MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e6e790f409e5451fc14ffd3da64747f49b17ba9b32b2b3effbba9a6597c88bfb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e6e790f409e5451fc14ffd3da64747f49b17ba9b32b2b3effbba9a6597c88bfb
SHA3-384 hash: 8503063826d2644d2e2da347b3e50422645b4df7899cefc7726d9ad2d36a9902fb4fc8f91f8d5e67f78a518e45fdf57a
SHA1 hash: 8f5eb4e6b3adf6fca125cd30aaf5cf8d82aa79b0
MD5 hash: dbce6bf0a4a9c1c63ce4aa1e96119c44
humanhash: stairway-burger-kilo-monkey
File name:setup.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'388'000 bytes
First seen:2022-05-10 19:11:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9de116a58a6964e888a644a836e6e83f (15 x RedLineStealer, 1 x Formbook, 1 x TVRat)
ssdeep 24576:XaUsX0Qy4ejLNaGjwi8v4SiDI12uPxmCDf3EYhF7DJIXLwHLADHI09VHKmJQKzX1:KUzQsH4Gjwi64SiDLuPPrJIWADHn9VHl
Threatray 372 similar samples on MalwareBazaar
TLSH T152555B939301531EE3937035C0DCAE35710A66312A3F7C976B141BAADB2B2D15978FAB
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter JaffaCakes118
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
272
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
setup.exe
Verdict:
Malicious activity
Analysis date:
2022-05-10 19:11:10 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/cb6c3c91-a8b9-4d81-bcf8-77be3275c620

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/269531/
Detection(s):
Win.Trojan.Fragtor-9943708-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Running batch commands
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/17021/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe greyware overlay packed zusy
Link:
https://www.filescan.io/uploads/627ab912b119a5f609b84716/reports/bec27a4c-1db0-4be2-9859-3e4b11115fcf/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0921ece2-6f6e-41fe-9e74-984b5107cd5d
Result
Threat name:
BitCoin Miner, RedLine, SilentXMRMiner
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/991346
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Detected VMProtect packer
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected Generic Downloader
Yara detected RedLine Stealer
Yara detected SilentXMRMiner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 623844 Sample: setup.exe Startdate: 10/05/2022 Architecture: WINDOWS Score: 100 67 Snort IDS alert for network traffic 2->67 69 Found malware configuration 2->69 71 Malicious sample detected (through community Yara rule) 2->71 73 11 other signatures 2->73 11 setup.exe 1 2->11         started        14 services32.exe 2->14         started        process3 signatures4 95 Writes to foreign memory regions 11->95 97 Allocates memory in foreign processes 11->97 99 Injects a PE file into a foreign processes 11->99 16 AppLaunch.exe 15 7 11->16         started        21 conhost.exe 11->21         started        101 Antivirus detection for dropped file 14->101 103 Multi AV Scanner detection for dropped file 14->103 105 Machine Learning detection for dropped file 14->105 107 Adds a directory exclusion to Windows Defender 14->107 process5 dnsIp6 63 185.189.167.123, 37360, 49777 SELECTELRU Russian Federation 16->63 65 dl.uploadgram.me 176.9.247.226, 443, 49790 HETZNER-ASDE Germany 16->65 57 C:\Users\user\AppData\Local\Temp\fl.exe, PE32+ 16->57 dropped 75 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 16->75 77 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 16->77 79 Tries to harvest and steal browser information (history, passwords, etc) 16->79 81 Tries to steal Crypto Currency Wallets 16->81 23 fl.exe 4 16->23         started        file7 signatures8 process9 file10 61 C:\Windows\System32\services32.exe, PE32+ 23->61 dropped 87 Antivirus detection for dropped file 23->87 89 Multi AV Scanner detection for dropped file 23->89 91 Machine Learning detection for dropped file 23->91 93 Adds a directory exclusion to Windows Defender 23->93 27 cmd.exe 23->27         started        30 cmd.exe 1 23->30         started        32 cmd.exe 1 23->32         started        signatures11 process12 signatures13 109 Drops executables to the windows directory (C:\Windows) and starts them 27->109 34 services32.exe 27->34         started        38 conhost.exe 27->38         started        111 Uses schtasks.exe or at.exe to add and modify task schedules 30->111 113 Adds a directory exclusion to Windows Defender 30->113 40 powershell.exe 23 30->40         started        42 conhost.exe 30->42         started        44 powershell.exe 30->44         started        46 conhost.exe 32->46         started        48 schtasks.exe 1 32->48         started        process14 file15 59 C:\Windows\System32\...\sihost32.exe, PE32+ 34->59 dropped 85 Adds a directory exclusion to Windows Defender 34->85 50 cmd.exe 34->50         started        signatures16 process17 signatures18 83 Adds a directory exclusion to Windows Defender 50->83 53 conhost.exe 50->53         started        55 powershell.exe 50->55         started        process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e6e790f409e5451fc14ffd3da64747f49b17ba9b32b2b3effbba9a6597c88bfb/
Threat name:
Win32.Trojan.RedLineStealer
Create hunting rule
Status:
Malicious
First seen:
2022-05-10 19:12:08 UTC
File Type:
PE (Exe)
AV detection:
15 of 41 (36.59%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=43tzb5aj4vcr7qkp7u62mr2h6snrpou3gkzlh373xknglf6irp5q._file
Verdict:
malicious
Similar samples:
27e097f778ff901a6ab3ec22ab871e5185328dd9243654087fa52926337d012f
RedLineStealer
2b53e9bdbd7d04eb75bbe1c56658627aa70b718d1213d81e2e73e0681e2fc6cc
RedLineStealer
4b02abd00d897adf05a71a2b6bd6af5abe00908fb7a7267eba6affb2cd598b13
RedLineStealer
5d913dfaea341540468e089d54d3a903f95c3e177db7a4f8a96c91ae8e2bde9a
RedLineStealer
a866fa02bf6f9324d6f3713ed1533e4f0262a29a50ab0734e03fe6ed52df11fd
RedLineStealer
be1b5944f22b04374338b38f5abb922a0ea51a01305e2fdf5ef6c34a3dc026a5
RedLineStealer
d447b892b3a86c24049ef7d69b92bf8ae770eb661fe8b02b168ef86f95339068
RedLineStealer
+ 362 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:@mnogoznaika22 infostealer spyware vmprotect
Link:
https://tria.ge/reports/220510-xwg9cagba5/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
VMProtect packed file
Downloads MZ/PE file
Executes dropped EXE
RedLine
RedLine Payload
Malware Config
C2 Extraction:
185.189.167.123:37360
Unpacked files
SH256 hash:
3f5b6a6aeb8f8fecd405bf5aa27fa324c8ec732581785e31efb4c82ad3bf0604
MD5 hash:
320f0f1a7a4ff826f9797b7b694aa388
SHA1 hash:
dcf9c40c7817ff58b3fe6028476d37a903128fef
Link:
https://www.unpac.me/results/d96c8f6c-9cb2-413a-a63b-b1ac5b85de60/
SH256 hash:
e6e790f409e5451fc14ffd3da64747f49b17ba9b32b2b3effbba9a6597c88bfb
MD5 hash:
dbce6bf0a4a9c1c63ce4aa1e96119c44
SHA1 hash:
8f5eb4e6b3adf6fca125cd30aaf5cf8d82aa79b0
Link:
https://www.unpac.me/results/d96c8f6c-9cb2-413a-a63b-b1ac5b85de60/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e6e790f409e5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e6e790f409e5451fc14ffd3da64747f49b17ba9b32b2b3effbba9a6597c88bfb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe e6e790f409e5451fc14ffd3da64747f49b17ba9b32b2b3effbba9a6597c88bfb

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/269531/

Comments