MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6987f229daf0e954b67d5dbf779150b3b5c8dc3e69f66fe7c41f875be7725994. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6987f229daf0e954b67d5dbf779150b3b5c8dc3e69f66fe7c41f875be7725994
SHA3-384 hash: 06a7a6f55f797c3494012c1b72bf0f34fd17c07aa47ab8c88b172a893e85e2bfb0d56fdea05fd377a82a5a2e9a1004ad
SHA1 hash: 4601bd223fd7c52b12bc186ec9a0eb94167aaebb
MD5 hash: 17f6f3213a5a5d2fb1ef8793081c5ddd
humanhash: ohio-connecticut-mexico-hotel
File name:17f6f3213a5a5d2fb1ef8793081c5ddd.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:61'952 bytes
First seen:2021-09-30 15:17:33 UTC
Last seen:2021-09-30 16:19:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 768:cjzm0ipsb7LDGRzZj4N8RM0jMzYT8suhDVnWUGUtE2KME1qSJV4XQL5eEgqpRMEd:w5qE7UZjTjMzAuZ9WUGp5BEoM1Z
Threatray 1'063 similar samples on MalwareBazaar
TLSH T18E53B57B016151A6C5892334F4B51F4B3ABCC6341981B698F04FF3AAEC1D69D8EF87A4
File icon (PE):PE icon
dhash icon 5a91aeaf71994486 (2 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
175
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
17f6f3213a5a5d2fb1ef8793081c5ddd.exe
Verdict:
Malicious activity
Analysis date:
2021-09-30 21:37:00 UTC
Tags:
evasion trojan rat redline stealer
Link:
https://app.any.run/tasks/89da8953-3735-4674-9fe7-9ca8b5139203

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/193707/
Detection(s):
SecuriteInfo.com.Suspicious.Win32.Save.a.6921.2074.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Launching a service
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Query of malicious DNS domain
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/65f560bd-a863-4cee-9871-1ab55d5b2f5d
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/862057
Signature
Detected unpacking (changes PE section rights)
Drops PE files with a suspicious file extension
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 494485 Sample: RM2w8Mc4j1.exe Startdate: 30/09/2021 Architecture: WINDOWS Score: 100 62 Multi AV Scanner detection for submitted file 2->62 64 Yara detected RedLine Stealer 2->64 66 Found many strings related to Crypto-Wallets (likely being stolen) 2->66 68 2 other signatures 2->68 7 RM2w8Mc4j1.exe 15 7 2->7         started        12 WinHoster.exe 2->12         started        14 WinHoster.exe 2->14         started        process3 dnsIp4 56 iplogger.org 88.99.66.31, 443, 49774, 49775 HETZNER-ASDE Germany 7->56 58 onepremiumstore.bar 104.21.42.252, 443, 49764, 49765 CLOUDFLARENETUS United States 7->58 60 auto-repair-solutions.bar 7->60 38 C:\Users\user\AppData\Roaming\7577523.scr, PE32 7->38 dropped 40 C:\Users\user\AppData\Roaming\7452887.scr, PE32 7->40 dropped 42 C:\Users\user\AppData\Roaming\1825996.scr, PE32 7->42 dropped 44 C:\Users\user\AppData\Roaming\1485280.scr, PE32 7->44 dropped 84 May check the online IP address of the machine 7->84 86 Drops PE files with a suspicious file extension 7->86 16 1825996.scr 14 26 7->16         started        21 7452887.scr 1 4 7->21         started        23 7577523.scr 7->23         started        25 1485280.scr 15 24 7->25         started        file5 signatures6 process7 dnsIp8 46 94.140.112.88, 49776, 81 TELEMACHBroadbandAccessCarrierServicesSI Latvia 16->46 48 api.ip.sb 16->48 34 C:\Users\user\AppData\...\1825996.scr.log, ASCII 16->34 dropped 70 Detected unpacking (changes PE section rights) 16->70 72 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 16->72 74 Query firmware table information (likely to detect VMs) 16->74 82 4 other signatures 16->82 27 conhost.exe 16->27         started        36 C:\Users\user\AppData\...\WinHoster.exe, PE32 21->36 dropped 76 Multi AV Scanner detection for dropped file 21->76 29 WinHoster.exe 21->29         started        50 newbestpewpewcompany.com 104.21.3.50, 443, 49777 CLOUDFLARENETUS United States 23->50 78 Tries to harvest and steal browser information (history, passwords, etc) 23->78 80 Tries to steal Crypto Currency Wallets 23->80 52 the-lead-bitter.com 104.21.66.135, 443, 49771 CLOUDFLARENETUS United States 25->52 54 192.168.2.1 unknown unknown 25->54 32 conhost.exe 25->32         started        file9 signatures10 process11 signatures12 88 Multi AV Scanner detection for dropped file 29->88 90 Detected unpacking (changes PE section rights) 29->90
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6987f229daf0e954b67d5dbf779150b3b5c8dc3e69f66fe7c41f875be7725994/
Threat name:
ByteCode-MSIL.Infostealer.Reline
Create hunting rule
Status:
Malicious
First seen:
2021-09-30 12:56:02 UTC
AV detection:
10 of 28 (35.71%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0c73474ceb5c96ff4c0231b9d542d65c1d78b82de926bbfd4413d81684d78e58
RedLineStealer
198032ed08a5197c0b5ceefa0be69749d46a724b7d88915fe0762242692cb942
RedLineStealer
71f5bb7d9ace05cfb89e95843499c1c19ca1d6c8b1cd66561d24ceb9ffa94862
RedLineStealer
9136c982fe9d870f6199002d9509f242b4a5df661f81553fd9ecbc7389e924e4
RedLineStealer
bff3d8677d0c866b3fa47a2176ba05c9ae03cc215794896f2ef922a1aa037097
RedLineStealer
c0aef5e5917abe6276cc6ee7225cc9f47115d1f95e1a5ec861fb0f42a8d4af18
RedLineStealer
e022f21e50f96a61c49f398c2f8e9e34be36be5d2bdddaa391fec53d992091b5
RedLineStealer
e371f0c9caa5fcc9a9698f9de2a40d815e22db19b37454781450633249b84dc4
RedLineStealer
f5ad5f72cdd46c72b9272c1df0a4294a5bbf7ff8857b603147ab4478773124d3
RedLineStealer
+ 1'053 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
discovery evasion persistence spyware stealer themida trojan
Link:
https://tria.ge/reports/210930-splwqsaac9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Reads user/profile data of web browsers
Themida packer
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
6987f229daf0e954b67d5dbf779150b3b5c8dc3e69f66fe7c41f875be7725994
MD5 hash:
17f6f3213a5a5d2fb1ef8793081c5ddd
SHA1 hash:
4601bd223fd7c52b12bc186ec9a0eb94167aaebb
Link:
https://www.unpac.me/results/99d85cbc-a9f9-432e-ad5c-b9a1ac602f56/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/6987f229daf0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6987f229daf0e954b67d5dbf779150b3b5c8dc3e69f66fe7c41f875be7725994

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 6987f229daf0e954b67d5dbf779150b3b5c8dc3e69f66fe7c41f875be7725994

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1639256/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/193707/

Comments