MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6aa12fc8b880af7f1ba4edc944be0cc79a0cc4b58adc5439c4263870531b61d2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 18


Intelligence 18 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6aa12fc8b880af7f1ba4edc944be0cc79a0cc4b58adc5439c4263870531b61d2
SHA3-384 hash: 86c1d354dcae555a2ccbf58c2d7c69d84bb20a125f6fff371b0c11567da4b06b58817e28ac2d980997de3792945cecf1
SHA1 hash: 8a65cf26f148ed1ba2313762fbbdfb0739484b79
MD5 hash: 022ffcaf0d05a9f02b4199f44c40d86a
humanhash: shade-oxygen-tennis-fruit
File name:022ffcaf0d05a9f02b4199f44c40d86a
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'804'765 bytes
First seen:2023-05-30 05:43:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 91e96141ed5dbe3bc541c8aad7ff3c38 (22 x CryptOne, 7 x njrat, 5 x DCRat)
ssdeep 24576:NLllLl72qOMO3J8VP9kSLOCcwpHf589p1YBHl:VllLXOMOJ8VP9vd/5WpAl
Threatray 2'971 similar samples on MalwareBazaar
TLSH T1F7859B31FE82C0E2D4952630CDE34F59373AA9AA97110B97C7A8153DCED23985DAE5C3
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter zbetcheckin
Tags:32 CoinMiner exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
326
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
NTExYmE3NmVjZDk3YWU3MWMxZDU4NDA3MzBmMTY2YzU.exe
Verdict:
Malicious activity
Analysis date:
2023-05-29 17:11:57 UTC
Tags:
redline
Link:
https://app.any.run/tasks/d407ae6f-6d60-426a-98b1-7b6786d2427c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/393273/
Detection(s):
Win.Dropper.njRAT-9986242-0
Create hunting rule

Win.Dropper.Nanocore-9986456-0
Create hunting rule

SecuriteInfo.com.Variant.Fugrafa.267521.30514.22927.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a process
Creating a file
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/88621/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware lolbin overlay setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/64758d24ebe47fbad72dafda/reports/a7bc349f-45ff-445c-ae13-22b3b729accb/overview
Verdict:
Malicious
Labled as:
Fugrafa.Generic
Link:
https://www.hybrid-analysis.com/sample/6aa12fc8b880af7f1ba4edc944be0cc79a0cc4b58adc5439c4263870531b61d2
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5504be16-e327-42f7-bcd1-b66abaaa1bae
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1244882
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contain functionality to detect virtual machines
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 877896 Sample: 2zqIfAcKzh.exe Startdate: 30/05/2023 Architecture: WINDOWS Score: 100 41 Snort IDS alert for network traffic 2->41 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 8 other signatures 2->47 8 2zqIfAcKzh.exe 9 2->8         started        process3 file4 33 C:\Users\user\AppData\Local\Temp\Start.exe, PE32 8->33 dropped 11 Start.exe 1 8->11         started        14 Update.exe 2 8->14         started        process5 file6 57 Antivirus detection for dropped file 11->57 59 Contain functionality to detect virtual machines 11->59 61 Writes to foreign memory regions 11->61 67 2 other signatures 11->67 17 AppLaunch.exe 4 11->17         started        21 conhost.exe 11->21         started        35 C:\ProgramData\ProgramFiles\AUIJOL.exe, PE32+ 14->35 dropped 63 Detected unpacking (changes PE section rights) 14->63 65 Adds a directory exclusion to Windows Defender 14->65 23 powershell.exe 19 14->23         started        25 powershell.exe 20 14->25         started        27 WerFault.exe 9 14->27         started        signatures7 process8 dnsIp9 37 qiqi.podos.top 195.201.253.174, 40309, 49710 HETZNER-ASDE Germany 17->37 49 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 17->49 51 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 17->51 53 Tries to harvest and steal browser information (history, passwords, etc) 17->53 55 Tries to steal Crypto Currency Wallets 17->55 29 conhost.exe 23->29         started        31 conhost.exe 25->31         started        39 192.168.2.1 unknown unknown 27->39 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6aa12fc8b880af7f1ba4edc944be0cc79a0cc4b58adc5439c4263870531b61d2/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-05-29 22:00:00 UTC
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nkqs7sfyqcxx6g5e5xeujpqmy6nazrfvrlofiooeey4hauy3mhja._file
Verdict:
malicious
Similar samples:
11aabbba0268cf5ad901f11038f6d920671dcd7b4b52f77fd6e53772d606c8fa
RedLineStealer
42512e8e1edcb73da0e3b5a3422dc471f26a381534e258efdbd43a9225e40ae6
RedLineStealer
635af14d9da60481f1811a34fd34382e6afa72eac2f4b10ae776f9c8560696eb
RedLineStealer
bbe151d7c659c41de2f9522507a79dce900a5758d3116be0c4b83a58c5facf77
RedLineStealer
e1c3e42f794ea8db905580fa5ac184a3d06cba1ab0ac47d6bd686c24fe0b6c99
RedLineStealer
fece78aa06612c83dbf398608d6e827053eb21ff3860907b20b298d681974497
RedLineStealer
+ 2'961 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:5637482599 infostealer spyware
Link:
https://tria.ge/reports/230530-ge6bvafg91/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
RedLine
Malware Config
C2 Extraction:
qiqi.podos.top:40309
Unpacked files
SH256 hash:
2178213eed65a59199ef2bf13bf7468e6747cf9bed873b00e554f24f38db53e6
MD5 hash:
82521ab3ca33f76a331d0426d4aa4a19
SHA1 hash:
7ce84b4515cf4704287b4772ca2ff72528b26a45
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/fb3544c1-a8e9-4422-a7fa-f2cc5802590c/
SH256 hash:
62a6f89ccfa1ef215a2b8eca6d557719d87c1b60c1666d8d855d8ffd451b92a5
MD5 hash:
df94bf12633e181bbd96760695f40ccb
SHA1 hash:
bdf4a03dec87891786ec27371debab777d6b4124
Link:
https://www.unpac.me/results/fb3544c1-a8e9-4422-a7fa-f2cc5802590c/
SH256 hash:
6aa12fc8b880af7f1ba4edc944be0cc79a0cc4b58adc5439c4263870531b61d2
MD5 hash:
022ffcaf0d05a9f02b4199f44c40d86a
SHA1 hash:
8a65cf26f148ed1ba2313762fbbdfb0739484b79
Link:
https://www.unpac.me/results/fb3544c1-a8e9-4422-a7fa-f2cc5802590c/
Malware family:
RedLine.E
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6aa12fc8b880/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6aa12fc8b880af7f1ba4edc944be0cc79a0cc4b58adc5439c4263870531b61d2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 6aa12fc8b880af7f1ba4edc944be0cc79a0cc4b58adc5439c4263870531b61d2

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2645283/
Cape
Cape
https://www.capesandbox.com/analysis/393273/

Comments


Avatar
zbet commented on 2023-05-30 05:43:13 UTC

url : hxxps://theloder.top/top/100.exe