MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 79d5d50575d3e18ebea2cd8ce8fdc0e9e58cc151e3ae72207991068b587d6432. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 13



SHA256 hash: 79d5d50575d3e18ebea2cd8ce8fdc0e9e58cc151e3ae72207991068b587d6432
SHA3-384 hash: f426e22228f11e5d8a672141313e8a0f7c3ca4878ce2b0b5c75e2a658013e880806e961eb330848c0c30a7c2be859975
SHA1 hash: 6218d1212f5c4e40f8aa7211dbe828a65117119f
MD5 hash: 7fc99168d3d3c1bcbdf46a322ea3adef
humanhash: quebec-idaho-undress-black
File name: gitadmincry.exe
Signature: RedLineStealer
File size: 595'968 bytes
First seen: 2023-01-20 19:48:13 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:+7/s2WI4WxewKi/i/iLx+W8kf34BohmNjg+jXo15vZb6LPwXRklnXibi:+vx8KK2UW39mKnVWaAQ
TLSH T14BC4D72429EB521CF4765FE91FC8B4FA499BFE61262AA1F624E173468B33E04CDD1035
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon 08244a4c969e6018 (6 x AgentTesla, 2 x NanoCore, 2 x RedLineStealer)
Reporter Chainskilabs
Tags: exe RAT RedLineStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 182
Origin country: US
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: https://cdn.discordapp.com/attachments/1022328272870191218/1022673593336877056/gitadmincry.exe
Verdict: Malicious activity
Analysis date: 2022-11-07 17:30:02 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox; its result reflects everything the analyst did during the session, not only the uploaded sample.
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a window
DNS request
Using the Windows Management Instrumentation requests
Creating a file
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a PE binary may be suspicious or malicious.
Result
Threat name: AsyncRAT, Quasar, RedLine
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Very long command line found
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected Generic Downloader
Yara detected Quasar RAT
Yara detected RedLine Stealer
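The signatures above translate directly into process-creation detections: the Windows Defender directory exclusion, the PowerShell execution-policy bypass, the schtasks.exe persistence, the timeout.exe stall under cmd.exe, and the `$77`-prefixed drop paths (`$77-update.exe`, `$77win\$77Client.exe`), which are the default hide prefix of the open-source r77 rootkit and line up with the hooked file/process/registry query functions and the `botnet:r77version` tag further down. The block below is an added example, not MalwareBazaar's, a sandbox vendor's or the malware's own code. It runs a small rule set over constructed Sysmon-style events; the paths follow the behaviour graph, but the command lines are written from the reported behaviours and were not captured from the sample, and the rule names, the `ProcEvent` structure and the command-line shapes are assumptions.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 / Security 4688 style)."""
    event_id: int
    parent_image: str
    image: str
    command_line: str


# (rule name, pattern searched in CommandLine and Image, optional ParentImage filter)
RULES = [
    ("defender_exclusion_added",
     re.compile(r"Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)", re.I), None),
    ("powershell_execution_policy_bypass",
     re.compile(r"powershell.*?-(?:ep|exec|executionpolicy)\s+bypass", re.I), None),
    ("powershell_encoded_command",
     re.compile(r"powershell.*?-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{40,}", re.I), None),
    ("schtasks_create",
     re.compile(r"schtasks(?:\.exe)?\s+/create\b", re.I), None),
    # timeout.exe is only interesting as a cmd.exe child used to stall execution
    ("cmd_timeout_delay",
     re.compile(r"timeout(?:\.exe)?\s+/t\s+\d+", re.I), re.compile(r"\\cmd\.exe$", re.I)),
    # r77 hides files, processes and keys whose name starts with its prefix, "$77" by default
    ("r77_prefixed_path",
     re.compile(r"\\\$77[^\\\s\"']*", re.I), None),
]


def evaluate(event: ProcEvent) -> list[str]:
    """Names of all rules matched by one event, in RULES order."""
    hits = []
    for name, pattern, parent_filter in RULES:
        if parent_filter is not None and not parent_filter.search(event.parent_image):
            continue
        if pattern.search(event.command_line) or pattern.search(event.image):
            hits.append(name)
    return hits


def triage(events: list[ProcEvent]) -> dict[int, list[str]]:
    """event_id -> matched rules, keeping only events that matched something."""
    return {e.event_id: hits for e in events if (hits := evaluate(e))}


# Constructed events (assumption): paths follow the behaviour graph, command lines are
# written from the reported signatures and were not captured from the sample.
SAMPLE_EVENTS = [
    ProcEvent(1, r"C:\Users\user\AppData\Local\Temp\$77-update.exe", r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c powershell -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp"'),
    ProcEvent(2, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /sc minute /mo 1 /tn update /tr "C:\Users\user\AppData\Local\Temp\$77-update.exe" /f'),
    ProcEvent(3, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\timeout.exe",
              r"timeout /t 10"),
    ProcEvent(4, r"C:\Users\user\AppData\Local\Temp\lkxtif.exe", r"C:\Windows\System32\$77win\$77Client.exe",
              r'"C:\Windows\System32\$77win\$77Client.exe"'),
    ProcEvent(5, r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoProfile -Command Get-Process"),  # benign admin use
]

if __name__ == "__main__":
    for event_id, hits in triage(SAMPLE_EVENTS).items():
        print(event_id, hits)
```

`cmd_timeout_delay` and `schtasks_create` are low signal on their own; what makes them worth alerting on here is the parent chain the graph shows (sample → cmd.exe → timeout.exe / schtasks.exe), so correlate on ParentImage before paging anyone. The `$77` rule, by contrast, is high fidelity: legitimate software does not name its files that way, and on a live host the prefix may be invisible to `dir` and Task Manager once the hooks are in place, so query the raw event log rather than the file system.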
Behaviour
Behavior Graph:
Behavior Graph ID: 788528
Sample: gitadmincry.exe
Start date: 20/01/2023
Architecture: WINDOWS
Score: 100

Network contacted from the root node: tools.keycdn.com, api4.ipify.org, 2 other IPs or domains
Root-node signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 22 other signatures

Process tree (node numbers are the graph's own; dropped files and signatures are listed under the process that produced them):

gitadmincry.exe (14)
  dropped: C:\Users\user\AppData\...\gitadmincry.exe.log (ASCII)
  signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Obfuscated command line found
  gitadmincry.exe (24)
    dropped: C:\Users\user\AppData\...\$77-update.exe (PE32)
    signatures: Obfuscated command line found; Protects its processes via BreakOnTermination flag
    cmd.exe (36)
      $77-update.exe (41)
        $77-update.exe (51)
          network: 179.43.187.19 port 2525 (source ports 49708, 49712), PLI-ASCH, Panama
          dropped: C:\Users\user\AppData\Local\Temp\yclnay.exe (PE32); C:\Users\user\AppData\Local\Temp\tkaept.exe (PE32+); C:\Users\user\AppData\Local\Temp\qbqfqq.exe (PE32); C:\Users\user\AppData\Local\Temp\lkxtif.exe (PE32)
          signatures: Protects its processes via BreakOnTermination flag; Adds a directory exclusion to Windows Defender
          cmd.exe (56)
            signatures: Suspicious powershell command line found
            powershell.exe (65)
              qbqfqq.exe (81)
                signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
            conhost.exe (67)
          cmd.exe (59)
            powershell.exe (69)
              yclnay.exe (84)
                conhost.exe (86)
            conhost.exe (71)
          cmd.exe (61)
            conhost.exe (73)
            powershell.exe (75)
          2 other processes (63)
            signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
            conhost.exe (77)
            conhost.exe (79)
      conhost.exe (43)
      timeout.exe (45)
    cmd.exe (38)
      signatures: Suspicious powershell command line found; Obfuscated command line found; Bypasses PowerShell execution policy; Uses schtasks.exe or at.exe to add and modify task schedules
      conhost.exe (47)
      schtasks.exe (49)
  lkxtif.exe (28)
    dropped: C:\Windows\System32\$77win\$77Client.exe (PE32)
    signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Hides that the sample has been downloaded from the Internet (zone.identifier)
$77-update.exe (18)
  signatures: Multi AV Scanner detection for dropped file; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign process
  $77-update.exe (30)
powershell.exe (20)
  conhost.exe (32)
powershell.exe (22)
  conhost.exe (34)
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2022-10-26 22:08:53 UTC
File Type: PE (.Net Exe)
Extracted files: 19
AV detection: 22 of 25 (88.00%)
Threat level: 5/5
Verdict: malicious
Label(s): asyncrat
Result
Malware family: redline
Score: 10/10
Tags: family:asyncrat family:quasar family:redline botnet:cheat botnet:github botnet:r77version discovery evasion infostealer rat spyware stealer trojan
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
Maps connected drives based on registry
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Looks for VMWare Tools registry key
Async RAT payload
Looks for VirtualBox Guest Additions in registry
AsyncRat
Quasar RAT
Quasar payload
RedLine
RedLine payload
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
179.43.187.19:33
179.43.187.19:2525
179.43.187.19:4523
179.43.187.19:5555
179.43.187.19:18875
179.43.187.19:2326
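The C2 extraction above is the most directly actionable part of this entry: one IP, six ports, of which only 2525 was actually seen in the sandbox run (the behaviour graph's "179.43.187.19, 2525, 49708, 49712" entry, consistent with the "Uses known network protocols on non-standard ports" signature). The block below is an added example, not MalwareBazaar, sandbox-vendor or RedLine code. It parses that list, sweeps constructed Zeek conn.log rows for connections to it, and emits one Suricata rule per ip:port. The log rows are invented (the two port-2525 rows mirror the sandbox beacon, the port-443 and port-80 rows are benign and near-miss traffic); the function names, the SID range and the rule message text are assumptions.

```python
import ipaddress

SAMPLE_SHA256 = "79d5d50575d3e18ebea2cd8ce8fdc0e9e58cc151e3ae72207991068b587d6432"

# Copied from the Malware Config / C2 Extraction section of the entry.
C2_EXTRACTION = """
179.43.187.19:33
179.43.187.19:2525
179.43.187.19:4523
179.43.187.19:5555
179.43.187.19:18875
179.43.187.19:2326
"""

# Constructed Zeek conn.log text (assumption, not real traffic): tab-separated like
# Zeek's output, with the #fields header that names the columns.
SAMPLE_CONN_LOG = "\n".join("\t".join(row) for row in [
    ["#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
     "proto", "service", "duration", "orig_bytes", "resp_bytes", "conn_state"],
    ["1674244093.101", "CKa1bL3tXp", "10.0.0.15", "49708", "179.43.187.19", "2525",
     "tcp", "-", "12.4", "1840", "612", "SF"],      # mirrors the sandbox beacon
    ["1674244094.220", "CYb2cM4uYq", "10.0.0.15", "49712", "179.43.187.19", "2525",
     "tcp", "-", "0.9", "320", "96", "S1"],         # second beacon, same host
    ["1674244095.311", "CZc3dN5vZr", "10.0.0.15", "49715", "203.0.113.10", "443",
     "tcp", "ssl", "3.1", "2100", "8800", "SF"],    # unrelated TLS session
    ["1674244096.000", "CAd4eO6wAs", "10.0.0.22", "50011", "179.43.187.19", "80",
     "tcp", "http", "1.0", "500", "700", "SF"],     # C2 host, port not in config
])


def parse_c2(text: str) -> set[tuple[str, int]]:
    """Parse 'ip:port' lines into (ip, port) pairs, rejecting malformed entries."""
    iocs = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        host, sep, port = line.rpartition(":")
        if not sep:
            raise ValueError(f"no port in C2 entry: {line!r}")
        iocs.add((str(ipaddress.ip_address(host)), int(port)))
    return iocs


def parse_zeek_conn(text: str):
    """Yield one dict per conn.log record, using the #fields header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("conn.log has no #fields header")
        yield dict(zip(fields, line.split("\t")))


def scan_conn_log(text: str, iocs: set[tuple[str, int]]) -> list[dict]:
    """Return every connection to a C2 host, noting whether the port is in the config."""
    c2_hosts = {ip for ip, _ in iocs}
    hits = []
    for rec in parse_zeek_conn(text):
        dst, dport = rec["id.resp_h"], int(rec["id.resp_p"])
        if dst not in c2_hosts:
            continue
        hits.append({
            "uid": rec["uid"],
            "src": f"{rec['id.orig_h']}:{rec['id.orig_p']}",
            "dst": f"{dst}:{dport}",
            "port_in_config": (dst, dport) in iocs,
        })
    return hits


def suricata_rules(iocs: set[tuple[str, int]], sid_base: int = 1000000) -> list[str]:
    """One alert rule per C2 endpoint; sid_base sits in the local-rules range."""
    rules = []
    for n, (ip, port) in enumerate(sorted(iocs, key=lambda t: (t[1], t[0]))):
        rules.append(
            f"alert tcp $HOME_NET any -> {ip} {port} "
            f'(msg:"RedLine/AsyncRAT/Quasar C2 {ip}:{port} (MalwareBazaar {SAMPLE_SHA256})"; '
            f"flow:to_server; classtype:trojan-activity; sid:{sid_base + n}; rev:1;)"
        )
    return rules


if __name__ == "__main__":
    c2 = parse_c2(C2_EXTRACTION)
    for hit in scan_conn_log(SAMPLE_CONN_LOG, c2):
        print(hit)
    print("\n".join(suricata_rules(c2)))
```

The sweep matches on the IP and records separately whether the destination port is one of the six in the config, because a stealer config and the traffic a sandbox happens to see are two different things: the constructed port-80 row is the case where the host is right but the port is not, and it is still worth a look. Before blocking, check who else shares 179.43.187.19; the graph attributes it to PLI-ASCH in Panama, and a single C2 IP is routinely recycled across campaigns, so the hash in the rule message is what ties an alert back to this sample.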
Unpacked files
SHA256 hash: 324276fd85081bf681d573480b6e9ddd8349b67248716a7a6c203e3657389e9f
MD5 hash: aa8bbb7c5ace14b0a480d45c9715d651
SHA1 hash: af592c61c0ad792841662f7b912289b2db908c83
Detections: AsyncRAT win_asyncrat_w0

SHA256 hash: 4f80ddfe49b270f801ab44aa899153bbe2a0fb93abed0f9fc992f74ff6ab4fde
MD5 hash: f4ba8570299eabf8fe2d02cc1dc0606a
SHA1 hash: 5d7add32313074f5a1e9b4ab379298dee8b6217e

SHA256 hash: fe1b2023653d2406e90d78888d3450641826579adcac558ed5e3771c3777f4fb
MD5 hash: a5d62632ed7a88620035be4993e23352
SHA1 hash: 37c9554dbb80ff065f8e061e06c21e57ebd6ad04

SHA256 hash: 79d5d50575d3e18ebea2cd8ce8fdc0e9e58cc151e3ae72207991068b587d6432 (the submitted sample itself)
MD5 hash: 7fc99168d3d3c1bcbdf46a322ea3adef
SHA1 hash: 6218d1212f5c4e40f8aa7211dbe828a65117119f

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download

RedLineStealer
Executable exe 79d5d50575d3e18ebea2cd8ce8fdc0e9e58cc151e3ae72207991068b587d6432 (this sample)
