MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 490bac101a8b84015429e88a48fe064672835fffa5a34ec67b03970d6321ba2a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 6



SHA256 hash: 490bac101a8b84015429e88a48fe064672835fffa5a34ec67b03970d6321ba2a
SHA3-384 hash: a37f14b49e2e890b21f11e2a2662e72b7b4ec4f0a509cc023b87493b793f19ec46ba24f1f8835b119c410a21e8d55cd7
SHA1 hash: 69ed6e9a61ceb71eee81236be915a974ec199349
MD5 hash: 74c3f98314f49248d22340f8dd830aee
humanhash: vegan-utah-three-december
File name: 74c3f98314f49248d22340f8dd830aee.exe
Signature: RedLineStealer
File size: 32'768 bytes
First seen: 2021-09-13 00:30:23 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5cd10cd5bf36398679bac98b0095b0f8 (1 x RedLineStealer)
ssdeep: 384:pOe0ciqTpjgWi7jRgSOFckOFKN37WG2SCllKJnnUOFKNjOFc:pFcrFK17n7FKIFc
TLSH: T18EE2FD3DA188F092E075A67387A2D3B87B172D2279720D465DC11F2FBC3D6827D9096E
dhash icon: b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
185.70.184.89:52823

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                    ThreatFox Reference
185.70.184.89:52823    https://threatfox.abuse.ch/ioc/220800/

Intelligence


File Origin
# of uploads: 1
# of downloads: 129
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: fl_studio_20_6_keygen_by_KeygenSumo.zip
Verdict: Malicious activity
Analysis date: 2021-09-12 19:21:12 UTC
Tags: evasion trojan rat azorult stealer fareit pony raccoon loader redline opendir vidar unwanted netsupport

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Maliciousness:
Behaviour: Creating a window

Result
Threat name: Unknown
Detection: malicious
Classification: troj
Score: 72 / 100
Signature
Creates autostart registry keys with suspicious values (likely registry only malware)
Found C&C like URL pattern
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Sigma detected: CrackMapExec PowerShell Obfuscation
Very long command line found
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph: ID 481849, sample LYgkO009MS.exe, start date 13/09/2021, architecture WINDOWS, score 72 (interactive process tree with dropped files, DNS/IP contacts and matched signatures; not reproduced here)
Verdict: unknown

Result
Malware family: n/a
Score: 10/10
Tags: persistence suricata
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Looks up external IP address via web service
Blocklisted process makes network request
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
Unpacked files
SHA256 hash: 490bac101a8b84015429e88a48fe064672835fffa5a34ec67b03970d6321ba2a
MD5 hash: 74c3f98314f49248d22340f8dd830aee
SHA1 hash: 69ed6e9a61ceb71eee81236be915a974ec199349
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
RedLineStealer
Executable exe 490bac101a8b84015429e88a48fe064672835fffa5a34ec67b03970d6321ba2a (this sample)

Delivery method: Distributed via web download

Comments