MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f0befbf3bc4aab1422ef8653f2a85d6ffa0f1eba7f9cecb5a5279600a6daabee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer
Vendor detections: 14

SHA256 hash: f0befbf3bc4aab1422ef8653f2a85d6ffa0f1eba7f9cecb5a5279600a6daabee
SHA3-384 hash: a28e77ba381cc6517efd1c3dae9031880671f19dee3c3f44f79042b0fbe85014b80dbd17338057dc1d8f60a88248fa88
SHA1 hash: ff121cf608f16c2d94c5d0c6709f48867b38c7e8
MD5 hash: 4424f388edd82621e6dc3dc264ec0c99
humanhash: avocado-kentucky-venus-crazy
File name: SecuriteInfo.com.Trojan.GenericKD.65039023.31886.8045
Signature: RedLineStealer
File size: 4'422'944 bytes
First seen: 2023-01-19 03:28:01 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f540b6d6dcfc33b21d0deb0ccba24751 (3 x RedLineStealer, 2 x PrivateLoader, 2 x Amadey)
ssdeep: 98304:mX4pysMFV/PUWdAKXO0LkVNgVmDQcdV61A2kFCPlAA:m1s0U6e0LoNgkE6VFw
Threatray: 2'506 similar samples on MalwareBazaar
TLSH: T18A2623B3A2245141D4F7887AC967FC9031F74E6A9691A87C34E2FEC62C72A59D31BC43
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: b282a88e8eaab692 (26 x CryptBot, 2 x RedLineStealer)
Reporter: SecuriteInfoCom
Tags: exe RedLineStealer signed

Code Signing Certificate

Organisation: Acer Nitro EU AN517-57 [AN517-75-77M3]
Issuer: Acer Nitro EU AN517-57 [AN517-75-77M3]
Algorithm: sha1WithRSAEncryption
Valid from: 2023-01-16T13:46:51Z
Valid to: 2033-01-17T13:46:51Z
Serial number: 588a8b2b0c6d2cb645fa2056593e4aab
Thumbprint Algorithm: SHA256
Thumbprint: 303828502aed13ed3287bb1195019a47d7369f1ba18077ac2efb5190ebecc07f
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform
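The "signed" tag on this entry only records that an Authenticode signature is present. The certificate fields above show why that signature carries no trust: the subject equals the issuer (self-signed, so no CA vouched for the signer), the signature algorithm is SHA-1 with RSA, the validity window is ten years, and the certificate was minted three days before the sample was first seen. The following check is an added example written for this page, not MalwareBazaar or ReversingLabs code; it turns those observations into a repeatable test over the fields shown. The thresholds, the hardware-model regex and the clean control certificate are editorial assumptions, not data from the page.

```python
"""Red-flag heuristics for a code-signing certificate's metadata.

Added example for this page; not MalwareBazaar or ReversingLabs code.
It takes the fields the Code Signing Certificate block exposes (subject
organisation, issuer, signature algorithm, validity window, serial) and
reports why such a signature carries no trust. MAX_VALIDITY_DAYS,
FRESH_CERT_DAYS, HARDWARE_MODEL and CONTROL_CERT are assumptions.
"""
from __future__ import annotations
import re
from dataclasses import dataclass
from datetime import datetime, timezone

WEAK_SIG_ALGS = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}
MAX_VALIDITY_DAYS = 39 * 31   # assumption: public CAs cap code-signing certs at 39 months
FRESH_CERT_DAYS = 30          # assumption: minted right before first use is a throwaway signal
# assumption: an "organisation" that reads like a laptop SKU, e.g. "AN517-57 [AN517-75-77M3]"
HARDWARE_MODEL = re.compile(r"\[[A-Z0-9-]+\]|\b[A-Z]{2}\d{3}-\d{2}\b")


@dataclass(frozen=True)
class CertInfo:
    subject: str
    issuer: str
    sig_alg: str
    not_before: datetime
    not_after: datetime
    serial_hex: str


def ts(s: str) -> datetime:
    """Parse the ISO-8601 Zulu timestamps used in the certificate block."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def red_flags(cert: CertInfo, observed_at: datetime) -> dict[str, str]:
    """Return {flag code: explanation}; an empty dict means nothing stood out."""
    flags: dict[str, str] = {}
    if cert.subject.strip() == cert.issuer.strip():
        flags["self-signed"] = "subject equals issuer: no CA vouched for this signer"
    if cert.sig_alg in WEAK_SIG_ALGS:
        flags["weak-sig-alg"] = f"{cert.sig_alg} is deprecated for code signing"
    validity = (cert.not_after - cert.not_before).days
    if validity > MAX_VALIDITY_DAYS:
        flags["long-validity"] = f"{validity}-day validity exceeds what a public CA issues"
    age = (observed_at - cert.not_before).days
    if 0 <= age <= FRESH_CERT_DAYS:
        flags["fresh-cert"] = f"created {age} day(s) before the sample was first seen"
    if HARDWARE_MODEL.search(cert.subject):
        flags["subject-looks-like-hardware"] = "organisation reads like a device model, not a company"
    return flags


# The certificate from this entry, copied verbatim from the fields above.
PAGE_CERT = CertInfo(
    subject="Acer Nitro EU AN517-57 [AN517-75-77M3]",
    issuer="Acer Nitro EU AN517-57 [AN517-75-77M3]",
    sig_alg="sha1WithRSAEncryption",
    not_before=ts("2023-01-16T13:46:51Z"),
    not_after=ts("2033-01-17T13:46:51Z"),
    serial_hex="588a8b2b0c6d2cb645fa2056593e4aab",
)
PAGE_FIRST_SEEN = datetime(2023, 1, 19, 3, 28, 1, tzinfo=timezone.utc)  # "First seen" above

# Constructed control case (not a real certificate): CA-issued, one year, SHA-256.
CONTROL_CERT = CertInfo(
    subject="Example Software Ltd",
    issuer="Example Public Code Signing CA",
    sig_alg="sha256WithRSAEncryption",
    not_before=ts("2022-03-01T00:00:00Z"),
    not_after=ts("2023-03-01T00:00:00Z"),
    serial_hex="01",
)

if __name__ == "__main__":
    for code, why in red_flags(PAGE_CERT, PAGE_FIRST_SEEN).items():
        print(f"{code:28} {why}")
```

Windows itself would show this signature as "unknown publisher" because the self-signed root is not in the trusted store, so the value of the signature to the operator is not trust but evasion of the crudest "is it signed at all" checks. Treat a signature as a pivot (the thumbprint and serial above are searchable across samples) rather than as a verdict.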

Intelligence

File Origin
Number of uploads: 1
Number of downloads: 233
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 8787309728.zip
Verdict: Malicious activity
Analysis date: 2023-01-18 16:18:02 UTC
Tags: evasion opendir

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Behaviour
Creating a file in the Windows subdirectories
Creating synchronization primitives
Modifying a system file
Replacing files
DNS request
Sending an HTTP GET request
Launching a service
Launching a process
Sending a custom TCP request
Reading critical registry keys
Sending a UDP request
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% subdirectories
Creating a window
Blocking the Windows Defender launch
Query of malicious DNS domain
Adding exclusions to Windows Defender
Sending an HTTP GET request to an infection source
Verdict: No Threat
Threat level: 2/10
Confidence: 80%
Tags: greyware overlay packed shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: PrivateLoader
Verdict: Malicious
Result
Threat name: Amadey, Fabookie, PrivateLoader, RedLine
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the document folder of the user
Hides threads from debuggers
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Group Policy settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Instant Messenger accounts or passwords
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected Fabookie
Yara detected PrivateLoader
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph (ID 787102; sample SecuriteInfo.com.Trojan.Gen...; start date 19/01/2023; architecture WINDOWS; score 100)

Top-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Antivirus detection for dropped file; 17 other signatures.

Process tree, with the dropped files, network contacts and signatures attached to the process that produced them:

SecuriteInfo.com.Trojan.GenericKD.65039023.31886.8045.exe
  network: 87.240.132.78 (VKONTAKTE-SPB-AS, Russian Federation); 95.142.206.0 (VKONTAKTE-SPB-AS, Russian Federation); 13 other IPs or domains
  dropped: C:\Users\...\lxHJN9LQ2IYl_BP0z1r2_NZn.exe (PE32); C:\Users\...\jVrOapx2LYM72im9SB0EeAGt.exe (PE32); C:\Users\...\ZWEYBpkQgkc_PGfLEBMOHOsP.exe (PE32+); 13 other malicious files
  signatures: Creates HTML files with .exe extension (expired dropper behavior); Disables Windows Defender (deletes autostart); Modifies Group Policy settings; 2 other signatures
  |- XNOGzlb5Md_htT2fP5y46aQH.exe
  |    dropped: C:\Users\user\AppData\Local\...\nbveek.exe (PE32)
  |    |- nbveek.exe
  |         network: 62.204.41.27 (TNNET-ASTNNetOyMainnetworkFI, United Kingdom)
  |         dropped: C:\Users\user\AppData\Roaming\...\cred64.dll (PE32+); C:\Users\user\AppData\Roaming\...\clip64.dll (PE32); C:\Users\user\AppData\Local\...\cred64[1].dll (PE32+); C:\Users\user\AppData\Local\...\clip64[1].dll (PE32)
  |         signatures: Multi AV Scanner detection for dropped file; Creates an undocumented autostart registry key; Machine Learning detection for dropped file; 2 other signatures
  |         |- rundll32.exe
  |         |    |- rundll32.exe
  |         |         network: 192.168.2.1
  |         |         signatures: System process connects to network (likely due to code injection or exploit); Tries to steal Instant Messenger accounts or passwords; Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
  |         |         |- tar.exe
  |         |              |- conhost.exe
  |         |- cmd.exe
  |         |    |- conhost.exe; cmd.exe; cacls.exe; 4 other processes
  |         |- schtasks.exe
  |         |    |- conhost.exe
  |         |- rundll32.exe
  |- F2OXMJiaQKcvNjBGUn8DUlSG.exe
  |    dropped: C:\Windows\Temp\321.exe (PE32); C:\Windows\Temp\123.exe (PE32)
  |    |- 321.exe
  |    |    signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign process
  |    |    |- vbc.exe
  |    |    |    network: 65.21.213.208 (CP-ASDE, United States)
  |    |    |    signatures: Tries to harvest and steal browser information (history, passwords, etc)
  |    |    |- conhost.exe
  |    |- 123.exe
  |         |- vbc.exe
  |         |    network: 51.210.137.6 (OVHFR, France)
  |         |- 2 other processes
  |- 6pbOxtyIH9odgqH8M_AXOITc.exe
  |    network: 149.154.167.99 (TELEGRAMRU, United Kingdom)
  |    dropped: C:\Users\...\LvLVUIctgUV1bZJGWZK9dQ5I.exe (MS-DOS); C:\Users\user\AppData\Local\...\WW14[1].bmp (MS-DOS); C:\...\PowerControl_Svc.exe (MS-DOS)
  |    signatures: Overwrites code with unconditional jumps - possibly setting hooks in foreign process; Query firmware table information (likely to detect VMs); Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check)
  |- 6 other processes
       network: 157.240.253.35 (FACEBOOKUS, United States); 45.66.159.142 (ENZUINC-US, Russian Federation)
       dropped: C:\Users\user\AppData\Local\...\Zt76vTE.cpl (PE32)
       signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); 4 other signatures
       |- WerFault.exe
       |    network: 20.189.173.21 (MICROSOFT-CORP-MSN-AS-BLOCK, United States)
       |    signatures: Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Queries memory information (via WMI often done to detect virtual machines)
       |- control.exe
       |    |- rundll32.exe
       |         |- rundll32.exe
       |              |- rundll32.exe
       |- vbc.exe
       |    network: 185.244.181.112 (BELCLOUDBG, Russian Federation)
       |- conhost.exe
nbveek.exe (second instance, started from the root of the graph rather than from the sample's own process tree)
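Several of the behaviours above (Defender disabled via the registry, exclusions added, a scheduled task created with schtasks.exe, executables dropped under C:\Windows\Temp and %temp% and then run, an autostart key written) are the kind an endpoint sensor also sees, so they translate into host detections. The following is an added example written for this page, not MalwareBazaar, ANY.RUN or Joe Sandbox code. The registry paths are the documented Windows Defender policy and exclusion keys; the event layout (a dict with a type, a path or image and a few fields) is an assumption standing in for Sysmon event IDs 1, 11 and 13; and the telemetry is constructed to exercise the rules, not recovered from this sample (the file name 123.exe under C:\Windows\Temp is the only detail borrowed from the graph). Labels reuse the page's wording where a rule maps onto one of its behaviours; "Creates an autostart registry key" is this example's own label.

```python
"""Match endpoint telemetry against the sandbox behaviours listed on the page.

Added example; not MalwareBazaar, ANY.RUN or Joe Sandbox code. The event
shape is an assumption standing in for Sysmon event IDs 1 (process create),
11 (file create) and 13 (registry value set). EVENTS is constructed data.
"""
from __future__ import annotations
import re

# Documented Windows Defender policy keys and the exclusion subkeys.
DEFENDER_POLICY = re.compile(
    r"\\Policies\\Microsoft\\Windows Defender(\\Real-Time Protection)?$", re.I)
DEFENDER_DISABLE_VALUES = {"DisableAntiSpyware", "DisableRealtimeMonitoring"}
DEFENDER_EXCL = re.compile(
    r"\\Microsoft\\Windows Defender\\Exclusions\\(Paths|Processes|Extensions)$", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)$", re.I)
# Executable content written into a Windows subdirectory other than System32, or into %temp%.
WINDOWS_SUBDIR_EXE = re.compile(
    r"^C:\\Windows\\(?!System32\\)[^\\]+\\.+\.(exe|dll|cpl)$", re.I)
TEMP_EXE = re.compile(r"\\AppData\\Local\\Temp\\.+\.(exe|dll|cpl)$", re.I)


def detect(events: list[dict]) -> list[tuple[int, str]]:
    """Return (event index, behaviour label) for every event a rule fires on."""
    hits: list[tuple[int, str]] = []
    created: set[str] = set()   # lower-cased paths written so far
    for i, ev in enumerate(events):
        kind = ev["type"]
        if kind == "registry_set":
            key, name, data = ev["key"], ev["value_name"], ev["data"]
            if DEFENDER_POLICY.search(key) and name in DEFENDER_DISABLE_VALUES and data == 1:
                hits.append((i, "Disable Windows Defender real time protection (registry)"))
            elif DEFENDER_EXCL.search(key):
                hits.append((i, "Adding exclusions to Windows Defender"))
            elif RUN_KEY.search(key):
                hits.append((i, "Creates an autostart registry key"))
        elif kind == "file_create":
            path = ev["path"]
            created.add(path.lower())
            if WINDOWS_SUBDIR_EXE.match(path):
                hits.append((i, "Creating a file in the Windows subdirectories"))
            elif TEMP_EXE.search(path):
                hits.append((i, "Creating a file in the %temp% subdirectories"))
        elif kind == "process_create":
            image, cmdline = ev["image"], ev.get("cmdline", "")
            if image.lower() in created:
                hits.append((i, "Creating a process from a recently created file"))
            exe = image.rsplit("\\", 1)[-1].lower()
            if exe in {"schtasks.exe", "at.exe"} and re.search(r"/create\b", cmdline, re.I):
                hits.append((i, "Uses schtasks.exe or at.exe to add and modify task schedules"))
    return hits


def behaviours(events: list[dict]) -> list[str]:
    """Distinct labels in first-seen order, the form a triage summary wants."""
    return list(dict.fromkeys(label for _, label in detect(events)))


# Constructed telemetry (not from this sample): a dropper writing to
# C:\Windows\Temp, running the drop, neutering Defender, and persisting.
EVENTS = [
    {"type": "file_create", "path": r"C:\Windows\Temp\123.exe"},
    {"type": "process_create", "image": r"C:\Windows\Temp\123.exe", "cmdline": "123.exe"},
    {"type": "registry_set", "key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender",
     "value_name": "DisableAntiSpyware", "data": 1},
    {"type": "registry_set",
     "key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",
     "value_name": "DisableRealtimeMonitoring", "data": 1},
    {"type": "registry_set", "key": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths",
     "value_name": r"C:\Users\user\AppData\Local\Temp", "data": 0},
    {"type": "file_create", "path": r"C:\Users\user\AppData\Local\Temp\updater.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /sc minute /mo 1 /tn updater /tr "C:\Users\user\AppData\Local\Temp\updater.exe" /F'},
    {"type": "registry_set", "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "updater", "data": r"C:\Users\user\AppData\Local\Temp\updater.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for idx, label in detect(EVENTS):
        print(f"event {idx}: {label}")
```

The Defender rules fire on writes to the policy keys regardless of which process writes them, which is the useful property here: the sandbox attributes "Disables Windows Defender (deletes autostart)" and "Modifies Group Policy settings" to the first-stage executable, but on a real host the write may come from a child process, a rundll32.exe host, or a cmd.exe chain like the one under nbveek.exe in the graph.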
Threat name: Win32.Trojan.Privateloader
Status: Malicious
First seen: 2023-01-17 15:12:26 UTC
File Type: PE (Exe)
Extracted files: 53
AV detection: 23 of 39 (58.97%)
Threat level: 5/5
Result
Malware family: privateloader
Score: 10/10
Tags: family:privateloader loader spyware stealer vmprotect
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Drops file in System32 directory
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
VMProtect packed file
PrivateLoader
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: f0befbf3bc4aab1422ef8653f2a85d6ffa0f1eba7f9cecb5a5279600a6daabee
MD5 hash: 4424f388edd82621e6dc3dc264ec0c99
SHA1 hash: ff121cf608f16c2d94c5d0c6709f48867b38c7e8
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_VMProtect
Author:ditekSHen
Description:Detects executables packed with VMProtect.
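Three vendor results above agree that the sample is VMProtect-packed ("Detected VMProtect packer", the vmprotect tag, "VMProtect packed file") and the one TLP:CLEAR YARA hit says the same. A first, cheap check an analyst can run locally on a downloaded sample is to walk the PE section table and look for protector-specific section names and for sections mapped writable and executable, which an unpacking stub needs and a compiler normally never emits. The following is an added example written for this page; it is not the INDICATOR_EXE_Packed_VMProtect rule (that rule's own logic is not reproduced here) and not MalwareBazaar code. It parses the headers by hand so it needs only the standard library; the packer-name table is an assumption drawn from common analyst knowledge, and both test images are constructed skeletons, not this sample.

```python
"""Walk a PE section table and flag packer-style section names and W+X sections.

Added example for this page; not MalwareBazaar code and not the
INDICATOR_EXE_Packed_VMProtect YARA rule. PACKER_SECTIONS is an assumed
table; PROTECTED and CLEAN are constructed skeletons, not this sample.
"""
from __future__ import annotations
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Section-name prefixes typical of packers/protectors (assumed table).
PACKER_SECTIONS = {
    ".vmp": "VMProtect",
    "UPX": "UPX",
    ".themida": "Themida",
    ".aspack": "ASPack",
    ".enigma": "Enigma",
}

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes
FILE_HDR = struct.Struct("<HHIIIHH")          # IMAGE_FILE_HEADER, 20 bytes


def parse_sections(data: bytes) -> list[tuple[str, int]]:
    """Return [(name, characteristics)] for every section in a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsect, _, _, _, opt_size, _ = FILE_HDR.unpack_from(data, e_lfanew + 4)
    off = e_lfanew + 4 + FILE_HDR.size + opt_size
    sections = []
    for _ in range(nsect):
        if off + SECTION_HDR.size > len(data):
            raise ValueError("section table truncated")
        name, *_rest, chars = SECTION_HDR.unpack_from(data, off)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), chars))
        off += SECTION_HDR.size
    return sections


def classify(data: bytes) -> dict:
    """Name the packer (if any) and list sections that are both writable and executable."""
    sections = parse_sections(data)
    packer = None
    for name, _ in sections:
        for prefix, label in PACKER_SECTIONS.items():
            if name.startswith(prefix):
                packer = label
    wx = [name for name, ch in sections
          if ch & IMAGE_SCN_MEM_EXECUTE and ch & IMAGE_SCN_MEM_WRITE]
    return {"sections": [n for n, _ in sections], "packer": packer, "writable_executable": wx}


def build_pe(sections: list[tuple[str, int]]) -> bytes:
    """Construct a minimal, non-runnable PE32 skeleton with the given section table."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)      # 64 bytes
    opt_size = 0xE0                                                      # PE32 optional header
    coff = FILE_HDR.pack(0x014C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)              # Magic = PE32
    table = b"".join(
        SECTION_HDR.pack(name.encode("ascii").ljust(8, b"\0"), 0x1000, 0x1000 * (i + 1),
                         0, 0, 0, 0, 0, 0, chars)
        for i, (name, chars) in enumerate(sections))
    return dos + b"PE\0\0" + coff + opt + table


# Constructed images; neither is derived from the MalwareBazaar file above.
RX = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE
RW = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
PROTECTED = build_pe([(".text", RX), (".vmp0", RW | IMAGE_SCN_MEM_EXECUTE), (".vmp1", RX)])
CLEAN = build_pe([(".text", RX), (".rdata", IMAGE_SCN_MEM_READ), (".data", RW)])

if __name__ == "__main__":
    for label, img in (("protected", PROTECTED), ("clean", CLEAN)):
        print(label, classify(img))
```

To apply it to the real file, read the downloaded sample with `classify(open(path, "rb").read())`. A missing .vmp section does not clear a file (protectors can rename sections), but a hit on a named packer section or on a writable+executable section is a cheap reason to send the file to a sandbox or unpacker before trusting static string or import analysis, which is also why the imphash and ssdeep above cluster with other packed loaders rather than with RedLine itself.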

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments