MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ca6d5674dde3941aab3788a17b3612c0a1f085a2c1c5dfde04dbbc9bb82138d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4ca6d5674dde3941aab3788a17b3612c0a1f085a2c1c5dfde04dbbc9bb82138d
SHA3-384 hash: e2bbcc81d22e4780fb74805a9c3a325d1f444dabf900d9ac23aaa1b8682e3c6f253c4bce96a9fcce70a4a526624bafd2
SHA1 hash: ed071d9d00b1dd0924e20c708d2543fe0afc69f7
MD5 hash: 72f6e0f5e094d14a587672fa3e98ead1
humanhash: princess-alanine-sweet-leopard
File name:72f6e0f5e094d14a587672fa3e98ead1
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:7'611'623 bytes
First seen:2021-12-27 07:14:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cfda23baf1e2e983ddfeca47a5c755a (33 x RedLineStealer, 6 x Dridex, 5 x NetSupport)
ssdeep 196608:kaPKmEnN6k4oTxU4tabw/6tjhSz+VK2UcjNbsBR:kQe6LwUsaS6MyUkhsBR
Threatray 2'010 similar samples on MalwareBazaar
TLSH T14F76332085B1C720C463BDB88EB8E5339875BA9C9895425EB7D59F0521F3BE1C06DFA3
File icon (PE):PE icon
dhash icon 8696e8cccce89686 (1 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
224
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
72f6e0f5e094d14a587672fa3e98ead1
Verdict:
Malicious activity
Analysis date:
2021-12-27 12:05:31 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6613b260-eada-40df-9152-39a2fa94adeb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/216505/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

SecuriteInfo.com.Trojan.MulDrop7.53194.14125.546.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a process
Sending a custom TCP request
DNS request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Sending an HTTP GET request
Unauthorized injection to a recently created process
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/3319/overview
Behaviour
MalwareBazaar
SystemUptime
CPUID_Instruction
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed packed
Link:
https://www.filescan.io/uploads/61c967fa8991ba72b39a8510/reports/c7bc1889-c7e4-4a0d-a400-d957b7355561/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ab319d8c-0b73-402b-ad92-82db530d1975
Result
Threat name:
BitCoin Miner RedLine Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/913038
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Detected VMProtect packer
Drops PE files with benign system names
Encrypted powershell cmdline option found
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
PE file has nameless sections
Performs DNS queries to domains with low reputation
Potential dropper URLs found in powershell memory
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: System File Execution Location Anomaly
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 545516 Sample: qUvEf1bfnl Startdate: 27/12/2021 Architecture: WINDOWS Score: 100 114 Multi AV Scanner detection for domain / URL 2->114 116 Found malware configuration 2->116 118 Multi AV Scanner detection for submitted file 2->118 120 11 other signatures 2->120 12 qUvEf1bfnl.exe 9 2->12         started        15 cmd.exe 2->15         started        process3 file4 76 C:\Users\user\...\InstallDriverASM.exe, PE32 12->76 dropped 78 C:\Users\user\AppData\...\@sellfortya.exe, PE32 12->78 dropped 18 @sellfortya.exe 12->18         started        21 InstallDriverASM.exe 8 12->21         started        142 Encrypted powershell cmdline option found 15->142 24 conhost.exe 15->24         started        26 powershell.exe 15->26         started        28 powershell.exe 15->28         started        signatures5 process6 file7 122 Multi AV Scanner detection for dropped file 18->122 124 Machine Learning detection for dropped file 18->124 126 Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION 18->126 128 4 other signatures 18->128 30 AppLaunch.exe 15 7 18->30         started        72 C:\Users\user\AppData\...\InstallDriver.exe, PE32+ 21->72 dropped 35 InstallDriver.exe 11 4 21->35         started        signatures8 process9 dnsIp10 82 vataeagene.xyz 94.140.115.160, 49769, 81 NANO-ASLV Latvia 30->82 84 api.ip.sb 30->84 92 3 other IPs or domains 30->92 80 C:\Users\user\AppData\...\AppLauncher.exe, PE32+ 30->80 dropped 94 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 30->94 96 Performs DNS queries to domains with low reputation 30->96 98 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 30->98 104 2 other signatures 30->104 37 AppLauncher.exe 30->37         started        86 api.telegram.org 149.154.167.220, 443, 49779 TELEGRAMRU United Kingdom 35->86 88 www.google.com 142.250.74.196, 49775, 80 GOOGLEUS United States 35->88 90 icanhazip.com 104.18.114.97, 443, 49778 CLOUDFLARENETUS United States 35->90 100 Multi AV Scanner detection for dropped file 35->100 102 May check the online IP address of the machine 35->102 file11 signatures12 process13 file14 74 C:\Users\user\AppData\...\services.exe, PE32+ 37->74 dropped 130 Antivirus detection for dropped file 37->130 132 Multi AV Scanner detection for dropped file 37->132 134 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 37->134 136 2 other signatures 37->136 41 cmd.exe 37->41         started        43 cmd.exe 37->43         started        46 cmd.exe 37->46         started        signatures15 process16 signatures17 48 services.exe 41->48         started        51 conhost.exe 41->51         started        138 Encrypted powershell cmdline option found 43->138 140 Uses schtasks.exe or at.exe to add and modify task schedules 43->140 53 conhost.exe 43->53         started        55 powershell.exe 43->55         started        57 powershell.exe 43->57         started        59 conhost.exe 46->59         started        61 schtasks.exe 46->61         started        process18 signatures19 106 Antivirus detection for dropped file 48->106 108 Multi AV Scanner detection for dropped file 48->108 110 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 48->110 112 Tries to detect virtualization through RDTSC time measurements 48->112 63 cmd.exe 48->63         started        process20 signatures21 144 Encrypted powershell cmdline option found 63->144 66 conhost.exe 63->66         started        68 powershell.exe 63->68         started        70 powershell.exe 63->70         started        process22
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4ca6d5674dde3941aab3788a17b3612c0a1f085a2c1c5dfde04dbbc9bb82138d/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-12-25 20:56:01 UTC
File Type:
PE (Exe)
Extracted files:
45
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jstnkz2n3y4udkvtpcfbpm3bfqfb6cc2fqof37pajw54to4ccogq._file
Verdict:
malicious
Similar samples:
367fe3f35e2c9c0e04a821cbc35ef8bcd174aaca7bd9650af414bd00dcf83138
RedLineStealer
44d3715b74d4162d3407fc4dcff4dbd67eb390452700cd2628a63399cd39979d
RedLineStealer
7148bb41fee90f24843a31006add5c84e658ccc3583149c0b2b01d6b69aaeaca
RedLineStealer
96283ef1de41a1a5c4e7e0fa5ead383995198c25ae71d19d0a4138333ce88dfb
RedLineStealer
9c55d8b1e171b21b41833dcbab1b07157f3bd3a12a06578c9063a211bb0bc61e
RedLineStealer
f3de4ce2a7e7d27e8dcfc9b38b0e55631181393e673a37a57bd97e218a797cfe
RedLineStealer
ff96c1b6af7f067e0ffe1d90c7d91dd39ac01f22ebb7868eb54f2d414951a728
RedLineStealer
+ 2'000 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/211227-h287paccg5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
e10fe0feab8dfcce3ef279a06cde3c6e47ea973e21c21ebe8b1c0a5d2465c928
MD5 hash:
ed35d395cbd7586a10db12e73996b2ed
SHA1 hash:
51751d535d24f9c30cc882b5a6a52fca8b8be5a8
Link:
https://www.unpac.me/results/48aa5783-86df-4760-b0e4-23aef0b50f72/
SH256 hash:
a0c853efa57c7847d19ccb524017b89542a0fed36ab7fb49ae53c7b0e71044e9
MD5 hash:
ab3278a027e05644eafeda8b9d36c19f
SHA1 hash:
89f97c341801784dfb9d08d4d461aac103892d55
Link:
https://www.unpac.me/results/48aa5783-86df-4760-b0e4-23aef0b50f72/
SH256 hash:
f8df695c2c2e2c225c9bba408ee4cf3d9b34f7ac2b6b9069a141e1fbb303403f
MD5 hash:
e2c275f511ecf1b9e9c26533ece8adae
SHA1 hash:
97e9091ce0bf847e180cbac2384774432fe1410d
Link:
https://www.unpac.me/results/48aa5783-86df-4760-b0e4-23aef0b50f72/
SH256 hash:
4ca6d5674dde3941aab3788a17b3612c0a1f085a2c1c5dfde04dbbc9bb82138d
MD5 hash:
72f6e0f5e094d14a587672fa3e98ead1
SHA1 hash:
ed071d9d00b1dd0924e20c708d2543fe0afc69f7
Link:
https://www.unpac.me/results/48aa5783-86df-4760-b0e4-23aef0b50f72/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/4ca6d5674dde/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4ca6d5674dde3941aab3788a17b3612c0a1f085a2c1c5dfde04dbbc9bb82138d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 4ca6d5674dde3941aab3788a17b3612c0a1f085a2c1c5dfde04dbbc9bb82138d

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1924371/
Cape
Cape
https://www.capesandbox.com/analysis/216505/

Comments


Avatar
zbet commented on 2021-12-27 07:14:14 UTC

url : hxxp://data-file-data-7.com/files/4151_1640461469_2859.exe