MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f53626ef5370de09cfbc55c497ff9058066f3c5a18d9caead5ee4c594e2fb57a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f53626ef5370de09cfbc55c497ff9058066f3c5a18d9caead5ee4c594e2fb57a
SHA3-384 hash: 6f804eb7f468d4f16735da1aaab3ada1c91e1ebbfe3697ce20a7105d39ec15cade866c013b9de3b1f5f52b9e298189df
SHA1 hash: 5dd870214f5b7f4eb7c919138e50ab6e0bd44d01
MD5 hash: 5ae927de6c7cad20e431a381f12413ff
humanhash: zebra-fanta-video-magnesium
File name:setup.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:430'592 bytes
First seen:2023-09-13 06:48:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 29c8b785823d6c11cf3aae5ebbb5f0e6 (8 x RedLineStealer, 6 x MysticStealer, 1 x Smoke Loader)
ssdeep 12288:+J85kfMfnuis006jmXuV+CYCt7SvDvb+XY4nPG4zx6:+W5kfGnbsmV+CYF
Threatray 375 similar samples on MalwareBazaar
TLSH T186946B516CD48133D1A61B3B466CBFF91929A02087F741EB7F944E2D8A631C266F1ECB
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter JAMESWT_WT
Tags:easyxgame-com exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
319
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
setup.exe
Verdict:
Malicious activity
Analysis date:
2023-09-13 06:49:01 UTC
Tags:
stealer redline
Link:
https://app.any.run/tasks/9ae5a421-36e9-4534-9871-06799177f85f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/448308/
Detection(s):
Win.Malware.Exploitx-9967939-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
DNS request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Enabling the 'hidden' option for files in the %temp% directory
Running batch commands
Creating a process with a hidden window
Moving a recently created file
Searching for analyzing tools
Enabling the 'hidden' option for recently created files
Replacing files
Launching the default Windows debugger (dwwin.exe)
Forced shutdown of a system process
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Gathering data
Verdict:
Likely Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control greyware lolbin
Link:
https://www.filescan.io/uploads/65015b5f9bae8a378554e5f1/reports/2093364c-be0f-46c0-948b-831d46e777cd/overview
Verdict:
Malicious
Labled as:
TrojanS.F23C58EC
Link:
https://www.hybrid-analysis.com/sample/f53626ef5370de09cfbc55c497ff9058066f3c5a18d9caead5ee4c594e2fb57a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9d067ddd-9e0f-4179-8164-167c72d0bf67
Result
Threat name:
MicroClip, RedLine, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1308375
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Drops password protected ZIP file
Drops PE files with benign system names
Encrypted powershell cmdline option found
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Schedule system process
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected MicroClip
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1308375 Sample: setup.exe Startdate: 14/09/2023 Architecture: WINDOWS Score: 100 101 Snort IDS alert for network traffic 2->101 103 Multi AV Scanner detection for domain / URL 2->103 105 Found malware configuration 2->105 107 15 other signatures 2->107 11 setup.exe 1 2->11         started        14 O.exe 2->14         started        process3 signatures4 137 Contains functionality to inject code into remote processes 11->137 139 Writes to foreign memory regions 11->139 141 Allocates memory in foreign processes 11->141 143 Injects a PE file into a foreign processes 11->143 16 AppLaunch.exe 15 7 11->16         started        21 conhost.exe 11->21         started        145 Query firmware table information (likely to detect VMs) 14->145 147 Hides threads from debuggers 14->147 149 Tries to detect sandboxes / dynamic malware analysis system (registry check) 14->149 process5 dnsIp6 93 217.196.96.130, 49717, 49725, 49726 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 16->93 95 94.142.138.4, 49715, 80 IHOR-ASRU Russian Federation 16->95 97 api.ip.sb 16->97 75 C:\Users\user\AppData\Local\...\svchost.exe, MS-DOS 16->75 dropped 77 C:\Users\user\AppData\Local\...\conhost.exe, PE32 16->77 dropped 109 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 16->109 111 Found many strings related to Crypto-Wallets (likely being stolen) 16->111 113 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 16->113 115 3 other signatures 16->115 23 svchost.exe 4 16->23         started        27 conhost.exe 8 16->27         started        file7 signatures8 process9 file10 79 C:\ProgramData\Roaming\O.exe, MS-DOS 23->79 dropped 129 Antivirus detection for dropped file 23->129 131 Multi AV Scanner detection for dropped file 23->131 133 Detected unpacking (changes PE section rights) 23->133 135 4 other signatures 23->135 29 cmd.exe 23->29         started        81 C:\Users\user\AppData\Local\Temp\...\7z.exe, PE32+ 27->81 dropped 83 C:\Users\user\AppData\Local\Temp\...\7z.dll, PE32+ 27->83 dropped 32 cmd.exe 2 27->32         started        signatures11 process12 signatures13 151 Encrypted powershell cmdline option found 29->151 153 Uses schtasks.exe or at.exe to add and modify task schedules 29->153 34 O.exe 29->34         started        37 conhost.exe 29->37         started        39 timeout.exe 29->39         started        41 fi932gbf8923f23.exe 32->41         started        45 7z.exe 32->45         started        47 7z.exe 3 32->47         started        49 13 other processes 32->49 process14 dnsIp15 117 Antivirus detection for dropped file 34->117 119 Multi AV Scanner detection for dropped file 34->119 121 Detected unpacking (changes PE section rights) 34->121 125 5 other signatures 34->125 51 schtasks.exe 34->51         started        99 pastebin.com 104.20.67.143, 443, 49724 CLOUDFLARENETUS United States 41->99 85 C:\ProgramData\Dllhost\winlogson.exe, PE32+ 41->85 dropped 87 C:\ProgramData\Dllhost\WinRing0x64.sys, PE32+ 41->87 dropped 89 C:\ProgramData\HostData\logs.uce, ASCII 41->89 dropped 123 Sample is not signed and drops a device driver 41->123 53 cmd.exe 41->53         started        56 cmd.exe 41->56         started        58 cmd.exe 41->58         started        91 C:\Users\user\AppData\...\fi932gbf8923f23.exe, PE32 45->91 dropped file16 signatures17 process18 signatures19 60 conhost.exe 51->60         started        127 Encrypted powershell cmdline option found 53->127 62 powershell.exe 53->62         started        65 conhost.exe 53->65         started        67 conhost.exe 56->67         started        69 schtasks.exe 56->69         started        71 conhost.exe 58->71         started        73 schtasks.exe 58->73         started        process20 signatures21 155 Found many strings related to Crypto-Wallets (likely being stolen) 62->155 157 Potential dropper URLs found in powershell memory 62->157
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f53626ef5370de09cfbc55c497ff9058066f3c5a18d9caead5ee4c594e2fb57a/
Threat name:
Win32.Spyware.TrickBot
Create hunting rule
Status:
Malicious
First seen:
2023-09-13 03:15:54 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
26 of 38 (68.42%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6u3cn32todpatt54kxcjp74qladg6pc2ddm4v2wv5zgfstrpwv5a._file
Verdict:
malicious
Similar samples:
2767d4128fc88d587b6681fcff44a8694833e95da510eca60750540e42f2e418
RedLineStealer
35b70fc462fe02d507a58c2b5a33ddd5e26aadc7ac8fe3beae2a82666c8b17c6
RedLineStealer
4420d56e7d9699dc1962cb5504cd177d428aa1e2bfb96a77dfa455947d712cfe
RedLineStealer
52c408897aed4601f6c214b657c0652a966695d59bb0e5be2c343f0c52683be1
RedLineStealer
5c43e762e23599c29a344fabf02fe235e79c9e4697da49d0a17334979faa3920
RedLineStealer
90a8447971f2150fe9ba03d2680af7bdd33de721e9e1521166a7826ed143a2d8
RedLineStealer
c60ecd5714a23a727d9749652883ec95bcdb350b9f278c34ac504edb898073e4
RedLineStealer
dd528eb464db46cd69a3a373f5cde4c4e48afb7116fb8e91eea3a1caacc800f5
RedLineStealer
e98777959f0da84b4346f4d8a9dec025014adc90fb895eee29f6d765ba7e0162
RedLineStealer
+ 365 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:@supplsps infostealer spyware
Link:
https://tria.ge/reports/230913-hlb71sce92/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
RedLine
Malware Config
C2 Extraction:
94.142.138.4:80
Unpacked files
SH256 hash:
0211755d5ba084de43fddf0069f6aa923ebea5444bb6c55a4c78777faffa8c9c
MD5 hash:
5e66a4d4d8c6effbfc2c9021802fb4b8
SHA1 hash:
2ecd413d5315771b8bc2478915983c8127be2266
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/a486ecdf-ab9d-47ab-928e-3a64df62de39/
SH256 hash:
f53626ef5370de09cfbc55c497ff9058066f3c5a18d9caead5ee4c594e2fb57a
MD5 hash:
5ae927de6c7cad20e431a381f12413ff
SHA1 hash:
5dd870214f5b7f4eb7c919138e50ab6e0bd44d01
Link:
https://www.unpac.me/results/a486ecdf-ab9d-47ab-928e-3a64df62de39/
Malware family:
RedLine.E
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f53626ef5370/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f53626ef5370de09cfbc55c497ff9058066f3c5a18d9caead5ee4c594e2fb57a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AppLaunch
Create hunting rule
Author:iam-py-test
Description:Detect files referencing .Net AppLaunch.exe
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer_1
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
X
https://x.com/idclickthat/status/1701756053149376562?s=20
Cape
Cape
https://www.capesandbox.com/analysis/448308/

Comments