MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c78846071126d7f29a8b82b699903031d7d2cd837df91584fd1ee7eb7b8c93b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 16


Intelligence 16 IOCs 1 YARA 26 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9c78846071126d7f29a8b82b699903031d7d2cd837df91584fd1ee7eb7b8c93b
SHA3-384 hash: 1556df32ec0a43bcc7b8ffa4556f59fceb90ff01aa21b16f6a5ef9aecc3523d9462b90c7ae08fe45f0d661369d18a3fd
SHA1 hash: cb74b3dba0e3ef8073f03810a0232da641b8a587
MD5 hash: 58a250aeb22f0040185210402d4243b3
humanhash: kilo-twelve-quebec-whiskey
File name:9C78846071126D7F29A8B82B699903031D7D2CD837DF9.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'604'096 bytes
First seen:2022-06-04 19:15:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 24576:73Az+jwa8Jnkqbr5yT073RmbaLpYEywZiPiM9jzoCaYN:73AzoiLBBBO0pnyZPhgCaY
TLSH T144757CA423B42F8EC1EFCA3DF0284550B6B8E85B5335A28697722DF91D177C64F40EA5
TrID 53.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
12.2% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
9.6% (.SCR) Windows screen saver (13101/52/3)
7.7% (.EXE) Win64 Executable (generic) (10523/12/4)
4.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon d4e0f0e8d8f0e8c4 (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
18.193.6.177:17044

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
18.193.6.177:17044 https://threatfox.abuse.ch/ioc/654557/

Intelligence

File Origin
# of uploads :
1
# of downloads :
387
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
9C78846071126D7F29A8B82B699903031D7D2CD837DF9.exe
Verdict:
Malicious activity
Analysis date:
2022-06-04 19:17:06 UTC
Tags:
trojan rat redline evasion stealer phishing quasar
Link:
https://app.any.run/tasks/412a47dd-d164-4d3d-a58d-dc0a90f206ca

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/276639/
Detection(s):
Win.Malware.Ursu-9794593-0
Create hunting rule

Win.Packed.Ulise-9865923-0
Create hunting rule

Win.Packed.Generic-9873203-0
Create hunting rule

Win.Malware.Bulz-9880537-0
Create hunting rule

Win.Packed.Bulz-9883367-0
Create hunting rule

Win.Packed.Generickdz-9885340-0
Create hunting rule

Win.Packed.Bulz-9891195-0
Create hunting rule

Win.Trojan.Redline-9938775-1
Create hunting rule

PUA.Win.Packed.ConfuserEx-6391397-0
Create hunting rule

PUA.Win.Packed.ConfuserEx-6582917-0
Create hunting rule

ditekSHen.MALWARE.Win.Trojan.NWorm.UNOFFICIAL
Create hunting rule

Win.Trojan.Razy-6794929-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP POST request
Sending an HTTP GET request
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Launching a process
Enabling the 'hidden' option for recently created files
Searching for the window
Creating a window
Creating a file in the %temp% directory
Reading critical registry keys
Setting a keyboard event handler
Creating a process with a hidden window
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Blocking the Windows Defender launch
Query of malicious DNS domain
Sending a TCP request to an infection source
Stealing user critical data
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm cmd.exe coinminer confuserex control.exe evasive fingerprint netsh.exe obfuscated orcus packed quasar quasarrat rat razy redline remcos schtasks.exe stealer update.exe xrat
Link:
https://www.filescan.io/uploads/629baf742acbe6fdfb5de32c/reports/9ae583e8-c482-47f6-b856-1ee95b9067c2/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Quasar RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b3269c94-26f3-4923-8cba-fa8bb677ff49
Result
Threat name:
RedLine, Vermin Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1006686
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Connects to many ports of the same IP (likely port scanning)
Contains functionality to hide user accounts
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Protects its processes via BreakOnTermination flag
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses dynamic DNS services
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected RedLine Stealer
Yara detected Vermin Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 639182 Sample: 9C78846071126D7F29A8B82B699... Startdate: 04/06/2022 Architecture: WINDOWS Score: 100 87 Snort IDS alert for network traffic 2->87 89 Multi AV Scanner detection for domain / URL 2->89 91 Malicious sample detected (through community Yara rule) 2->91 93 22 other signatures 2->93 9 9C78846071126D7F29A8B82B699903031D7D2CD837DF9.exe 7 2->9         started        12 Start Process.exe 2->12         started        process3 file4 55 Steam Accounts Che...0.4 By X-SLAYER.exe, PE32 9->55 dropped 57 C:\Users\user\AppData\...\Start Process.exe, PE32 9->57 dropped 59 C:\Users\user\AppData\...\Software Check.exe, PE32 9->59 dropped 61 9C78846071126D7F29...7D2CD837DF9.exe.log, ASCII 9->61 dropped 14 Start Process.exe 16 7 9->14         started        19 Software Check.exe 14 47 9->19         started        21 Steam Accounts Checker v0.4 By X-SLAYER.exe 9->21         started        process5 dnsIp6 71 ip-api.com 208.95.112.1, 49760, 49762, 80 TUT-ASUS United States 14->71 73 91.134.207.16, 80 OVHFR France 14->73 79 2 other IPs or domains 14->79 63 C:\Users\user\AppData\...\Start Process.exe, PE32 14->63 dropped 81 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->81 23 Start Process.exe 4 14->23         started        27 powershell.exe 14->27         started        29 schtasks.exe 1 14->29         started        35 7 other processes 14->35 75 siyatermi.duckdns.org 18.193.6.177, 1518, 17044, 49761 AMAZON-02US United States 19->75 77 api.ip.sb 19->77 83 Tries to harvest and steal browser information (history, passwords, etc) 19->83 85 Tries to steal Crypto Currency Wallets 19->85 31 conhost.exe 19->31         started        33 WerFault.exe 21->33         started        file7 signatures8 process9 dnsIp10 65 192.168.2.1 unknown unknown 23->65 67 siyatermi.duckdns.org 23->67 69 ip-api.com 23->69 95 Protects its processes via BreakOnTermination flag 23->95 97 Hides that the sample has been downloaded from the Internet (zone.identifier) 23->97 99 Installs a global keyboard hook 23->99 37 schtasks.exe 23->37         started        101 Query firmware table information (likely to detect VMs) 27->101 39 conhost.exe 27->39         started        41 conhost.exe 29->41         started        43 conhost.exe 35->43         started        45 conhost.exe 35->45         started        47 conhost.exe 35->47         started        49 conhost.exe 35->49         started        signatures11 process12 process13 51 conhost.exe 37->51         started        53 conhost.exe 41->53         started       
Detection:
quasar
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9c78846071126d7f29a8b82b699903031d7d2cd837df91584fd1ee7eb7b8c93b/
Threat name:
ByteCode-MSIL.Backdoor.Zapchast
Create hunting rule
Status:
Malicious
First seen:
2022-04-26 22:46:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
41
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tr4iiydrcjwx6knixavwtgidamox2lgyg7pzcwcp2hxh5n5yze5q._file
Verdict:
malicious
Result
Malware family:
venomrat
Create hunting rule
Score:
  10/10
Tags:
family:quasar family:redline family:venomrat botnet:awsr botnet:v/r/b discovery evasion infostealer persistence rat rootkit spyware stealer suricata trojan
Link:
https://tria.ge/reports/220604-xysg4agchq/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Enumerates physical storage devices
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Checks computer location settings
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
Executes dropped EXE
Contains code to disable Windows Defender
Modifies Windows Defender Real-time Protection settings
Quasar Payload
Quasar RAT
RedLine
RedLine Payload
VenomRAT
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 3
Malware Config
C2 Extraction:
siyatermi.duckdns.org:17044
siyatermi.duckdns.org:1518
Unpacked files
SH256 hash:
c7dc5a7a62122ced9fec12735f786d28e3f7f287a11f0bee6f916862ecff7716
MD5 hash:
7f4af2d3bf91dc8a94e87b95080fabe4
SHA1 hash:
fc6bb41d63785e1bdaa4a64ba99a5f283135548c
Link:
https://www.unpac.me/results/2e3c3bbc-b87a-48cd-a8ad-ffa08d18afe1/
SH256 hash:
563ed0f56464506cc3a90359446094bc48342614694042bac55e6c55f6605572
MD5 hash:
0954bc6f55eb9c5cf0e28308618bd99d
SHA1 hash:
a013a40906fe66de7c43d6b6763abf28d5bbd08b
Link:
https://www.unpac.me/results/2e3c3bbc-b87a-48cd-a8ad-ffa08d18afe1/
SH256 hash:
bcac81c69094ea47c3a00cae028ac4c64dd6cbd4fe85e11363e3e35b48c04842
MD5 hash:
27c2436f6a1c111bef78597d37751138
SHA1 hash:
f1dabacffc82bbfc7d8db578f0a5653d7fe84bca
Link:
https://www.unpac.me/results/2e3c3bbc-b87a-48cd-a8ad-ffa08d18afe1/
SH256 hash:
74f157d228b19efbe878feb76a5be3caeb1cdd11c59ee3ec9622dbd994081310
MD5 hash:
025e2ffb735be017523af9c9a2fbbe87
SHA1 hash:
e5fa2a222098a73ac23644675947816ca14cb1aa
Link:
https://www.unpac.me/results/2e3c3bbc-b87a-48cd-a8ad-ffa08d18afe1/
SH256 hash:
1bb6f045a9218bacd2c0f35f2e9fb3f0a92f5bdd7efd207b070c47707a6ae82d
MD5 hash:
1634b36bb54a876f818712d1f105fe00
SHA1 hash:
deaa950169f13bd1f07103e5aff7932547962e04
Link:
https://www.unpac.me/results/2e3c3bbc-b87a-48cd-a8ad-ffa08d18afe1/
SH256 hash:
5a72c2a12e0e42313c5d01277d3b26f52810a9753e31883f5f3e7a73a0021870
MD5 hash:
4d97786ab8047ad6c08532ed7a017573
SHA1 hash:
a64d07233d813f9a085722295dca62ca726e291a
Link:
https://www.unpac.me/results/2e3c3bbc-b87a-48cd-a8ad-ffa08d18afe1/
SH256 hash:
9c78846071126d7f29a8b82b699903031d7d2cd837df91584fd1ee7eb7b8c93b
MD5 hash:
58a250aeb22f0040185210402d4243b3
SHA1 hash:
cb74b3dba0e3ef8073f03810a0232da641b8a587
Link:
https://www.unpac.me/results/2e3c3bbc-b87a-48cd-a8ad-ffa08d18afe1/
Malware family:
Quasar
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9c7884607112/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.58
Link:
https://yomi.yoroi.company/submissions/9c78846071126d7f29a8b82b699903031d7d2cd837df91584fd1ee7eb7b8c93b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_DisableWinDefender
Create hunting rule
Author:ditekSHen
Description:Detects executables containing artifcats associated with disabling Widnows Defender
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding registry key / value combination indicative of disabling Windows Defedner features
Rule name:malware_Quasar_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect QuasarRAT in memory
Rule name:MALWARE_Win_Arechclient2
Create hunting rule
Author:ditekSHen
Description:Detects Arechclient2 RAT
Rule name:MALWARE_Win_QuasarRAT
Create hunting rule
Author:ditekSHen
Description:QuasarRAT payload
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MAL_Lokibot_Stealer
Create hunting rule
Description:Detects Lokibot Stealer Variants
Rule name:MAL_QuasarRAT_May19_1
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:MAL_QuasarRAT_May19_1_RID2E1E
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:pe_imphash
Create hunting rule
Rule name:Quasar_RAT_1
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Quasar_RAT_1_RID2B54
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Quasar_RAT_2
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Quasar_RAT_2_RID2B55
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:RDPWrap
Create hunting rule
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap
Rule name:RedLine_a
Create hunting rule
Author:@bartblaze
Description:Identifies RedLine stealer.
Rule name:redline_new_mem
Create hunting rule
Author:James_inthe_box
Description:Redline stealer
Reference:https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8/
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Redline_Stealer_Monitor
Create hunting rule
Description:Detects RedLine Stealer Variants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_NET_NAME_ConfuserEx
Create hunting rule
Author:Arnim Rupp
Description:Detects ConfuserEx packed file
Reference:https://github.com/yck1509/ConfuserEx

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/276639/

Comments