MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ed2658bd38914a6718e2e4f09e6d23c2b6c763e90f93646c580b85c33fd2c59e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 16



SHA256 hash: ed2658bd38914a6718e2e4f09e6d23c2b6c763e90f93646c580b85c33fd2c59e
SHA3-384 hash: d08c8be011c92d51d4ffc1812860535e4041376e0e109810dde41425f0769347265b9617f5f2d277a25213ed8bb601de
SHA1 hash: 647722280956067d09d262120776a954b64d4fa2
MD5 hash: 6e75d28e8c62737302435c206d401ecc
humanhash: oxygen-yankee-kansas-oklahoma
File name: 6e75d28e8c62737302435c206d401ecc.exe
Signature: RedLineStealer
File size: 3'084'056 bytes
First seen: 2024-06-03 13:55:06 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 00be6e6c4f9e287672c8301b72bdabf3 (116 x RedLineStealer, 70 x AsyncRAT, 55 x AgentTesla)
ssdeep: 49152:VIfblo986T2njmZHDIkduvYcg9/YyCBGQPDK2z3fANo7+VnAeRq8HBaegPzcxCn4:VIXdiZvdPf2DGQ7L3gR7HBaegPzcxCn4
Threatray: 995 similar samples on MalwareBazaar
TLSH: T185E53302AFD58472E43224314526D79178BE7920BF1CDF9EF7E46E6DB9B10A072349A3
TrID: 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
      13.7% (.EXE) Win32 Executable (generic) (4504/4/1)
      6.2% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
147.45.47.36:27667

Intelligence


File Origin
# of uploads: 1
# of downloads: 392
Origin country: NL
Vendor Threat Intelligence
Malware family: redline
ID: 1
File name: ed2658bd38914a6718e2e4f09e6d23c2b6c763e90f93646c580b85c33fd2c59e.exe
Verdict: Malicious activity
Analysis date: 2024-06-03 13:56:41 UTC
Tags: stealer meta metastealer redline miner xmrig

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Verdict: Malicious
Score: 99.1%
Tags: Banker Encryption Execution Generic Network Other Static Stealth Heur Dexter
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Searching for the window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the %AppData% directory
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Creating a file
Deleting a system file
Running batch commands
Launching a process
Reading critical registry keys
Creating a file in the %temp% directory
Creating a service
Launching a service
Creating a file in the Windows subdirectories
Creating a file in the system32 subdirectories
Unauthorized injection to a recently created process
Connection attempt to an infection source
Sending a TCP request to an infection source
Stealing user critical data
Enabling autorun for a service
Adding an exclusion to Microsoft Defender
Forced shutdown of a browser
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-debug coinminer confuserex epmicrosoft_visual_cc fingerprint installer lolbin microsoft_visual_cc miner net overlay packed packed packed setupapi sfx shdocvw shell32 zusy
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to capture screen (.Net source)
Found malware configuration
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies power options to not sleep / hibernate
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Reads the System eventlog
Sigma detected: Disable power options
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Stop EventLog
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses powercfg.exe to modify the power settings
Yara detected RedLine Stealer
Behaviour
Behavior Graph (ID 1451120; sample Sj6RXNl1qf.exe; start date 03/06/2024; architecture WINDOWS; score 100)

Signatures on the submitted sample: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected RedLine Stealer; 9 other signatures.

Process tree (dropped files and signatures listed under the process that produced them):

Sj6RXNl1qf.exe
    dropped: C:\Users\user\AppData\Roaming\svhost.exe (PE32)
    dropped: C:\Users\user\AppData\Roaming\3.exe (PE32)
    dropped: C:\Users\user\AppData\Roaming\123.exe (PE32+)
    123.exe
        dropped: C:\ProgramData\...\gfqyepapamry.exe (PE32+)
        signatures: Multi AV Scanner detection for dropped file; Uses powercfg.exe to modify the power settings; Adds a directory exclusion to Windows Defender; Modifies power options to not sleep / hibernate
        powershell.exe
            signature: Loading BitLocker PowerShell Module
            WmiPrvSE.exe
            conhost.exe
        cmd.exe
            conhost.exe
            wusa.exe
        sc.exe
            conhost.exe
        12 other processes
            conhost.exe (3 instances)
            8 other processes
    3.exe
        signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Reads the System eventlog
        conhost.exe
    svhost.exe
        signature: Queries memory information (via WMI often done to detect virtual machines)
    conhost.exe
gfqyepapamry.exe
    signature: Multi AV Scanner detection for dropped file
svchost.exe
    network: 127.0.0.1 (unknown)
Threat name: Win32.Trojan.Generic
Status: Malicious
First seen: 2024-05-30 21:04:51 UTC
File Type: PE (Exe)
Extracted files: 36
AV detection: 20 of 24 (83.33%)
Threat level: 2/5
Result
Malware family:
Score: 10/10
Tags: family:redline family:xmrig discovery evasion execution infostealer miner persistence spyware stealer upx
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Stops running service(s)
XMRig Miner payload
RedLine
RedLine payload
xmrig
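Several of the behaviours reported above are visible in ordinary process-creation telemetry: the Sigma hits "Powershell Base64 Encoded MpPreference Cmdlet", "Disable power options" and "Stop EventLog" in the signature list, and "Command and Scripting Interpreter: PowerShell", "Launches sc.exe" and "Stops running service(s)" in the behaviour list just above. The Python below is an added example, not code from MalwareBazaar or any of the sandbox vendors: it decodes PowerShell -EncodedCommand arguments and applies three checks modelled on those rule titles (an approximation of what such rules look for, not the published Sigma logic) to a handful of constructed Sysmon-style events. The event contents, paths and check names are assumptions made for the example.

```python
"""Process-creation checks for three behaviours reported in the sandbox results.
Added example; the events are constructed and the checks approximate the Sigma
rule titles rather than reproducing the published rules."""
import base64
import re

# PowerShell accepts -EncodedCommand and its unambiguous prefixes (-e, -ec, -enc).
_ENC_RE = re.compile(r"(?:^|\s)[-/](?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# powercfg /x|-change <standby|hibernate|monitor>-timeout-<ac|dc> 0, or hibernation switched off
_POWERCFG_RE = re.compile(
    r"[-/](?:x|change)\s+(?:standby|hibernate|monitor)-timeout-(?:ac|dc)\s+0\b"
    r"|[-/](?:h|hibernate)\s+off\b", re.I)
# sc stop eventlog / sc config eventlog ... / net stop eventlog / Stop-Service eventlog
_EVENTLOG_RE = re.compile(
    r"\b(?:stop|config)\s+eventlog\b|stop-service\s+(?:-name\s+)?['\"]?eventlog\b", re.I)


def decode_encoded_command(cmdline: str) -> str:
    """Return the UTF-16LE script behind -EncodedCommand, or '' if absent or invalid."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def match_event(event: dict) -> list:
    """Return the names of the checks an event satisfies (empty list if none)."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    cmd = event["cmdline"]
    hits = []
    if image in ("powershell.exe", "pwsh.exe"):
        # "Powershell Base64 Encoded MpPreference Cmdlet": the cmdlet is only visible after decoding
        if re.search(r"(?:Add|Set)-MpPreference", decode_encoded_command(cmd), re.I):
            hits.append("powershell_b64_mppreference")
    if image == "powercfg.exe" and _POWERCFG_RE.search(cmd):
        # "Disable power options": a miner wants the host awake
        hits.append("powercfg_disable_power_options")
    if image in ("sc.exe", "net.exe", "net1.exe", "powershell.exe", "pwsh.exe") and _EVENTLOG_RE.search(cmd):
        # "Stop EventLog": also flags sc config changes to the service (start= disabled)
        hits.append("eventlog_service_stopped")
    return hits


def scan_events(events) -> list:
    """(event index, check name) for every check every event triggers."""
    return [(i, rule) for i, ev in enumerate(events) for rule in match_event(ev)]


def _enc(script: str) -> str:
    """Encode a script the way PowerShell expects it for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed events with assumed Sysmon Event ID 1-style fields; not taken from this
# sample or any sandbox report. Events 0-2 are meant to fire, 3-5 are benign controls.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand "
                + _enc("Add-MpPreference -ExclusionPath 'C:\\ProgramData'")},
    {"image": r"C:\Windows\System32\powercfg.exe", "cmdline": "powercfg /x standby-timeout-ac 0"},
    {"image": r"C:\Windows\System32\sc.exe", "cmdline": "sc stop eventlog"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -EncodedCommand " + _enc("Get-Date")},
    {"image": r"C:\Windows\System32\sc.exe", "cmdline": "sc query eventlog"},
    {"image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
]

if __name__ == "__main__":
    for idx, rule in scan_events(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}: {SAMPLE_EVENTS[idx]['cmdline'][:60]}")
```

The base64 decode step matters: a plain substring search for MpPreference on the raw command line misses event 0 entirely, which is exactly the gap the encoded-cmdlet rule closes. Against real telemetry, restrict the Defender check to exclusions that point at user-writable or ProgramData paths to keep legitimate administration out of the queue.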
Unpacked files

SHA256 hash: 35072f69afb28b2784468ae8d830df9075b582ff186fe72f6fc820c65dba28c1
MD5 hash: d766ac3d3c2710f9eb1bfb493c2a7db3
SHA1 hash: 7a94bf0e6380f931e4491ebda4cc2a65a399622f
Detections: SUSP_NET_NAME_ConfuserEx INDICATOR_EXE_Packed_ConfuserEx

SHA256 hash: a57574886778cb9a3056e81aabb0c6ea749907a9668284ba7ef1069c666e7659
MD5 hash: 08441a201c1a475c1fc82ff072e3d442
SHA1 hash: 91152d11325137c52e9a38f5944b3a1030b81e56
Detections: SUSP_NET_NAME_ConfuserEx INDICATOR_EXE_Packed_ConfuserEx

SHA256 hash: ce51ed0339a350243bc1576fcfa76e1b589908055f24123c9816f0dc8bf8c22a
MD5 hash: 90212c985d978d490e394a941976c5ee
SHA1 hash: 31f546d1390e53760515482ecd719b6b008aca91

SHA256 hash: 52c8c92f79183a354c5ee59653426b0f97209c37eec39fe5077ef43666eaf8a1
MD5 hash: b0601c9443dd3b7a6b02ee764791c9ad
SHA1 hash: 8ed01f29022ce752408bae7ff961edc06872413a

SHA256 hash: ed2658bd38914a6718e2e4f09e6d23c2b6c763e90f93646c580b85c33fd2c59e
MD5 hash: 6e75d28e8c62737302435c206d401ecc
SHA1 hash: 647722280956067d09d262120776a954b64d4fa2
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: BLOWFISH_Constants
Author: phoul (@phoul)
Description: Look for Blowfish constants

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: ldpreload
Author: xorseed
Reference: https://stuff.rop.io/

Rule name: MacOS_Cryptominer_Xmrig_241780a1
Author: Elastic Security

Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: MALWARE_Win_CoinMiner02
Author: ditekSHen
Description: Detects coinmining malware

Rule name: MAL_XMR_Miner_May19_1
Author: Florian Roth (Nextron Systems)
Description: Detects Monero Crypto Coin Miner
Reference: https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/

Rule name: MAL_XMR_Miner_May19_1_RID2E1B
Author: Florian Roth
Description: Detects Monero Crypto Coin Miner
Reference: https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: Mimikatz_Generic
Author: Still
Description: attempts to match all variants of Mimikatz

Rule name: rig_win64_xmrig_6_13_1_xmrig
Author: yarGen Rule Generator
Description: rig_win64 - file xmrig.exe
Reference: https://github.com/Neo23x0/yarGen

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: SelfExtractingRAR
Author: Xavier Mertens
Description: Detects an SFX archive with automatic script execution

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants

Rule name: WHIRLPOOL_Constants
Author: phoul (@phoul)
Description: Look for WhirlPool constants

Rule name: XMRIG_Monero_Miner
Author: Florian Roth (Nextron Systems)
Description: Detects Monero mining software
Reference: https://github.com/xmrig/xmrig/releases
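Several of the hits above (BLOWFISH_Constants, MD5_Constants, SHA1_Constants, SHA512_Constants, RIPEMD160_Constants) come from rules whose only test is whether an algorithm's published initialisation constants occur in the binary. The scanner below is an added example, not any of those rules and not the MalwareBazaar matcher: it searches a buffer for the published IVs in both byte orders, as such rules do, against a constructed byte string that imitates x86 code loading the SHA-1 IV and a big-endian SHA-512 IV table. Two practical points the result illustrates: the MD5 IV is the first four words of the SHA-1 and RIPEMD-160 IVs, so those three rules tend to fire together on one routine, and crypto constants on their own also appear in countless benign binaries (any hashing or TLS library), so these hits are context for a triage, not a verdict.

```python
"""Search a buffer for published hash/cipher initialisation constants, the way the
*_Constants YARA rules do. Added example; the sample buffer is constructed."""
import struct

# Published initial values. A set counts as found only if every word is present.
# "I" = 32-bit words, "Q" = 64-bit words.
CONSTANT_SETS = {
    "MD5":            ("I", (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)),
    # SHA-1 and RIPEMD-160 share the same five-word IV, so they cannot be told apart this way.
    "SHA1/RIPEMD160": ("I", (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)),
    "SHA512":         ("Q", (0x6A09E667F3BCC908, 0xBB67AE8584CAA73B)),   # H0, H1
    "BLOWFISH":       ("I", (0x243F6A88, 0x85A308D3)),                   # P[0], P[1] (digits of pi)
}


def find_crypto_constants(buf: bytes) -> dict:
    """Map each constant set found in buf to the byte order it was found in."""
    hits = {}
    for name, (size, words) in CONSTANT_SETS.items():
        for endian, label in (("<", "little"), (">", "big")):
            if all(struct.pack(endian + size, w) in buf for w in words):
                hits[name] = label
                break
    return hits


def build_sample() -> bytes:
    """Constructed buffer: NOP padding, five 'mov eax, imm32' instructions (0xB8 followed
    by a little-endian dword) carrying the SHA-1 IV, then a big-endian SHA-512 IV table.
    Imitates compiled hashing code; not bytes from any real sample."""
    code = b"\x90" * 8
    for w in CONSTANT_SETS["SHA1/RIPEMD160"][1]:
        code += b"\xb8" + struct.pack("<I", w) + b"\x90"
    table = b"".join(struct.pack(">Q", w) for w in CONSTANT_SETS["SHA512"][1])
    return code + b"\x90" * 8 + table


if __name__ == "__main__":
    for name, order in sorted(find_crypto_constants(build_sample()).items()):
        print(f"{name}: found ({order}-endian)")
```

Scanning a whole PE with this is cheap, but the same caveat applies as to the YARA results: on a .NET sample like this one the constants may belong to the runtime's own crypto classes or to a packer's decryption routine rather than to the payload.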

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
RedLineStealer
Executable exe ed2658bd38914a6718e2e4f09e6d23c2b6c763e90f93646c580b85c33fd2c59e (this sample)

Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high

Reviews

ID | Capabilities | Evidence
GDI_PLUS_API | Interfaces with Graphics | gdiplus.dll::GdiplusStartup, gdiplus.dll::GdiplusShutdown, gdiplus.dll::GdipAlloc
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryW, KERNEL32.dll::LoadLibraryExA, KERNEL32.dll::LoadLibraryExW, KERNEL32.dll::GetSystemInfo, KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::AllocConsole, KERNEL32.dll::AttachConsole, KERNEL32.dll::WriteConsoleW, KERNEL32.dll::FreeConsole, KERNEL32.dll::SetStdHandle, KERNEL32.dll::GetConsoleMode, KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CreateDirectoryW, KERNEL32.dll::CreateHardLinkW, KERNEL32.dll::CreateFileW, KERNEL32.dll::CreateFileMappingW, KERNEL32.dll::DeleteFileW, KERNEL32.dll::MoveFileW, KERNEL32.dll::MoveFileExW
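Both BLint findings are properties of the PE optional header and can be read without a linter: HIGH_ENTROPY_VA is bit 0x0020 of the DllCharacteristics field (at offset 70 of the optional header for both PE32 and PE32+), and an Authenticode signature can only be present when the Security data directory (index 4) has a non-zero size. The parser below is an added example, not BLint's code, and it runs against constructed minimal PE32/PE32+ headers rather than against this sample. The mapping onto the two finding IDs is an assumption modelled on the titles above; in particular it is assumed that HIGH_ENTROPY_VA is only reported for 64-bit images, since the flag has no effect on PE32. A non-zero Security directory only shows that a certificate table is attached; it does not validate the signature.

```python
"""Read the two properties BLint flagged (Authenticode table present, HIGH_ENTROPY_VA
set) straight from a PE header. Added example, not BLint's code; the headers it is
exercised on are constructed and contain no sections."""
import struct

# IMAGE_DLLCHARACTERISTICS_* bits of the optional header's DllCharacteristics field
DLL_CHARACTERISTICS = {
    "high_entropy_va": 0x0020,   # 64-bit ASLR; the flag BLint reported missing
    "dynamic_base":    0x0040,   # ASLR
    "force_integrity": 0x0080,
    "nx_compat":       0x0100,   # DEP
    "no_seh":          0x0400,
    "guard_cf":        0x4000,   # Control Flow Guard
}


def pe_security_checks(data: bytes) -> dict:
    """Return the image format, the DllCharacteristics flags and whether a Security
    directory (certificate table) is present. Presence is not signature validation."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    opt = e_lfanew + 4 + 20                       # COFF file header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:
        kind, dirs = "PE32", 96                   # offset of the data directories
    elif magic == 0x20B:
        kind, dirs = "PE32+", 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]     # same offset in both formats
    n_dirs = struct.unpack_from("<I", data, opt + dirs - 4)[0]  # NumberOfRvaAndSizes
    signed = False
    if n_dirs > 4:                                 # index 4 = IMAGE_DIRECTORY_ENTRY_SECURITY
        _file_offset, size = struct.unpack_from("<II", data, opt + dirs + 4 * 8)
        signed = size != 0
    result = {"format": kind, "authenticode": signed}
    for name, bit in DLL_CHARACTERISTICS.items():
        result[name] = bool(dllchars & bit)
    return result


def blint_style_findings(data: bytes) -> list:
    """Assumed mapping of the parsed header onto the two finding IDs BLint reported."""
    r = pe_security_checks(data)
    findings = []
    if not r["authenticode"]:
        findings.append("CHECK_AUTHENTICODE")
    if r["format"] == "PE32+" and not r["high_entropy_va"]:   # assumption: 64-bit images only
        findings.append("CHECK_DLL_CHARACTERISTICS")
    return findings


def build_header(pe32plus: bool, dllchars: int, signed: bool) -> bytes:
    """Constructed minimal header: DOS header with e_lfanew=64, PE signature, COFF
    header, optional header with 16 data directories. Only for exercising the parser."""
    magic, opt_size, dirs = (0x20B, 240, 112) if pe32plus else (0x10B, 224, 96)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x0022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dllchars)
    struct.pack_into("<I", opt, dirs - 4, 16)
    if signed:
        struct.pack_into("<II", opt, dirs + 4 * 8, 0x1000, 0x2000)  # placeholder certificate table
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # 0x8140 = TERMINAL_SERVER_AWARE | NX_COMPAT | DYNAMIC_BASE, no HIGH_ENTROPY_VA, unsigned
    print(blint_style_findings(build_header(True, 0x8140, False)))
```

On a real file, read it into memory and pass the bytes to pe_security_checks; for the Authenticode side, pair the presence check with an actual signature verification (signtool, or the WinVerifyTrust API) before treating "signed" as meaningful.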

Comments