MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 64e9681932d0d5cf0799c0e0222cc65936eaebb5e1410d70fea34982aaaf0f6c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 16


Intelligence 16 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 64e9681932d0d5cf0799c0e0222cc65936eaebb5e1410d70fea34982aaaf0f6c
SHA3-384 hash: c42a002d96986dbfffaf7b1b7228967d338b793905b506acccc46182a23e3014215998b0f6e713a60933266e46e81274
SHA1 hash: 7ec390e57e9e44a86fc96e8f93548926f01a34c4
MD5 hash: 0afabe709994d14f85078f8cca3d7a9a
humanhash: alpha-dakota-hotel-virginia
File name:0afabe709994d14f85078f8cca3d7a9a.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:308'680 bytes
First seen:2022-05-21 10:22:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c0864c9bc2a9439a8dca02c3a6407cc4 (6 x RedLineStealer)
ssdeep 6144:lxvh4iwsfjZ1MiBdLbFnqoAOoKk0Gfre+EE/Kiuf:lxZ4i5fjDBdooKKXu3RNO
Threatray 54 similar samples on MalwareBazaar
TLSH T1FA64AE8070C2D072D576153809F8E6B9693EB9100B345DFBA7945BAF4E30793EB31BA9
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
193.106.191.16:28958

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
193.106.191.16:28958 https://threatfox.abuse.ch/ioc/621028/

Intelligence

File Origin
# of uploads :
1
# of downloads :
366
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
0afabe709994d14f85078f8cca3d7a9a.exe
Verdict:
Malicious activity
Analysis date:
2022-05-21 10:24:20 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/159cf67d-1274-4e50-822a-0a44974f0d84

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/273305/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Searching for synchronization primitives
Running batch commands
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Stealing user critical data
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/19430/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe greyware overlay packed
Link:
https://www.filescan.io/uploads/6288bd673ec49f83a6bcb790/reports/d6897b89-bffc-4117-a1bd-b069a15b1ed9/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/065acd69-ac5c-4e4a-ae47-fb636d95829b
Result
Threat name:
RedLine, SmokeLoader, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/999068
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 631564 Sample: jF6G4Ur9fw.exe Startdate: 21/05/2022 Architecture: WINDOWS Score: 100 77 Snort IDS alert for network traffic 2->77 79 Found malware configuration 2->79 81 Malicious sample detected (through community Yara rule) 2->81 83 9 other signatures 2->83 9 jF6G4Ur9fw.exe 1 2->9         started        12 kdld.exe 2->12         started        14 kdld.exe 2->14         started        process3 signatures4 97 Writes to foreign memory regions 9->97 99 Allocates memory in foreign processes 9->99 101 Injects a PE file into a foreign processes 9->101 16 AppLaunch.exe 15 10 9->16         started        21 conhost.exe 9->21         started        process5 dnsIp6 69 193.106.191.16, 28958, 49742 BOSPOR-ASRU Russian Federation 16->69 71 file123.gofile.io 79.143.16.30, 443, 49748 PECOM-ASRU Russian Federation 16->71 73 6 other IPs or domains 16->73 59 C:\Users\user\AppData\Local\Temp\vlkv.exe, PE32 16->59 dropped 61 C:\Users\user\AppData\Local\Temp\kdld.exe, PE32 16->61 dropped 63 C:\Users\user\AppData\Local\Temp\ghjlf.exe, PE32+ 16->63 dropped 65 C:\Users\user\AppData\Local\Temp\c.exe, PE32 16->65 dropped 85 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 16->85 87 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 16->87 89 Tries to harvest and steal browser information (history, passwords, etc) 16->89 91 Tries to steal Crypto Currency Wallets 16->91 23 vlkv.exe 14 29 16->23         started        28 c.exe 1 16->28         started        30 kdld.exe 1 16->30         started        32 ghjlf.exe 16->32         started        file7 signatures8 process9 dnsIp10 75 store2.gofile.io 23->75 67 C:\ProgramData\HostData\logs.uce, ASCII 23->67 dropped 103 Antivirus detection for dropped file 23->103 105 Multi AV Scanner detection for dropped file 23->105 107 Obfuscated command line found 23->107 109 Adds a directory exclusion to Windows Defender 23->109 34 cmd.exe 1 23->34         started        111 Machine Learning detection for dropped file 28->111 113 Writes to foreign memory regions 28->113 115 Allocates memory in foreign processes 28->115 117 Injects a PE file into a foreign processes 28->117 37 AppLaunch.exe 28->37         started        39 conhost.exe 28->39         started        41 AppLaunch.exe 28->41         started        119 Tries to harvest and steal browser information (history, passwords, etc) 32->119 43 cmd.exe 32->43         started        file11 signatures12 process13 signatures14 93 Obfuscated command line found 34->93 95 Adds a directory exclusion to Windows Defender 34->95 45 conhost.exe 34->45         started        47 chcp.com 34->47         started        49 powershell.exe 34->49         started        57 2 other processes 34->57 51 WerFault.exe 23 9 37->51         started        53 conhost.exe 43->53         started        55 choice.exe 43->55         started        process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/64e9681932d0d5cf0799c0e0222cc65936eaebb5e1410d70fea34982aaaf0f6c/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2022-05-16 23:58:12 UTC
File Type:
PE (Exe)
AV detection:
29 of 40 (72.50%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mtuwqgjs2dk46b4zydqcelggle3ov25v4faq24h6uneyfkvpb5wa._file
Verdict:
malicious
Similar samples:
0b251371b4891fe08157e6b9c84e0267a8c6d33cad2b2a06702c8f2f62381bda
RedLineStealer
114fbb0c82a2027da02fc1b88930598a667c6ebf4bcd764f6a4a83dd3c5fd40e
RedLineStealer
31dee2992c492212b1d090004f9aacd895b65c116cdd343049a444598feba9cd
RedLineStealer
5b92d1d8c1df0cc42591bc05cb62331a28f54e3566c708a8fd13b00cb76881c2
RedLineStealer
7d9e22e88f7b5abf22553dfc438d8f40e17c33e8fc9fb0141f25eaaba8ebca6e
RedLineStealer
bbb1db25b2b54928d97b0a0caf8726e5d62501ab6cdcf9b4aa2e192f59958aa6
RedLineStealer
+ 44 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline infostealer spyware stealer upx
Link:
https://tria.ge/reports/220521-mesnmsehdj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
RedLine
RedLine Payload
Malware Config
C2 Extraction:
193.106.191.16:28958
Unpacked files
SH256 hash:
12010c92ee4df5c3f8410b370ee905f03e9068f86cf9559be0af3b0b2e5f004b
MD5 hash:
04371c2d629789e1e1be96ff593c8c50
SHA1 hash:
5a4f4b9f5b9a57fb5ae9f128d36644fa615b476b
Link:
https://www.unpac.me/results/db0b6439-c53c-487e-840e-869883ce790f/
SH256 hash:
64e9681932d0d5cf0799c0e0222cc65936eaebb5e1410d70fea34982aaaf0f6c
MD5 hash:
0afabe709994d14f85078f8cca3d7a9a
SHA1 hash:
7ec390e57e9e44a86fc96e8f93548926f01a34c4
Link:
https://www.unpac.me/results/db0b6439-c53c-487e-840e-869883ce790f/
Malware family:
XMRig
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/64e9681932d0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/64e9681932d0d5cf0799c0e0222cc65936eaebb5e1410d70fea34982aaaf0f6c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Redline_Stealer_Monitor
Create hunting rule
Description:Detects RedLine Stealer Variants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/273305/

Comments