MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6aa1689c65b3af4d5e9f3d5774c0ecdd2cfd1e9c439e8f905832b9fcdf6951e5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 11



SHA256 hash: 6aa1689c65b3af4d5e9f3d5774c0ecdd2cfd1e9c439e8f905832b9fcdf6951e5
SHA3-384 hash: ef6ea7a99472b9ae71d4554cf06b96e365b7b3d2d6c57313b6ad1dc6fb9b65b343105f2150d3f9103631669e5e0ba40b
SHA1 hash: 01dbff3fb0f356de090a66049c97b3bdcbb6927d
MD5 hash: 6a706c3f400c9d62e1fb16eb2c6d4c48
humanhash: asparagus-cup-monkey-crazy
File name: 6a706c3f400c9d62e1fb16eb2c6d4c48.exe
Signature: RedLineStealer
File size: 9'954'583 bytes
First seen: 2021-03-28 21:25:55 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: e9c0657252137ac61c1eeeba4c021000 (53 x GuLoader, 26 x RedLineStealer, 17 x AgentTesla)
ssdeep: 196608:QOWJur1IDDoF09Txl4dicjZAdBenqLXmt6RStA+uOyjvkOe:QOJW39TxqdftAH2FtI9+une
TLSH: 6FA633EC5697EE24D848A479807CCD3B1F7F5EACC8B161570AA1F4F9533198C830E69A
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
http://5.252.195.219:40355/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                          ThreatFox reference
http://5.252.195.219:40355/  https://threatfox.abuse.ch/ioc/5653/
http://quosmm.xyz/           https://threatfox.abuse.ch/ioc/5663/

Intelligence


File Origin
# of uploads: 1
# of downloads: 153
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 6a706c3f400c9d62e1fb16eb2c6d4c48.exe
Verdict: Malicious activity
Analysis date: 2021-03-28 21:40:33 UTC
Tags: rat redline trojan evasion stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Launching a process
Creating a window
Sending a UDP request
Moving a recently created file
Creating a file in the %AppData% subdirectories
DNS request
Sending a custom TCP request
Searching for the window
Adding a root certificate
Sending an HTTP POST request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Creating a service
Deleting a recently created file
Launching a service
Unauthorized injection to a recently created process
Enabling autorun for a service
Unauthorized injection to a system process
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: RedLine stealer
Verdict: Malicious
Result
Threat name: RMSRemoteAdmin RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Changes security center settings (notifications, updates, antivirus, firewall)
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Found many strings related to Crypto-Wallets (likely being stolen)
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sigma detected: Check external IP via Powershell
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Uses regedit.exe to modify the Windows registry
Yara detected RedLine Stealer
Behaviour
Behavior Graph (ID 377057; sample 0LyaS3hVE5.exe; start date 28/03/2021; architecture WINDOWS; score 100)
Sample-level domains/IPs: api.ip.sb; zen.hldns.ru; 10 other IPs or domains
Sample-level signatures: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Yara detected RedLine Stealer; 4 other signatures
Process tree (with dropped files, network contacts and signatures per process):
0LyaS3hVE5.exe
  dropped: C:\Users\user\AppData\...\Xylophages.exe (PE32); C:\Users\user\AppData\Local\Temp\Holler.exe (PE32); C:\Users\user\AppData\Local\Temp\top.exe (PE32); 2 other files (none is malicious)
  cmd.exe
    top.exe
      dropped: C:\Users\user\AppData\Local\Temp\...\top.tmp (PE32)
      top.tmp
        dropped: C:\ProgramData\is-TQJ7F.tmp (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\ProgramData\is-DTDH2.tmp (PE32+)
        cmd.exe
          dropped: C:\...\PasswordOnWakeSettingFlyout.exe (PE32+); C:\Windows \System32\uxtheme.dll (PE32+)
          signatures: Drops executables to the windows directory (C:\Windows) and starts them; Uses regedit.exe to modify the Windows registry
          PasswordOnWakeSettingFlyout.exe
            pass.exe
              dropped: C:\Users\user\AppData\Local\Temp\...\pass.tmp (PE32)
              pass.tmp
                dropped: C:\ProgramData\Immunity\is-CIR5M.tmp (PE32); C:\ProgramData\Immunity\is-7G3H2.tmp (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); 3 other files (none is malicious)
                cmd.exe
                cmd.exe
                  conhost.exe (signature: DLL side loading technique detected)
          conhost.exe (signature: DLL side loading technique detected)
          timeout.exe
    Holler.exe
      network: simple-mind.ru 81.177.140.169, 443, 49695, 49696 (RTCOMM-ASRU, Russian Federation); 192.168.2.1
      signatures: Multi AV Scanner detection for dropped file; Sample uses process hollowing technique
      AddInProcess32.exe
        network: api.ip.sb; 34.200.69.241 (AMAZON-AESUS, United States); 3 other IPs or domains
        signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Tries to harvest and steal browser information (history, passwords, etc); DLL side loading technique detected
    Xylophages.exe
      network: api.ip.sb; 5.252.195.219, 40355, 49717, 49720 (IPSERVER-RU-NETFiordRU, Russian Federation); 6 other IPs or domains
      dropped: C:\Users\user\AppData\Local\Temp\seervs.exe (PE32)
      signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Machine Learning detection for dropped file; Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
      iexplore.exe
        network: iplogger.org
        iexplore.exe (network: iplogger.org)
        iexplore.exe (network: iplogger.org)
      seervs.exe
    3 other processes
      network: iplogger.org 88.99.66.31, 443, 49715 (HETZNER-ASDE, Germany); i.happyfox6.ru
      signature: DLL side loading technique detected
svchost.exe (signature: Changes security center settings (notifications, updates, antivirus, firewall))
svchost.exe (network: 127.0.0.1)
6 other processes
Threat name: Win32.Trojan.ClipBanker
Status: Malicious
First seen: 2021-03-28 05:32:49 UTC
AV detection: 33 of 48 (68.75%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline discovery evasion infostealer spyware stealer themida trojan
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs .reg file with regedit
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
themida
Blocklisted process makes network request
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RedLine
Unpacked files

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Only results from TLP:CLEAR rules are displayed.

Rule name: Adsterra_Adware_DOM
Author: IlluminatiFish
Description: Detects Adsterra adware script being loaded without the user's consent

Rule name: MALWARE_Win_RemoteUtilitiesRAT
Author: ditekSHen
Description: RemoteUtilitiesRAT RAT payload

Rule name: Select_from_enumeration
Author: James_inthe_box
Description: IP and port combo

Rule name: win_rms_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: RedLineStealer
File: Executable exe, SHA256 6aa1689c65b3af4d5e9f3d5774c0ecdd2cfd1e9c439e8f905832b9fcdf6951e5 (this sample)
