MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 60c65307f80b12d2a8d8820756e900214ad19a1fcfcda18cdbee3a25974235ac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 60c65307f80b12d2a8d8820756e900214ad19a1fcfcda18cdbee3a25974235ac
SHA3-384 hash: 83fe656a98e23439c2c578ee489385e92d1013777fc421b4bd8e2fbb45c5de601a0342ff8e0de9763e3c4731706361c5
SHA1 hash: a4362b3fadd631fd06eb2159c677db84c34256a0
MD5 hash: 29ac701acd9d567c2f55bd518d6a588b
humanhash: september-johnny-delaware-iowa
File name:29ac701acd9d567c2f55bd518d6a588b.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:48'056 bytes
First seen:2021-10-19 14:27:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 768:1SYadv6/8pFsZRcRDAYJR7mSiLSj8vfGuLv+HVQ0F0GSI1uyhW:Y7v6/8DsZRcJAdNdZvqVQT9I1uV
Threatray 2'602 similar samples on MalwareBazaar
TLSH T12C239D261B5C5221DA270F3644BA91005B7CB3DA6747CB3E6A48E05EEDD73835B2137E
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
180
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/198575/
Result
Verdict:
Malware
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed packed
Link:
https://www.filescan.io/uploads/616ed5f5db358dd15ec4e0e1/reports/0caf6254-6988-4747-9a44-b7e6e6a764bf/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0537a28c-26c6-419e-a4d4-db78b8426da8
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/873211
Signature
Adds a directory exclusion to Windows Defender
Connects to many ports of the same IP (likely port scanning)
Creates autostart registry keys with suspicious names
Drops PE files with benign system names
Hides threads from debuggers
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Defender Exclusion
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected RedLine Stealer
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 505639 Sample: t4zdskXeId.exe Startdate: 19/10/2021 Architecture: WINDOWS Score: 100 59 System process connects to network (likely due to code injection or exploit) 2->59 61 Multi AV Scanner detection for dropped file 2->61 63 Multi AV Scanner detection for submitted file 2->63 65 7 other signatures 2->65 7 t4zdskXeId.exe 23 9 2->7         started        12 svchost.exe 2->12         started        14 svchost.exe 2->14         started        process3 dnsIp4 57 cdn.discordapp.com 162.159.134.233, 443, 49750, 49757 CLOUDFLARENETUS United States 7->57 47 C:\Program Files\Common Files\...\svchost.exe, PE32 7->47 dropped 49 C:\...\svchost.exe:Zone.Identifier, ASCII 7->49 dropped 51 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 7->51 dropped 67 Creates autostart registry keys with suspicious names 7->67 69 Adds a directory exclusion to Windows Defender 7->69 71 Hides threads from debuggers 7->71 75 2 other signatures 7->75 16 t4zdskXeId.exe 7->16         started        19 AdvancedRun.exe 7->19         started        21 powershell.exe 25 7->21         started        29 3 other processes 7->29 73 System process connects to network (likely due to code injection or exploit) 12->73 23 powershell.exe 14->23         started        25 powershell.exe 14->25         started        27 powershell.exe 14->27         started        file5 signatures6 process7 dnsIp8 53 198.23.172.50, 43819 AS-COLOCROSSINGUS United States 16->53 55 192.168.2.1 unknown unknown 19->55 31 AdvancedRun.exe 19->31         started        33 conhost.exe 21->33         started        35 conhost.exe 23->35         started        37 conhost.exe 25->37         started        39 conhost.exe 27->39         started        41 conhost.exe 29->41         started        43 conhost.exe 29->43         started        45 conhost.exe 29->45         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/60c65307f80b12d2a8d8820756e900214ad19a1fcfcda18cdbee3a25974235ac/
Threat name:
ByteCode-MSIL.Trojan.CrypterX
Create hunting rule
Status:
Malicious
First seen:
2021-10-19 10:53:20 UTC
AV detection:
15 of 26 (57.69%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
677bea9e71aa3a56fe62a20580eb0786431a4789cb340a7294eb243054191c58
RedLineStealer
70abd0e56d64c9d19e81fc1f62f09b9644b00819c5a1feccfd185c168f4a2099
RedLineStealer
725860fa1888e2ffb0f434da8f8f6c98d25409f3b2ebe6090078cb091fee6397
RedLineStealer
c9250592c7cf1d5226a5cad25a83532deaba0cf18b079c194c58ad182d59b283
RedLineStealer
cc005ad9ad8411fda8398597954ce4f4210c978367f996e05ce01bba2833986c
RedLineStealer
d3184ceae376a789ccd61e767da3f21cacd72dfc7162a5e1a9569c7244d0bf9a
RedLineStealer
daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e
RedLineStealer
dc050b963c642e86bf74da5e85fbfcb0b3c12bd692808bf8ae12a36f4bcf3c84
RedLineStealer
ea5236788c97196a492eb29449a57951e3df07b3d432f85fd23e511cfd02a58d
RedLineStealer
+ 2'592 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:125 evasion infostealer persistence trojan
Link:
https://tria.ge/reports/211019-rs1nmagac4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Windows security modification
Executes dropped EXE
Nirsoft
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine Payload
Turns off Windows Defender SpyNet reporting
Windows security bypass
Malware Config
C2 Extraction:
198.23.172.50:43819
Unpacked files
SH256 hash:
60c65307f80b12d2a8d8820756e900214ad19a1fcfcda18cdbee3a25974235ac
MD5 hash:
29ac701acd9d567c2f55bd518d6a588b
SHA1 hash:
a4362b3fadd631fd06eb2159c677db84c34256a0
Link:
https://www.unpac.me/results/01ebf0cf-428e-4dfe-949c-c7162efb1b4e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/60c65307f80b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/60c65307f80b12d2a8d8820756e900214ad19a1fcfcda18cdbee3a25974235ac

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 60c65307f80b12d2a8d8820756e900214ad19a1fcfcda18cdbee3a25974235ac

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1691060/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/198575/

Comments