MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1924be27896fc861692cf9247734cd87ec7b121a8a7ffdeda8d313f9d8a12981. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 7 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1924be27896fc861692cf9247734cd87ec7b121a8a7ffdeda8d313f9d8a12981
SHA3-384 hash: 977611f8cb9a7e193dc11afadf10a4364e6f41c8ab9d2d39735364e5fc1a66c3d7c0238c7169a3a32a1fee1a72f68bec
SHA1 hash: df22b2d235964e322916818bd00c82799ccfe81b
MD5 hash: 6bfc1b42014e76be8deee330ff944681
humanhash: venus-monkey-lion-equal
File name:6bfc1b42014e76be8deee330ff944681
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:6'201'344 bytes
First seen:2022-03-03 03:28:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash dbc655057e0a381fe85e8bb055c4b9c8 (3 x RedLineStealer, 1 x ArkeiStealer)
ssdeep 49152:ntwmLITV3dxo0SQsQIEZiPvIY2HoK4VBRYQ5ayp0YFRGraxR1b5ERWuowtXEJ+G4:tEp3dxSaszY7ijGWPER5J3v/u
Threatray 36 similar samples on MalwareBazaar
TLSH T1FB562843F99250E8D1AED1308A679722BE7034988330A7E76F5197F52B73BE43A79350
Reporter zbetcheckin
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
250
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/246653/
Detection(s):
Win.Dropper.Gobot-9858609-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Creating a process with a hidden window
Launching a process
Launching the process to change the firewall settings
Сreating synchronization primitives
Sending an HTTP POST request
Moving a system file
Creating a file
Enabling the 'hidden' option for analyzed file
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Moving of the original file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Replacing the hosts file
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/7951/overview
Behaviour
MalwareBazaar
CallSleep
MeasuringTime
SystemUptime
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug
Link:
https://www.filescan.io/uploads/62203605b94fb38cb43e87d5/reports/495a949b-87d2-472b-9d13-55eb49f6d31e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Kraken
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e151442b-c7cf-4b55-bc28-574791f54930
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/949640
Signature
Adds a directory exclusion to Windows Defender
Creates an autostart registry key pointing to binary in C:\Windows
Creates multiple autostart registry keys
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Modifies the hosts file
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: CobaltStrike Process Patterns
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Remote Thread Created
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Svchost Process
Sigma detected: Whoami Execution Anomaly
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Uses cmd line tools excessively to alter registry or file data
Uses ipconfig to lookup or modify the Windows network settings
Uses known network protocols on non-standard ports
Uses netsh to modify the Windows network and firewall settings
Uses whoami command line tool to query computer and username
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 582121 Sample: bGjn5r8czJ Startdate: 03/03/2022 Architecture: WINDOWS Score: 100 78 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->78 80 Multi AV Scanner detection for dropped file 2->80 82 Multi AV Scanner detection for submitted file 2->82 84 10 other signatures 2->84 9 bGjn5r8czJ.exe 7 2 2->9         started        14 RTDCPL.exe 2->14         started        16 RTDCPL.exe 2->16         started        process3 dnsIp4 76 193.233.48.64, 20001, 49724, 49725 NETIS-ASRU Russian Federation 9->76 72 C:\Windows\1646311075.exe, PE32 9->72 dropped 74 C:\Windows\System32\drivers\etc\hosts, ASCII 9->74 dropped 98 Creates multiple autostart registry keys 9->98 100 Creates an autostart registry key pointing to binary in C:\Windows 9->100 102 Modifies the hosts file 9->102 104 Modifies the windows firewall 9->104 18 cmd.exe 1 9->18         started        21 cmd.exe 1 9->21         started        23 cmd.exe 1 9->23         started        31 10 other processes 9->31 106 Uses cmd line tools excessively to alter registry or file data 14->106 108 Tries to harvest and steal browser information (history, passwords, etc) 14->108 110 Adds a directory exclusion to Windows Defender 14->110 33 11 other processes 14->33 112 Hides that the sample has been downloaded from the Internet (zone.identifier) 16->112 25 cmd.exe 16->25         started        27 cmd.exe 16->27         started        29 cmd.exe 16->29         started        35 12 other processes 16->35 file5 signatures6 process7 signatures8 86 Uses cmd line tools excessively to alter registry or file data 18->86 88 Uses netsh to modify the Windows network and firewall settings 18->88 90 Uses ipconfig to lookup or modify the Windows network settings 18->90 37 conhost.exe 18->37         started        92 Adds a directory exclusion to Windows Defender 21->92 40 2 other processes 21->40 42 2 other processes 23->42 44 2 other processes 25->44 94 Uses whoami command line tool to query computer and username 27->94 46 2 other processes 27->46 48 2 other processes 29->48 50 18 other processes 31->50 52 15 other processes 33->52 54 15 other processes 35->54 process9 signatures10 96 Uses whoami command line tool to query computer and username 37->96 56 conhost.exe 40->56         started        58 conhost.exe 42->58         started        60 WMIC.exe 42->60         started        62 conhost.exe 50->62         started        64 conhost.exe 50->64         started        66 whoami.exe 50->66         started        process11 process12 68 conhost.exe 56->68         started        70 WMIC.exe 56->70         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1924be27896fc861692cf9247734cd87ec7b121a8a7ffdeda8d313f9d8a12981/
Threat name:
Win64.Trojan.CobaltStrike
Create hunting rule
Status:
Malicious
First seen:
2022-03-03 03:29:15 UTC
File Type:
PE+ (Exe)
AV detection:
19 of 27 (70.37%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=desl4j4jn7egc2jm7eshongnq7whweq2rj7733ni2mj7twfbfgaq._file
Verdict:
unknown
Similar samples:
43a412dad049f412adaa3a44991fd6cef44db2ac0e2777d3c77147790e18d81c
RedLineStealer
58484d3924b8c496a925660742b55da793ec4048765edf87c3116e5fb34ebeae
RedLineStealer
5879d39a0bab80032ebc751728e034cf7ec7fb30749090b5df8c37100034ef95
RedLineStealer
5d99125b0d97ba0abfcf9916c1a05081c1cc117eb2afaaab39a6f95a60e42ab3
RedLineStealer
98ad02342614a473b078f5b12274fa3c9c78779894750fbb7af82664b9e7ffa8
RedLineStealer
cf320b078c782f90983bf12ee8453c94321326a576336f14ef93c9a2f0badbfd
RedLineStealer
f1fe5f2fd945caad71baf13e9e42544c1b2a441ea42391a3a56d2e38dcfe5f50
RedLineStealer
f6ee9ff778c9ef5511f2344d2dbf0b199578e19278426ed84c61d4704115ca34
RedLineStealer
+ 26 additional samples on MalwareBazaar
Result
Malware family:
systembc
Create hunting rule
Score:
  10/10
Tags:
family:babadeda family:systembc crypter evasion loader persistence spyware stealer suricata trojan
Link:
https://tria.ge/reports/220303-d1xp2sahaj/
Behaviour
Gathers network information
GoLang User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Drops file in Windows directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
Modifies Windows Firewall
Sets file to hidden
Babadeda
Babadeda Crypter
SystemBC
suricata: ET MALWARE Go/Anubis CnC Activity (POST)
suricata: ET MALWARE Go/Anubis Registration Activity
Malware Config
C2 Extraction:
5.101.78.2:4127
192.53.123.202:4127
Unpacked files
SH256 hash:
1924be27896fc861692cf9247734cd87ec7b121a8a7ffdeda8d313f9d8a12981
MD5 hash:
6bfc1b42014e76be8deee330ff944681
SHA1 hash:
df22b2d235964e322916818bd00c82799ccfe81b
Detections:
osx_retefe_g0
Create hunting rule
Link:
https://www.unpac.me/results/1a3ba33a-9882-4043-9640-d4cf80e193ef/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1924be27896fc861692cf9247734cd87ec7b121a8a7ffdeda8d313f9d8a12981

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:methodology_golang_build_strings
Create hunting rule
Author:smiller
Description:Looks for PEs with a Golang build ID

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 1924be27896fc861692cf9247734cd87ec7b121a8a7ffdeda8d313f9d8a12981

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/246653/

Comments


Avatar
zbet commented on 2022-03-03 03:28:54 UTC

url : hxxp://193.233.48.64:20001/build_dl/