MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d86c70788e8597af95906106bb03ed111f0c3eb5a359dd93b6a0d7a3fdf9c3cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d86c70788e8597af95906106bb03ed111f0c3eb5a359dd93b6a0d7a3fdf9c3cc
SHA3-384 hash: 2fd9d273d6022f76aa2cfd7b34058bfa7a5c90b7f5634115f15378e7ee32310ab02ee0fda4677dcbfad42b5b3769d45d
SHA1 hash: 915a8c60bcef68d9ce606b135cb1b0f901136c53
MD5 hash: c95ae046fdb1300081c27f4c7e054d78
humanhash: mobile-chicken-connecticut-jersey
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'541'024 bytes
First seen:2023-03-09 22:47:54 UTC
Last seen:2023-03-10 09:37:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a9e5f3ce5156d21424ffde8025e47b6e (1 x Adware.Generic, 1 x RedLineStealer, 1 x Rhadamanthys)
ssdeep 24576:lVppE3ZFc3U0mRqDp5XzYZ5N4z5LSYXJS+qED51+ZH6t8KE7B4AhCNaiv:lVSFcn7p5X8fNy5GYXJ7qENAZiqCLv
Threatray 253 similar samples on MalwareBazaar
TLSH T1AC65E1217203C06EF29D8CF41D15EADB34665C326FDB4BE7F68AB63A095E9809630717
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 44cc8890cc61b244 (1 x RedLineStealer, 1 x RemcosRAT)
Reporter andretavare5
Tags:exe RedLineStealer signed

Code Signing Certificate

Organisation:celsium.com
Issuer:R3
Algorithm:sha256WithRSAEncryption
Valid from:2023-01-12T11:01:49Z
Valid to:2023-04-12T11:01:48Z
Serial number: 03e64d8f133275eccb9e0357d22742a7ff81
Intelligence: 3 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 8fb896061c5ff6dc9944adc0dbd4c97d3c3d9727e15c5c8e53705b185525cb02
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
andretavare5
Sample downloaded from https://vk.com/doc10773776_660890717?hash=O78Z0YgqkJr5mVD4mrzD6XEEuvDAjns7kqtTJCOD4H4&dl=GEYDONZTG43TM:1678394993:YwjzZtbmyW5SOfjWWQtZJyzV9ZCrIz95WEXeFsyDlCX&api=1&no_preview=1#fy10

Intelligence

File Origin
# of uploads :
3
# of downloads :
245
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
No threats detected
Analysis date:
2023-03-09 22:50:44 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6d038c0c-8ffd-4907-817e-8de9d14cf519

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/373176/
Detection(s):
SecuriteInfo.com.FileRepMalware.2067.7340.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Launching a process
Creating a file in the %temp% directory
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a window
Сreating synchronization primitives
Detecting VM
Launching the default Windows debugger (dwwin.exe)
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/72412/overview
Behaviour
MalwareBazaar
CPUID_Instruction
MeasuringTime
AntidebugCommonApi
SystemUptime
EvasionQueryPerformanceCounter
EvasionGetTickCount
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
57%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/640a622379380d66a3b229fc/reports/f9752448-10ac-4169-a3ae-c92c898a40eb/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/d86c70788e8597af95906106bb03ed111f0c3eb5a359dd93b6a0d7a3fdf9c3cc
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d4b0aba2-dcc4-4665-abb4-1b695cdecc26
Result
Threat name:
RHADAMANTHYS, RedLine
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1190831
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Checks if the current machine is a virtual machine (disk enumeration)
Contain functionality to detect virtual machines
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to hide a thread from the debugger
Early bird code injection technique detected
Found many strings related to Crypto-Wallets (likely being stolen)
Found potential ransomware demand text
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Searches for specific processes (likely to inject)
Sigma detected: Dot net compiler compiles file from suspicious location
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected RedLine Stealer
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 823707 Sample: file.exe Startdate: 09/03/2023 Architecture: WINDOWS Score: 100 64 Snort IDS alert for network traffic 2->64 66 Malicious sample detected (through community Yara rule) 2->66 68 Multi AV Scanner detection for dropped file 2->68 70 12 other signatures 2->70 10 file.exe 9 2->10         started        process3 dnsIp4 60 fpfotjbziwl5inzrou.5g0wy2ecc 10->60 50 C:\Users\user\AppData\Local\...\4716437.dll, PE32 10->50 dropped 80 Writes to foreign memory regions 10->80 82 Allocates memory in foreign processes 10->82 84 Injects a PE file into a foreign processes 10->84 15 fontview.exe 10->15         started        18 ngentask.exe 4 10->18         started        21 WerFault.exe 24 9 10->21         started        24 WerFault.exe 2 9 10->24         started        file5 signatures6 process7 dnsIp8 86 Query firmware table information (likely to detect VMs) 15->86 88 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 15->88 90 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 15->90 100 11 other signatures 15->100 26 dllhost.exe 15->26         started        58 185.244.182.218, 2027, 49700 BELCLOUDBG Russian Federation 18->58 92 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 18->92 94 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 18->94 96 Tries to harvest and steal browser information (history, passwords, etc) 18->96 98 Tries to steal Crypto Currency Wallets 18->98 46 C:\ProgramData\Microsoft\...\Report.wer, Unicode 21->46 dropped 48 C:\ProgramData\Microsoft\...\Report.wer, Unicode 24->48 dropped file9 signatures10 process11 signatures12 72 Early bird code injection technique detected 26->72 74 Tries to harvest and steal browser information (history, passwords, etc) 26->74 76 Maps a DLL or memory area into another process 26->76 78 Queues an APC in another process (thread injection) 26->78 29 dllhost.exe 7 27 26->29         started        process13 dnsIp14 62 185.246.220.34, 443, 49712, 49713 LVLT-10753US Germany 29->62 52 C:\Users\user\AppData\...\Dsodypuvkg.exe, PE32+ 29->52 dropped 54 C:\Users\user\AppData\...\Bzksvgjxvu.exe, PE32+ 29->54 dropped 56 C:\Users\user\AppData\...\in4qhguw.cmdline, Unicode 29->56 dropped 33 csc.exe 29->33         started        36 Dsodypuvkg.exe 29->36         started        38 Bzksvgjxvu.exe 29->38         started        file15 process16 file17 44 C:\Users\user\AppData\Local\...\in4qhguw.dll, PE32 33->44 dropped 40 conhost.exe 33->40         started        42 cvtres.exe 33->42         started        process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d86c70788e8597af95906106bb03ed111f0c3eb5a359dd93b6a0d7a3fdf9c3cc/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-03-09 21:35:45 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3bwha6eoqwl27fmqmedlwa7ncepqypvvunm53e5wudl2h7pzypga._file
Verdict:
malicious
Similar samples:
044e62e14faf9e06d2759ac0d62b4c6cb3a103fe287e235c48ab1c64604cfe3a
RedLineStealer
07ef3c17f83a7edd9e2c820c10d1b24bb21804a734a1d6e6de9d9bcf1e9426e1
RedLineStealer
3ce93785a441fb0908cf3ceed6dd1fe76a9d5133ed52ca7b278dc5d81f8fb1f0
RedLineStealer
3dbb485f94bffbb6e070780451ccda0c651520b651ae9f2f763a8ff9fa70060e
RedLineStealer
4e206df50e3327418c6c9078b720d5faac9b3bac31998e29d1091fc2fd2418bb
RedLineStealer
4fc39495038014b3e49eb088c92c9310487beca6a027ebc72d60607a05b4f331
RedLineStealer
95df8e09db02d2956bdd6a91041e3424020e9dc1e2775bac33b6c0af30fada43
RedLineStealer
dbf5c280d8bad76b99fd8e111397df5fd03a5028ced5cabe28120017c4971a27
RedLineStealer
e09f0bd79308d5a35381b2921ca5f0f609225120157de3d093554eb4b611839e
RedLineStealer
+ 243 additional samples on MalwareBazaar
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:redline family:rhadamanthys botnet:@rozebalpedistall_1 infostealer spyware stealer
Link:
https://tria.ge/reports/230309-2q313scc7x/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Detect rhadamanthys stealer shellcode
RedLine
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
185.244.182.218:2027
Unpacked files
SH256 hash:
ae0838bc5f67c37ec65a0fb8339b5e0ba473618ec55c5d8245c065e687c20d76
MD5 hash:
ab943c34943886ce3d32022acf7469d9
SHA1 hash:
6f54dbb9abf6e63c7e886ff4e9efab0f717e5e2c
Link:
https://www.unpac.me/results/4c0076a8-4ce1-4e3d-b311-82632c25b437/
SH256 hash:
d86c70788e8597af95906106bb03ed111f0c3eb5a359dd93b6a0d7a3fdf9c3cc
MD5 hash:
c95ae046fdb1300081c27f4c7e054d78
SHA1 hash:
915a8c60bcef68d9ce606b135cb1b0f901136c53
Link:
https://www.unpac.me/results/4c0076a8-4ce1-4e3d-b311-82632c25b437/
Malware family:
RedLine.E
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d86c70788e85/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.76
Link:
https://yomi.yoroi.company/submissions/d86c70788e8597af95906106bb03ed111f0c3eb5a359dd93b6a0d7a3fdf9c3cc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Redline_Hunter
Create hunting rule
Author:Potato
Description:Unpacked RedLine Hunter
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Win32_Trojan_RedLineStealer
Create hunting rule
Author:Netskope Threat Labs
Description:Identifies RedLine Stealer samples
Reference:deb95cae4ba26dfba536402318154405

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/373176/

Comments