MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e170063a684e21bcf078. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 9



SHA256 hash: 5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e170063a684e21bcf078
SHA3-384 hash: 6a622dc40750ffc5c3c679484321455026d44aefd3778bce18e1dc5a9031c783031566116366f8f1be60b26752546d1b
SHA1 hash: 0d1580519970aadaae7a4771bba39668ac0c583f
MD5 hash: 8fb77edbae0c40e1e19d82a406b7615a
humanhash: thirteen-freddie-comet-avocado
File name:5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe
Signature RedLineStealer
File size:1'843'200 bytes
First seen:2022-01-14 18:08:06 UTC
Last seen:2022-01-14 20:02:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6ed4f5f04d62b18d96b26d6db7c18840 (61 x BitRAT, 41 x RedLineStealer, 20 x TriumphLoader)
ssdeep 49152:w7tSsBqGiSI6UlFlD6p0PDmkpcaNv9eSY9h:wZSsqPJ60qCR7Nq
Threatray 39 similar samples on MalwareBazaar
TLSH T17A8533C907169D53E1D38FBF395400F00020E077275A8D56EFC9D1A72BABE6B69DB624
Reporter @abuse_ch
Tags:exe RedLineStealer
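Before a downloaded sample is handled, analysed or shared, it should be checked against the digests listed above; a wrong file (a truncated download, a ZIP wrapper, a different unpacked stage) silently invalidates every later observation. The following Python is an added example, not part of this MalwareBazaar page or of abuse.ch tooling. It embeds the SHA256, SHA3-384, SHA1, MD5 and size from this entry, computes the same digests with the standard library, and reports which fields disagree; the test input (the bytes "abc") is a constructed stand-in for the real sample.

```python
import hashlib
import sys

# Digests and size listed on this MalwareBazaar entry (copied from the page).
PAGE_RECORD = {
    "sha256": "5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e170063a684e21bcf078",
    "sha3_384": "6a622dc40750ffc5c3c679484321455026d44aefd3778bce18e1dc5a9031c783031566116366f8f1be60b26752546d1b",
    "sha1": "0d1580519970aadaae7a4771bba39668ac0c583f",
    "md5": "8fb77edbae0c40e1e19d82a406b7615a",
    "size": 1843200,
}


def digest_bytes(data: bytes) -> dict:
    """Compute the four digests MalwareBazaar lists, plus the size, for an in-memory blob."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "size": len(data),
    }


def digest_path(path: str, chunk_size: int = 1 << 20) -> dict:
    """Same digests for a file on disk, streamed so large samples need not fit in memory."""
    hashers = {
        "sha256": hashlib.sha256(),
        "sha3_384": hashlib.sha3_384(),
        "sha1": hashlib.sha1(),
        "md5": hashlib.md5(),
    }
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            size += len(chunk)
            for h in hashers.values():
                h.update(chunk)
    result = {name: h.hexdigest() for name, h in hashers.items()}
    result["size"] = size
    return result


def mismatches(actual: dict, record: dict = PAGE_RECORD) -> list:
    """Names of record fields the computed values do not reproduce ([] means the file matches)."""
    return [field for field in record if actual.get(field) != record[field]]


if __name__ == "__main__":
    # Usage: python verify_sample.py <path-to-downloaded-sample>
    bad = mismatches(digest_path(sys.argv[1]))
    print("MATCH: file reproduces every digest on the entry" if not bad
          else "MISMATCH on: " + ", ".join(bad))
```

All five fields are compared rather than SHA256 alone: a file that matches SHA256 but not the size indicates a copy-paste error in the record, and a file that matches none of them is simply the wrong artefact (for example the password-protected ZIP MalwareBazaar serves rather than the PE inside it). The imphash, ssdeep and TLSH values on the entry need third-party libraries and are left out here.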


Twitter
@abuse_ch
RedLineStealer C2:
http://47.254.235.229/7/Universal/HttpFlower1Track/BigloadpacketCdn/localSecure/eternalPipebigloadsqldownloads.php

Intelligence


File Origin
# of uploads: 2
# of downloads: 284
Origin country: FR
Mail intelligence
No data
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe
Verdict: No threats detected
Analysis date: 2022-01-14 18:24:55 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Running batch commands
Creating a process with a hidden window
Launching a process
Launching the process to change the firewall settings
Creating synchronization primitives
Sending an HTTP POST request
Moving a system file
Creating a file
Sending a custom TCP request
Enabling the 'hidden' option for analyzed file
Using the Windows Management Instrumentation requests
DNS request
Moving of the original file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Replacing the hosts file
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: troj.adwa.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Creates an autostart registry key pointing to binary in C:\Windows
Creates multiple autostart registry keys
Hides that the sample has been downloaded from the Internet (zone.identifier)
Modifies the hosts file
Modifies the windows firewall
Multi AV Scanner detection for submitted file
Sigma detected: CobaltStrike Process Patterns
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Whoami Execution Anomaly
Uses cmd line tools excessively to alter registry or file data
Uses ipconfig to lookup or modify the Windows network settings
Uses known network protocols on non-standard ports
Uses netsh to modify the Windows network and firewall settings
Uses whoami command line tool to query computer and username
Behaviour
Behavior Graph:
Behavior Graph ID: 553368
Sample: 5641e24e22ccd259f18585ed2cb...
Start date: 14/01/2022
Architecture: WINDOWS
Score: 100
Top-level signatures: Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; Sigma detected: CobaltStrike Process Patterns; 5 other signatures

Process tree (recovered from the graph export; edges are reproduced as the export lists them):
5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe (started)
    Network: 185.112.83.96, ports 20000, 49750, 49751 (SUPERSERVERSDATACENTERRU, Russian Federation)
    Dropped: C:\Windows\System32\drivers\etc\hosts (ASCII)
    Signatures: Creates multiple autostart registry keys; Creates an autostart registry key pointing to binary in C:\Windows; Modifies the hosts file; Modifies the windows firewall
    cmd.exe (started)
        Signature: Uses whoami command line tool to query computer and username
        whoami.exe (started)
            cmd.exe (started)
                Signature: Uses cmd line tools excessively to alter registry or file data
                reg.exe (started)
                    conhost.exe (started)
                    WMIC.exe (started)
                conhost.exe (started)
            13 other processes
                19 other processes
        conhost.exe (started)
    cmd.exe (started)
        conhost.exe (started)
            cmd.exe (started)
                conhost.exe (started)
                reg.exe (started)
            cmd.exe (started)
                Signature: Uses whoami command line tool to query computer and username
                2 other processes
            cmd.exe (started)
                2 other processes
            11 other processes
                Signature: Adds a directory exclusion to Windows Defender
                conhost.exe (started)
                14 other processes
        WMIC.exe (started)
    cmd.exe (started)
        Signatures: Uses cmd line tools excessively to alter registry or file data; Uses netsh to modify the Windows network and firewall settings; Uses ipconfig to lookup or modify the Windows network settings
        conhost.exe (started)
            Signature: Adds a directory exclusion to Windows Defender
            2 other processes
        powershell.exe (started)
    10 other processes
        Signature: Adds a directory exclusion to Windows Defender
        ipconfig.exe (started)
            Signature: Uses whoami command line tool to query computer and username
            2 other processes
        whoami.exe (started)
        14 other processes
            4 other processes
acrotray.exe (started, two instances)
    Signatures: Uses cmd line tools excessively to alter registry or file data; Adds a directory exclusion to Windows Defender; Hides that the sample has been downloaded from the Internet (zone.identifier); Uses whoami command line tool to query computer and username
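Each signature above (whoami, netsh firewall changes, a PowerShell Defender exclusion, a Run key pointing into C:\Windows) is weak on its own; what makes the run above convincing is that they all hang off one process tree. The Python below is an added example, not code from the sandbox vendor or this page: it applies Sigma-style rules to process-creation events and then attributes every hit to the root of its ancestry chain, so a cluster of three or more distinct techniques under one root becomes a single alert while an administrator's lone ipconfig does not. The events and their command lines are constructed and shaped after the signatures listed above; they are assumptions, not telemetry recovered from the sample.

```python
import re

# Constructed process-creation events (Sysmon event ID 1 style). These are NOT the
# sandbox's telemetry; command lines are assumptions modelled on the page's signatures.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Users\victim\Downloads\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe",
     "cmdline": "5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe"},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd /c whoami"},
    {"pid": 102, "ppid": 101, "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami"},
    {"pid": 103, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c netsh advfirewall set allprofiles state off"},
    {"pid": 104, "ppid": 103, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh advfirewall set allprofiles state off"},
    {"pid": 105, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /c powershell -Command "Add-MpPreference -ExclusionPath C:\Windows\acrotray"'},
    {"pid": 106, "ppid": 105, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -Command "Add-MpPreference -ExclusionPath C:\Windows\acrotray"'},
    {"pid": 107, "ppid": 100, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v acrotray /t REG_SZ /d C:\Windows\acrotray\acrotray.exe /f"},
    # Benign noise: an interactive user running ipconfig from an explorer-spawned shell.
    {"pid": 108, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 109, "ppid": 108, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd /c ipconfig /all"},
    {"pid": 110, "ppid": 109, "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all"},
]

# (rule name, regex on image basename, regex on command line); mirrors the page's signatures.
RULES = [
    ("whoami_execution",      r"^whoami\.exe$",            r"."),
    ("ipconfig_recon",        r"^ipconfig\.exe$",          r"."),
    ("netsh_firewall_change", r"^netsh\.exe$",             r"\b(adv)?firewall\b.*\b(set|add|delete)\b"),
    ("defender_exclusion_ps", r"^(powershell|pwsh)\.exe$", r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)"),
    ("run_key_into_windows",  r"^reg\.exe$",               r"\\CurrentVersion\\Run\b.*\bC:\\Windows\\"),
]


def basename(image: str) -> str:
    """Last path component of a Windows image path, lower-cased (works off-Windows too)."""
    return image.rsplit("\\", 1)[-1].lower()


def root_of(pid: int, by_pid: dict) -> int:
    """Walk ppid links upward until the parent is not in our event set; that pid is the root."""
    while pid in by_pid and by_pid[pid]["ppid"] in by_pid:
        pid = by_pid[pid]["ppid"]
    return pid


def detect(events: list) -> dict:
    """Map each process-tree root pid to the set of rule names that fired somewhere beneath it."""
    by_pid = {e["pid"]: e for e in events}
    findings = {}
    for e in events:
        name = basename(e["image"])
        for rule, image_re, cmd_re in RULES:
            if re.search(image_re, name, re.I) and re.search(cmd_re, e["cmdline"], re.I):
                findings.setdefault(root_of(e["pid"], by_pid), set()).add(rule)
    return findings


def suspicious_roots(events: list, min_rules: int = 3) -> list:
    """Root pids under which at least min_rules distinct techniques were observed."""
    return sorted(pid for pid, rules in detect(events).items() if len(rules) >= min_rules)


if __name__ == "__main__":
    for pid, rules in sorted(detect(EVENTS).items()):
        print(f"root pid {pid}: {sorted(rules)}")
    print("alert on roots:", suspicious_roots(EVENTS))
```

Attributing to the root rather than the immediate parent is what lets the whoami under cmd.exe and the reg.exe launched directly by the sample land in the same bucket; in real telemetry the ancestry walk should also stop at well-known service roots (services.exe, wininit.exe) so that unrelated trees are not merged.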
Threat name: Win64.Trojan.Fsysna
Status: Malicious
First seen: 2022-01-12 21:29:00 UTC
File Type: PE+ (Exe)
Extracted files: 1
AV detection: 17 of 43 (39.53%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: evasion persistence upx
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Drops file in Windows directory
Adds Run key to start application
Drops file in Drivers directory
Modifies Windows Firewall
Sets file to hidden
Unpacked files
SHA256 hash: 5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e170063a684e21bcf078
MD5 hash: 8fb77edbae0c40e1e19d82a406b7615a
SHA1 hash: 0d1580519970aadaae7a4771bba39668ac0c583f

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. Those are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:WHITE rules are displayed.

Rule name:GoBinTest
Rule name:golang
Rule name:HiveRansomware
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Author:Eric Yocam
Description:find Golang malware
Rule name:methodology_golang_build_strings
Author:smiller
Description:Looks for PEs with a Golang build ID

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://47.254.235.229/7/Universal/HttpFlower1Track/BigloadpacketCdn/localSecure/eternalPipebigloadsqldownloads.php
ThreatFox reference: https://threatfox.abuse.ch/ioc/295289
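The IOC table carries one indicator, the C2 URL; the sandbox section above additionally recorded traffic to 185.112.83.96 on port 20000, which is an observation from one run rather than a curated ThreatFox entry and deserves a lower confidence when hunted. The Python below is an added example, not part of this page or of abuse.ch tooling. It matches both indicators against proxy-style log lines with graded confidence (exact URL, same host with a different path, sandbox IP with or without the observed port) and defangs the indicators for reporting. The log lines and their column layout are constructed for the example.

```python
from urllib.parse import urlsplit

# Indicators taken from this page.
C2_URL = ("http://47.254.235.229/7/Universal/HttpFlower1Track/BigloadpacketCdn/"
          "localSecure/eternalPipebigloadsqldownloads.php")
C2_HOST = urlsplit(C2_URL).hostname            # 47.254.235.229 (from the IOC table)
SANDBOX_DST = ("185.112.83.96", 20000)         # seen in the sandbox run, not in the IOC table

# Constructed proxy/flow records (assumed layout, NOT real telemetry):
# timestamp client_ip dst_ip dst_port method url status   ("-" where a field does not apply)
SAMPLE_LOG = """\
2022-01-14T18:10:01Z 10.0.0.12 47.254.235.229 80 POST http://47.254.235.229/7/Universal/HttpFlower1Track/BigloadpacketCdn/localSecure/eternalPipebigloadsqldownloads.php 200
2022-01-14T18:10:05Z 10.0.0.12 185.112.83.96 20000 - - -
2022-01-14T18:11:00Z 10.0.0.33 93.184.216.34 443 GET https://example.com/ 200
2022-01-14T18:12:30Z 10.0.0.44 47.254.235.229 80 GET http://47.254.235.229/7/Universal/index.php 404
2022-01-14T18:13:00Z 10.0.0.55 185.112.83.96 443 - - -
"""


def defang(indicator: str) -> str:
    """Render a URL or bare IP so it is neither clickable nor auto-resolved when shared."""
    parts = urlsplit(indicator)
    if parts.scheme and parts.hostname:
        rest = indicator.split(parts.hostname, 1)[1]
        return parts.scheme.replace("http", "hxxp") + "://" + parts.hostname.replace(".", "[.]") + rest
    return indicator.replace(".", "[.]")


def classify(dst_ip: str, dst_port: int, url: str):
    """Return (indicator name, confidence) for one record, or None if nothing matches."""
    if url != "-" and url == C2_URL:
        return "c2_url_exact", "high"
    if url != "-" and urlsplit(url).hostname == C2_HOST:
        return "c2_host_other_path", "medium"
    if dst_ip == C2_HOST:
        return "c2_host_other_path", "medium"
    if (dst_ip, dst_port) == SANDBOX_DST:
        return "sandbox_ip_and_port", "medium"
    if dst_ip == SANDBOX_DST[0]:
        return "sandbox_ip_only", "low"
    return None


def scan(log_text: str) -> list:
    """Run every record through classify(); keep the hits with their client and timestamp."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, dst_ip, dst_port, _method, url, _status = line.split()
        verdict = classify(dst_ip, int(dst_port), url)
        if verdict:
            hits.append({"ts": ts, "client": client, "indicator": verdict[0], "confidence": verdict[1]})
    return hits


def affected_clients(log_text: str) -> list:
    """Distinct internal hosts that touched any indicator, for triage hand-off."""
    return sorted({h["client"] for h in scan(log_text)})


if __name__ == "__main__":
    print("hunting for:", defang(C2_URL), "and", defang(SANDBOX_DST[0]) + ":" + str(SANDBOX_DST[1]))
    for hit in scan(SAMPLE_LOG):
        print(hit)
    print("clients to triage:", affected_clients(SAMPLE_LOG))
```

The graded scheme matters for a shared-hosting C2: the page's URL path is long and specific, so an exact match is near-certain, while a bare hit on 47.254.235.229 could be another tenant and is only worth a medium score until the path is inspected.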

File information


The table below shows additional information about this malware sample such as delivery method and external references.
