MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f5c67fe00b4cbee07d5e394c87f0c6224bbd841a92151d04841f584d56e58b0c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 16



SHA256 hash: f5c67fe00b4cbee07d5e394c87f0c6224bbd841a92151d04841f584d56e58b0c
SHA3-384 hash: 7a0228e28f044df645475f6b03de96fa92ac3f8a49d101392d81f3ee7673e11143784731c9c5aaeae7d11e382acc422f
SHA1 hash: 17104eca148dcd0e15ffb31e4c7a3defdd406d12
MD5 hash: 842ae8e819177105e1a1af934b1ee520
humanhash: quebec-sierra-winner-robert
File name: F5C67FE00B4CBEE07D5E394C87F0C6224BBD841A92151.exe
Signature: RedLineStealer
File size: 1'186'304 bytes
First seen: 2023-01-13 19:30:20 UTC
Last seen: 2023-01-13 21:29:04 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 4b1a0cc0d6c71b1f1abf86a8693fc16e (1 x ClipBanker, 1 x DiamondFox, 1 x RedLineStealer)
ssdeep: 24576:zXdmFGXOGXlTztlj3RbjO7jlUIixAWLc7ARpTLzVONY/tx4:rdfLVTLjxwjlQntT/VO2x4
Threatray: 209 similar samples on MalwareBazaar
TLSH: T10E458E10F613E064DC9240B52BA97B7590AD2C38477449EFB7D43B689E762C2BB31B27
TrID:
  32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
  20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
  13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
  6.2% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: f0a8bab082828292 (8 x AgentTesla, 3 x RedLineStealer, 3 x PrivateLoader)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
http://91.107.156.138/

Intelligence


File Origin
# of uploads: 2
# of downloads: 220
Origin country: n/a
Vendor Threat Intelligence
Malware family: socelars
ID: 1
File name: F5C67FE00B4CBEE07D5E394C87F0C6224BBD841A92151.exe
Verdict: Malicious activity
Analysis date: 2023-01-13 19:32:43 UTC
Tags: trojan socelars stealer opendir loader rat redline evasion gcleaner

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Reading critical registry keys
Creating a file
Creating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Query of malicious DNS domain
Blocking the Windows Defender launch
Sending a TCP request to an infection source
Sending an HTTP GET request to an infection source
Sending an HTTP POST request to an infection source
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict: No Threat
Threat level: 10/10
Confidence: 80%
Tags: fingerprint greyware
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Fabookie, ManusCrypt, Nymaim, PrivateLoa
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Fabookie
Yara detected ManusCrypt
Yara detected Nymaim
Yara detected PrivateLoader
Yara detected RedLine Stealer
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph (ID 784119; sample F5C67FE00B4CBEE07D5E394C87F...; start date 13/01/2023; architecture WINDOWS; score 100), rebuilt as a process tree from the graph nodes:

Start node
  Network: 45.139.105.1 (CMCSUS, Italy); 85.31.46.167 (CLOUDCOMPUTINGDE, Germany)
  Signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 22 other signatures
  Started:
    F5C67FE00B4CBEE07D5E394C87F0C6224BBD841A92151.exe
      Network: 37.0.11.8 (WKD-ASIE, Netherlands); 37.0.8.235 (WKD-ASIE, Netherlands); 16 other IPs or domains
      Dropped: C:\Users\...\tyjUKVdg2ItnMqkwA5wECkJ6.exe (PE32+); C:\Users\...\oBNwJG43xtiUQs4OwRQxa3Az.exe (PE32); C:\Users\...\iuZ3KuDPbz4kL8RCRCZB7PEu.exe (PE32); 18 other malicious files
      Signatures: Drops PE files to the document folder of the user; Creates HTML files with .exe extension (expired dropper behavior); Disable Windows Defender real time protection (registry)
      Started:
        iuZ3KuDPbz4kL8RCRCZB7PEu.exe
          Dropped: C:\Users\...\iuZ3KuDPbz4kL8RCRCZB7PEu.tmp (PE32)
          Signatures: Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Obfuscated command line found; Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
          Started:
            iuZ3KuDPbz4kL8RCRCZB7PEu.tmp
              Dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Users\user\AppData\Local\...\_iscrypt.dll (PE32); C:\Users\user\AppData\Local\...\_RegDLL.tmp (PE32); 4 other files (3 malicious)
              Started:
                NitFiles451.exe
                  Network: 107.182.129.235 (META-ASUS, Reserved); 171.22.30.106 (CMCSUS, Germany); 45.139.105.171 (CMCSUS, Italy)
                  Dropped: C:\Users\user\AppData\...\83ZfAjhzP0E8.exe (PE32)
                  Started:
                    83ZfAjhzP0E8.exe
                      Signatures: Multi AV Scanner detection for dropped file
        JYAd6MNOsM60jvlT_IgMLfg1.exe
          Dropped: C:\Windows\Temp\321.exe (PE32); C:\Windows\Temp\123.exe (PE32)
          Started:
            123.exe
              Signatures: Multi AV Scanner detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes
              Started: conhost.exe
            321.exe
              Signatures: Injects a PE file into a foreign processes
              Started: Conhost.exe
        GqEwmF5wp6v5KtPZzDkRw4OC.exe
          Network: 149.154.167.99 (TELEGRAMRU, United Kingdom); 163.123.143.4 (ILIGHT-NETUS, Reserved); 49.12.226.201 (HETZNER-ASDE, Germany)
          Dropped: C:\Users\...\IfWrIXowYFkh97AviLkFbXdB.exe (MS-DOS); C:\Users\...\0I3Oc7JTHushQrJkcDf8DJPP.exe (PE32); 3 other malicious files
          Signatures: Drops PE files to the document folder of the user; Uses schtasks.exe or at.exe to add and modify task schedules
          Started:
            0I3Oc7JTHushQrJkcDf8DJPP.exe
              Network: 172.67.34.170 (CLOUDFLARENETUS, United States)
            schtasks.exe
              Started: conhost.exe
            schtasks.exe
              Started: conhost.exe
        11 other processes
          Network: 142.251.209.36 (GOOGLEUS, United States); 157.240.20.35 (FACEBOOKUS, United States); 4 other IPs or domains
          Dropped: C:\Users\user\AppData\Roaming\...\clippp.exe (PE32); C:\Users\user\AppData\Local\Temp990wawP.cpl (PE32); 4 other malicious files
          Signatures: Detected unpacking (changes PE section rights); Query firmware table information (likely to detect VMs); Tries to steal Mail credentials (via file / registry access); 8 other signatures
          Started:
            Wb6MNRnIYbhIBInFZnt_Yoao.exe
              Network: 188.114.96.3 (CLOUDFLARENETUS, European Union)
              Dropped: C:\Users\user\AppData\Local\Temp\db.dll (PE32)
              Started: conhost.exe
            control.exe
              Started: rundll32.exe
                Started: rundll32.exe
                  Started: rundll32.exe
            conhost.exe
    PowerControl_Svc.exe
      Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Query firmware table information (likely to detect VMs); Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check)
    rundll32.exe
      Started: rundll32.exe
        Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
Threat name: Win32.Trojan.Zusy
Status: Malicious
First seen: 2021-07-27 11:04:59 UTC
File Type: PE (Exe)
Extracted files: 26
AV detection: 20 of 39 (51.28%)
Threat level: 5/5
Result
Malware family: smokeloader
Score: 10/10
Tags: family:gcleaner family:privateloader family:smokeloader backdoor discovery evasion loader main spyware stealer themida trojan vmprotect
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
Detects Smokeloader packer
GCleaner
Modifies Windows Defender Real-time Protection settings
PrivateLoader
SmokeLoader
Malware Config
C2 Extraction:
http://163.123.143.4/proxies.txt
http://107.182.129.251/server.txt
pastebin.com/raw/A7dSG1te
http://wfsdragon.ru/api/setStats.php
163.123.143.12
http://91.241.19.125/pub.php?pub=one
http://sarfoods.com/index.php
45.139.105.171
85.31.46.167
107.182.129.235
171.22.30.106
Unpacked files
SHA256 hash: f5c67fe00b4cbee07d5e394c87f0c6224bbd841a92151d04841f584d56e58b0c
MD5 hash: 842ae8e819177105e1a1af934b1ee520
SHA1 hash: 17104eca148dcd0e15ffb31e4c7a3defdd406d12
Detections: PrivateLoader win_privateloader_w0 win_privateloader_auto win_privateloader_a0
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MALWARE_Win_DLInjector06
Author: ditekSHen
Description: Detects downloader / injector
Rule name: privateloader
Author: andretavare5
Description: PrivateLoader pay-per-install malware
Rule name: win_privateloader
Rule name: win_privateloader_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.privateloader.
Rule name: win_privateloader_w0
Author: andretavare5
Reference: https://tavares.re/blog/2022/06/06/hunting-privateloader-pay-per-install-service

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments