MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 870d6260cbcd71de3acab138b9929af3d61ea86e8ee8d7ba75af2e6a54761af7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 870d6260cbcd71de3acab138b9929af3d61ea86e8ee8d7ba75af2e6a54761af7
SHA3-384 hash: 8fde8ec06b77b226da2e00ea5e51346064f29793a3f36c998820844919d7da47794539805593d0f13b6b9f74c5288085
SHA1 hash: c5643efd391a7b3df37ee20726f42e103fecac93
MD5 hash: fddd6b789812ad5e11648cd27455d2fa
humanhash: carolina-eight-angel-fruit
File name:fddd6b789812ad5e11648cd27455d2fa
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:166'912 bytes
First seen:2022-01-15 06:03:22 UTC
Last seen:2022-01-15 07:33:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 1536:+HYm6JhKx4kvvbWtODgkFRC2S5x99999+ewwwwwKKKKK5GGGGp++eI+9Yuz:+nYhLkvzWiQwwwwwQGGGGp++eD9j
Threatray 1'117 similar samples on MalwareBazaar
TLSH T15DF3086B2591D1A6C4445330E164CFFF357CED3505827A8BA8897EAFBE2854C8AF13E1
File icon (PE):PE icon
dhash icon 456d94ca8b083817 (1 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
200
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
fddd6b789812ad5e11648cd27455d2fa
Verdict:
Malicious activity
Analysis date:
2022-01-15 06:06:40 UTC
Tags:
stealer evasion
Link:
https://app.any.run/tasks/6e05a307-fdef-422c-99db-ddfbc16cc51d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/219434/
Detection(s):
SecuriteInfo.com.ArtemisFDDD6B789812.26174.1505.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Searching for analyzing tools
Searching for synchronization primitives
Creating a file in the %AppData% directory
Reading critical registry keys
Using the Windows Management Instrumentation requests
Launching a process
Unauthorized injection to a recently created process
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm control.exe obfuscated packed replace.exe shell32.dll
Link:
https://www.filescan.io/uploads/61e263d6f2e8ec86fe005c56/reports/b025c00d-a4b9-4a21-aec0-255c02b3bb16/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/99e861b9-040b-414b-bcd4-d5d68ac1ef2d
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/921048
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 553525 Sample: 7YpsSHnnWF Startdate: 15/01/2022 Architecture: WINDOWS Score: 100 47 Antivirus detection for URL or domain 2->47 49 Antivirus detection for dropped file 2->49 51 Antivirus / Scanner detection for submitted sample 2->51 53 5 other signatures 2->53 8 7YpsSHnnWF.exe 15 7 2->8         started        process3 dnsIp4 37 iplogger.org 148.251.234.83, 443, 49759, 49760 HETZNER-ASDE Germany 8->37 39 dpcapps.me 172.67.177.36, 443, 49752, 49753 CLOUDFLARENETUS United States 8->39 31 b4dfab8a-e9b7-405f-b8ff-6ea55bd8dbc2.exe, PE32 8->31 dropped 33 21b8ec62-4592-4afe-a8fb-79229d8c2acb.exe, PE32 8->33 dropped 35 126019a2-1605-498f-a9a5-e2e764691dc7.exe, PE32 8->35 dropped 55 May check the online IP address of the machine 8->55 13 21b8ec62-4592-4afe-a8fb-79229d8c2acb.exe 14 23 8->13         started        17 126019a2-1605-498f-a9a5-e2e764691dc7.exe 2 8->17         started        19 b4dfab8a-e9b7-405f-b8ff-6ea55bd8dbc2.exe 14 4 8->19         started        file5 signatures6 process7 dnsIp8 41 applesystems.me 104.21.59.35, 443, 49762 CLOUDFLARENETUS United States 13->41 57 Multi AV Scanner detection for dropped file 13->57 59 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 13->59 61 Machine Learning detection for dropped file 13->61 71 2 other signatures 13->71 63 Tries to detect sandboxes and other dynamic analysis tools (window names) 17->63 65 Tries to evade analysis by execution special instruction which cause usermode exception 17->65 67 Hides threads from debuggers 17->67 43 freshstart-upsolutions.me 172.67.192.133, 443, 49761, 49763 CLOUDFLARENETUS United States 19->43 45 192.168.2.1 unknown unknown 19->45 27 C:\Users\user\AppData\Roaming\5592308.exe, PE32 19->27 dropped 69 Antivirus detection for dropped file 19->69 22 5592308.exe 8 19->22         started        file9 signatures10 process11 file12 29 C:\Users\user\AppData\Local\Temp\AWVL.3K, PE32 22->29 dropped 25 msiexec.exe 22->25         started        process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/870d6260cbcd71de3acab138b9929af3d61ea86e8ee8d7ba75af2e6a54761af7/
Threat name:
ByteCode-MSIL.Spyware.Phonzy
Create hunting rule
Status:
Suspicious
First seen:
2022-01-14 19:54:24 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
19 of 28 (67.86%)
Threat level:
  2/5
Verdict:
malicious
Similar samples:
3419cd3aa1836577742af73aefa4d0fd5a198cbc4474af670408e6752f0dd89e
RedLineStealer
3bd0eb640c37fb31423b560aeb5bf4f9f6117cb60c2a9e4509b7a0db80e0a092
RedLineStealer
4fe1cb64f16f7fa987407a906a4319520972f5a8f5749e3b071a831825559a45
RedLineStealer
79ac302029ae7a3c7601260bb855725bd568f3b1c3730dca0edd74d72a5b9efb
RedLineStealer
7a79f0c95e891b939e275fa19e641b676f2eb70471945fb3b15d6a649cafe071
RedLineStealer
a546a1f257585e2f4c093db2b7eeb6413a314ffb1296d97fd31d0363e827cc65
RedLineStealer
a96e7065e6d2e724aa734cbdd99467f3c25f079da753c7681ee9d3c4bb6259f5
RedLineStealer
db5d4a5090c7303616f88db08a22abc975804ae1abdef9740c208c004648255b
RedLineStealer
eddbfe52ba633950c388e0303d5a04453f9ba9e3a3cdc60f9a1355707cd209e6
RedLineStealer
+ 1'107 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/220115-gslvcschc6/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SH256 hash:
870d6260cbcd71de3acab138b9929af3d61ea86e8ee8d7ba75af2e6a54761af7
MD5 hash:
fddd6b789812ad5e11648cd27455d2fa
SHA1 hash:
c5643efd391a7b3df37ee20726f42e103fecac93
Link:
https://www.unpac.me/results/3617e174-cf54-4fbf-90b4-37ff7cd297bf/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/870d6260cbcd71de3acab138b9929af3d61ea86e8ee8d7ba75af2e6a54761af7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 870d6260cbcd71de3acab138b9929af3d61ea86e8ee8d7ba75af2e6a54761af7

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1978274/
Cape
Cape
https://www.capesandbox.com/analysis/219434/

Comments


Avatar
zbet commented on 2022-01-15 06:03:25 UTC

url : hxxps://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr95038215.exe