MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e96bffaf47466cbe75dcf428e6644292c49af8db919bfbcf6d5797cb0eeef35d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e96bffaf47466cbe75dcf428e6644292c49af8db919bfbcf6d5797cb0eeef35d
SHA3-384 hash: 706837ff353eed60575cc080fe43218247ce0a6ee653b25de00ecfade41bb37f561458efc8081339a1ebab304d9dd068
SHA1 hash: 8a00543b1af0d4ab8f130bc66d2a4a0b2d33cb0f
MD5 hash: 68658cac51a3ee725891799aac339613
humanhash: alabama-coffee-fifteen-cola
File name:68658cac51a3ee725891799aac339613
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:156'160 bytes
First seen:2022-02-04 18:42:33 UTC
Last seen:2022-02-04 20:58:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 814f7fd30adaf5f4c13577b5442db364 (2 x RedLineStealer, 1 x RaccoonStealer)
ssdeep 3072:57IuMJuuw/nEmsvs6sgErUV9pWCEoevUHuvAHL+fg5WH96R1c/KlO:FDGw/nEHqgW6ptEocUHuvAHLtjcSY
Threatray 556 similar samples on MalwareBazaar
TLSH T101E35C11BAD1D0B2D676067628F1DBB1D52DFE300F608D5737422B3A6F312D29A25B2E
File icon (PE):PE icon
dhash icon 92aae8c8e8f2b29a (3 x RedLineStealer, 2 x GCleaner, 2 x PrivateLoader)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
170
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Setup_x32_x64.exe
Verdict:
Malicious activity
Analysis date:
2022-02-04 20:03:25 UTC
Tags:
evasion trojan rat redline loader stealer vidar miner amadey opendir tofsee raccoon
Link:
https://app.any.run/tasks/e77b8096-9f3e-4c43-948e-d9110f70bf35

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/233217/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.48244414.7252.1835.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching the default Windows debugger (dwwin.exe)
Blocking the Windows Defender launch
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/6009/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Pioneer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e42f9810-8549-47c8-888e-7dd7f237201d
Result
Threat name:
RedLine Socelars onlyLogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/934200
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Detected unpacking (creates a PE file in dynamic memory)
Disable Windows Defender real time protection (registry)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected onlyLogger
Yara detected RedLine Stealer
Yara detected Socelars
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 566680 Sample: iBgkQQwVxE Startdate: 04/02/2022 Architecture: WINDOWS Score: 100 73 195.189.226.81 OMNILANCEhttpomnilancecomUA Ukraine 2->73 75 20.42.65.92 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 2->75 77 5 other IPs or domains 2->77 91 Multi AV Scanner detection for domain / URL 2->91 93 Malicious sample detected (through community Yara rule) 2->93 95 Antivirus detection for URL or domain 2->95 97 10 other signatures 2->97 9 iBgkQQwVxE.exe 4 31 2->9         started        signatures3 process4 dnsIp5 83 212.193.30.21 SPD-NETTR Russian Federation 9->83 85 212.193.30.45 SPD-NETTR Russian Federation 9->85 87 8 other IPs or domains 9->87 47 C:\Users\...\oTPiB6DG_gBe6sWwVKjIsrU9.exe, PE32+ 9->47 dropped 49 C:\Users\...\lV1Yipb6J7bwoiZIcQuqLr7g.exe, PE32 9->49 dropped 51 C:\Users\...\bhyt8fw0GWgjOK9FueOXme2k.exe, PE32 9->51 dropped 53 6 other files (4 malicious) 9->53 dropped 113 Detected unpacking (creates a PE file in dynamic memory) 9->113 115 Tries to harvest and steal browser information (history, passwords, etc) 9->115 117 Disable Windows Defender real time protection (registry) 9->117 14 bhyt8fw0GWgjOK9FueOXme2k.exe 15 9->14         started        17 G1cjdKz7InF_tm_w2tawv103.exe 7 9->17         started        19 lV1Yipb6J7bwoiZIcQuqLr7g.exe 9->19         started        22 4 other processes 9->22 file6 signatures7 process8 dnsIp9 59 C:\Users\user\AppData\Local\Temp\setup.exe, PE32 14->59 dropped 61 C:\Users\user\AppData\Local\Temp\inst1.exe, PE32 14->61 dropped 63 C:\Users\user\AppData\Local\...\bearvpn3.exe, PE32 14->63 dropped 71 10 other files (6 malicious) 14->71 dropped 25 LightCleaner2352312.exe 14->25         started        30 Proxypub.exe 14->30         started        65 C:\Users\user\AppData\Local\...\Install.exe, PE32 17->65 dropped 32 Install.exe 4 17->32         started        99 Writes to foreign memory regions 19->99 101 Allocates memory in foreign processes 19->101 103 Injects a PE file into a foreign processes 19->103 34 AppLaunch.exe 19->34         started        79 91.238.104.145 BYTES-ASCZ Czech Republic 22->79 67 C:\Users\...\pidHTSIGEi8DrAmaYu9K8ghN89.dll, PE32+ 22->67 dropped 69 C:\Users\user\AppData\Local\...\PdSIHzlf.cpl, PE32 22->69 dropped 36 WerFault.exe 20 9 22->36         started        file10 signatures11 process12 dnsIp13 89 104.21.76.213 CLOUDFLARENETUS United States 25->89 55 e4edb0e6-eb80-4e19-8203-916eed342d8f.exe, MS-DOS 25->55 dropped 119 Tries to evade analysis by execution special instruction which cause usermode exception 25->119 57 C:\Users\user\AppData\Local\...\Install.exe, PE32 32->57 dropped 121 Multi AV Scanner detection for dropped file 32->121 123 Machine Learning detection for dropped file 32->123 38 Install.exe 32->38         started        file14 signatures15 process16 dnsIp17 81 192.168.2.1 unknown unknown 38->81 43 C:\Users\user\AppData\Local\...\nGDUOMW.exe, PE32 38->43 dropped 45 C:\Windows\System32behaviorgraphroupPolicy\gpt.ini, ASCII 38->45 dropped 105 Antivirus detection for dropped file 38->105 107 Multi AV Scanner detection for dropped file 38->107 109 Machine Learning detection for dropped file 38->109 111 Modifies Group Policy settings 38->111 file18 signatures19
Gathering data
Threat name:
Win32.Backdoor.Zapchast
Create hunting rule
Status:
Malicious
First seen:
2022-01-27 16:10:36 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
31 of 43 (72.09%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5fv77l2hizwl45o46quomzccslcjv6g3sgn7xt3nk6l4wdxo6noq._file
Verdict:
malicious
Label(s):
ryuk
Create hunting rule
Similar samples:
10c760b38e37d7df4fdb3caa56328e51943ac422018b1261fbd4820cdaa046d3
RedLineStealer
15cea3c23e9d0f1ec3a748746bd425d642ae25b042b1b36c8364f721235f0f0d
RedLineStealer
1e4b2af07cb9e6478dbf5051e1839a1f944e950a6f2dbadc94446928e46e7d45
RedLineStealer
7fa24025283e6b745f20c81e15a8cdb866905fb079579b71efd9e659398cb574
RedLineStealer
9e719c4dd5e1086d5197fded7b8cdb0d3d592c0636b0d469fcda22c9723e8e7c
RedLineStealer
e00ddba4fd34c7b0f0f2e547ee9e3ff4c0cb4d906f1ca26b17ba2e3f459c59bd
RedLineStealer
eeb0c6a760a7c9d17c02dbacf4f4715917caf3d111209ce29b67b366dc8b9dd9
RedLineStealer
+ 546 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220204-xcw86adha4/
Unpacked files
SH256 hash:
e96bffaf47466cbe75dcf428e6644292c49af8db919bfbcf6d5797cb0eeef35d
MD5 hash:
68658cac51a3ee725891799aac339613
SHA1 hash:
8a00543b1af0d4ab8f130bc66d2a4a0b2d33cb0f
Link:
https://www.unpac.me/results/3a69981d-1c7a-46a1-aad5-d28d566cff59/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e96bffaf47466cbe75dcf428e6644292c49af8db919bfbcf6d5797cb0eeef35d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_DLInjector06
Create hunting rule
Author:ditekSHen
Description:Detects downloader / injector

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe e96bffaf47466cbe75dcf428e6644292c49af8db919bfbcf6d5797cb0eeef35d

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2029145/
Cape
Cape
https://www.capesandbox.com/analysis/233217/

Comments


Avatar
zbet commented on 2022-02-04 18:42:33 UTC

url : hxxp://212.193.30.45/WW14.bmp