MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 777fe8a5d9fee21eb0ad8490b29ad99d321afce48739d306b420ea4e92697975. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

SHA256 hash: 777fe8a5d9fee21eb0ad8490b29ad99d321afce48739d306b420ea4e92697975
SHA3-384 hash: f1932b8b4e832a34c7e5c60bd3f45a0487d0f4ffec68acce8b6c4198f8253884d05f02a1d84e1ad2fda92590352a4dee
SHA1 hash: 0a7cf30bfb5be9b7cf1e3ba0091646e6086e1697
MD5 hash: 4ca58bd20b760faa00d33238ba3d5277
humanhash: north-ink-hawaii-sink
File name: VapeClient.exe
Signature: RedLineStealer
File size: 4'485'120 bytes
First seen: 2021-10-24 19:19:37 UTC
Last seen: 2021-10-24 20:22:22 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 908bea7ee71339f1c35ba419da3ba679 (36 x RedLineStealer, 2 x RaccoonStealer)
ssdeep: 98304:JLaKsX1MSBX5E16Ph/nucEEM0my84RlgMAZq:v+X5E16put0mrR
Threatray: 21 similar samples on MalwareBazaar
TLSH: T10526233261A254D2D4E58C358773FEF137FD17254B41FABAABA96AC51D304E0E222B43
Reporter: Anonymous
Tags: exe RedLineStealer

Intelligence

File Origin
# of uploads: 2
# of downloads: 307
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: RedLine stealer
Verdict: Malicious

Result
Threat name: Unknown
Detection: malicious
Classification: spyw.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Detected VMProtect packer
Drops PE files to the user root directory
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Behaviour

Behavior Graph ID: 508292
Sample: VapeClient.exe
Startdate: 24/10/2021
Architecture: WINDOWS
Score: 100

Sample-level signatures:
  Multi AV Scanner detection for submitted file
  Detected VMProtect packer
  Machine Learning detection for sample
  2 other signatures

Process tree recovered from the behavior graph (child processes indented under their parent; per-process network connections, dropped files and signatures listed beneath each process):

VapeClient.exe
  signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION; Writes to foreign memory regions; Injects a PE file into a foreign processes
  AppLaunch.exe
    network: 185.209.22.181, port 29234 (local port 49785), ON-LINE-DATAServerlocation-NetherlandsDrontenNL, Ukraine; cdn.discordapp.com 162.159.134.233, port 443 (local port 49790), CLOUDFLARENETUS, United States
    dropped: C:\Users\user\AppData\Local\Temp\build.exe (PE32+)
    signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
    build.exe
      signatures: Multi AV Scanner detection for dropped file; Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Writes to foreign memory regions; 3 other signatures
      conhost.exe
        dropped: C:\Users\user\services32.exe (PE32+)
        signatures: Drops PE files to the user root directory; Adds a directory exclusion to Windows Defender
        cmd.exe
          services32.exe
            signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
            conhost.exe
              network: github.com 140.82.121.4, port 443 (local port 49792), GITHUBUS, United States; raw.githubusercontent.com 185.199.111.133, port 443 (local port 49794), FASTLYUS, Netherlands; sanctam.net
              dropped: C:\Users\user\AppData\...\sihost32.exe (PE32+)
              signatures: Adds a directory exclusion to Windows Defender
              sihost32.exe
                signatures: Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); 3 other signatures
              cmd.exe
                signatures: Adds a directory exclusion to Windows Defender
                conhost.exe
                powershell.exe
                powershell.exe
          conhost.exe
        cmd.exe
          signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender
          powershell.exe
          conhost.exe
          powershell.exe
        cmd.exe
          conhost.exe
          schtasks.exe
    conhost.exe
  WerFault.exe
    dropped: C:\ProgramData\Microsoft\...\Report.wer (Little-endian)
services32.exe
  signatures: Multi AV Scanner detection for dropped file; Allocates memory in foreign processes; Tries to detect virtualization through RDTSC time measurements; Creates a thread in another existing process (thread injection)
  conhost.exe
    network: 140.82.121.3, port 443 (local port 49793), GITHUBUS, United States; 185.199.108.133, port 443 (local port 49795), FASTLYUS, Netherlands; 3 other IPs or domains
    signatures: Adds a directory exclusion to Windows Defender
    cmd.exe
      signatures: Adds a directory exclusion to Windows Defender
      conhost.exe
      powershell.exe
      powershell.exe

Result
Threat name: Win32.Trojan.Razy
Status: Malicious
First seen: 2021-10-24 19:20:09 UTC
AV detection: 16 of 45 (35.56%)
Threat level: 5/5

Result
Malware family: redline
Score: 10/10
Tags: family:redline infostealer spyware
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
RedLine
RedLine Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SHA256 hash: 8c9b030e652d014c12a5bb8bad7a7eb23c19b86ed0058b3634eb00e05f14e44a
MD5 hash: 8ad10d38bc774e499fde485b3f7b7607
SHA1 hash: 5b8e54392ba99431d35a9724e8e95d91769f37bb

SHA256 hash: 777fe8a5d9fee21eb0ad8490b29ad99d321afce48739d306b420ea4e92697975
MD5 hash: 4ca58bd20b760faa00d33238ba3d5277
SHA1 hash: 0a7cf30bfb5be9b7cf1e3ba0091646e6086e1697
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar, as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
