MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f1b6cd2cd50005b44743e9fa0bd7e3faaa01a02fa2e5004db6d5f47debb27b85. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f1b6cd2cd50005b44743e9fa0bd7e3faaa01a02fa2e5004db6d5f47debb27b85
SHA3-384 hash: 5131c5b3e1325d0b9747d59a776421fe44f88e95b13dc384ca520a71b8b73138d1c65af657020c9d903c3d8709640252
SHA1 hash: 403cca2e0d7e1f040efc44b106c37403f13c7c3d
MD5 hash: c3133f673bcd04ad8ea1fc0a9b07666a
humanhash: seven-spring-cup-fourteen
File name:c3133f673bcd04ad8ea1fc0a9b07666a.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'350'144 bytes
First seen:2023-09-19 15:48:46 UTC
Last seen:2023-09-19 16:35:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 07369f734c0325aae69a2991bce41551 (15 x MysticStealer, 4 x RedLineStealer, 1 x CoinMiner)
ssdeep 24576:MSZSVF/6FDTWtPO6Je4oESy3uYZrym2WDirYf:ZS/2z0YESy3uYZem20f
Threatray 11 similar samples on MalwareBazaar
TLSH T1FE55128572D6C432CC32A53A45F583B5597DAC200B68ACDFA7A11FBE8E746D3D13029E
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
281
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c3133f673bcd04ad8ea1fc0a9b07666a.exe
Verdict:
No threats detected
Analysis date:
2023-09-19 16:42:24 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b3ba4f26-b641-408f-8818-1a1f3bbffb98

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/449709/
Detection(s):
SecuriteInfo.com.Trojan.SpyBot.1299.25990.9704.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file
Delayed writing of the file
Launching a process
Sending a custom TCP request
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Modifying a system executable file
Launching a service
Blocking the Windows Defender launch
Disabling the operating system update service
Unauthorized injection to a system process
Infecting executable files
Gathering data
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
control greyware lolbin packed
Link:
https://www.filescan.io/uploads/6509c2f432ffdb7a7a0c0135/reports/fdcd1db6-e7c9-43e2-9656-1b21935ae53f/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/f1b6cd2cd50005b44743e9fa0bd7e3faaa01a02fa2e5004db6d5f47debb27b85
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6ee9dde5-6a7a-49cc-8d26-b26889ecad82
Result
Threat name:
Mystic Stealer, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1310883
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Mystic Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1310883 Sample: 8a8iq1n47K.exe Startdate: 19/09/2023 Architecture: WINDOWS Score: 100 96 Snort IDS alert for network traffic 2->96 98 Found malware configuration 2->98 100 Malicious sample detected (through community Yara rule) 2->100 102 7 other signatures 2->102 11 8a8iq1n47K.exe 1 2->11         started        14 rundll32.exe 2->14         started        16 rundll32.exe 2->16         started        process3 signatures4 118 Contains functionality to inject code into remote processes 11->118 120 Writes to foreign memory regions 11->120 122 Allocates memory in foreign processes 11->122 124 Injects a PE file into a foreign processes 11->124 18 AppLaunch.exe 1 4 11->18         started        22 WerFault.exe 23 9 11->22         started        24 conhost.exe 11->24         started        process5 file6 62 C:\Users\user\AppData\Local\...\x3090185.exe, PE32 18->62 dropped 64 C:\Users\user\AppData\Local\...\k4877676.exe, PE32 18->64 dropped 104 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 18->104 106 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 18->106 26 x3090185.exe 1 4 18->26         started        signatures7 process8 file9 70 C:\Users\user\AppData\Local\...\x2400109.exe, PE32 26->70 dropped 72 C:\Users\user\AppData\Local\...\j5026923.exe, PE32 26->72 dropped 126 Antivirus detection for dropped file 26->126 128 Machine Learning detection for dropped file 26->128 30 x2400109.exe 1 4 26->30         started        34 j5026923.exe 26->34         started        signatures10 process11 file12 74 C:\Users\user\AppData\Local\...\x8491253.exe, PE32 30->74 dropped 76 C:\Users\user\AppData\Local\...\i4372545.exe, PE32 30->76 dropped 130 Antivirus detection for dropped file 30->130 132 Machine Learning detection for dropped file 30->132 36 x8491253.exe 1 4 30->36         started        40 i4372545.exe 30->40         started        134 Writes to foreign memory regions 34->134 136 Allocates memory in foreign processes 34->136 138 Injects a PE file into a foreign processes 34->138 43 AppLaunch.exe 34->43         started        45 conhost.exe 34->45         started        47 WerFault.exe 34->47         started        signatures13 process14 dnsIp15 66 C:\Users\user\AppData\Local\...\h2134707.exe, PE32 36->66 dropped 68 C:\Users\user\AppData\Local\...\g0224749.exe, PE32 36->68 dropped 108 Antivirus detection for dropped file 36->108 110 Machine Learning detection for dropped file 36->110 49 g0224749.exe 1 36->49         started        52 h2134707.exe 4 36->52         started        80 5.42.92.211, 49732, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 40->80 112 Tries to harvest and steal browser information (history, passwords, etc) 43->112 file16 signatures17 process18 dnsIp19 82 Machine Learning detection for dropped file 49->82 84 Writes to foreign memory regions 49->84 86 Allocates memory in foreign processes 49->86 88 Injects a PE file into a foreign processes 49->88 55 AppLaunch.exe 9 1 49->55         started        58 WerFault.exe 19 9 49->58         started        60 conhost.exe 49->60         started        78 77.91.124.82, 19071, 49724, 49742 ECOTEL-ASRU Russian Federation 52->78 90 Antivirus detection for dropped file 52->90 92 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 52->92 94 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 52->94 signatures20 process21 signatures22 114 Disable Windows Defender notifications (registry) 55->114 116 Disable Windows Defender real time protection (registry) 55->116
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f1b6cd2cd50005b44743e9fa0bd7e3faaa01a02fa2e5004db6d5f47debb27b85/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-09-19 15:49:09 UTC
File Type:
PE (Exe)
AV detection:
14 of 22 (63.64%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6g3m2lgvaac3ir2d5h5axv7d7kvadibpulsqatnw2x2h325spocq._file
Verdict:
malicious
Similar samples:
019837d3545e57da432d02ab77deb63087ac0f1367745804b305f13c3a085e40
RedLineStealer
2d140d689340ad3c89f8871fe6b9175d1b6087b11f28f527e976130c71ea4f6c
RedLineStealer
51694025b727e4281bfe73235b647a08b4d6d60e28de1a971c9bf11b08c97038
RedLineStealer
59461529137992a77c93a01b7783bc61e731937d2dcd3f58f31d668cc4bd5443
RedLineStealer
9d0e1d8959e30aab2c34d57c91e48d7208cd92a8cee92d83613ce219cba0b59b
RedLineStealer
b582c20485dc84d7544083daf9f529bd817c525e1646208fdef1826eb0309074
RedLineStealer
bf8bcbfbf024809739036776a84ed2904d754f215706c69217facb250fa1755d
RedLineStealer
e410e077c7037e5a272e536dc9d2e117520cd15af03a113bcdfbc72a7e597dd5
RedLineStealer
f3f3ed834c15925cd4af9994c27f3e8a01e50c448952cee67deeee5f5fdfcd0f
RedLineStealer
fe4a38331085f77c7bffc6c92985ca40bcbc3a429bb2831fe435926dd7d13f3d
RedLineStealer
+ 1 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:healer family:redline botnet:vasha dropper evasion infostealer persistence trojan
Link:
https://tria.ge/reports/230919-s9chssaa7v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Detects Healer an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
RedLine
Malware Config
C2 Extraction:
77.91.124.82:19071
Unpacked files
SH256 hash:
cd7c31bbccfe6a95995f397fb831044129c301afd2725d2aeba42295686e8ed6
MD5 hash:
412806d4aa5619bbf6049c43481ac43c
SHA1 hash:
602236eef41974e7aeb1e2f841e04189c2ff73f7
Link:
https://www.unpac.me/results/c7dd37ab-97bb-4cd2-a5b9-46ddeda43ec3/
SH256 hash:
f1b6cd2cd50005b44743e9fa0bd7e3faaa01a02fa2e5004db6d5f47debb27b85
MD5 hash:
c3133f673bcd04ad8ea1fc0a9b07666a
SHA1 hash:
403cca2e0d7e1f040efc44b106c37403f13c7c3d
Link:
https://www.unpac.me/results/c7dd37ab-97bb-4cd2-a5b9-46ddeda43ec3/
Malware family:
RedLine.E
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f1b6cd2cd500/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f1b6cd2cd50005b44743e9fa0bd7e3faaa01a02fa2e5004db6d5f47debb27b85

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/449709/

Comments