MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 777e70135321f3b5f6e8402192ee653b21e789fbd505c1b95fa643ce4a140689. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 777e70135321f3b5f6e8402192ee653b21e789fbd505c1b95fa643ce4a140689
SHA3-384 hash: 0800e07c4101b8d5d5017503cdcb8919ec12378ad4bbffdaad6680a29174be184d969ef680bfe94924ca708e0a87a6da
SHA1 hash: 9d20827bcc8803f6d084d63262b67b6ec8dd3b2e
MD5 hash: b997d78748992e5d31e82ceb365b3bbb
humanhash: hot-high-burger-orange
File name:b997d78748992e5d31e82ceb365b3bbb.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'858'704 bytes
First seen:2023-02-05 04:05:14 UTC
Last seen:2023-02-05 05:40:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 39a4439f8bc5e6e61317c81ff97d3d8f (1 x ManusCrypt, 1 x Amadey, 1 x RedLineStealer)
ssdeep 49152:3VSobaC+FWOFXXzDHkbLIvDNFcoYDlFcrQRQc9k5:3VSO5CFFXzbUtDlFcrQI
Threatray 387 similar samples on MalwareBazaar
TLSH T1AF85B020F2B8C719C9530772EBB7B36EA43E79B0273251DBE5B472E709926C245B46C1
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 21989cc6963c1c01 (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer signed

Code Signing Certificate

Organisation:*.oreilly.com
Issuer:Go Daddy Secure Certificate Authority - G2
Algorithm:sha256WithRSAEncryption
Valid from:2022-03-19T18:00:56Z
Valid to:2023-04-20T18:00:56Z
Serial number: 38ab43225ef53ca6
Intelligence: 3 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 5a3479fa45dced56200d9967ae8eb80f322ae8fac39825920a9879d81a46029b
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
RedLineStealer C2:
185.225.191.155:21251

Intelligence

File Origin
# of uploads :
2
# of downloads :
216
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b997d78748992e5d31e82ceb365b3bbb.exe
Verdict:
No threats detected
Analysis date:
2023-02-05 04:08:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f8389eb7-e835-41c1-82a5-6a241333d1bf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/360341/
Detection(s):
SecuriteInfo.com.Trojan.GenericKDZ.97015.18116.21334.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/65367/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionGetTickCount
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/63df2b2b696b2d9725754870/reports/59fb8030-ea1d-42fe-9ccf-681ce93ad03a/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/777e70135321f3b5f6e8402192ee653b21e789fbd505c1b95fa643ce4a140689
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/82862536-1935-4696-9da3-9ebd5f52f659
Result
Threat name:
RHADAMANTHYS, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1165924
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks if the current machine is a virtual machine (disk enumeration)
Creates an undocumented autostart registry key
Detected unpacking (creates a PE file in dynamic memory)
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected RedLine Stealer
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 798695 Sample: rWPrXGgQ07.exe Startdate: 05/02/2023 Architecture: WINDOWS Score: 100 70 Snort IDS alert for network traffic 2->70 72 Malicious sample detected (through community Yara rule) 2->72 74 Antivirus detection for URL or domain 2->74 76 12 other signatures 2->76 11 rWPrXGgQ07.exe 9 2->11         started        process3 dnsIp4 66 ai15to9ltc9q1hkpxozki.hrmxhnghxoibvpaiuzdj 11->66 54 C:\Users\user\AppData\Local\...\5310015.dll, PE32 11->54 dropped 112 Detected unpacking (creates a PE file in dynamic memory) 11->112 114 Writes to foreign memory regions 11->114 116 Allocates memory in foreign processes 11->116 118 Injects a PE file into a foreign processes 11->118 16 fontview.exe 1 11->16         started        21 ngentask.exe 4 11->21         started        23 ngentask.exe 11->23         started        file5 signatures6 process7 dnsIp8 60 109.206.243.168, 49701, 49702, 49703 AWMLTNL Germany 16->60 50 C:\Users\user\AppData\...\nsis_uns51d1bd.dll, PE32+ 16->50 dropped 78 Query firmware table information (likely to detect VMs) 16->78 80 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 16->80 82 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 16->82 92 4 other signatures 16->92 25 rundll32.exe 16->25         started        62 185.225.191.155, 21251, 49700 ALFATEL-ASRU Russian Federation 21->62 84 Tries to harvest and steal browser information (history, passwords, etc) 21->84 86 Tries to steal Crypto Currency Wallets 21->86 88 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 23->88 90 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 23->90 file9 signatures10 process11 signatures12 104 System process connects to network (likely due to code injection or exploit) 25->104 106 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 25->106 108 Tries to steal Mail credentials (via file / registry access) 25->108 110 4 other signatures 25->110 28 dllhost.exe 7 15 25->28         started        process13 dnsIp14 68 transfer.sh 144.76.136.153, 443, 49704, 49705 HETZNER-ASDE Germany 28->68 56 C:\Users\user\AppData\Local\...\Library.exe, PE32+ 28->56 dropped 58 C:\Users\user\AppData\Local\Temp\Data.exe, PE32+ 28->58 dropped 120 System process connects to network (likely due to code injection or exploit) 28->120 33 Library.exe 28->33         started        37 Data.exe 3 28->37         started        file15 signatures16 process17 file18 52 C:\Users\user\AppData\...\IntelService.exe, PE32+ 33->52 dropped 94 Creates an undocumented autostart registry key 33->94 96 Machine Learning detection for dropped file 33->96 98 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 33->98 102 3 other signatures 33->102 39 powershell.exe 33->39         started        41 MSBuild.exe 33->41         started        100 Encrypted powershell cmdline option found 37->100 44 powershell.exe 37->44         started        signatures19 process20 dnsIp21 46 conhost.exe 39->46         started        64 45.159.189.105, 49714, 80 HOSTING-SOLUTIONSUS Netherlands 41->64 48 conhost.exe 44->48         started        process22
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/777e70135321f3b5f6e8402192ee653b21e789fbd505c1b95fa643ce4a140689/
Threat name:
Win32.Trojan.Strab
Create hunting rule
Status:
Malicious
First seen:
2023-02-02 14:08:00 UTC
File Type:
PE (Exe)
Extracted files:
27
AV detection:
21 of 38 (55.26%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=o57hae2tehz3l5xiiaqzf3tfhmq6pcp32uc4dok7uzb44squa2eq._file
Verdict:
malicious
Similar samples:
4640e5b9817fd35d92b0d0687003576c75fd4e0df34bcfa0008c6ca3450a8f6d
RedLineStealer
8d2f398982564f5b71a557b2250a9cf4d0e797f05678c4ffdb3872a9782ee245
RedLineStealer
a355fbce3b91a02a5b3e3af9a2b7b6fbaf9da6fdd5b2260e8e7c7b8ec1c1e2d2
RedLineStealer
ca871a9028d80e2b3d73a8fe07b9d1628b52e0f9163402a3ab3199f512a36ab1
RedLineStealer
ee8ea5570b0a2c9f6aef8e551cc0d3fbd0be45dc5c11c50ca7056eef2d85d77d
RedLineStealer
f92b81ca5eebd6f7fb97f0c94d92874c97d738db54887421b82cade3a4be90cd
RedLineStealer
fee142712ee9fba0c3cc57b4e314480bf976e4b1707bbeb202a58ca2b98f39bd
RedLineStealer
+ 377 additional samples on MalwareBazaar
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:redline family:rhadamanthys botnet:@nightsoulwork infostealer spyware stealer
Link:
https://tria.ge/reports/230205-en3k7sbd8t/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Detect rhadamanthys stealer shellcode
RedLine
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
185.225.191.155:21251
Unpacked files
SH256 hash:
c58f7013e7d9f10cfc593825697a6f97b182ec240dd518a3208e3ea412204799
MD5 hash:
4a5490991a25f5946e17ed54efd6fae7
SHA1 hash:
487f4511e91287297a47703ff638706ba4c41559
Link:
https://www.unpac.me/results/8e9b82b1-6612-4159-a46f-61615d8e23d7/
SH256 hash:
777e70135321f3b5f6e8402192ee653b21e789fbd505c1b95fa643ce4a140689
MD5 hash:
b997d78748992e5d31e82ceb365b3bbb
SHA1 hash:
9d20827bcc8803f6d084d63262b67b6ec8dd3b2e
Link:
https://www.unpac.me/results/8e9b82b1-6612-4159-a46f-61615d8e23d7/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/777e70135321/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.87
Link:
https://yomi.yoroi.company/submissions/777e70135321f3b5f6e8402192ee653b21e789fbd505c1b95fa643ce4a140689

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Redline_Hunter
Create hunting rule
Author:Potato
Description:Unpacked RedLine Hunter
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Win32_Trojan_RedLineStealer
Create hunting rule
Author:Netskope Threat Labs
Description:Identifies RedLine Stealer samples
Reference:deb95cae4ba26dfba536402318154405

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/360341/

Comments