MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 86ae354a12341fd3def17aacee3e3ee3bf9678c499cbb81f0db1014177f378dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 86ae354a12341fd3def17aacee3e3ee3bf9678c499cbb81f0db1014177f378dd
SHA3-384 hash: 5774bcc5b1f8c26909a6cd35dc139ca9c028be1e16185074ff6291a8371f696fcff34d679357f94ef0cc6deda942fab2
SHA1 hash: 14da197bfc569b861a09e6069a880924335375e1
MD5 hash: 56b672a6fd444c4bad0ee7f6756ca134
humanhash: rugby-white-hydrogen-texas
File name:Desync.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:365'976 bytes
First seen:2021-11-12 15:24:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:OX2zR939x3RN/HPOdaxRnfHWOIamwxP27x2+AWrdLm6l7wL1PVjL:Z39hRNb/nf2Ouw527EvcNkL
Threatray 126 similar samples on MalwareBazaar
TLSH T1A374F2632D5CF718E0977D33A2DFAA114FA31FD29B3669CA1F09DA0112509827E73729
Reporter tech_skeech
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
158
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/205322/
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated overlay packed packed
Link:
https://www.filescan.io/uploads/618e8751dec3347825a2db99/reports/55290b79-3fe4-4b18-8f31-fbdaf6510631/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5356e9e4-fcb1-436c-896c-31c2ef25caf2
Result
Threat name:
BitCoin Miner
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/888207
Signature
Allocates memory in foreign processes
Connects to many ports of the same IP (likely port scanning)
Creates a thread in another existing process (thread injection)
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 520678 Sample: Desync.exe Startdate: 12/11/2021 Architecture: WINDOWS Score: 100 67 Multi AV Scanner detection for submitted file 2->67 69 Yara detected BitCoin Miner 2->69 71 Machine Learning detection for sample 2->71 73 Connects to many ports of the same IP (likely port scanning) 2->73 12 Desync.exe 14 7 2->12         started        17 vhyfd.exe 2->17         started        process3 dnsIp4 63 65.108.29.210, 21638, 49786 ALABANZA-BALTUS United States 12->63 65 cdn.discordapp.com 162.159.134.233, 443, 49789 CLOUDFLARENETUS United States 12->65 59 C:\Users\user\AppData\Local\Temp\fl.exe, PE32+ 12->59 dropped 61 C:\Users\user\AppData\...\Desync.exe.log, ASCII 12->61 dropped 99 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 12->99 101 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 12->101 103 Tries to harvest and steal browser information (history, passwords, etc) 12->103 19 fl.exe 12->19         started        105 Multi AV Scanner detection for dropped file 17->105 107 Writes to foreign memory regions 17->107 109 Allocates memory in foreign processes 17->109 111 Creates a thread in another existing process (thread injection) 17->111 22 conhost.exe 5 17->22         started        file5 signatures6 process7 file8 75 Multi AV Scanner detection for dropped file 19->75 77 Writes to foreign memory regions 19->77 79 Allocates memory in foreign processes 19->79 81 Creates a thread in another existing process (thread injection) 19->81 25 conhost.exe 4 19->25         started        55 C:\Windows\System32\...\sihost32.exe, PE32+ 22->55 dropped 83 Drops executables to the windows directory (C:\Windows) and starts them 22->83 28 sihost32.exe 22->28         started        signatures9 process10 file11 57 C:\Windows\System32\vhyfd.exe, PE32+ 25->57 dropped 31 cmd.exe 1 25->31         started        34 cmd.exe 1 25->34         started        91 Multi AV Scanner detection for dropped file 28->91 93 Writes to foreign memory regions 28->93 95 Allocates memory in foreign processes 28->95 97 Creates a thread in another existing process (thread injection) 28->97 36 conhost.exe 2 28->36         started        signatures12 process13 signatures14 113 Drops executables to the windows directory (C:\Windows) and starts them 31->113 38 vhyfd.exe 31->38         started        41 conhost.exe 31->41         started        115 Uses schtasks.exe or at.exe to add and modify task schedules 34->115 43 conhost.exe 34->43         started        45 schtasks.exe 1 34->45         started        process15 signatures16 85 Writes to foreign memory regions 38->85 87 Allocates memory in foreign processes 38->87 89 Creates a thread in another existing process (thread injection) 38->89 47 conhost.exe 2 38->47         started        process17 process18 49 cmd.exe 1 47->49         started        process19 51 taskkill.exe 1 49->51         started        53 conhost.exe 49->53         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/86ae354a12341fd3def17aacee3e3ee3bf9678c499cbb81f0db1014177f378dd/
Threat name:
ByteCode-MSIL.Trojan.Zilla
Create hunting rule
Status:
Malicious
First seen:
2021-11-12 15:25:05 UTC
AV detection:
18 of 45 (40.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=q2xdksqsgqp5hxxrpkwo4pr64o7zm6gethf3qhynweauc57tpdoq._file
Verdict:
malicious
Similar samples:
191018b2c61b46c04fba2acfd7138621ad327b5e918bee60e551c466aa9aca33
RedLineStealer
2636b0f988e2d2129d014b870101be731b72d39e4f8ff12156b1b523a5c36c6a
RedLineStealer
28f5fb04e33ee8f3257b1a2c6f4ade3f281b0d474eea4bdde2abe622a1b11994
RedLineStealer
58f64e4083fa288b091dc0d29a050da9cd09e4ee6607aff2e5fa5ffbe2c7a887
RedLineStealer
773b40c8007545afd1b563bdf17dab8225acd4bd6def35e4db95f70fca16371c
RedLineStealer
c6110583978af41e0ec6705f89b4c6c0acccb6b314b6376052f1b984bd282456
RedLineStealer
d3971de408a80057671d1f39dd0aafcb4501903b6c9cf7f5fb51fffc0ab43599
RedLineStealer
d3cfc436366c9d127c7a6233f6531cf6e5863153b41ba4ab6f8fe87f473c8c9d
RedLineStealer
f70e0c1d6dcec7a1da46f9b0a76f717d8b8d33bc8e15898d0dce194bec87eedc
RedLineStealer
f89908f8594a0dccfb5e52b295075ff63be86c0f5584f990d39dfe2b2c2f9c08
RedLineStealer
+ 116 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer
Link:
https://tria.ge/reports/211112-stmc3adga2/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
65.108.29.210:21638
Unpacked files
SH256 hash:
b2eab8013f0c0826809ea0f1e210b072f3a110961c1f7369101469aa6b8aa939
MD5 hash:
37067007ff47f0ed5cfc8df5f36d1ce2
SHA1 hash:
807de5ef41557f82a10a950a3988cf70f3d66e8f
Link:
https://www.unpac.me/results/bf30b22a-4098-4b85-aa5a-801970c2894d/
SH256 hash:
86ae354a12341fd3def17aacee3e3ee3bf9678c499cbb81f0db1014177f378dd
MD5 hash:
56b672a6fd444c4bad0ee7f6756ca134
SHA1 hash:
14da197bfc569b861a09e6069a880924335375e1
Link:
https://www.unpac.me/results/bf30b22a-4098-4b85-aa5a-801970c2894d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/86ae354a12341fd3def17aacee3e3ee3bf9678c499cbb81f0db1014177f378dd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 86ae354a12341fd3def17aacee3e3ee3bf9678c499cbb81f0db1014177f378dd

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/205322/

Comments