MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 84806d7ed59a57fce9b4bb07519d78f25edd45c5e56c5739a252f4b4b3c701e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 16


Intelligence 16 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 84806d7ed59a57fce9b4bb07519d78f25edd45c5e56c5739a252f4b4b3c701e2
SHA3-384 hash: 5d81902417ab385dbaf2603c8cd3a7fb416e2c879da80153c5dc850e76c4b3ac90eaf0bd18c5a9f9762599caf06aea14
SHA1 hash: 0282d75ca0ef8167e1798ab5925bdddf604753c9
MD5 hash: 63c02bf79ba67e69dfb5b5f115986f8b
humanhash: whiskey-oregon-two-coffee
File name:63c02bf79ba67e69dfb5b5f115986f8b.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:248'320 bytes
First seen:2022-11-24 15:55:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 19f81fe756f31ae8a7d11110e6e81c7a (12 x RedLineStealer, 1 x LaplasClipper)
ssdeep 6144:71gE5wi2UCeNWGa+nMzVWMNQErpV2IviDnye3sEuYq7Z:pgEaACe1a+nMzVWMNQErpV2IvQypEuYa
TLSH T177348C137580743AF6ADCBFAD89C9E55487FA3E1178066CB112E071847F13FA9AA434E
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
37.220.87.2:27924

Intelligence

File Origin
# of uploads :
1
# of downloads :
273
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
63c02bf79ba67e69dfb5b5f115986f8b.exe
Verdict:
Malicious activity
Analysis date:
2022-11-24 15:58:33 UTC
Tags:
trojan rat redline loader
Link:
https://app.any.run/tasks/e29aa309-871b-4f31-937a-7f609a028459

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/338118/
Detection(s):
Win.Packed.Redline-9978660-0
Create hunting rule

Win.Packed.Redline-9978665-0
Create hunting rule

Win.Packed.Redline-9978667-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Unauthorized injection to a system process
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/637f9414559d07a06f473bdd/reports/6f5bd39c-c261-449e-8b0d-afd4ec693d9d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4c1cbe93-d048-48a3-b2b4-6aed2428ddb3
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1120620
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Drops executables to the windows directory (C:\Windows) and starts them
Encrypted powershell cmdline option found
Found hidden mapped module (file has been removed from disk)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Potential dropper URLs found in powershell memory
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: Stop multiple services
Snort IDS alert for network traffic
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 753337 Sample: cfBJlHsOsz.exe Startdate: 24/11/2022 Architecture: WINDOWS Score: 100 101 pool.hashvault.pro 2->101 115 Snort IDS alert for network traffic 2->115 117 Malicious sample detected (through community Yara rule) 2->117 119 Antivirus detection for dropped file 2->119 121 8 other signatures 2->121 11 cfBJlHsOsz.exe 1 2->11         started        14 chrome.exe 2->14         started        16 ofg.exe 2->16         started        18 chrome.exe 2->18         started        signatures3 process4 signatures5 153 Contains functionality to inject code into remote processes 11->153 155 Writes to foreign memory regions 11->155 157 Allocates memory in foreign processes 11->157 20 vbc.exe 15 9 11->20         started        25 WerFault.exe 24 9 11->25         started        27 conhost.exe 11->27         started        159 Encrypted powershell cmdline option found 14->159 161 Sample uses process hollowing technique 14->161 163 Injects a PE file into a foreign processes 14->163 29 powershell.exe 14->29         started        31 powershell.exe 14->31         started        33 schtasks.exe 1 16->33         started        process6 dnsIp7 107 37.220.87.2, 27924, 49711 ARTEM-CATV-ASRU Russian Federation 20->107 109 www.idpminic.org 20->109 111 idpminic.org 66.235.200.147, 49712, 49713, 80 CLOUDFLARENETUS United States 20->111 93 C:\Users\user\AppData\Localbehaviorgraphoogle\ofg.exe, PE32 20->93 dropped 95 C:\Users\user\AppData\Local\...\chrome.exe, PE32 20->95 dropped 97 C:\Users\user\AppData\Local\...\brave.exe, PE32+ 20->97 dropped 143 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 20->143 145 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 20->145 147 Tries to harvest and steal browser information (history, passwords, etc) 20->147 149 Tries to steal Crypto Currency Wallets 20->149 35 chrome.exe 1 20->35         started        39 brave.exe 2 20->39         started        41 ofg.exe 20->41         started        113 192.168.2.1 unknown unknown 25->113 99 C:\ProgramData\Microsoft\...\Report.wer, Unicode 25->99 dropped 151 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 29->151 43 conhost.exe 31->43         started        45 conhost.exe 33->45         started        file8 signatures9 process10 file11 87 C:\WindowsbehaviorgraphoogleUpdate.exe, PE32 35->87 dropped 123 Antivirus detection for dropped file 35->123 125 Multi AV Scanner detection for dropped file 35->125 127 Detected unpacking (creates a PE file in dynamic memory) 35->127 139 5 other signatures 35->139 47 GoogleUpdate.exe 35->47         started        50 GoogleUpdate.exe 35->50         started        53 powershell.exe 3 35->53         started        65 3 other processes 35->65 89 C:\Users\user\AppData\Local\Temp\8ABA.tmp, PE32+ 39->89 dropped 91 C:\Program Filesbehaviorgraphoogle\Chrome\updater.exe, PE32+ 39->91 dropped 129 Writes to foreign memory regions 39->129 131 Modifies the context of a thread in another process (thread injection) 39->131 133 Found hidden mapped module (file has been removed from disk) 39->133 141 2 other signatures 39->141 55 cmd.exe 39->55         started        57 cmd.exe 39->57         started        59 powershell.exe 17 39->59         started        61 powershell.exe 39->61         started        135 Machine Learning detection for dropped file 41->135 137 Uses schtasks.exe or at.exe to add and modify task schedules 41->137 63 schtasks.exe 1 41->63         started        signatures12 process13 dnsIp14 165 Detected unpacking (changes PE section rights) 47->165 167 Uses netsh to modify the Windows network and firewall settings 47->167 169 Modifies the windows firewall 47->169 171 Tries to detect virtualization through RDTSC time measurements 47->171 103 api.peer2profit.com 172.66.43.60, 443, 49714, 49715 CLOUDFLARENETUS United States 50->103 105 162.19.175.163, 443, 49716, 49717 CENTURYLINK-US-LEGACY-QWESTUS United States 50->105 173 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 50->173 67 netsh.exe 50->67         started        69 netsh.exe 50->69         started        71 conhost.exe 53->71         started        175 Uses cmd line tools excessively to alter registry or file data 55->175 177 Uses powercfg.exe to modify the power settings 55->177 179 Modifies power options to not sleep / hibernate 55->179 79 11 other processes 55->79 81 5 other processes 57->81 73 conhost.exe 59->73         started        75 conhost.exe 61->75         started        77 conhost.exe 63->77         started        83 3 other processes 65->83 signatures15 process16 process17 85 conhost.exe 67->85         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/84806d7ed59a57fce9b4bb07519d78f25edd45c5e56c5739a252f4b4b3c701e2/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-11-20 18:37:58 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qsag27wvtjl7z2nuxmdvdhly6jpn2rof4vwfoonckl2ljm6hahra._file
Verdict:
malicious
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline evasion infostealer persistence spyware
Link:
https://tria.ge/reports/221124-tdb3tsea29/
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Uses the VBS compiler for execution
Downloads MZ/PE file
Executes dropped EXE
Sets service image path in registry
Stops running service(s)
Modifies security service
RedLine
RedLine payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
37.220.87.2:27924
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ad29bf48-1ca4-4b25-ac33-e8d1b9039138
Unpacked files
SH256 hash:
c8bd2f0f797598b23585a9e14fded0b91248b531faeabe9eca9ac76ce04b581e
MD5 hash:
e34180cf3b0292395895e562380907d5
SHA1 hash:
3fa365ac0bc62d139705d217d71b4763df2316e1
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/795a9fc6-637c-4fbb-ba77-3fe2c91f96cf/
SH256 hash:
84806d7ed59a57fce9b4bb07519d78f25edd45c5e56c5739a252f4b4b3c701e2
MD5 hash:
63c02bf79ba67e69dfb5b5f115986f8b
SHA1 hash:
0282d75ca0ef8167e1798ab5925bdddf604753c9
Link:
https://www.unpac.me/results/795a9fc6-637c-4fbb-ba77-3fe2c91f96cf/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/84806d7ed59a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/84806d7ed59a57fce9b4bb07519d78f25edd45c5e56c5739a252f4b4b3c701e2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/338118/

Comments