MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 62778ccb7df0b670ccc24269c64459259633d6dfdec48e99fd385e2dba3864d6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 62778ccb7df0b670ccc24269c64459259633d6dfdec48e99fd385e2dba3864d6
SHA3-384 hash: 01a21107d795e897efb390d4068c4721e7868e45ad4e661cb82b1cb300f3b764cdd79793b04543c330787820d5917c71
SHA1 hash: 8a18c7c3a9505794cd6b8e928615f60293dc1eab
MD5 hash: 00c99ac957aafe7a9edcfb94cdf51b4c
humanhash: bluebird-tennessee-october-massachusetts
File name:00c99ac957aafe7a9edcfb94cdf51b4c.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:41'464 bytes
First seen:2021-06-21 07:02:02 UTC
Last seen:2021-06-21 08:11:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'750 x AgentTesla, 19'653 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 768:n/MLJ5XeqcVxPUvBNRHg4deQAXrgM2i7XvShKV:nK5OqcVMTRt+rr7XvFV
Threatray 4 similar samples on MalwareBazaar
TLSH FD13946A10507158E6E349B52C61FD783B28E7725C80D14EE426865CCF82AFB78ECDDE
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
34b2d327ebe6246d844b7a4b8640d4d5
Verdict:
Malicious activity
Analysis date:
2021-06-21 06:05:51 UTC
Tags:
trojan parasite loader stealer evasion
Link:
https://app.any.run/tasks/cfb0d712-205e-4a3b-9f24-ffd202bcd0aa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Siggen13.62254.12994.32298.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5b1a8d03-ab0c-47bd-b3b8-cedb5caf9f87
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/805136
Signature
Adds a directory exclusion to Windows Defender
Changes security center settings (notifications, updates, antivirus, firewall)
Creates an autostart registry key pointing to binary in C:\Windows
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the document folder of the user
Drops PE files with benign system names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to evade analysis by execution special instruction which cause usermode exception
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 437551 Sample: rm1hgMUmHz.exe Startdate: 21/06/2021 Architecture: WINDOWS Score: 100 73 adda.net.in 2->73 83 Multi AV Scanner detection for submitted file 2->83 85 Drops executables to the windows directory (C:\Windows) and starts them 2->85 87 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->87 89 Sigma detected: System File Execution Location Anomaly 2->89 8 rm1hgMUmHz.exe 18 13 2->8         started        13 svchost.exe 2->13         started        15 svchost.exe 2->15         started        17 11 other processes 2->17 signatures3 process4 dnsIp5 77 apdocroto.gq 104.21.14.60, 49699, 49722, 49723 CLOUDFLARENETUS United States 8->77 79 192.168.2.1 unknown unknown 8->79 65 C:\Windows\Cursors\...\svchost.exe, PE32 8->65 dropped 67 C:\Windows\...\svchost.exe:Zone.Identifier, ASCII 8->67 dropped 69 C:\Users\user\AppData\...\xonztsji.newcfg, XML 8->69 dropped 71 C:\Users\user\AppData\...\feyc5ibx.newcfg, ASCII 8->71 dropped 99 Drops PE files to the document folder of the user 8->99 101 Creates an autostart registry key pointing to binary in C:\Windows 8->101 103 Adds a directory exclusion to Windows Defender 8->103 105 Drops PE files with benign system names 8->105 19 rm1hgMUmHz.exe 8->19         started        24 WerFault.exe 8->24         started        26 cmd.exe 1 8->26         started        34 3 other processes 8->34 107 System process connects to network (likely due to code injection or exploit) 13->107 109 Multi AV Scanner detection for dropped file 13->109 111 Hides threads from debuggers 13->111 28 cmd.exe 13->28         started        30 powershell.exe 13->30         started        36 2 other processes 13->36 113 Injects a PE file into a foreign processes 15->113 81 127.0.0.1 unknown unknown 17->81 115 Changes security center settings (notifications, updates, antivirus, firewall) 17->115 32 WerFault.exe 17->32         started        38 2 other processes 17->38 file6 signatures7 process8 dnsIp9 75 adda.net.in 103.20.214.241, 49719, 49733, 80 NETMAGIC-APNetmagicDatacenterMumbaiIN India 19->75 59 C:\Users\user\Documents\winlogon.exe, PE32+ 19->59 dropped 61 C:\Users\user\AppData\...\rm1hgMUmHz.exe.log, ASCII 19->61 dropped 91 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->91 40 winlogon.exe 19->40         started        63 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 24->63 dropped 43 conhost.exe 26->43         started        45 timeout.exe 1 26->45         started        55 2 other processes 28->55 47 conhost.exe 30->47         started        93 Tries to evade analysis by execution special instruction which cause usermode exception 32->93 49 conhost.exe 34->49         started        51 conhost.exe 34->51         started        53 conhost.exe 34->53         started        57 2 other processes 36->57 file10 signatures11 process12 signatures13 95 Multi AV Scanner detection for dropped file 40->95 97 Machine Learning detection for dropped file 40->97
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/62778ccb7df0b670ccc24269c64459259633d6dfdec48e99fd385e2dba3864d6/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-06-21 00:46:02 UTC
AV detection:
10 of 29 (34.48%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
519ba7ae267491633e2a01e55735586ba94829871e5c4ec2fe0a5c8fafe004b8
RedLineStealer
6654c75acd136f37aad63d828eea396361326bb422a91563998ff0302de2bd20
RedLineStealer
954988371d8cebea1a69f2c1a47d50b13b9eb82630e5fbc5069105bd12b7b541
RedLineStealer
a276b0d2aaf8a132ffbe9ae16763975bcf38fc1e5a6419890712fc3de02b793f
RedLineStealer
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig evasion miner persistence trojan
Link:
https://tria.ge/reports/210621-r8kwsx1te6/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks BIOS information in registry
Loads dropped DLL
Windows security modification
Downloads MZ/PE file
Executes dropped EXE
XMRig Miner Payload
Windows security bypass
xmrig
Unpacked files
SH256 hash:
62778ccb7df0b670ccc24269c64459259633d6dfdec48e99fd385e2dba3864d6
MD5 hash:
00c99ac957aafe7a9edcfb94cdf51b4c
SHA1 hash:
8a18c7c3a9505794cd6b8e928615f60293dc1eab
Link:
https://www.unpac.me/results/b027dcc5-2ac6-4010-b340-957cbf490b20/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/62778ccb7df0b670ccc24269c64459259633d6dfdec48e99fd385e2dba3864d6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 62778ccb7df0b670ccc24269c64459259633d6dfdec48e99fd385e2dba3864d6

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1380415/
  
Delivery method
Distributed via web download

Comments