MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e170063a684e21bcf078. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 5 File information Comments
Add tag Delete this sample Report a False Positive

SHA256 hash: 5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e170063a684e21bcf078
SHA3-384 hash: 6a622dc40750ffc5c3c679484321455026d44aefd3778bce18e1dc5a9031c783031566116366f8f1be60b26752546d1b
SHA1 hash: 0d1580519970aadaae7a4771bba39668ac0c583f
MD5 hash: 8fb77edbae0c40e1e19d82a406b7615a
humanhash: thirteen-freddie-comet-avocado
File name:5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'843'200 bytes
First seen:2022-01-14 18:08:06 UTC
Last seen:2022-01-14 20:02:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6ed4f5f04d62b18d96b26d6db7c18840 (61 x BitRAT, 41 x RedLineStealer, 20 x TriumphLoader)
ssdeep 49152:w7tSsBqGiSI6UlFlD6p0PDmkpcaNv9eSY9h:wZSsqPJ60qCR7Nq
Threatray 39 similar samples on MalwareBazaar
TLSH T17A8533C907169D53E1D38FBF395400F00020E077275A8D56EFC9D1A72BABE6B69DB624
Reporter @abuse_ch
Tags:exe RedLineStealer


Twitter
@abuse_ch
RedLineStealer C2:
http://47.254.235.229/7/Universal/HttpFlower1Track/BigloadpacketCdn/localSecure/eternalPipebigloadsqldownloads.php

Intelligence

File Origin
# of uploads :
2
# of downloads :
284
Origin country :
FR FR
Mail intelligence
No data
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe
Verdict:
No threats detected
Analysis date:
2022-01-14 18:24:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1e9b5014-60bc-4fe4-b5be-05c4904ec2d4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/219385/
Detection(s):
SecuriteInfo.com.WinGo.Agent.EF.23924.7757.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Creating a process with a hidden window
Launching a process
Launching the process to change the firewall settings
Сreating synchronization primitives
Sending an HTTP POST request
Moving a system file
Creating a file
Sending a custom TCP request
Enabling the 'hidden' option for analyzed file
Using the Windows Management Instrumentation requests
DNS request
Moving of the original file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Replacing the hosts file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/61e1bc0d1883c5ba4ecc8eaf/reports/2791d6ce-503e-4fa4-b72d-a1f36a527a79/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/73c6e445-0f13-471f-9483-016126badaab
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/920890
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Creates an autostart registry key pointing to binary in C:\Windows
Creates multiple autostart registry keys
Hides that the sample has been downloaded from the Internet (zone.identifier)
Modifies the hosts file
Modifies the windows firewall
Multi AV Scanner detection for submitted file
Sigma detected: CobaltStrike Process Patterns
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Whoami Execution Anomaly
Uses cmd line tools excessively to alter registry or file data
Uses ipconfig to lookup or modify the Windows network settings
Uses known network protocols on non-standard ports
Uses netsh to modify the Windows network and firewall settings
Uses whoami command line tool to query computer and username
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 553368 Sample: 5641e24e22ccd259f18585ed2cb... Startdate: 14/01/2022 Architecture: WINDOWS Score: 100 92 Antivirus detection for URL or domain 2->92 94 Multi AV Scanner detection for submitted file 2->94 96 Sigma detected: CobaltStrike Process Patterns 2->96 98 5 other signatures 2->98 10 5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe 7 1 2->10         started        15 acrotray.exe 2->15         started        17 acrotray.exe 2->17         started        process3 dnsIp4 90 185.112.83.96, 20000, 49750, 49751 SUPERSERVERSDATACENTERRU Russian Federation 10->90 88 C:\Windows\System32\drivers\etc\hosts, ASCII 10->88 dropped 114 Creates multiple autostart registry keys 10->114 116 Creates an autostart registry key pointing to binary in C:\Windows 10->116 118 Modifies the hosts file 10->118 120 Modifies the windows firewall 10->120 19 cmd.exe 1 10->19         started        22 cmd.exe 1 10->22         started        24 cmd.exe 1 10->24         started        26 10 other processes 10->26 122 Uses cmd line tools excessively to alter registry or file data 15->122 124 Adds a directory exclusion to Windows Defender 15->124 126 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->126 128 Uses whoami command line tool to query computer and username 15->128 file5 signatures6 process7 signatures8 100 Uses whoami command line tool to query computer and username 19->100 28 whoami.exe 1 19->28         started        30 conhost.exe 19->30         started        32 conhost.exe 22->32         started        34 WMIC.exe 1 22->34         started        102 Uses cmd line tools excessively to alter registry or file data 24->102 104 Uses netsh to modify the Windows network and firewall settings 24->104 106 Uses ipconfig to lookup or modify the Windows network settings 24->106 36 conhost.exe 24->36         started        39 powershell.exe 23 24->39         started        108 Adds a directory exclusion to Windows Defender 26->108 41 ipconfig.exe 1 26->41         started        43 whoami.exe 1 26->43         started        45 14 other processes 26->45 process9 signatures10 47 cmd.exe 28->47         started        56 13 other processes 28->56 50 cmd.exe 32->50         started        52 cmd.exe 32->52         started        54 cmd.exe 32->54         started        58 11 other processes 32->58 110 Adds a directory exclusion to Windows Defender 36->110 60 2 other processes 36->60 112 Uses whoami command line tool to query computer and username 41->112 62 2 other processes 41->62 64 4 other processes 45->64 process11 signatures12 130 Uses cmd line tools excessively to alter registry or file data 47->130 66 reg.exe 47->66         started        68 conhost.exe 47->68         started        70 conhost.exe 50->70         started        72 reg.exe 50->72         started        132 Uses whoami command line tool to query computer and username 52->132 76 2 other processes 52->76 78 2 other processes 54->78 80 19 other processes 56->80 134 Adds a directory exclusion to Windows Defender 58->134 74 conhost.exe 58->74         started        82 14 other processes 58->82 process13 process14 84 conhost.exe 66->84         started        86 WMIC.exe 66->86         started       
Detection:
n/a
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e170063a684e21bcf078/
Threat name:
Win64.Trojan.Fsysna
Create hunting rule
Status:
Malicious
First seen:
2022-01-12 21:29:00 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
17 of 43 (39.53%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://www.spamhaus.org/query/hash/kza6etrcztjft4mfqxwszo5pnpr3hgqewpd6c4aghjue4in46b4a._file
Verdict:
malicious
Similar samples:
08a6dfeb7adf5eb90703abfab6c1f24a9f93c79e6287213f695c44f0181644ec
RedLineStealer
164149035d4a3d2edba76c0601f6f83e04d45d7c057d221130c57fc9b13fd5b5
RedLineStealer
1b8192ec7f52e9056f5f2c83f0a9c56c83469575fded613e6ae7c1f3505a3c1d
RedLineStealer
4a74dbaaacb20b26d7237b74ced5bd105b0ff3e2eb3ece3eba7bb93bf224b853
RedLineStealer
50bee5c11d3905157aa3aa461b9da69cc05c90d748330e98324cc36815610bc0
RedLineStealer
55e13deee3f281585865313131f946195f683ea1926e25492e3dd7c0b87d9bac
RedLineStealer
6c02cd3294f998736222c255ddd163b9d5e72dfbf3492bfdd43519a46ed609de
RedLineStealer
847fd5a4cae442afc596f09b8a8f2de13bc85356dcd8b897a3b4a89081f5046f
RedLineStealer
d0f8a2be536ca434da7734bd318d2a88ea5005f47d518c30ff611185f42c3701
RedLineStealer
+ 29 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
evasion persistence upx
Link:
https://tria.ge/reports/220114-wqytgahfg2/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Drops file in Windows directory
Adds Run key to start application
Drops file in Drivers directory
Modifies Windows Firewall
Sets file to hidden
Unpacked files
SH256 hash:
5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e170063a684e21bcf078
MD5 hash:
8fb77edbae0c40e1e19d82a406b7615a
SHA1 hash:
0d1580519970aadaae7a4771bba39668ac0c583f
Link:
https://www.unpac.me/results/bf227c91-4f8e-4dcc-81a7-897dd2fa675a/
AV coverage:
20.59%
AV detections:
14 / 68
Link:
https://www.virustotal.com/gui/file/5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e170063a684e21bcf078/detection/f-5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e170063a684e21bcf078-1642011740
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e170063a684e21bcf078

YARA Signatures

MalareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious proccess dumps they may create. Please note that only results from TLP:WHITE rules are being displayeyd.

Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:methodology_golang_build_strings
Create hunting rule
Author:smiller
Description:Looks for PEs with a Golang build ID

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://47.254.235.229/7/Universal/HttpFlower1Track/BigloadpacketCdn/localSecure/eternalPipebigloadsqldownloads.php https://threatfox.abuse.ch/ioc/295289

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/219385/

Comments