MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fc999e372d1a938956bd8130512bf13be780ebbddfc42d4bb085587ba10f4c2a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fc999e372d1a938956bd8130512bf13be780ebbddfc42d4bb085587ba10f4c2a
SHA3-384 hash: 749ee57ec93954b3ff376f2e7e87f0635a44d05d34a86a29a57762a7e51e1b05929530ffb95b1162f8614d6cd1ea62c1
SHA1 hash: f8b139a66d1d837789b7276d4f0a2d62e75363a1
MD5 hash: 4722419008f15b5f46f7e6228a7eb1e0
humanhash: triple-vegan-four-thirteen
File name:EngineChromium.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:9'790'613 bytes
First seen:2023-10-13 05:20:12 UTC
Last seen:2023-10-13 05:37:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6011984d7c1f1b97a34d7517a498bff8 (8 x RedLineStealer, 5 x STRRAT, 3 x LummaStealer)
ssdeep 196608:4eOl5FS4DZLTk6VoTVHJack+YlGlSRRbCvN:SrCacJYlTFo
Threatray 9 similar samples on MalwareBazaar
TLSH T117A60273F0DA2071F9731A36B8A25432393E189CE0872DA929B49BD7F572D484F4B791
TrID 36.9% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
19.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.4% (.EXE) Win64 Executable (generic) (10523/12/4)
7.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
5.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon f062eae6b696c6cc (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
77.91.124.80:46502

Intelligence

File Origin
# of uploads :
2
# of downloads :
304
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
EngineChromium.exe
Verdict:
Malicious activity
Analysis date:
2023-10-13 05:21:43 UTC
Tags:
stealer redline
Link:
https://app.any.run/tasks/133cbe3c-3ab0-4996-aa49-d7753af5243e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/454036/
Detection(s):
SecuriteInfo.com.Trojan-Spy.Win32.Stealer.ewjw.2999.23584.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% directory
Running batch commands
Using the Windows Management Instrumentation requests
Sending an HTTP GET request
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Adding an exclusion to Microsoft Defender
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
89%
Tags:
lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/6528d3c03b921285dcdd80ca/reports/1ae53ac9-d168-470a-bfe8-dd83b7890be9/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/fc999e372d1a938956bd8130512bf13be780ebbddfc42d4bb085587ba10f4c2a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
OWASP
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/7f79d214-019b-4fab-bc20-c81bd0f7ee07
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1325114
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Checks if browser processes are running
Connects to many ports of the same IP (likely port scanning)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1325114 Sample: EngineChromium.exe Startdate: 13/10/2023 Architecture: WINDOWS Score: 100 59 Snort IDS alert for network traffic 2->59 61 Found malware configuration 2->61 63 Antivirus detection for URL or domain 2->63 65 6 other signatures 2->65 8 explorer.exe 2->8         started        10 EngineChromium.exe 2->10         started        process3 signatures4 13 knowscientificpro.exe 4 8->13         started        85 Checks if browser processes are running 10->85 17 javaw.exe 27 10->17         started        process5 dnsIp6 45 C:\Users\user\AppData\...\knowscientiific.exe, PE32+ 13->45 dropped 47 C:\Users\user\AppData\...\knowscientific.exe, PE32 13->47 dropped 87 Multi AV Scanner detection for dropped file 13->87 89 Machine Learning detection for dropped file 13->89 20 knowscientific.exe 15 3 13->20         started        23 knowscientiific.exe 13->23         started        51 95.181.173.155, 49719, 49720, 49726 QWARTARU Russian Federation 17->51 49 C:\Users\user\...\knowscientificpro.exe, PE32+ 17->49 dropped 25 cmd.exe 1 17->25         started        27 icacls.exe 1 17->27         started        29 explorer.exe 1 17->29         started        file7 signatures8 process9 signatures10 67 Multi AV Scanner detection for dropped file 20->67 69 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 20->69 71 Machine Learning detection for dropped file 20->71 83 2 other signatures 20->83 31 knowscientific.exe 20->31         started        35 knowscientific.exe 20->35         started        73 Writes to foreign memory regions 23->73 75 Modifies the context of a thread in another process (thread injection) 23->75 77 Injects a PE file into a foreign processes 23->77 37 InstallUtil.exe 23->37         started        79 Bypasses PowerShell execution policy 25->79 81 Adds a directory exclusion to Windows Defender 25->81 39 powershell.exe 22 25->39         started        41 conhost.exe 25->41         started        43 conhost.exe 27->43         started        process11 dnsIp12 53 77.91.124.80, 46502, 49724 ECOTEL-ASRU Russian Federation 31->53 57 Tries to harvest and steal browser information (history, passwords, etc) 31->57 55 31.222.238.209, 7702 GIGALIS-ASFR unknown 37->55 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fc999e372d1a938956bd8130512bf13be780ebbddfc42d4bb085587ba10f4c2a/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7smz4nzndkjysvv5qeyfck7rhptyb25537cc2s5qqvmhxiipjqva._file
Verdict:
malicious
Similar samples:
1c79f52740094f054147fc0d0c09258f8e99b3b678f9f69c592ade3ddcae0e84
RedLineStealer
21708c6374a6eb8422c9eae984bd00a8b8f436a27ef5e1946aab706fa38f30e1
RedLineStealer
2cfd30a7982b90be60f83fe5f4132999ac50d0d63d9681d8d50c3c8271faa34b
RedLineStealer
5c521ac354b4f665c9e5dd53bb28e77da262fda86ddabbd850f67e9c4deb0b3b
RedLineStealer
6a053f5c71b94d17a8603accc98bdeeb5b82008c6b5794a12be2ccd6f1f143a5
RedLineStealer
75d7d46ed7d193c249f6f1d7e309b6986f1303e772599d90d65467b4a7d5f80a
RedLineStealer
afea8e29447ebe85480428e2ad947457d515968694dcb5d721886ad1d5945459
RedLineStealer
c19e44f612b1b11dacfbed23b9de1b2af9035fe080438615d8f38f2ed079e93c
RedLineStealer
ee39d49c013a847632ab6390a6ef70d33699f5b8865a769f8a74a1a7f0af2a75
RedLineStealer
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/231013-f1z7aafa5v/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Unpacked files
SH256 hash:
fc999e372d1a938956bd8130512bf13be780ebbddfc42d4bb085587ba10f4c2a
MD5 hash:
4722419008f15b5f46f7e6228a7eb1e0
SHA1 hash:
f8b139a66d1d837789b7276d4f0a2d62e75363a1
Link:
https://www.unpac.me/results/b0f293e1-3832-4270-89c2-94abf81c4559/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MinGWGCC3x
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Sectigo_Code_Signed
Create hunting rule
Description:Detects code signed by the Sectigo RSA Code Signing CA
Reference:https://bazaar.abuse.ch/export/csv/cscb/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/454036/

Comments