MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 217265e900ce6d8b7750e25c9d4560715f2e58be5a2aa9210ba4f9974ae760c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 217265e900ce6d8b7750e25c9d4560715f2e58be5a2aa9210ba4f9974ae760c8
SHA3-384 hash: 7b943f6e4c6d07733b0aa4ca39bd84b2d60b6b887168a863f2fc4445aacff042b3174e0daf2fa5cbdd4cb977f7911bc8
SHA1 hash: 4ad578096b72f376bd012d3f3ba6a6cd7f162432
MD5 hash: 209609199e47fecdd76a96dabf1f9cf5
humanhash: winter-friend-kansas-shade
File name:209609199e47fecdd76a96dabf1f9cf5
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:381'440 bytes
First seen:2022-04-12 08:25:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:8aM4riOlP2GhNTi2BsCx1wsWO34xrxafUA5VyNmMpHXrvObETLLEAmg+:Z2iNTbnWvrxasAWEsybkEAmD
Threatray 4'779 similar samples on MalwareBazaar
TLSH T19A84D0A1B51A9BD8DE5A8BF009264320127F7D0D59ADD10D38DB3EAF76B33032151E6B
File icon (PE):PE icon
dhash icon 68d8d8c8d9a9c1d9 (96 x SnakeKeylogger, 67 x RemcosRAT, 66 x Formbook)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
301
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
209609199e47fecdd76a96dabf1f9cf5
Verdict:
Malicious activity
Analysis date:
2022-04-13 05:27:34 UTC
Tags:
trojan loader rat redline evasion miner
Link:
https://app.any.run/tasks/95ae375f-2ffd-4b33-a236-2b189161af76

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/262913/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Creating a file in the %temp% directory
Running batch commands
Launching a process
Creating a window
Reading critical registry keys
Unauthorized injection to a recently created process
Stealing user critical data
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware obfuscated packed shell32.dll
Link:
https://www.filescan.io/uploads/6255379bffe27d5119b35256/reports/220abc8f-037f-4ca1-a156-0fbea74d1869/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a1e5e67e-2053-4bdb-82b9-e5371b395070
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/975179
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to detect sleep reduction / modifications
Creates an undocumented autostart registry key
Drops PE files to the user root directory
Found malware configuration
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Execution from Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Suspicious Program Location with Network Connections
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 607666 Sample: pDIXAYcXsK Startdate: 12/04/2022 Architecture: WINDOWS Score: 100 55 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->55 57 Found malware configuration 2->57 59 Malicious sample detected (through community Yara rule) 2->59 61 7 other signatures 2->61 9 pDIXAYcXsK.exe 14 5 2->9         started        process3 dnsIp4 53 107.189.6.214, 49735, 80 PONYNETUS United States 9->53 37 C:\ProgramData\1.exe, PE32 9->37 dropped 39 C:\Users\user\AppData\...\pDIXAYcXsK.exe.log, ASCII 9->39 dropped 13 1.exe 3 9->13         started        file5 process6 file7 41 C:\Users\Public\M3gJNbpqWpct.exe, PE32 13->41 dropped 43 C:\Users\Public\BEgHvre3gJNc.exe, PE32 13->43 dropped 79 Multi AV Scanner detection for dropped file 13->79 81 Machine Learning detection for dropped file 13->81 83 Drops PE files to the user root directory 13->83 85 Contains functionality to detect sleep reduction / modifications 13->85 17 M3gJNbpqWpct.exe 5 13->17         started        21 BEgHvre3gJNc.exe 14 7 13->21         started        signatures8 process9 dnsIp10 45 188.68.205.12, 49742, 7053 ITNET33RU Russian Federation 17->45 63 Antivirus detection for dropped file 17->63 65 Multi AV Scanner detection for dropped file 17->65 67 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 17->67 75 3 other signatures 17->75 47 ip-api.com 208.95.112.1, 49737, 80 TUT-ASUS United States 21->47 49 checkip.eu-west-1.prod.check-ip.aws.a2z.com 52.19.9.35, 49736, 80 AMAZON-02US United States 21->49 51 2 other IPs or domains 21->51 33 C:\ProgramData\...\20a98133.exe, PE32 21->33 dropped 35 C:\Users\user\AppData\...\tmpE053.tmp.bat, DOS 21->35 dropped 69 May check the online IP address of the machine 21->69 71 Machine Learning detection for dropped file 21->71 73 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 21->73 24 cmd.exe 1 21->24         started        file11 signatures12 process13 process14 26 reg.exe 1 24->26         started        29 conhost.exe 24->29         started        31 timeout.exe 24->31         started        signatures15 77 Creates an undocumented autostart registry key 26->77
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/217265e900ce6d8b7750e25c9d4560715f2e58be5a2aa9210ba4f9974ae760c8/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2022-04-12 03:22:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
28
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=efzgl2iazzwyw52q4joj2rlaofps4wf6livksiilut4zosxhmdea._file
Verdict:
malicious
Similar samples:
15791f0ceae7a162d3280af791cd8837705a7ccb6248bbfc3184cc3306ec4a57
RedLineStealer
2032f4c705391c616308c070f4aa16aed376c18cdc1deb207e8c9048edb0cce8
RedLineStealer
2cef44b61ff47451356f3ae57bbd4d4540b856144ab8f8a2dc9fd9eb55c6cc2a
RedLineStealer
495b412404af5fc597de31a84cbddf175ea4859c9922b012cf0035406a87c29f
RedLineStealer
8eaf681b745ba342b3c952210ea78b6db1cf699954021ece171f71dbd9f8ac43
RedLineStealer
bd250e1cb4f8d322a5464549dc067ac7bcbecfc2d4fca46c40af8d23173011d3
RedLineStealer
d18fcd892cfdce30de3d7ff4f594ffac1e28867905f94afd586c6fff83b63457
RedLineStealer
+ 4'769 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:loaderbot family:redline botnet:123 discovery infostealer loader miner persistence spyware stealer
Link:
https://tria.ge/reports/220412-kbvbyscde6/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
LoaderBot executable
LoaderBot
RedLine
RedLine Payload
Malware Config
C2 Extraction:
188.68.205.12:7053
Unpacked files
SH256 hash:
217265e900ce6d8b7750e25c9d4560715f2e58be5a2aa9210ba4f9974ae760c8
MD5 hash:
209609199e47fecdd76a96dabf1f9cf5
SHA1 hash:
4ad578096b72f376bd012d3f3ba6a6cd7f162432
Link:
https://www.unpac.me/results/56d3499f-808f-4a12-bfb1-e1e2edda5b34/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/217265e900ce6d8b7750e25c9d4560715f2e58be5a2aa9210ba4f9974ae760c8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 217265e900ce6d8b7750e25c9d4560715f2e58be5a2aa9210ba4f9974ae760c8

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2142358/
Cape
Cape
https://www.capesandbox.com/analysis/262913/

Comments


Avatar
zbet commented on 2022-04-12 08:25:11 UTC

url : hxxp://107.189.6.214/muP0Kakc/QuickSetDNS.exe