MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d9dd4ae9d1ba20dbf36549110c16150525122f3aa7fdd390c66b7a6bfb752e4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 15



SHA256 hash: 1d9dd4ae9d1ba20dbf36549110c16150525122f3aa7fdd390c66b7a6bfb752e4
SHA3-384 hash: 3feee2be97de72c0f6d6c6add1e43c693bd99713221ed4215324491d2de9fdf4f1edb27d3094dbbc926b148465c590c5
SHA1 hash: 5ca6f5e4d5bf7d4fe9b7d0a960a0c7d646dfd50a
MD5 hash: ad859b083a2fcaa43fa370b8e1f90d99
humanhash: stairway-paris-twenty-sierra
File name: 1D9DD4AE9D1BA20DBF36549110C16150525122F3AA7FD.exe
Signature: RedLineStealer
File size: 1'248'768 bytes
First seen: 2022-10-25 10:25:59 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: da0a8429d07681e0f845d1d4f08ae833 (28 x RedLineStealer, 2 x ArkeiStealer, 1 x PhoenixStealer)
ssdeep: 24576:iObvv0YOnt1YGYBuA+UahOxMCRzd8Yt/WsOYdDFZ:f7v0pnef3zesfdDF
TLSH: T11D454C3AE70615B4D7635772C58EFA7B9B14BA248032AE3FFF4AD90CA4730127C85256
TrID: 44.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      23.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      9.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.4% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
http://78.47.204.168/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://78.47.204.168/
ThreatFox reference: https://threatfox.abuse.ch/ioc/891320/

Intelligence


File Origin
# of uploads: 1
# of downloads: 202
Origin country: n/a

Vendor Threat Intelligence
Malware family: redline
ID: 1
File name: 1D9DD4AE9D1BA20DBF36549110C16150525122F3AA7FD.exe
Verdict: Malicious activity
Analysis date: 2022-10-25 10:28:13 UTC
Tags: trojan rat redline loader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Launching a process
Creating a window
Sending a TCP request to an infection source
Unauthorized injection to a system process
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
MeasuringTime
SystemUptime
EvasionGetTickCount
EvasionQueryPerformanceCounter
Result
Verdict: MALICIOUS
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: RedLine stealer
Verdict: Malicious
Result
Threat name: Laplas Clipper, RedLine, Xmrig
Detection: malicious
Classification: troj.spyw.evad.mine
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Connects to many ports of the same IP (likely port scanning)
Creates files in the system32 config directory
Detected unpacking (changes PE section rights)
Drops executables to the windows directory (C:\Windows) and starts them
Found hidden mapped module (file has been removed from disk)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: Stop multiple services
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Laplas Clipper
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph (ID 730094; sample 1D9DD4AE9D1BA20DBF36549110C..., start date 25/10/2022, architecture WINDOWS, score 100), recovered from the flattened graph image as a process tree:

Root (sample)
  network: pool.hashvault.pro
  signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 13 other signatures
  started: 1D9DD4AE9D1BA20DBF36549110C16150525122F3AA7FD.exe, updater.exe, svcupdater.exe, 4 other processes

1D9DD4AE9D1BA20DBF36549110C16150525122F3AA7FD.exe
  signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
  started: AppLaunch.exe, conhost.exe

AppLaunch.exe
  network: 62.204.41.141 (ports 24758, 49695; TNNET-ASTNNetOyMainnetworkFI, United Kingdom); gitcdn.link 104.21.234.84 (ports 49696, 80; CLOUDFLARENETUS, United States); 104.21.234.85 (ports 49697, 80; CLOUDFLARENETUS, United States)
  dropped: C:\Users\user\AppData\Local\...\ofg.exe (PE32); C:\Users\user\AppData\Local\...\chrome.exe (MS-DOS); C:\Users\user\AppData\Local\...\brave.exe (PE32+)
  signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
  started: chrome.exe, brave.exe, ofg.exe

chrome.exe
  dropped: C:\Windows\GoogleUpdate.exe (PE32)
  signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Machine Learning detection for dropped file; 5 other signatures
  started: GoogleUpdate.exe, powershell.exe (starts conhost.exe), schtasks.exe (starts conhost.exe), schtasks.exe (starts conhost.exe)

GoogleUpdate.exe
  network: 141.95.93.183 (ports 443, 49699, 49701; DFNVereinzurFoerderungeinesDeutschenForschungsnetzese, Germany); api.peer2profit.com 172.66.43.60 (ports 443, 49698, 49700; CLOUDFLARENETUS, United States)
  signatures: Uses netsh to modify the Windows network and firewall settings; Modifies the windows firewall
  started: 3 other processes, which start conhost.exe, conhost.exe, conhost.exe

brave.exe
  dropped: C:\Users\user\AppData\Local\Temp\9584.tmp (PE32+); C:\Program Files\Google\Chrome\updater.exe (PE32+)
  signatures: Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); Found hidden mapped module (file has been removed from disk); Maps a DLL or memory area into another process
  started: cmd.exe (starts 11 other processes), cmd.exe (Modifies power options to not sleep / hibernate; starts 5 other processes), powershell.exe (starts 2 other processes), 3 other processes (start 2 other processes)

ofg.exe
  dropped: C:\Users\user\AppData\...\svcupdater.exe (PE32)
  started: cmd.exe (Uses cmd line tools excessively to alter registry or file data; Uses schtasks.exe or at.exe to add and modify task schedules; Uses powercfg.exe to modify the power settings; starts 2 other processes)

updater.exe
  dropped: C:\Windows\Temp\55E7.tmp (PE32+); C:\Windows\Temp\53C4.tmp (PE32+); C:\Program Files\Google\Libs\WR64.sys (PE32+)
  started: powershell.exe (Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); starts conhost.exe)

svcupdater.exe
  network: clipper.guru 45.159.189.115 (ports 49720, 49994, 80; HOSTING-SOLUTIONSUS, Netherlands)
  signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file

4 other processes
  signatures: Creates files in the system32 config directory; Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
  started: conhost.exe, conhost.exe
Threat name: Win32.Trojan.RedLine
Status: Malicious
First seen: 2022-09-14 12:54:29 UTC
File Type: PE (Exe)
AV detection: 23 of 26 (88.46%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: redline
Score: 10/10
Tags: family:redline evasion infostealer spyware upx
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Stops running service(s)
UPX packed file
Modifies security service
RedLine
RedLine payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction: 62.204.41.141:24758
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: 0ba46af62e40c5612ca3609397b0caf7198afe79e66e31d8b2558db428bec4f7
MD5 hash: 0290f23317d8728a22d549e619153f0e
SHA1 hash: e5c5fdf41df1a549d243b1e7ebd6d2228d792632
Detections: redline

SHA256 hash: 1d9dd4ae9d1ba20dbf36549110c16150525122f3aa7fdd390c66b7a6bfb752e4
MD5 hash: ad859b083a2fcaa43fa370b8e1f90d99
SHA1 hash: 5ca6f5e4d5bf7d4fe9b7d0a960a0c7d646dfd50a
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.
