MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 69a22a0c352f37433ae833dcffed41e1b6d6c5aeefe6167aa4e0be3fe2f07e07. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 69a22a0c352f37433ae833dcffed41e1b6d6c5aeefe6167aa4e0be3fe2f07e07
SHA3-384 hash: 0bd592e55ba095d964aed25e80a259fe1fa6476b04190697f6db236b94b3ad4648244fe0eb954cf45a2d0c46ae580263
SHA1 hash: a503d2586a3eab062b1696fc1602bae9faaeb221
MD5 hash: aad0024d7c30bf6fee7c90d90371ca14
humanhash: march-mobile-jupiter-pennsylvania
File name:aad0024d7c30bf6fee7c90d90371ca14.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:38'798'606 bytes
First seen:2022-06-09 20:11:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash eb5bc6ff6263b364dfbfb78bdb48ed59 (54 x Adware.Generic, 18 x RaccoonStealer, 8 x Adware.ExtenBro)
ssdeep 786432:+NSrIb0KL8VTXU3qBgfERdDfNGh9bCwnWJFBDH/92krc/XuFM0:en0KL8vgsRBfUCwMrDf92kqXuFM0
TLSH T11E873327B294A53DD46E2B354633900069FBB9ADF9077D1672E0C8CDDF250C42E3AA76
TrID 59.6% (.EXE) Inno Setup installer (109740/4/30)
22.5% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
5.7% (.EXE) Win64 Executable (generic) (10523/12/4)
3.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
2.4% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f08eb2d4aacce831 (1 x RedLineStealer, 1 x Adware.Generic)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
185.250.148.104:23290

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.250.148.104:23290 https://threatfox.abuse.ch/ioc/683422/

Intelligence

File Origin
# of uploads :
1
# of downloads :
516
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
aad0024d7c30bf6fee7c90d90371ca14.exe
Verdict:
Malicious activity
Analysis date:
2022-06-09 21:15:09 UTC
Tags:
installer
Link:
https://app.any.run/tasks/97a5c5f3-3b07-4a37-8b61-b6fbccc3dd6e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Moving a recently created file
Running batch commands
Creating a process with a hidden window
Launching a process
Transferring files using the Background Intelligent Transfer Service (BITS)
DNS request
Sending an HTTP GET request
Enabling the 'hidden' option for files in the %temp% directory
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Searching for the window
Sending a custom TCP request
Moving a file to the %temp% subdirectory
Creating a file
Downloading the file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/62a25415a2b1fc9744da80e4/reports/8381d168-1023-42fe-9e06-7e8ea5ae1457/overview
Result
Verdict:
MALICIOUS
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1010429
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Benign windows process drops PE files
Multi AV Scanner detection for submitted file
Obfuscated command line found
Snort IDS alert for network traffic
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to download and execute files (via powershell)
Tries to download files via bitsadmin
Uses 7zip to decompress a password protected archive
Uses cmd line tools excessively to alter registry or file data
Uses STUN server to do NAT traversial
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 642927 Sample: BPtHMWjgi3.exe Startdate: 09/06/2022 Architecture: WINDOWS Score: 60 85 www3.l.google.com 2->85 87 untimburra.com 2->87 89 16 other IPs or domains 2->89 99 Snort IDS alert for network traffic 2->99 101 Antivirus detection for URL or domain 2->101 103 Antivirus / Scanner detection for submitted sample 2->103 105 3 other signatures 2->105 11 BPtHMWjgi3.exe 2 2->11         started        15 svchost.exe 1 3 2->15         started        signatures3 process4 dnsIp5 79 C:\Users\user\AppData\...\BPtHMWjgi3.tmp, PE32 11->79 dropped 121 Obfuscated command line found 11->121 18 BPtHMWjgi3.tmp 5 17 11->18         started        95 127.0.0.1 unknown unknown 15->95 97 thddghdd3.com 15->97 81 C:\Users\user\...\wlanext32.exe (copy), PE32+ 15->81 dropped 83 C:\Users\user\AppData\Local\...\BIT1DC7.tmp, PE32+ 15->83 dropped 123 System process connects to network (likely due to code injection or exploit) 15->123 125 Benign windows process drops PE files 15->125 file6 signatures7 process8 file9 69 C:\...\Wise Care 365 5.9.1.582.exe (copy), PE32 18->69 dropped 71 C:\Users\user\AppData\Local\...\is-R10C2.tmp, PE32 18->71 dropped 73 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 18->73 dropped 75 3 other files (none is malicious) 18->75 dropped 21 cmd.exe 3 2 18->21         started        24 cmd.exe 1 18->24         started        26 Wise Care 365 5.9.1.582.exe 18->26         started        process10 file11 107 Suspicious powershell command line found 21->107 109 Wscript starts Powershell (via cmd or directly) 21->109 111 Tries to download and execute files (via powershell) 21->111 29 wscript.exe 1 21->29         started        33 7za.exe 7 21->33         started        36 powershell.exe 15 15 21->36         started        44 2 other processes 21->44 113 Tries to download files via bitsadmin 24->113 115 Uses cmd line tools excessively to alter registry or file data 24->115 117 Uses 7zip to decompress a password protected archive 24->117 38 conhost.exe 24->38         started        40 bitsadmin.exe 1 24->40         started        77 C:\Users\user\...\Wise Care 365 5.9.1.582.tmp, PE32 26->77 dropped 119 Obfuscated command line found 26->119 42 Wise Care 365 5.9.1.582.tmp 26->42         started        signatures12 process13 dnsIp14 91 192.168.2.1 unknown unknown 29->91 127 Wscript starts Powershell (via cmd or directly) 29->127 46 cmd.exe 1 29->46         started        57 C:\ProgramData\ConsoleApp\ControlSet001.bat, Little-endian 33->57 dropped 59 C:\ProgramData\ConsoleApp\kernel32.exe, PE32 33->59 dropped 93 thddghdd3.com 31.31.196.51, 49737, 49740, 49789 AS-REGRU Russian Federation 36->93 61 C:\Users\user\AppData\...\syspin.exe (copy), PE32 42->61 dropped 63 C:\Users\user\AppData\Local\...\is-BTD3C.tmp, PE32 42->63 dropped 65 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 42->65 dropped 67 32 other files (none is malicious) 42->67 dropped file15 signatures16 process17 signatures18 129 Uses cmd line tools excessively to alter registry or file data 46->129 49 conhost.exe 46->49         started        51 reg.exe 46->51         started        53 reg.exe 46->53         started        55 4 other processes 46->55 process19
Gathering data
Threat name:
Win32.Downloader.Bitser
Create hunting rule
Status:
Malicious
First seen:
2022-06-04 16:15:57 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
9 of 26 (34.62%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ngrcudbvf43ugoxigpop73kb4g3nnrno57tbm6ve4c7d7yxqpydq._file
Verdict:
malicious
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:main discovery evasion infostealer spyware trojan upx
Link:
https://tria.ge/reports/220609-yyt7csbgbp/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Download via BitsAdmin
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Drops file in Windows directory
AutoIT Executable
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks computer location settings
Loads dropped DLL
Modifies file permissions
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
Modifies Windows Defender Real-time Protection settings
Modifies Windows Defender notification settings
Modifies security service
RedLine
RedLine Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
185.250.148.104:23290
Dropper Extraction:
http://thddghdd3.com/hfile.bin
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/69a22a0c352f37433ae833dcffed41e1b6d6c5aeefe6167aa4e0be3fe2f07e07

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Redline_Stealer_Monitor
Create hunting rule
Description:Detects RedLine Stealer Variants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments