MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0e748d0654f213eb61a27174cf40a102b38d241185d49cb348cde07350b85c50. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0e748d0654f213eb61a27174cf40a102b38d241185d49cb348cde07350b85c50
SHA3-384 hash: 496ef9cecf7169516959e7c3043a926cf8ee94618f4495f33c28a144a91adabe38568787e63303ecf9bae1567106ffa4
SHA1 hash: 0c21824af3d762fd474816735b3b549360faafd3
MD5 hash: 8600b46a68c9b6b1389a1f0de6acbc47
humanhash: pip-vegan-lake-west
File name:0E748D0654F213EB61A27174CF40A102B38D241185D49.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:98'304 bytes
First seen:2022-03-04 11:15:17 UTC
Last seen:2022-03-04 12:54:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 1536:zTCV6yxFa7osePCtjlFN3RjHhg7i0WVITtUKtwvge/+1wMWYe+vzH8ms4x428TDU:fS6yxFa7osePCtxFhg7i0WVITbeIo+4O
Threatray 2'212 similar samples on MalwareBazaar
TLSH T165A385805DFE40D5E03B8E7187FCF9BA0BDAC57568AEB276521056884F33992CA33974
File icon (PE):PE icon
dhash icon 324db2f0cc691741 (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
172.83.152.87:17677

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
172.83.152.87:17677 https://threatfox.abuse.ch/ioc/392359/

Intelligence

File Origin
# of uploads :
2
# of downloads :
277
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/247328/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.38778351.15462.3299.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a file
Сreating synchronization primitives
Sending an HTTP GET request
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a window
Running batch commands
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Moving a file to the %AppData% subdirectory
Downloading the file
Forced shutdown of a system process
Setting a single autorun event
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a5e9f834-e128-4dcb-a43c-cf536124161e
Result
Threat name:
AsyncRAT DCRat RedLine
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/950703
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious values (likely registry only malware)
Encrypted powershell cmdline option found
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious encrypted Powershell command line found
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Potential evasive VBS script found (sleep loop)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Suspicious powershell command line found
Uses dynamic DNS services
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected DCRat
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 583184 Sample: 0E748D0654F213EB61A27174CF4... Startdate: 04/03/2022 Architecture: WINDOWS Score: 100 71 zerocool888.duckdns.org 2->71 89 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->89 91 Found malware configuration 2->91 93 Malicious sample detected (through community Yara rule) 2->93 95 20 other signatures 2->95 15 0E748D0654F213EB61A27174CF40A102B38D241185D49.exe 1 2->15         started        signatures3 process4 file5 69 0E748D0654F213EB61...8D241185D49.exe.log, ASCII 15->69 dropped 79 Malicious encrypted Powershell command line found 15->79 81 Very long command line found 15->81 83 Encrypted powershell cmdline option found 15->83 19 powershell.exe 17 22 15->19         started        signatures6 process7 dnsIp8 73 2.56.57.147, 49782, 49785, 80 GBTCLOUDUS Netherlands 19->73 65 WindowNbydvys7iroweKKMiofdsoioe3rsg.vbs, ASCII 19->65 dropped 105 Potential evasive VBS script found (sleep loop) 19->105 24 wscript.exe 1 19->24         started        27 conhost.exe 19->27         started        file9 signatures10 process11 signatures12 107 Wscript starts Powershell (via cmd or directly) 24->107 109 Very long command line found 24->109 29 cmd.exe 1 24->29         started        32 cmd.exe 24->32         started        process13 signatures14 113 Wscript starts Powershell (via cmd or directly) 29->113 115 Very long command line found 29->115 117 Encrypted powershell cmdline option found 29->117 34 powershell.exe 14 29->34         started        37 conhost.exe 29->37         started        39 conhost.exe 32->39         started        process15 signatures16 85 Writes to foreign memory regions 34->85 87 Injects a PE file into a foreign processes 34->87 41 InstallUtil.exe 34->41         started        45 reg.exe 34->45         started        48 RegSvcs.exe 34->48         started        50 RegSvcs.exe 34->50         started        process17 dnsIp18 75 zerocool888.duckdns.org 172.83.152.87, 49788, 49790, 8848 SPARTANHOSTGB United States 41->75 67 C:\Users\user\AppData\Local\Temp\rline.vbs, ASCII 41->67 dropped 52 cmd.exe 41->52         started        119 Creates autostart registry keys with suspicious values (likely registry only malware) 45->119 77 212.193.30.224, 80 SPD-NETTR Russian Federation 48->77 file19 signatures20 process21 signatures22 97 Suspicious powershell command line found 52->97 99 Wscript starts Powershell (via cmd or directly) 52->99 101 Encrypted powershell cmdline option found 52->101 103 Bypasses PowerShell execution policy 52->103 55 powershell.exe 52->55         started        57 conhost.exe 52->57         started        process23 process24 59 wscript.exe 55->59         started        signatures25 111 Wscript starts Powershell (via cmd or directly) 59->111 62 cmd.exe 59->62         started        process26 signatures27 121 Wscript starts Powershell (via cmd or directly) 62->121 123 Encrypted powershell cmdline option found 62->123
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0e748d0654f213eb61a27174cf40a102b38d241185d49cb348cde07350b85c50/
Threat name:
ByteCode-MSIL.Backdoor.DcRat
Create hunting rule
Status:
Malicious
First seen:
2022-01-18 21:58:25 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
20 of 25 (80.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bz2i2bsu6ij6wyncof2m6qfbakzy2jarqxkjzm2izxqhgufylria._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
35e366b4c3acb7b4539e83cb0a489a8b31872193183084b1099f9ec638a70f34
RedLineStealer
4e7105da7face5917f66842ba73810d29826cb971140f9da2b0efb7a37de3c0e
RedLineStealer
51e4dce11e58aa2be5d3c73056bf45652de5032dcb29636b28f2c1659df135db
RedLineStealer
7da096df4561ecc9169365841e2f024e40165377384e25e82922b2d1f16b8aa0
RedLineStealer
97f116891027a9cb8a2c59d5a0de5bd169ae05829b9b4e034bdb9326a54c8dd6
RedLineStealer
aa56a644af0010b6d464f52c4409bd09361c20aad28b1400b4e543905f48b798
RedLineStealer
d04e92c836e2332eb7140720eef09fb85e0a797880a8afbff729244f69c8b46d
RedLineStealer
ec1773386924814a953850ec438551a133c27541b156e6d685d9eda1477a65b4
RedLineStealer
f63561d5a1e218408d76c24a79ea9053cb0f5a1dddf386c795c587c2c8acd6cf
RedLineStealer
+ 2'202 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:redline botnet:ale botnet:default infostealer persistence rat spyware suricata
Link:
https://tria.ge/reports/220304-nc6yxsgaem/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks computer location settings
Blocklisted process makes network request
Async RAT payload
AsyncRat
RedLine
RedLine Payload
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT)
Malware Config
C2 Extraction:
zerocool888.duckdns.org:8848
zerocool888.duckdns.org:17677
Dropper Extraction:
http://2.56.57.147/2dll/07.01.22.installutil.txt
http://2.56.57.147/2dll/07.01.22.regsvcs.txt
Unpacked files
SH256 hash:
0e748d0654f213eb61a27174cf40a102b38d241185d49cb348cde07350b85c50
MD5 hash:
8600b46a68c9b6b1389a1f0de6acbc47
SHA1 hash:
0c21824af3d762fd474816735b3b549360faafd3
Link:
https://www.unpac.me/results/b1c828fc-5a16-4f5d-a268-6769f472278b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/0e748d0654f2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0e748d0654f213eb61a27174cf40a102b38d241185d49cb348cde07350b85c50

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:asyncrat
Create hunting rule
Author:jeFF0Falltrades
Rule name:INDICATOR_SUSPICIOUS_EXE_B64_Artifacts
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Rule name:INDICATOR_SUSPICIOUS_EXE_DcRatBy
Create hunting rule
Author:ditekSHen
Description:Detects executables containing the string DcRatBy
Rule name:INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
Create hunting rule
Author:ditekSHen
Description:Detects executables containing bas64 encoded gzip files
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
Create hunting rule
Author:ditekSHen
Description:Detects executables attemping to enumerate video devices using WMI
Rule name:MALWARE_Win_DCRat
Create hunting rule
Author:ditekSHen
Description:DCRat payload
Rule name:MAL_AsnycRAT
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects AsnycRAT based on it's config decryption routine
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/247328/

Comments