MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 39f5b13c60418f4bcefdd1df075a6fe9e8bd879340c42d12c8a5e636aa035e6d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 39f5b13c60418f4bcefdd1df075a6fe9e8bd879340c42d12c8a5e636aa035e6d
SHA3-384 hash: 1853e4abc03bf0f83948a1dbc6345938f3c4ba673629c809b27a31fd48bd7f5ff736b5b39c63aa0a9a6ed9ac551f208f
SHA1 hash: 7312731a66c51e8c51f680aed1aee90c397b8282
MD5 hash: aa50acd8116fddaaeec779efeab5555a
humanhash: one-undress-wyoming-coffee
File name:aa50acd8116fddaaeec779efeab5555a.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'688'513 bytes
First seen:2021-09-20 13:59:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e9c0657252137ac61c1eeeba4c021000 (53 x GuLoader, 26 x RedLineStealer, 17 x AgentTesla)
ssdeep 49152:ZPBt+n3sc03YZ7afGhCrgNgvgRkJthP81:N+n337AECENXathPs
Threatray 7'662 similar samples on MalwareBazaar
TLSH T10475F00D6113B39EDCA0333B9A3AEF16D6F45C658962416D39C0BE37EAB5E52023C746
File icon (PE):PE icon
dhash icon f0ccc8eab292ccf0 (18 x RedLineStealer, 1 x Vidar)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
116
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
aa50acd8116fddaaeec779efeab5555a.exe
Verdict:
Malicious activity
Analysis date:
2021-09-20 14:04:03 UTC
Tags:
trojan evasion rat redline
Link:
https://app.any.run/tasks/865ba122-0c45-4ea9-81d1-bbf13d024abe

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/189469/
Detection(s):
Win.Packed.Razy-9894224-0
Create hunting rule

SecuriteInfo.com.Trojan.GenericKD.42220477.4087.19311.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Running batch commands
Creating a window
Creating a file in the %temp% directory
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b0d98f46-aabf-4b94-982e-82e4142f9931
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/854139
Signature
Antivirus detection for dropped file
Connects to a pastebin service (likely for C&C)
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Check external IP via Powershell
Sigma detected: Copying Sensitive Files with Credential Data
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Costura Assembly Loader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 486571 Sample: Z9xV26jovu.exe Startdate: 20/09/2021 Architecture: WINDOWS Score: 100 42 iplogger.org 2->42 44 google.vrthcobj.com 2->44 46 8 other IPs or domains 2->46 80 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->80 82 Multi AV Scanner detection for submitted file 2->82 84 Yara detected RedLine Stealer 2->84 86 7 other signatures 2->86 9 Z9xV26jovu.exe 18 2->9         started        signatures3 process4 file5 32 C:\Users\user\AppData\Local\Temp\wwi.exe, PE32 9->32 dropped 34 C:\Users\user\AppData\Local\Temp\f.exe, PE32 9->34 dropped 36 C:\Users\user\AppData\...\ZL8P5I40CNY8J.dll, PE32 9->36 dropped 12 cmd.exe 1 9->12         started        process6 process7 14 wwi.exe 14 34 12->14         started        19 f.exe 15 5 12->19         started        21 powershell.exe 14 18 12->21         started        23 conhost.exe 12->23         started        dnsIp8 54 demner.site 80.66.87.32, 26062, 49763 WORLDSTREAMNL Russian Federation 14->54 56 123456789009876.ru 37.140.192.191, 49835, 80 AS-REGRU Russian Federation 14->56 58 api.ip.sb 14->58 38 C:\Users\user\AppData\Local\Temp\vss.exe, PE32 14->38 dropped 66 Multi AV Scanner detection for dropped file 14->66 68 Detected unpacking (changes PE section rights) 14->68 70 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 14->70 78 7 other signatures 14->78 25 conhost.exe 14->25         started        27 vss.exe 14->27         started        60 iplogger.org 88.99.66.31, 443, 49749, 49770 HETZNER-ASDE Germany 19->60 62 pastebin.com 104.23.99.190, 443, 49747, 49748 CLOUDFLARENETUS United States 19->62 64 cryptorelated.net 31.31.198.223, 443, 49750, 49751 AS-REGRU Russian Federation 19->64 40 C:\Users\user\AppData\Local\237843444.exe, PE32 19->40 dropped 72 Antivirus detection for dropped file 19->72 74 May check the online IP address of the machine 19->74 76 Machine Learning detection for dropped file 19->76 29 237843444.exe 2 19->29         started        file9 signatures10 process11 dnsIp12 48 api.pro.coinbase.com 104.18.15.237, 443, 49767 CLOUDFLARENETUS United States 29->48 50 104.18.7.10, 443, 49766, 49839 CLOUDFLARENETUS United States 29->50 52 api.coinbase.com 29->52
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/39f5b13c60418f4bcefdd1df075a6fe9e8bd879340c42d12c8a5e636aa035e6d/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-09-20 12:00:11 UTC
AV detection:
21 of 27 (77.78%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
13492a113107ae59e2fe02f3c3b9afa411a39caa73b78ea06dec0fb9a970f7a2
RedLineStealer
26ea2034c89f020f380b719bff22992688ff3bf953b6313a925139c5b668ad53
RedLineStealer
3b3af3c0c0ccff93c1f62d0e00a25e76b856392c604e209f93e987a7a913a727
RedLineStealer
4aadef23f11dd8fdc214bea41b6f7819bf723f20f581fec84d38e3ab1d08ad94
RedLineStealer
4d04f5f44c21f9ccda28433bddea30ce2fba7a548d7d40a46332e0d2b70079d0
RedLineStealer
5ad7bfb790fc652df60360024af60578790930bb78489aabf352eae3fff103fb
RedLineStealer
6647ec66a0bc49efe7b873499aeb5feb9abe8c18e0ab078e40d6eb7f00654244
RedLineStealer
7263fbdb7378bb2a4522bae58a388d74b193bd2d73a8669f901d11e1481a1595
RedLineStealer
ca46080e121408d9624322e505dc2178ba99e15871c90e101b54e42ea7b54a96
RedLineStealer
f8c0350d71e5dd14438d477f73915c4845290c7f0620656624722183b76013f5
RedLineStealer
+ 7'652 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery evasion spyware stealer suricata themida trojan
Link:
https://tria.ge/reports/210920-rad2xaghhm/
Behaviour
Checks processor information in registry
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Process spawned unexpected child process
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Unpacked files
SH256 hash:
6851e02d3f4b8179b975f00bbc86602a2f2f84524f548876eb656db7ea5eaa9c
MD5 hash:
c5124caf4aea3a83b63a9108fe0dcef8
SHA1 hash:
a43a5a59038fca5a63fa526277f241f855177ce6
Link:
https://www.unpac.me/results/46253aca-bf68-49e8-914f-5e0674eec177/
SH256 hash:
49b7477db8dd22f8cf2d41ee2d79ce57797f02e8c7b9e799951a6c710384349a
MD5 hash:
293165db1e46070410b4209519e67494
SHA1 hash:
777b96a4f74b6c34d43a4e7c7e656757d1c97f01
Link:
https://www.unpac.me/results/46253aca-bf68-49e8-914f-5e0674eec177/
SH256 hash:
9ee589a37c4a1347fc2d6410aba4239e5b647e1e80ea69ece09378380d4b795a
MD5 hash:
229a4e934956f6e73f92e24f21a3b526
SHA1 hash:
d509e92da3346c47e25df2b9c906e4dc805f8e97
Link:
https://www.unpac.me/results/46253aca-bf68-49e8-914f-5e0674eec177/
SH256 hash:
a6fe62d19b2b0f608fe3367ba5612742b9ff248b91a32b13fe189c891a22a00d
MD5 hash:
729168d16501390f6b7d92edb38886c4
SHA1 hash:
d244dc2a6325b22a02372c2b8e01ef4a3e51d10c
Link:
https://www.unpac.me/results/46253aca-bf68-49e8-914f-5e0674eec177/
SH256 hash:
39f5b13c60418f4bcefdd1df075a6fe9e8bd879340c42d12c8a5e636aa035e6d
MD5 hash:
aa50acd8116fddaaeec779efeab5555a
SHA1 hash:
7312731a66c51e8c51f680aed1aee90c397b8282
Link:
https://www.unpac.me/results/46253aca-bf68-49e8-914f-5e0674eec177/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/39f5b13c60418f4bcefdd1df075a6fe9e8bd879340c42d12c8a5e636aa035e6d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 39f5b13c60418f4bcefdd1df075a6fe9e8bd879340c42d12c8a5e636aa035e6d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1627245/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/189469/

Comments