MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 646f3bfd3408a59f7e17bf070e4411fb2c378416759934f3875ebb1253b7131a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13

SHA256 hash: 646f3bfd3408a59f7e17bf070e4411fb2c378416759934f3875ebb1253b7131a
SHA3-384 hash: 1eb22cf33beafde75524446065b8f082f8ca9402857d68afb09cc96c704a33cf2d7fd0ab6f96bb39cd7e7edfb2ba2b1f
SHA1 hash: 9293202e7c98909176029d9b5d7dc4d00961b8b6
MD5 hash: f2e0677ee2aac634405bd56fe7148036
humanhash: snake-kilo-ohio-nitrogen
File name: f2e0677ee2aac634405bd56fe7148036
Signature: RedLineStealer
File size: 6'721'330 bytes
First seen: 2021-12-25 04:14:50 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: ced282d9b261d1462772017fe2f6972b (127 x Formbook, 113 x GuLoader, 70 x RemcosRAT). This imphash is shared by hundreds of samples from unrelated families; together with the NSIS plug-in DLLs dropped in the sandbox and the NSIS YARA hit further down, that points to the import table of an NSIS installer stub rather than the RedLine payload, so pivoting on it finds other NSIS-wrapped samples, not RedLine specifically.
ssdeep: 196608:0we/AtLiC2ePN3vHnOdwamJQKvwVjUbuZyvbR8g:0we/V1kN3vHnFNJQRyuZyvtN
Threatray: 36 similar samples on MalwareBazaar
TLSH: T1916633CB80D7D1B2C7C34372ABB7D7B69B376A10C6650982DDDAA2891AE37423303755
dhash icon: 3047337070330710 (1 x RedLineStealer)
Reporter: zbetcheckin
Tags: 32 exe RedLineStealer
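Before working on a file downloaded from this entry, confirm it is the file the entry describes: all four listed digests must match, not just the one that was searched for. The following is an added example, not MalwareBazaar's code. It parses the hash lines above (copied into ENTRY_TEXT), rejects a digest of the wrong length (a truncated copy-paste), and hashes the file once for every algorithm in a single pass. The bytes fed to it in the usage are a constructed stand-in, not the sample.

```python
"""Check a downloaded file against the hashes a MalwareBazaar entry lists."""
import hashlib
import io
import re

# Copied from the entry above; the label/value layout mirrors the page.
ENTRY_TEXT = """\
SHA256 hash: 646f3bfd3408a59f7e17bf070e4411fb2c378416759934f3875ebb1253b7131a
SHA3-384 hash: 1eb22cf33beafde75524446065b8f082f8ca9402857d68afb09cc96c704a33cf2d7fd0ab6f96bb39cd7e7edfb2ba2b1f
SHA1 hash: 9293202e7c98909176029d9b5d7dc4d00961b8b6
MD5 hash: f2e0677ee2aac634405bd56fe7148036
"""

# Labels as they appear on the page -> hashlib algorithm names.
LABEL_TO_ALGO = {"SHA256": "sha256", "SHA3-384": "sha3_384", "SHA1": "sha1", "MD5": "md5"}
CHUNK = 1 << 20  # hash in 1 MiB pieces; this sample is 6.7 MB, others are far larger


def parse_entry_hashes(text):
    """Return {algorithm: hex digest} for every '<LABEL> hash: <hex>' line in an entry."""
    found = {}
    for label, hexdigest in re.findall(r"^([A-Z0-9-]+) hash:\s*([0-9a-fA-F]+)\s*$", text, re.M):
        algo = LABEL_TO_ALGO.get(label)
        if algo is not None:
            found[algo] = hexdigest.lower()
    return found


def malformed_digests(expected):
    """Algorithms whose listed digest has the wrong length for that algorithm."""
    return sorted(a for a, h in expected.items() if len(h) != 2 * hashlib.new(a).digest_size)


def digest_stream(stream, algos):
    """Hash a file-like object for every algorithm in one read pass."""
    hashers = {a: hashlib.new(a) for a in algos}
    while True:
        chunk = stream.read(CHUNK)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def digest_bytes(data, algos):
    """Convenience wrapper for in-memory data."""
    return digest_stream(io.BytesIO(data), algos)


def verify_sample(data, expected):
    """Return (ok, mismatches); mismatches maps algorithm -> (listed, computed).

    Every listed digest must match. A single mismatch means the file is not the
    entry's sample (or the entry was copied wrongly), so do not analyse it as such.
    """
    bad = malformed_digests(expected)
    if bad:
        raise ValueError("malformed digest(s) in entry: %s" % ", ".join(bad))
    actual = digest_bytes(data, expected)
    mismatches = {a: (expected[a], actual[a]) for a in expected if actual[a] != expected[a]}
    return (not mismatches, mismatches)


if __name__ == "__main__":
    listed = parse_entry_hashes(ENTRY_TEXT)
    # Constructed stand-in; use open("sample.bin", "rb").read() for a real download.
    ok, diff = verify_sample(b"MZ\x90\x00 constructed stand-in, not the sample", listed)
    print("match" if ok else "MISMATCH on %s" % ", ".join(sorted(diff)))
```

Hashing in one pass matters for archives of large samples, and the length check catches the common case of a SHA256 pasted with a character missing, which would otherwise fail silently as "mismatch".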

Intelligence

File Origin
# of uploads: 1
# of downloads: 203
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: hostero.exe
Verdict: Malicious activity
Analysis date: 2021-12-23 12:11:06 UTC
Tags: trojan rat redline loader

Note: ANY.RUN is an interactive sandbox; its verdict covers everything done during the analysis session, not only the uploaded sample.
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a file
Sending a custom TCP request
Running batch commands
Creating a process with a hidden window
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
DNS request
Using the Windows Management Instrumentation requests
Launching a process
Launching the default Windows debugger (dwwin.exe)
Setting a single autorun event
Result
Malware family: n/a
Score: 5/10
Tags: n/a

MalwareBazaar
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 75%
Tags: overlay packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Connects to many ports of the same IP (likely port scanning)
Contains functionality to detect virtual machines
Contains functionality to detect virtual machines (IN, VMware: the x86 IN instruction against VMware's backdoor I/O port)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by executing a special instruction that causes a user-mode exception
Uses known network protocols on non-standard ports
Behaviour
Behavior Graph (ID 545151; sample K2TsRxdKTe; start date 25/12/2021; architecture WINDOWS; score 100)
Processes: K2TsRxdKTe.exe started; it launched cmd.exe, which launched ast.exe and conhost.exe; two further ast.exe instances started without a traced parent
Files dropped by K2TsRxdKTe.exe: C:\Users\user\AppData\Local\...\quartz.dll (PE32), C:\Users\user\AppData\Local\...\nsis7z.dll (PE32), C:\Users\user\AppData\Local\...\nsDialogs.dll (PE32), plus 21 other files (none is malicious)
Network from ast.exe: id.xn--80akicokc0aablc.xn--p1ai resolving to 212.193.169.74 (SAFIB-ASRU, Russian Federation) on ports 443, 44334 and 44335; 127.0.0.1 (unknown); 192.168.2.1 (unknown)
Signatures on the sample: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for submitted file; Machine Learning detection for sample; 3 other signatures
Signatures on ast.exe: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Contains functionality to detect virtual machines (IN, VMware); Contains functionality to detect virtual machines; 4 other signatures
Threat name: Win32.Virus.TheRat
Status: Malicious
First seen: 2021-12-18 04:29:08 UTC
File Type: PE (Exe)
Extracted files: 7
AV detection: 21 of 28 (75.00%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline evasion infostealer persistence suricata trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Drops startup file
Loads dropped DLL
Windows security modification
Downloads MZ/PE file
Executes dropped EXE
Nirsoft
RedLine
RedLine Payload
UAC bypass
Windows security bypass
suricata: ET MALWARE SpyAgent C&C Activity (Request)
suricata: ET MALWARE SpyAgent C&C Activity (Response)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Win32.Spy/TVRat Checkin
Malware Config
C2 Extraction: 178.20.44.131:8842
Unpacked files

SHA256 hash: 1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244
MD5 hash: b9380b0bea8854fd9f93cc1fda0dfeac
SHA1 hash: edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256 hash: 98f425f30e42e85f57e039356e30d929e878fdb551e67abfb9f71c31eeb5d44e
MD5 hash: d7778720208a94e2049972fb7a1e0637
SHA1 hash: 080d607b10f93c839ec3f07faec3548bb78ac4dc

SHA256 hash: b7b819dcf3aaed2774cecfa507f9baee47660b18758f7cb718bb5cb2d77947fa
MD5 hash: 5fc727c579f3c3b69ce0eb7f2ec7d48a
SHA1 hash: 4686ade71a45feb36f5f5f48e78bd673f60e45b5

SHA256 hash: e664756ea6bfb01787ee6dfe299f1e1cc52b0453759771124c9359cb3cf79cb4
MD5 hash: 602d953c391a05d2be162a661962c598
SHA1 hash: 794b83002517dca3a017337946d39df55646e3e0

SHA256 hash: 269d232712c86983336badb40b9e55e80052d8389ed095ebf9214964d43b6bb1
MD5 hash: 34442e1e0c2870341df55e1b7b3cccdc
SHA1 hash: 99b2fa21aead4b6ccd8ff2f6d3d3453a51d9c70c

SHA256 hash: b95d217641e7e6e6a8eda712d06c5e6a061c53cc4090a14441c0f52884a6c938
MD5 hash: ab72f7f6fdf802a1bf9248be227a3020
SHA1 hash: e512cb82a4dc3f6a1a057109c7903c0e95ae40ff
Detections: win_wpbrutebot_auto

SHA256 hash: 9bd34462f38cf5688427941402c4b3fe8e95214fb2164e9c1323c5da09d120e7
MD5 hash: 2b2efe35f5777fd0f35bddafa29952f1
SHA1 hash: b3cf35e2064d1fea7db51dd14d2eb3989c4ebbf7

SHA256 hash: 2103e4d129603a1c5c9aeb96807444fda9f7113ab5b0c8013cd167d3c1eff38e
MD5 hash: aa2aeb36ef0f99ff3ac73152b4369cb3
SHA1 hash: b2d055c9721efacd3c77f07415178425534b096c

SHA256 hash: 5ea4df50028fa272ac6cf5caae408b5e38d2ae8be3f55f92e8d9f980f11b5529
MD5 hash: 2095c53fc362f7a208219ea56edad100
SHA1 hash: 8ada0691e2b1e37f69e5cd6e85954184ce7a9c28
Detections: win_rektloader_auto

SHA256 hash: 14846c4f07814a52a8a9db90bd1bb06027b208fca24e7ddf0c571f61422bddf8
MD5 hash: b4b3782bfd8d794fb62ea87d897de786
SHA1 hash: 67ae98070950710389dba3b960c5b4061a98dbd8

SHA256 hash: dd3347d5c4da14cc34f65da9f1344521ca867050e0c18726fd95dba1c8fb6caa
MD5 hash: 992286a508c857fd0d95f5ee111f1e0c
SHA1 hash: 3f5179af77f5899e6811bb472526d07cce5dfbba

SHA256 hash: 62e022b4969a66ce307219113fcd114830227cca9cb1feb84e960796b61d379f
MD5 hash: ecebecfa21b52b740c55a73fc64cb583
SHA1 hash: 282785cca65cb55ff2419aeb9be92b2d1cf7f3f2

SHA256 hash: df6cf60f0ed5bc600842c7231b0210db2d0e1acd337d5496cf682e5693dfe3a6
MD5 hash: dce60512115c31101dbe323bf9bc814c
SHA1 hash: 12e3f3f768325fb17767b9edf7fb849f3180f56a

SHA256 hash: ed7f0a0e6c7074163fcab06d8639209654e23d3b4adbcaeebf8869753a6a64dc
MD5 hash: 0fe40c71d992c99f6a2f512cf641d357
SHA1 hash: 05dc3ca27bbd5bcc1c7a90afd7118f07856f6115

SHA256 hash: afd67f96037a4a57ba846658933247e0193e925b5c42330bf5e134357494f15a
MD5 hash: 3a8dc2b0ddf9d3b7c02490ba6275a2bb
SHA1 hash: a1f9a10d41b717f95ded58e5481c7e52428244da

SHA256 hash: 646f3bfd3408a59f7e17bf070e4411fb2c378416759934f3875ebb1253b7131a
MD5 hash: f2e0677ee2aac634405bd56fe7148036
SHA1 hash: 9293202e7c98909176029d9b5d7dc4d00961b8b6
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Ins_NSIS_Buer_Nov_2020_1
Author: Arkbird_SOLG
Description: Detect NSIS installer used for Buer loader
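The YARA hit above, the "overlay packed" tag and the NSIS plug-in DLLs (nsis7z.dll, nsDialogs.dll) dropped in the sandbox agree that the outer file is an NSIS installer, which keeps its compressed payload in the PE overlay behind the last section. The following is an added example, not the rule above and not MalwareBazaar's code: it locates the overlay with a minimal header parser (no PE library needed) and checks it for the NSIS first-header marker. build_toy_pe() constructs a throwaway PE so the code runs offline; it is not the sample. The marker constant (0xDEADBEEF little-endian followed by "NullsoftInst") is an assumption about the NSIS first-header layout, not something taken from this page.

```python
"""Locate the PE overlay and look for the NSIS installer marker in it."""
import struct

# NSIS first header: flags, siginfo 0xDEADBEEF, then the 12-byte "NullsoftInst" string.
NSIS_MAGIC = b"\xef\xbe\xad\xdeNullsoftInst"


def find_overlay(data):
    """Return (offset, overlay_bytes). offset == len(data) means there is no overlay.

    The overlay starts where the highest PointerToRawData + SizeOfRawData ends.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: bad e_lfanew")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                 # section table follows the optional header
    end = table + 40 * num_sections              # at least the section table itself
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        if raw_size:                             # .bss-style sections own no file bytes
            end = max(end, raw_ptr + raw_size)
    if end > len(data):
        raise ValueError("truncated file: sections extend past EOF")
    return end, data[end:]


def looks_like_nsis(overlay):
    """True if the NSIS first-header marker occurs in the overlay (NSIS aligns it to 512 bytes)."""
    return overlay.find(NSIS_MAGIC) != -1


def build_toy_pe(section_payload, overlay=b""):
    """Constructed single-section 32-bit PE with no optional header; for the example only."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    nsec, opt_size = 1, 0
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, opt_size, 0x0102)
    raw_ptr = 0x200                              # first file-aligned slot after the headers
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(section_payload), 0x1000,
                                         len(section_payload), raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + sect
    return headers + b"\0" * (raw_ptr - len(headers)) + section_payload + overlay


if __name__ == "__main__":
    # Real use: find_overlay(open("sample.bin", "rb").read())
    pe = build_toy_pe(b"\x90" * 16, overlay=b"\0" * 496 + NSIS_MAGIC + b"\0" * 8)
    off, ov = find_overlay(pe)
    print("overlay at 0x%x, %d bytes, nsis=%s" % (off, len(ov), looks_like_nsis(ov)))
```

On a 6.7 MB file whose sections are tiny, the overlay size alone says the payload lives there; the marker check then tells you whether to reach for an NSIS extractor rather than a generic unpacker.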

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: RedLineStealer
File: Executable exe 646f3bfd3408a59f7e17bf070e4411fb2c378416759934f3875ebb1253b7131a (this sample)

Comments



zbet commented on 2021-12-25 04:14:51 UTC

url : hxxp://gettingtoaha.com/en/hostero.exe