MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e100d262ff4cd2a62a8d08244336c4d68044d00c57117833280ae2e3d8f22341. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e100d262ff4cd2a62a8d08244336c4d68044d00c57117833280ae2e3d8f22341
SHA3-384 hash: 355a5add98cf1adb5b32f65907d5fa2bcf2c3719912d03cea28aa2dcf2631d205c07d563b1c0a31bcf89e46a3785c756
SHA1 hash: be10e918245e495e5f8cd87f76678da10b57c935
MD5 hash: 22afd800d93438a0f43daa7c7ce48d60
humanhash: music-vermont-beryllium-johnny
File name:22afd800d93438a0f43daa7c7ce48d60
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:2'118'088 bytes
First seen:2022-12-02 01:08:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8cba43c1bf0bf3e468808ba9c060bbfd (1 x RedLineStealer, 1 x SystemBC)
ssdeep 49152:GxRlFrn2KFvfGk69VEI+Rpx6Bb8SXc0Y2e2DBEJNR8Ym1wsNiYp78pPY1JeV:KtWk69Opx6aSs0TeMExQwMi2SA4V
TLSH T159A5238273D2A9FAD4CA0131561BB732927EF234A763828753C857B92EB33C5CD61365
TrID 52.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
17.7% (.EXE) Win64 Executable (generic) (10523/12/4)
8.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.5% (.EXE) Win32 Executable (generic) (4505/5/1)
3.4% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon dcdcdcdc8ccccccc (1 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe RedLineStealer signed

Code Signing Certificate

Organisation:singers.com
Issuer:ZeroSSL RSA Domain Secure Site CA
Algorithm:sha256WithRSAEncryption
Valid from:2022-10-21T00:00:00Z
Valid to:2023-01-19T23:59:59Z
Serial number: 2ad2b2a05dc11b1ae7835f1cdfc6d71b
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 0a5153cbc45ba08fa9b621f6eb433b5158f2a91395ca4a44e24af5e123961bab
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
215
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
22afd800d93438a0f43daa7c7ce48d60
Verdict:
Malicious activity
Analysis date:
2022-12-02 01:09:23 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d0492d13-4f81-41b5-a0ee-9db3bde79eb1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/341686/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
DNS request
Creating a window
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/6389502fba2a5a5de1802b61/reports/226d1baa-0f67-4174-b49c-55222574225f/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/326c50df-6897-453f-be36-7311c9e51875
Result
Threat name:
RedLine, SectopRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1126159
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Self deletion via cmd or bat file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected RedLine Stealer
Yara detected SectopRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 758882 Sample: GVgM7HCX5X.exe Startdate: 02/12/2022 Architecture: WINDOWS Score: 100 50 www.sealicensing.com 2->50 52 v8zyi2as7cq1zbx4lw0gkiclc.lrg9voadzfzccb8t5b 2->52 54 2 other IPs or domains 2->54 64 Snort IDS alert for network traffic 2->64 66 Multi AV Scanner detection for domain / URL 2->66 68 Malicious sample detected (through community Yara rule) 2->68 70 11 other signatures 2->70 8 GVgM7HCX5X.exe 10 2->8         started        12 Weboma degef wepe depodot xetoya gitelabi hak gihi.exe 17 2->12         started        signatures3 process4 dnsIp5 42 Weboma degef wepe ...telabi hak gihi.exe, PE32 8->42 dropped 44 Weboma degef wepe ...exe:Zone.Identifier, ASCII 8->44 dropped 72 Self deletion via cmd or bat file 8->72 74 Uses schtasks.exe or at.exe to add and modify task schedules 8->74 15 Weboma degef wepe depodot xetoya gitelabi hak gihi.exe 14 8->15         started        18 cmd.exe 1 8->18         started        20 schtasks.exe 1 8->20         started        62 sealicensing.com 198.23.62.100, 443, 49883, 49885 STEADFASTUS United States 12->62 46 C:\Users\user\AppData\Local\...\advapi32.dll, PE32 12->46 dropped 76 Writes to foreign memory regions 12->76 78 Allocates memory in foreign processes 12->78 80 Injects a PE file into a foreign processes 12->80 22 ngentask.exe 15 4 12->22         started        25 fontview.exe 12->25         started        file6 signatures7 process8 dnsIp9 82 Writes to foreign memory regions 15->82 84 Allocates memory in foreign processes 15->84 86 Injects a PE file into a foreign processes 15->86 27 ngentask.exe 2 15->27         started        29 ngentask.exe 15->29         started        31 fontview.exe 15->31         started        88 Uses ping.exe to check the status of other devices and networks 18->88 33 PING.EXE 1 18->33         started        36 conhost.exe 18->36         started        38 chcp.com 1 18->38         started        40 conhost.exe 20->40         started        56 65.109.85.189, 15648, 49884, 49887 ALABANZA-BALTUS United States 22->56 58 eth0.me 5.132.162.27, 49888, 80 INTERNEX-ASAT Austria 22->58 90 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 22->90 92 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 22->92 94 Tries to harvest and steal browser information (history, passwords, etc) 22->94 60 109.206.243.58, 49889, 49890, 49894 AWMLTNL Germany 25->60 signatures10 process11 dnsIp12 48 127.0.0.1 unknown unknown 33->48
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e100d262ff4cd2a62a8d08244336c4d68044d00c57117833280ae2e3d8f22341/
Threat name:
Win32.Trojan.Strab
Create hunting rule
Status:
Malicious
First seen:
2022-12-02 01:09:11 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
15 of 26 (57.69%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4eaneyx7jtjkmkunbasegnwe22aejuamk4ixqmziblrohwhsenaq._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/221202-bht54acg8v/
Behaviour
Creates scheduled task(s)
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Deletes itself
Loads dropped DLL
Executes dropped EXE
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/8a2484bc-f12b-423b-84fe-dc25912a876c
Unpacked files
SH256 hash:
ac7cbb787c2b1c7165f197251b76614a196a0aad70e93b850b601994f8195372
MD5 hash:
48ab8bb66525f31749ddcc65e8b5741c
SHA1 hash:
f56269f3ce6e0e86364253eab1c945ef8cdb8463
Link:
https://www.unpac.me/results/e039a40b-6979-420d-936c-58757fa1e709/
SH256 hash:
e100d262ff4cd2a62a8d08244336c4d68044d00c57117833280ae2e3d8f22341
MD5 hash:
22afd800d93438a0f43daa7c7ce48d60
SHA1 hash:
be10e918245e495e5f8cd87f76678da10b57c935
Link:
https://www.unpac.me/results/e039a40b-6979-420d-936c-58757fa1e709/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e100d262ff4cd2a62a8d08244336c4d68044d00c57117833280ae2e3d8f22341

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe e100d262ff4cd2a62a8d08244336c4d68044d00c57117833280ae2e3d8f22341

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2441294/
Cape
Cape
https://www.capesandbox.com/analysis/341686/

Comments


Avatar
zbet commented on 2022-12-02 01:08:38 UTC

url : hxxp://jonnyomar.xyz/umciavi32.exe