b284d2aee39f0c69a1042aa3dbe285aa528f23ffdaed82a0a08a229

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security
Rule name:win_gcleaner_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.gcleaner.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/353503/

Comments