MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6a498d84dd0cba5d8e272cbc5cb10382e7fd0da648a345e92c26414ceb5d3dc8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6a498d84dd0cba5d8e272cbc5cb10382e7fd0da648a345e92c26414ceb5d3dc8
SHA3-384 hash: 1e525f66ec04ae521d93d86346338b174070c0a96716ab1922ca849278008f56cb9a5a86309d4f9b5eb96ee95332d782
SHA1 hash: 1144d5904f795993de335c45684df5c0a812460b
MD5 hash: d6d1b2a908378b4d104e9db304d67203
humanhash: burger-golf-winner-fillet
File name:d6d1b2a908378b4d104e9db304d67203.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:3'176'387 bytes
First seen:2021-09-19 06:23:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e9c0657252137ac61c1eeeba4c021000 (53 x GuLoader, 26 x RedLineStealer, 17 x AgentTesla)
ssdeep 49152:ZxBt+n3sc03YZ7afGhCrgNgvgRkJthP85bTf6foW2ASoWcX01K+e6iQTPsJV:b+n337AECENXathPAiJ2AX0s+niQDmV
Threatray 6'488 similar samples on MalwareBazaar
TLSH T117E5120E1066B3AECDB0333B9E3ADF11D7F45D298566416D39C0BA37E6B5E82427C606
File icon (PE):PE icon
dhash icon f0ccc8eab292ccf0 (18 x RedLineStealer, 1 x Vidar)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
208
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup_x86_x64_install.exe
Verdict:
Malicious activity
Analysis date:
2021-09-19 02:11:57 UTC
Tags:
trojan evasion rat redline loader stealer vidar opendir banker dridex
Link:
https://app.any.run/tasks/b953f7eb-1847-4911-bb13-25e0ad38f717

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/189024/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37561425.678.2152.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.GenericKD.42220477.4087.19311.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Running batch commands
Creating a window
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/64ffcfec-64b5-4d58-a5b4-30bc7b891654
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/853425
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Connects to a pastebin service (likely for C&C)
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Check external IP via Powershell
Sigma detected: Copying Sensitive Files with Credential Data
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Costura Assembly Loader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 485856 Sample: C4erXJwD0y.exe Startdate: 19/09/2021 Architecture: WINDOWS Score: 100 51 192.168.2.1 unknown unknown 2->51 53 iplogger.org 2->53 55 8 other IPs or domains 2->55 99 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->99 101 Antivirus detection for URL or domain 2->101 103 Multi AV Scanner detection for submitted file 2->103 105 8 other signatures 2->105 9 C4erXJwD0y.exe 19 2->9         started        signatures3 process4 file5 35 C:\Users\user\AppData\Local\Temp\wwl.exe, PE32 9->35 dropped 37 C:\Users\user\AppData\Local\Temp\wwi.exe, PE32 9->37 dropped 39 C:\Users\user\AppData\Local\Temp\f.exe, PE32 9->39 dropped 41 C:\Users\user\AppData\Local\...\T2O5RKVZ8.dll, PE32 9->41 dropped 12 cmd.exe 1 9->12         started        process6 process7 14 wwi.exe 14 50 12->14         started        19 wwl.exe 14 3 12->19         started        21 f.exe 15 5 12->21         started        23 2 other processes 12->23 dnsIp8 65 demner.site 80.66.87.32, 26062, 49745 WORLDSTREAMNL Russian Federation 14->65 77 2 other IPs or domains 14->77 43 C:\Users\user\AppData\Local\Temp\vss.exe, PE32 14->43 dropped 45 C:\Users\user\AppData\Local\Temp\svss.exe, PE32 14->45 dropped 47 C:\Users\user\AppData\Local\Temp\sss.exe, PE32 14->47 dropped 79 Detected unpacking (changes PE section rights) 14->79 81 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 14->81 83 Query firmware table information (likely to detect VMs) 14->83 97 3 other signatures 14->97 25 svss.exe 14->25         started        29 conhost.exe 14->29         started        67 79.174.13.108, 33311, 49751 THEFIRST-ASRU Russian Federation 19->67 69 api.ip.sb 19->69 85 Tries to detect sandboxes and other dynamic analysis tools (window names) 19->85 87 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 19->87 89 Hides threads from debuggers 19->89 31 conhost.exe 19->31         started        71 iplogger.org 88.99.66.31, 443, 49740, 49794 HETZNER-ASDE Germany 21->71 73 pastebin.com 104.23.98.190, 443, 49738, 49739 CLOUDFLARENETUS United States 21->73 75 cryptorelated.net 31.31.198.223, 443, 49741, 49742 AS-REGRU Russian Federation 21->75 49 C:\Users\user\AppData\Local\237843444.exe, PE32 21->49 dropped 91 Antivirus detection for dropped file 21->91 93 Multi AV Scanner detection for dropped file 21->93 95 Machine Learning detection for dropped file 21->95 33 237843444.exe 21->33         started        file9 signatures10 process11 dnsIp12 57 iplogger.org 25->57 107 Antivirus detection for dropped file 25->107 109 Machine Learning detection for dropped file 25->109 59 api.pro.coinbase.com 104.18.14.237, 443, 49750 CLOUDFLARENETUS United States 33->59 61 104.18.7.10, 443, 49749, 49835 CLOUDFLARENETUS United States 33->61 63 api.coinbase.com 33->63 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6a498d84dd0cba5d8e272cbc5cb10382e7fd0da648a345e92c26414ceb5d3dc8/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-19 02:46:59 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1a1d8823b35b8c0d8dfcebe065520a07fe105589893262976fce4122317c55b8
RedLineStealer
26475ed3848e105b527811e024a8d2cebfe254225898cbef04e2507a0c2f2a25
RedLineStealer
996adc0da02472ca20f950e7482e415f86332393d73a077ea947c15525406e2f
RedLineStealer
a8c66fa9f677eef9b0346115211edf5126762e20751dd8c118f7fc13c104f40e
RedLineStealer
aef50fda005e037a443df81e3dbaa530c7f4d661bacb90f40f955647c1ab33fd
RedLineStealer
c089f4a7b15f47edfe5c4748b2f34e8962bf115e6980355d67036be35c982eb1
RedLineStealer
c0aef5e5917abe6276cc6ee7225cc9f47115d1f95e1a5ec861fb0f42a8d4af18
RedLineStealer
ed58793bc31fa9098152a7d5e1e473ab50be287577f639f031aa9adffc040103
RedLineStealer
edd5a3dc519a5feacea84473ade885844e72b8165a93a91871928330bde659e7
RedLineStealer
fa828910a57f28e7f5c5d98f5bceb8c082dec0f2b71d225a06ee231d326e713e
RedLineStealer
+ 6'478 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery evasion spyware stealer suricata themida trojan
Link:
https://tria.ge/reports/210919-g52rcaecfq/
Behaviour
Checks processor information in registry
Modifies Internet Explorer settings
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
Unpacked files
SH256 hash:
6851e02d3f4b8179b975f00bbc86602a2f2f84524f548876eb656db7ea5eaa9c
MD5 hash:
c5124caf4aea3a83b63a9108fe0dcef8
SHA1 hash:
a43a5a59038fca5a63fa526277f241f855177ce6
Link:
https://www.unpac.me/results/ec4bae6b-82be-4b20-a048-8dfff940a73b/
SH256 hash:
49b7477db8dd22f8cf2d41ee2d79ce57797f02e8c7b9e799951a6c710384349a
MD5 hash:
293165db1e46070410b4209519e67494
SHA1 hash:
777b96a4f74b6c34d43a4e7c7e656757d1c97f01
Link:
https://www.unpac.me/results/ec4bae6b-82be-4b20-a048-8dfff940a73b/
SH256 hash:
9ee589a37c4a1347fc2d6410aba4239e5b647e1e80ea69ece09378380d4b795a
MD5 hash:
229a4e934956f6e73f92e24f21a3b526
SHA1 hash:
d509e92da3346c47e25df2b9c906e4dc805f8e97
Link:
https://www.unpac.me/results/ec4bae6b-82be-4b20-a048-8dfff940a73b/
SH256 hash:
a6fe62d19b2b0f608fe3367ba5612742b9ff248b91a32b13fe189c891a22a00d
MD5 hash:
729168d16501390f6b7d92edb38886c4
SHA1 hash:
d244dc2a6325b22a02372c2b8e01ef4a3e51d10c
Link:
https://www.unpac.me/results/ec4bae6b-82be-4b20-a048-8dfff940a73b/
SH256 hash:
6a498d84dd0cba5d8e272cbc5cb10382e7fd0da648a345e92c26414ceb5d3dc8
MD5 hash:
d6d1b2a908378b4d104e9db304d67203
SHA1 hash:
1144d5904f795993de335c45684df5c0a812460b
Link:
https://www.unpac.me/results/ec4bae6b-82be-4b20-a048-8dfff940a73b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6a498d84dd0cba5d8e272cbc5cb10382e7fd0da648a345e92c26414ceb5d3dc8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 6a498d84dd0cba5d8e272cbc5cb10382e7fd0da648a345e92c26414ceb5d3dc8

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1627245/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/189024/

Comments