MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8411282e09396eeac60b64899b70e5aa2260aa2d105a928a974cb467e2c8f5eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8411282e09396eeac60b64899b70e5aa2260aa2d105a928a974cb467e2c8f5eb
SHA3-384 hash: 60f6cdaeaba45ed198de94c4e7f8ab55585df1ec20460245f58f190fad49c908da1beb3ffd30bb4de4e9be3097389c82
SHA1 hash: 520b3473a84f08f76e55f061dc41a2dd9f14f852
MD5 hash: 5443a5c1e51f031fa931369bd795cf17
humanhash: coffee-mars-nebraska-eighteen
File name:SYNAPSE X FREE.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:3'620'352 bytes
First seen:2022-01-24 22:30:13 UTC
Last seen:2022-01-25 01:09:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c284fa365c4442728ac859c0f9ed4dc5 (94 x RedLineStealer, 10 x RaccoonStealer, 8 x CoinMiner)
ssdeep 49152:oHR06o+CqaX04mNN8NlYO6s1OIHxHZquffcR7d1VRp5SQsnNauvbJr0vH99xaKNH:oxSfXOolCsNZ5E5npExfvbevH9xTX7
Threatray 1'838 similar samples on MalwareBazaar
TLSH T187F533CBF3E107B4C6C9B6FEA9048D6B89A13503C1BC37AE77A14435B54A4F1ADE40A5
Reporter JaffaCakes118
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
215
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SYNAPSE X FREE.exe
Verdict:
Malicious activity
Analysis date:
2022-01-24 22:28:32 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/c0a5cf13-b077-4e5e-869e-4d4f5a4ff01e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/222087/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process from a recently created file
Creating a file
Searching for synchronization primitives
Launching a process
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Searching for the window
DNS request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Сreating synchronization primitives
Sending an HTTP GET request
Creating a file in the %temp% directory
Stealing user critical data
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/61ef28aaf81da814afa14823/reports/f560f6c1-1280-45ca-8793-21a0b9fa8be8/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1aaa2a6d-ad82-4010-925b-9e406603009a
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/926685
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for URL or domain
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 559163 Sample: SYNAPSE X FREE.exe Startdate: 24/01/2022 Architecture: WINDOWS Score: 100 64 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->64 66 Multi AV Scanner detection for domain / URL 2->66 68 Found malware configuration 2->68 70 9 other signatures 2->70 10 SYNAPSE X FREE.exe 2->10         started        13 MicrosoftApi.exe 2->13         started        process3 dnsIp4 86 Writes to foreign memory regions 10->86 88 Allocates memory in foreign processes 10->88 90 Injects a PE file into a foreign processes 10->90 16 AppLaunch.exe 15 7 10->16         started        21 WerFault.exe 23 9 10->21         started        62 62.182.156.182, 49842, 49843, 49844 AutonomousSystemofBaunetworks-SerbiaRS Russian Federation 13->62 signatures5 process6 dnsIp7 56 46.8.52.48, 49776, 9006 RDITELECOM-ASRU Russian Federation 16->56 58 dl.uploadgram.me 176.9.247.226, 443, 49816 HETZNER-ASDE Germany 16->58 48 C:\Users\user\AppData\Local\Temp\2.exe, PE32+ 16->48 dropped 72 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 16->72 74 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 16->74 76 Tries to harvest and steal browser information (history, passwords, etc) 16->76 78 Tries to steal Crypto Currency Wallets 16->78 23 2.exe 1 4 16->23         started        60 192.168.2.1 unknown unknown 21->60 file8 signatures9 process10 file11 50 C:\Users\user\AppData\...\MicrosoftApi.exe, PE32+ 23->50 dropped 52 C:\Users\user\AppData\Local\...\2.exe.log, ASCII 23->52 dropped 80 Multi AV Scanner detection for dropped file 23->80 82 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 23->82 84 Machine Learning detection for dropped file 23->84 27 MicrosoftApi.exe 1 5 23->27         started        signatures12 process13 file14 54 C:\Users\user\AppData\...\tmpAB55.tmp.cmd, DOS 27->54 dropped 92 Multi AV Scanner detection for dropped file 27->92 94 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 27->94 96 Machine Learning detection for dropped file 27->96 31 cmd.exe 1 27->31         started        34 cmd.exe 1 27->34         started        signatures15 process16 signatures17 98 Uses schtasks.exe or at.exe to add and modify task schedules 31->98 100 Adds a directory exclusion to Windows Defender 31->100 36 powershell.exe 23 31->36         started        38 conhost.exe 31->38         started        40 timeout.exe 1 31->40         started        42 conhost.exe 34->42         started        44 timeout.exe 1 34->44         started        46 schtasks.exe 34->46         started        process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8411282e09396eeac60b64899b70e5aa2260aa2d105a928a974cb467e2c8f5eb/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2022-01-24 22:31:19 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qqisqlqjhfxovrqlmsezw4hfvirgbkrncbnjfcuxjs2gpywi6xvq._file
Verdict:
malicious
Similar samples:
1a1d8823b35b8c0d8dfcebe065520a07fe105589893262976fce4122317c55b8
RedLineStealer
264b1ca9df86f0d722b98b6aebc1be86d4c342747b709113a4eca4d68fc0dbdc
RedLineStealer
51e96096360aaaa7df70507ee70610710b1c532e30994b60fc3d20792fcd688d
RedLineStealer
8040940621af7b77ecbb66d16ca8fc924900960d48665247aa3f77d4de560c9a
RedLineStealer
872689bf87c4789712c2d066c958f87ff3069d167bb29f6788ce83c9bc2f126d
RedLineStealer
924bb78c8e816ebd25d656fb6cf0387449cd4b3cd55846c99d4f0ddb47f71dd5
RedLineStealer
adb98685d3d6a8fa5e90b6fd9d458601d874718d5815f8aab66728ba9d067440
RedLineStealer
c88aa7ed56d611114cd6e9376e42a608103f371d5ceeb82c1c0253cb7d1d7151
RedLineStealer
dda8e5e4b93708ef5042d3e46027670a9ffa93f4c18646d0e48b13f8d1b013fe
RedLineStealer
f84ae3bdd7a26957eebe4e4893718bd512960c013a8aa4903998af16072c0041
RedLineStealer
+ 1'828 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/220124-2fc2xabdhj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Unpacked files
SH256 hash:
9ed0484f5de830bb620f4c0de48f11fe087cfe9195dcc4f613fdbf47480a16c4
MD5 hash:
d1e94bcaa2a2af9f51573d28ed914d2f
SHA1 hash:
707c148b212ae8d39737ef4e667a214a789fa41d
Link:
https://www.unpac.me/results/64442a1d-ac56-4672-ac75-36a60d3a554f/
SH256 hash:
8411282e09396eeac60b64899b70e5aa2260aa2d105a928a974cb467e2c8f5eb
MD5 hash:
5443a5c1e51f031fa931369bd795cf17
SHA1 hash:
520b3473a84f08f76e55f061dc41a2dd9f14f852
Link:
https://www.unpac.me/results/64442a1d-ac56-4672-ac75-36a60d3a554f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/8411282e0939/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/8411282e09396eeac60b64899b70e5aa2260aa2d105a928a974cb467e2c8f5eb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 8411282e09396eeac60b64899b70e5aa2260aa2d105a928a974cb467e2c8f5eb

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/222087/

Comments