MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 90a286ac5b49100aeb8038af277dbabc3853e6fe5557c19d5a64885f015596b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 8



SHA256 hash: 90a286ac5b49100aeb8038af277dbabc3853e6fe5557c19d5a64885f015596b1
SHA3-384 hash: cbe405a49191f61321fae45c7e920510854365b115be4b6e4b0e2d642930796e26971b0716b53dc96719a368214d0f0c
SHA1 hash: 474ed56ba18bfc91debf3e38e793d025c3d92e1c
MD5 hash: a6b605c4fa1ab6361219008c6174f15c
humanhash: bacon-nuts-crazy-nevada
File name: a6b605c4fa1ab6361219008c6174f15c.exe
Signature: RedLineStealer
File size: 1'123'720 bytes
First seen: 2021-04-20 14:10:31 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash a1a66d588dcf1394354ebf6ec400c223 (49 x RedLineStealer, 7 x CryptBot, 4 x AZORult)
ssdeep 24576:l1qUutnXwk581ZLc+qvDlyaqaM/xN8yTJLrKif8wpEeTi+QQY+3fiZQyDD:l1qUu1Xwk5kQncaHqNRNfRThQZ+P6PDD
Threatray 138 similar samples on MalwareBazaar
TLSH DD352311379E00B9D3F13471BAA0A7B1CFAAD7681B4181EF5B941A477A18DC2CB742DB
Reporter abuse_ch
Tags:exe RedLineStealer


abuse_ch
RedLineStealer C2:
31.148.99.134:80

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
31.148.99.134:80 | https://threatfox.abuse.ch/ioc/9270/
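The indicators on this page (the sample hashes above, the reported C2 socket and the zeupilen.xyz host from the extracted config) are only useful once they are run against your own telemetry. The script below is an added example, not part of the MalwareBazaar entry or abuse.ch tooling: it transcribes those indicators and scans a few constructed log lines in Sysmon-, firewall- and DNS-resolver-like formats (the log formats, host names and timestamps are invented for the example). It matches hashes case-insensitively by digest length, distinguishes an exact ip:port hit from the same IP on a different port, and matches subdomains of the C2 host. iplogger.org, which the sandbox run also contacted, is deliberately left out because a legitimate service is too noisy to block on by itself.

```python
import re
from typing import Dict, List, Set, Tuple

# Indicators transcribed from this MalwareBazaar entry.
SAMPLE_HASHES: Dict[str, str] = {
    "sha256": "90a286ac5b49100aeb8038af277dbabc3853e6fe5557c19d5a64885f015596b1",
    "sha1": "474ed56ba18bfc91debf3e38e793d025c3d92e1c",
    "md5": "a6b605c4fa1ab6361219008c6174f15c",
}
C2_SOCKETS: Set[Tuple[str, int]] = {("31.148.99.134", 80)}   # reporter comment / ThreatFox
C2_DOMAINS: Set[str] = {"zeupilen.xyz"}                       # "C2 Extraction" from the config
C2_IPS: Set[str] = {ip for ip, _ in C2_SOCKETS}
# iplogger.org (88.99.66.31:443 in the sandbox run) is a legitimate service and is
# intentionally not an indicator here: alone it would mostly produce false positives.

HASH_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{32,64}(?![0-9a-fA-F])")
ENDPOINT_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?\b")
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def hash_hits(line: str) -> Set[Tuple[str, str]]:
    """Any hex token of MD5/SHA1/SHA256 length that equals the sample's digest."""
    hits = set()
    for token in HEX_RE.findall(line):
        algo = HASH_ALGO_BY_LEN.get(len(token))
        if algo and token.lower() == SAMPLE_HASHES[algo]:
            hits.add(("sample_" + algo, token.lower()))
    return hits


def network_hits(line: str) -> Set[Tuple[str, str]]:
    """Exact socket, bare IP, IP-on-other-port and (sub)domain matches."""
    hits = set()
    for ip, port in ENDPOINT_RE.findall(line):
        if not port:
            if ip in C2_IPS:
                hits.add(("c2_ip", ip))
        elif (ip, int(port)) in C2_SOCKETS:
            hits.add(("c2_socket", f"{ip}:{port}"))
        elif ip in C2_IPS:
            hits.add(("c2_ip_other_port", f"{ip}:{port}"))
    for host in HOST_RE.findall(line):
        host = host.lower().rstrip(".")
        if any(host == d or host.endswith("." + d) for d in C2_DOMAINS):
            hits.add(("c2_domain", host))
    return hits


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per (line, indicator kind, value), in line order."""
    findings: List[Dict[str, object]] = []
    for number, line in enumerate(lines, start=1):
        for kind, value in sorted(hash_hits(line) | network_hits(line)):
            findings.append({"line": number, "kind": kind, "value": value})
    return findings


# Constructed sample log lines (not taken from the sandbox run).
SAMPLE_LOG = [
    "2021-04-20T14:12:03Z host=WS01 sysmon EventID=1 "
    "Image=C:\\Users\\user\\Downloads\\a6b605c4fa1ab6361219008c6174f15c.exe "
    "Hashes=SHA256=90A286AC5B49100AEB8038AF277DBABC3853E6FE5557C19D5A64885F015596B1,"
    "MD5=A6B605C4FA1AB6361219008C6174F15C",
    "2021-04-20T14:12:04Z host=WS01 dns client=10.0.0.5 query=zeupilen.xyz type=A "
    "rcode=NOERROR answer=31.148.99.134",
    "2021-04-20T14:12:05Z fw src=10.0.0.5:49726 dst=31.148.99.134:80 proto=tcp action=allow",
    "2021-04-20T14:12:06Z host=WS01 dns client=10.0.0.5 query=iplogger.org type=A rcode=NOERROR",
    "2021-04-20T14:20:41Z fw src=10.0.0.7:51000 dst=31.148.99.134:443 proto=tcp action=allow",
    "2021-04-20T14:21:10Z host=WS02 sysmon EventID=1 Image=C:\\Windows\\System32\\notepad.exe "
    "Hashes=SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"line {finding['line']}: {finding['kind']} {finding['value']}")
```

Feed it real exports instead of SAMPLE_LOG by replacing the list with `sys.stdin` lines; the per-kind labels make it easy to treat `c2_socket` and `sample_sha256` as high-confidence and `c2_ip_other_port` as something to review first.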

Intelligence


File Origin
# of uploads: 1
# of downloads: 103
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: a6b605c4fa1ab6361219008c6174f15c.exe
Verdict: Malicious activity
Analysis date: 2021-04-20 14:17:51 UTC
Tags: autoit trojan rat redline

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Launching a process
Creating a process with a hidden window
Running batch commands
Launching cmd.exe command interpreter
Creating a process from a recently created file
Deleting a recently created file
DNS request
Sending a UDP request
Sending an HTTP POST request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Ficker Stealer RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Contains functionality to register a low level keyboard hook
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Submitted sample is a known malware sample
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected Ficker Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph (ID 393562; sample 1nEaZvYoKF.exe; start date 20/04/2021; architecture WINDOWS; score 100)
Top-level signatures: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected Ficker Stealer; 2 other signatures

Process tree recovered from the graph (signatures, dropped files and network destinations in brackets; elided path components are as shown on the page):

1nEaZvYoKF.exe  [Contains functionality to register a low level keyboard hook]
  cmd.exe  [Submitted sample is a known malware sample; Obfuscated command line found; Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks]
    cmd.exe  [Obfuscated command line found; Uses ping.exe to sleep]
      Quello.exe.com
        Quello.exe.com  [DNS: QsMzBpSuRRNsczz.QsMzBpSuRRNsczz; dropped C:\Users\user\AppData\Roaming\...\RegAsm.exe (PE32); Writes to foreign memory regions; Injects a PE file into a foreign processes]
          RegAsm.exe  [network: zeupilen.xyz 31.148.99.134 (ports 49726, 49728, 49729; IHOR-ASRU Czech Republic), iplogger.org 88.99.66.31 (443, 49730; HETZNER-ASDE Germany), 2 other IPs or domains; dropped C:\Users\user\AppData\Local\Temp\file.exe (PE32); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); May check the online IP address of the machine; Performs DNS queries to domains with low reputation; 3 other signatures]
            file.exe  [dropped C:\Users\user\AppData\Local\...\tphost.exe (PE32+); Multi AV Scanner detection for dropped file]
              tphost.exe  [Machine Learning detection for dropped file]
      PING.EXE  [127.0.0.1]
      findstr.exe  [dropped C:\Users\user\AppData\...\Quello.exe.com (file type reported as Targa)]
    conhost.exe
  makecab.exe
    conhost.exe
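The process tree above is a good source of detection logic that does not depend on this sample's hashes or C2: a loopback ping used as a delay, findstr.exe writing out an executable, a launch of a file with a double extension from a user-writable directory, and RegAsm.exe running from AppData instead of the .NET framework directory. The script below is an added example and not part of the MalwareBazaar page or any vendor's sandbox; it encodes those four observations as rules and runs them over constructed Sysmon-style process and file events. The exact command lines, the drop directories and the `-n` repeat-count heuristic for the ping sleep are assumptions (the page does not show the obfuscated command lines), so tune them to your own telemetry.

```python
import ntpath
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, object]

DOTNET_DIR = "c:\\windows\\microsoft.net\\"
EXEC_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd")
PING_COUNT_RE = re.compile(r"-n\s+(\d+)", re.IGNORECASE)


def basename(path: object) -> str:
    return ntpath.basename(str(path)).lower()


def rule_ping_sleep(e: Event) -> bool:
    # Assumption: a loopback ping with a repeat count >= 2 is a batch-file delay,
    # while a single ping to a remote host is a connectivity check.
    if e["type"] != "process" or basename(e["image"]) != "ping.exe":
        return False
    cmd = str(e["cmdline"]).lower()
    if "127.0.0.1" not in cmd and "localhost" not in cmd:
        return False
    match = PING_COUNT_RE.search(cmd)
    return bool(match) and int(match.group(1)) >= 2


def rule_findstr_writes_executable(e: Event) -> bool:
    # The graph attributes the dropped Quello.exe.com to findstr.exe.
    return (e["type"] == "file" and basename(e["image"]) == "findstr.exe"
            and basename(e["target"]).endswith(EXEC_EXT))


def rule_double_extension_launch(e: Event) -> bool:
    # e.g. quello.exe.com: an executable extension hiding behind another one.
    if e["type"] != "process":
        return False
    stem, ext = ntpath.splitext(basename(e["image"]))
    return ext in EXEC_EXT and ntpath.splitext(stem)[1] in EXEC_EXT


def rule_exec_from_appdata_temp(e: Event) -> bool:
    return e["type"] == "process" and "\\appdata\\local\\temp\\" in str(e["image"]).lower()


def rule_regasm_outside_dotnet(e: Event) -> bool:
    # RegAsm.exe is a .NET framework tool; a copy in AppData is the injection host seen above.
    return (e["type"] == "process" and basename(e["image"]) == "regasm.exe"
            and not str(e["image"]).lower().startswith(DOTNET_DIR))


RULES: Dict[str, Callable[[Event], bool]] = {
    "ping_sleep": rule_ping_sleep,
    "findstr_writes_executable": rule_findstr_writes_executable,
    "double_extension_launch": rule_double_extension_launch,
    "exec_from_appdata_temp": rule_exec_from_appdata_temp,
    "regasm_outside_dotnet": rule_regasm_outside_dotnet,
}


def detect(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event id, rule name) pairs for every rule that fires."""
    hits = [(int(e["id"]), name) for e in events for name, rule in RULES.items() if rule(e)]
    return sorted(hits)


# Constructed events modelled on the process tree above (paths and command lines are assumed).
SAMPLE_EVENTS: List[Event] = [
    {"id": 1, "type": "process", "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Users\\user\\Desktop\\1nEaZvYoKF.exe", "cmdline": "1nEaZvYoKF.exe"},
    {"id": 2, "type": "process", "parent_image": "C:\\Users\\user\\Desktop\\1nEaZvYoKF.exe",
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c stage.cmd"},
    {"id": 3, "type": "process", "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c stage2.cmd"},
    {"id": 4, "type": "process", "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\findstr.exe", "cmdline": "findstr /V /R ^x*$ source.bin"},
    {"id": 5, "type": "file", "image": "C:\\Windows\\System32\\findstr.exe",
     "target": "C:\\Users\\user\\AppData\\Local\\Temp\\Quello.exe.com"},
    {"id": 6, "type": "process", "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\PING.EXE", "cmdline": "ping 127.0.0.1 -n 30"},
    {"id": 7, "type": "process", "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Users\\user\\AppData\\Local\\Temp\\Quello.exe.com", "cmdline": "Quello.exe.com"},
    {"id": 8, "type": "process", "parent_image": "C:\\Users\\user\\AppData\\Local\\Temp\\Quello.exe.com",
     "image": "C:\\Users\\user\\AppData\\Roaming\\RegAsm.exe", "cmdline": "RegAsm.exe"},
    {"id": 9, "type": "process", "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\PING.EXE", "cmdline": "ping 8.8.8.8 -n 1"},
    {"id": 10, "type": "process", "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", "cmdline": "RegAsm.exe lib.dll"},
]

if __name__ == "__main__":
    for event_id, rule_name in detect(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule_name}")
```

Events 9 and 10 are there on purpose: a single remote ping and the genuine framework RegAsm.exe stay quiet, which is the difference between these rules and a plain "ping.exe spawned by cmd.exe" alert.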
Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:vicktraff discovery infostealer spyware stealer
Behaviour
Creates scheduled task(s)
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
RedLine
RedLine Payload
Malware Config
C2 Extraction: zeupilen.xyz:80
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:Select_from_enumeration
Author:James_inthe_box
Description:IP and port combo
Rule name:Steam_stealer_bin_mem
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:Telegram_stealer_bin_mem
Author:James_inthe_box
Description:Telegram in files like avemaria
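The INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture match above rests on one header field: the COFF FileHeader.TimeDateStamp, which packers and builders frequently overwrite. The script below is an added example, not part of the YARA rule or of MalwareBazaar, showing how to read that field without a PE library and flag a value that lies ahead of the analyst's clock. It builds its own minimal MZ/PE header as constructed test input (the constructed header is not a loadable executable), and the 24-hour slack and the `check_file` helper are assumptions of this example, not part of the rule.

```python
import struct
import time
from typing import Optional

SLACK_SECONDS = 24 * 3600  # assumed tolerance for clock skew between build host and analyst
FIRST_SEEN = 1618927831    # 2021-04-20 14:10:31 UTC, this entry's first-seen time


def pe_timestamp(data: bytes) -> int:
    """Return the COFF FileHeader.TimeDateStamp (seconds since the Unix epoch)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # IMAGE_DOS_HEADER.e_lfanew
    # At e_lfanew: "PE\0\0" (4) | Machine (2) | NumberOfSections (2) | TimeDateStamp (4) | ...
    if e_lfanew + 12 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found at e_lfanew")
    (timestamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return timestamp


def timestamp_in_future(data: bytes, now: Optional[int] = None, slack: int = SLACK_SECONDS) -> bool:
    """True when the compilation timestamp is more than `slack` seconds after `now`."""
    reference = int(time.time()) if now is None else now
    return pe_timestamp(data) > reference + slack


def build_minimal_pe(timestamp: int) -> bytes:
    """Constructed test input: an MZ stub plus a COFF header carrying `timestamp`.
    Only the fields the parser reads are meaningful; it is not a runnable image."""
    e_lfanew = 0x80
    header = bytearray(e_lfanew)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, e_lfanew)
    # Machine=IMAGE_FILE_MACHINE_I386, NumberOfSections=3, TimeDateStamp,
    # PointerToSymbolTable=0, NumberOfSymbols=0, SizeOfOptionalHeader=0xE0,
    # Characteristics=IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x014C, 3, timestamp, 0, 0, 0x00E0, 0x0102)
    return bytes(header) + b"PE\x00\x00" + coff


def check_file(path: str) -> bool:
    """Assumed helper for real samples: read the file and apply the same check."""
    with open(path, "rb") as fh:
        return timestamp_in_future(fh.read())


if __name__ == "__main__":
    stomped = build_minimal_pe(FIRST_SEEN + 365 * 86400)   # a year after first-seen
    plausible = build_minimal_pe(FIRST_SEEN - 30 * 86400)  # a month before first-seen
    print("stomped header flagged:", timestamp_in_future(stomped, now=FIRST_SEEN))
    print("plausible header flagged:", timestamp_in_future(plausible, now=FIRST_SEEN))
```

Pass `now=` explicitly when triaging old samples, as the `__main__` block does with the entry's first-seen time; comparing a 2021 file against today's clock would hide a timestamp that was in the future when the sample was collected.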

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments



accidentalrebel commented on 2021-04-20 15:12:49 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [F0002.001] Collection::Application Hook
1) [F0002.002] Collection::Polling
2) [C0029.003] Cryptography Micro-objective::SHA256::Cryptographic Hash
3) [C0032.001] Data Micro-objective::CRC32::Checksum
4) [C0026.002] Data Micro-objective::XOR::Encode Data
6) [C0046] File System Micro-objective::Create Directory
7) [C0048] File System Micro-objective::Delete Directory
8) [C0047] File System Micro-objective::Delete File
9) [C0049] File System Micro-objective::Get File Attributes
10) [C0051] File System Micro-objective::Read File
11) [C0050] File System Micro-objective::Set File Attributes
12) [C0052] File System Micro-objective::Writes File
13) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
14) [C0017] Process Micro-objective::Create Process
15) [C0038] Process Micro-objective::Create Thread
16) [C0054] Process Micro-objective::Resume Thread
17) [C0018] Process Micro-objective::Terminate Process