MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b70b5494393d3644de4dd90ae5a906407175daea6ee97c0419997e99b4cdfd0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6b70b5494393d3644de4dd90ae5a906407175daea6ee97c0419997e99b4cdfd0
SHA3-384 hash: 51c40b3ab96462109be1e5bce1a3758b673d02adfbf4ec1b34c023941c0b465d6ab1a5a884af18c542cb8b16fd4c8437
SHA1 hash: 4594ea445796b0dce3a0da0544395c4bd9a6c0ff
MD5 hash: a17fc1697197f12ebecbf053a603fa8c
humanhash: magnesium-two-yankee-low
File name:a17fc1697197f12ebecbf053a603fa8c.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:872'448 bytes
First seen:2021-12-28 02:46:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f6af73011d9ad7cbccf66eb190442910 (42 x RedLineStealer, 8 x RaccoonStealer, 1 x Smoke Loader)
ssdeep 24576:/Pz/P8J6rE5odQJggnofFN8QFy7SQHAkEaHNYK3Srwf4L3Xfj:CkE6dQJggofFNx4oNaIrwmb
Threatray 695 similar samples on MalwareBazaar
TLSH T1DD05334772E09EADD04D19F53A63098A3868C8C5D8CDE71CB0FA6709796CCB6FA1E41C
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
185.92.74.28:2332

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.92.74.28:2332 https://threatfox.abuse.ch/ioc/288177/

Intelligence

File Origin
# of uploads :
1
# of downloads :
229
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a17fc1697197f12ebecbf053a603fa8c.exe
Verdict:
Malicious activity
Analysis date:
2021-12-28 02:51:02 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/6b53bffe-23ed-4428-b28a-eeaa41ea9025

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/216639/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Malware.Fragtor-9918672-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Launching the default Windows debugger (dwwin.exe)
DNS request
Sending a custom TCP request
Searching for the window
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/61ca7aa98991ba72b39bf46c/reports/4f0f35c5-776b-4673-a319-63bb4ef8cd9b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4ce7cc1c-31fe-4a4e-8dee-298084197cee
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/913347
Signature
Allocates memory in foreign processes
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has nameless sections
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 545825 Sample: 6cyx4ibSFP.exe Startdate: 28/12/2021 Architecture: WINDOWS Score: 100 52 Found malware configuration 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 Yara detected RedLine Stealer 2->56 58 2 other signatures 2->58 9 6cyx4ibSFP.exe 2->9         started        12 subst.exe 13 2->12         started        process3 dnsIp4 64 Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION 9->64 66 Writes to foreign memory regions 9->66 68 Allocates memory in foreign processes 9->68 70 Injects a PE file into a foreign processes 9->70 15 AppLaunch.exe 15 7 9->15         started        20 WerFault.exe 23 9 9->20         started        36 dba692117be7b6d3480fe5220fdd58b38bf.xyz 45.147.197.60, 49748, 80 ON-LINE-DATAServerlocation-NetherlandsDrontenNL Ukraine 12->36 72 Performs DNS queries to domains with low reputation 12->72 74 Machine Learning detection for dropped file 12->74 signatures5 process6 dnsIp7 38 debiazzela.xyz 185.92.74.28, 2332, 49741 FOXCLOUDNL Netherlands 15->38 40 transfer.sh 144.76.136.153, 443, 49746, 49747 HETZNER-ASDE Germany 15->40 42 192.168.2.1 unknown unknown 15->42 30 C:\Users\user\AppData\Local\Temp\fl.exe, PE32 15->30 dropped 44 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 15->44 46 Performs DNS queries to domains with low reputation 15->46 48 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 15->48 50 2 other signatures 15->50 22 fl.exe 3 15->22         started        32 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 20->32 dropped file8 signatures9 process10 file11 34 C:\Users\user\AppData\Local\cache\subst.exe, PE32 22->34 dropped 60 Machine Learning detection for dropped file 22->60 62 Uses schtasks.exe or at.exe to add and modify task schedules 22->62 26 schtasks.exe 1 22->26         started        signatures12 process13 process14 28 conhost.exe 26->28         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6b70b5494393d3644de4dd90ae5a906407175daea6ee97c0419997e99b4cdfd0/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2021-12-25 06:35:16 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
26 of 43 (60.47%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nnylkskdspjwitpe3wik4wuqmqdroxnou3xjpqcbtgl6tg2m37ia._file
Verdict:
malicious
Similar samples:
4b53dc815775a5f6d377218f9bee6b102d49f5dfc678f5a939ec2e0be0890e4b
RedLineStealer
5b54867f600777e8cec30c3386a3d42f08da4e1a3a4e636f135e25e2d9850603
RedLineStealer
65f908a0dfe5c343457bab4b68004a1b5fceb4e89c28c263ec05479eae182e9a
RedLineStealer
8da691f23b44bbe621bc28b3d9d903b411978c07fc003c4568f3fa909b69ab83
RedLineStealer
9505b90393d8e04ab1c4a2921f9cda3c857bb7ce6b2bd5458e0424e8df63cc0f
RedLineStealer
ae92d01c510158dba98ea9b8b5dabf08fd5ab9bb8da6f9175fe455198ea2e1da
RedLineStealer
cd8c1cf2ae3ceb9b9eb7ac717004d4586e491f00cb686047bc128d3ffc1aa89f
RedLineStealer
e59a89138d5d7d96b4336b9323be581e35b3056180cc4fcf2844027534d5c189
RedLineStealer
+ 685 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/211228-c9wnnsbhen/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Unpacked files
SH256 hash:
cc1c179ae4b8ebcbd3c49befdb284932bd2982c186c7803142ac2df235c83be2
MD5 hash:
df50509ed930f8696d0bec95c929b552
SHA1 hash:
d5d18075d5748ed234aa91cf4b95f99af9556f45
Link:
https://www.unpac.me/results/b33214ec-2cc0-4e17-83bc-3b09c077d578/
SH256 hash:
66e45cb3ec1a6f75de0f8b8b417cef25911bc386a1de23a225b12a82675b54f1
MD5 hash:
986bceacfeda4dd6142922f3f3c15ff5
SHA1 hash:
e9e5675607f45e49c0223ac0e162c5455ad5e92e
Link:
https://www.unpac.me/results/b33214ec-2cc0-4e17-83bc-3b09c077d578/
SH256 hash:
6b70b5494393d3644de4dd90ae5a906407175daea6ee97c0419997e99b4cdfd0
MD5 hash:
a17fc1697197f12ebecbf053a603fa8c
SHA1 hash:
4594ea445796b0dce3a0da0544395c4bd9a6c0ff
Link:
https://www.unpac.me/results/b33214ec-2cc0-4e17-83bc-3b09c077d578/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6b70b5494393d3644de4dd90ae5a906407175daea6ee97c0419997e99b4cdfd0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/216639/

Comments