MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 40ac7d6e09f3bb208f9858055e1d528de41e0e950d655f28c3fd43f2590c0194. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 40ac7d6e09f3bb208f9858055e1d528de41e0e950d655f28c3fd43f2590c0194
SHA3-384 hash: d1f204dabbb86cb30db9f745e9b414cd73d3b48b4acb788d616440f54d050d813df36eea7504502cd069ea833d58f37a
SHA1 hash: 54d853b61ea5b7a8fa12ad3615c8813781fd5d75
MD5 hash: c7ab075f902fc76b9f9f2549552faf12
humanhash: north-summer-low-freddie
File name:Launcher.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:2'851'752 bytes
First seen:2022-01-03 03:06:50 UTC
Last seen:2022-01-03 04:47:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f409379b65e58ef730a014c2105818c0 (6 x RedLineStealer)
ssdeep 24576:yeDmXMJSxGTs9v+W/HL8PEC0weSDMDvi9vwYVncvmyFrYz2h0OyfnSq14160pVCs:yeScOGTsR+retDvi9bZL6gXzOEhCp+YJ
Threatray 37 similar samples on MalwareBazaar
TLSH T11CD52B707EAAF2DFDE574BB495CBCD666ACC076345100801E8BC34366D67F228AE5878
Reporter JaffaCakes118
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
197
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://bit.ly/Tenorshare4ukey_github
Verdict:
Malicious activity
Analysis date:
2022-01-03 02:43:58 UTC
Tags:
trojan rat redline loader
Link:
https://app.any.run/tasks/aaff7288-fcbf-412f-8dec-3c619947bb64

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/217114/
Detection(s):
SecuriteInfo.com.Trojan.Heur.GM.0000036180.1286.24400.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a window
Using the Windows Management Instrumentation requests
Sending a custom TCP request
DNS request
Reading critical registry keys
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  0/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/3711/overview
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/61d2685a7837ada941a91699/reports/4257af12-d1cb-4717-8fd3-b8c1a551ca6c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6310e5e7-94b5-4685-8e96-000df7dd2521
Result
Threat name:
BitCoin Miner RedLine SilentXMRMiner Xmr
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/914710
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Detected VMProtect packer
Drops PE files with benign system names
Encrypted powershell cmdline option found
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Potential dropper URLs found in powershell memory
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected RedLine Stealer
Yara detected SilentXMRMiner
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 547188 Sample: Launcher.exe Startdate: 03/01/2022 Architecture: WINDOWS Score: 100 74 Found malware configuration 2->74 76 Antivirus detection for URL or domain 2->76 78 Antivirus / Scanner detection for submitted sample 2->78 80 12 other signatures 2->80 11 Launcher.exe 2->11         started        14 cmd.exe 2->14         started        process3 signatures4 104 Query firmware table information (likely to detect VMs) 11->104 106 Writes to foreign memory regions 11->106 108 Allocates memory in foreign processes 11->108 112 2 other signatures 11->112 16 AppLaunch.exe 15 7 11->16         started        21 WerFault.exe 23 9 11->21         started        110 Encrypted powershell cmdline option found 14->110 23 conhost.exe 14->23         started        25 powershell.exe 14->25         started        27 powershell.exe 14->27         started        process5 dnsIp6 70 185.215.113.83, 49750, 60722 WHOLESALECONNECTIONSNL Portugal 16->70 72 188.119.112.88, 49755, 80 SERVERIUS-ASNL Russian Federation 16->72 64 C:\Users\user\AppData\Local\Temp\build.exe, PE32+ 16->64 dropped 82 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 16->82 84 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 16->84 86 Tries to harvest and steal browser information (history, passwords, etc) 16->86 88 Tries to steal Crypto Currency Wallets 16->88 29 build.exe 4 16->29         started        66 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 21->66 dropped file7 signatures8 process9 file10 68 C:\Users\user\AppData\...\services.exe, PE32+ 29->68 dropped 114 Antivirus detection for dropped file 29->114 116 Multi AV Scanner detection for dropped file 29->116 118 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 29->118 120 2 other signatures 29->120 33 cmd.exe 29->33         started        35 cmd.exe 1 29->35         started        38 cmd.exe 29->38         started        signatures11 process12 signatures13 40 services.exe 33->40         started        43 conhost.exe 33->43         started        90 Encrypted powershell cmdline option found 35->90 92 Uses schtasks.exe or at.exe to add and modify task schedules 35->92 45 powershell.exe 22 35->45         started        47 powershell.exe 23 35->47         started        49 conhost.exe 35->49         started        51 conhost.exe 38->51         started        53 schtasks.exe 38->53         started        process14 signatures15 96 Antivirus detection for dropped file 40->96 98 Multi AV Scanner detection for dropped file 40->98 100 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 40->100 102 Tries to detect virtualization through RDTSC time measurements 40->102 55 cmd.exe 40->55         started        process16 signatures17 94 Encrypted powershell cmdline option found 55->94 58 conhost.exe 55->58         started        60 powershell.exe 55->60         started        62 powershell.exe 55->62         started        process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/40ac7d6e09f3bb208f9858055e1d528de41e0e950d655f28c3fd43f2590c0194/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-01-03 03:07:14 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
16 of 43 (37.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=icwh23qj6o5sbd4ylacv4hksrxsb4duvbvsv6kgd7vb7ewimagka._file
Verdict:
malicious
Similar samples:
19469d26a781545bc0347ba1ef6d885744ec26c525eafd7034155b1095bab742
RedLineStealer
70abd0e56d64c9d19e81fc1f62f09b9644b00819c5a1feccfd185c168f4a2099
RedLineStealer
865baa577a2cdad80e6daefdd7b9bf06d4f9c5007d3bc17e98d13ca8d620feb6
RedLineStealer
92561a2126c31ee34edef41557d2c312a3e1f4b9909c99d8ca23d3cae19ee173
RedLineStealer
b2a5b282b91df9293450c3570495800cab173545524fed91e3f32e732ebd012e
RedLineStealer
c0efa247a497b4d9d721d0f54e30e44007c5e53882cf822ade5c3b8f9dd6bbaf
RedLineStealer
c4e9742a6a418ee7366c594a4f1206d468f6147792407fcd9ac6b452369d88bb
RedLineStealer
d4142d1a7e14ae837548204e7ca53bb1b6cf293c5b0e7ff4a58e9b22246be55e
RedLineStealer
e25e21d645707e65ba0b10be9b42efcbd146602cbb222c9504a9d4ef8239bc11
RedLineStealer
edf9a12ec428525419eacd03e0e480e111dd66ec5ea75c116171e1ae6317ac3d
RedLineStealer
+ 27 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion spyware trojan
Link:
https://tria.ge/reports/220103-dmbwesahg5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
Checks BIOS information in registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
a609ff9045ca6e62055eab01724e748075b39863f05198cf1420662e44982ac0
MD5 hash:
95b86da75a4f5ddc07ddf77c02f9de04
SHA1 hash:
5ea60797e9382dc1b9f6471f27f757a90acc406b
Link:
https://www.unpac.me/results/81bacf2a-3301-4115-99a5-581dcf7c9bdd/
SH256 hash:
40ac7d6e09f3bb208f9858055e1d528de41e0e950d655f28c3fd43f2590c0194
MD5 hash:
c7ab075f902fc76b9f9f2549552faf12
SHA1 hash:
54d853b61ea5b7a8fa12ad3615c8813781fd5d75
Link:
https://www.unpac.me/results/81bacf2a-3301-4115-99a5-581dcf7c9bdd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/40ac7d6e09f3bb208f9858055e1d528de41e0e950d655f28c3fd43f2590c0194

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 40ac7d6e09f3bb208f9858055e1d528de41e0e950d655f28c3fd43f2590c0194

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/217114/

Comments