MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 90d6ab9d8c74e5724137f1137335ddfba5ce53f1e277c453c984c51b7ee53b46. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 13



SHA256 hash: 90d6ab9d8c74e5724137f1137335ddfba5ce53f1e277c453c984c51b7ee53b46
SHA3-384 hash: 3e748bc5d69acf1ca8c37c1e59c97ac810fb1d46f8a3651d58405008564ad211e537f5e504ef607323a1f7a7cbe481d8
SHA1 hash: ab6b8b3f47d9d1e830b5fbe030d496f7aee7b885
MD5 hash: d432ba6b832f67708b71e3757fd8b5fa
humanhash: carbon-white-snake-lake
File name: Setup.exe
Signature: RedLineStealer
File size: 355'328 bytes
First seen: 2022-11-07 23:55:44 UTC
Last seen: 2022-11-08 01:57:55 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: e2a07bb4b81e6c6d0f72670722ee7e56 (20 x RedLineStealer)
ssdeep: 6144:0jfIAyAsI7IHURrZCN8TffHBCyUAOFJYJ8vLzXFKQ2Qzklr/VSwKruZU5VBM6MJ+:0jfIBAsI7IHURc3fnX8Q2Qz6UDruZgVj
TLSH: T18D74CF40B5D2D972D9B2543609E0E735CA7DB8200F3459FF67E41B7B4E202C3A972A7A
TrID: 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
      10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
      7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: tcains1
Tags: exe RedLineStealer

Intelligence


File Origin
# of uploads: 2
# of downloads: 205
Origin country: US

Vendor Threat Intelligence

Malware family: redline
ID: 1
File name: Setup.exe
Verdict: Malicious activity
Analysis date: 2022-11-07 23:48:38 UTC
Tags: redline

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Maliciousness:
Behaviour
Searching for the window

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware packed redline
Result
Verdict: UNKNOWN
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family: RedLine stealer
Verdict: Malicious

Result
Threat name: Laplas Clipper, MicroClip, RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates files in the system32 config directory
Encrypted powershell cmdline option found
Found hidden mapped module (file has been removed from disk)
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Stop multiple services
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Laplas Clipper
Yara detected MicroClip
Yara detected RedLine Stealer
Behaviour
Behavior Graph (ID 740492; sample Setup.exe; start date 08/11/2022; architecture WINDOWS; score 100)

Sample-level signatures: clipper.guru; Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 15 other signatures

Process tree, with network contacts, dropped files and signatures attributed to the process that produced them:

Setup.exe
    signatures: Contains functionality to inject code into remote processes; Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
    AppLaunch.exe
        network: 79.137.204.112 (ports 49715, 80; PSKSET-ASRU, Russian Federation); api.ip.sb; ezisc.com 35.213.155.151 (ports 443, 49723, 49725; GOOGLEUS, United States)
        dropped: C:\Users\user\AppData\Local\...\setup.exe (PE32); C:\Users\user\AppData\Local\...\ofg.exe (PE32+); C:\Users\user\AppData\Local\...\brave.exe (PE32+)
        signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
        brave.exe
            dropped: C:\Users\user\AppData\Local\Temp\6988.tmp (PE32+); C:\Program Files\Google\Chrome\updater.exe (PE32+; the graph export garbled this path, read as shown)
            signatures: Multi AV Scanner detection for dropped file; Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); 3 other signatures
            cmd.exe
                signatures: Uses cmd line tools excessively to alter registry or file data
                conhost.exe
                sc.exe
                9 other processes
            cmd.exe
                signatures: Modifies power options to not sleep / hibernate
                conhost.exe
                4 other processes
            powershell.exe
                conhost.exe
            3 other processes
                conhost.exe
                conhost.exe
        setup.exe
            dropped: C:\Users\user\AppData\Local\...\nsExec.dll (PE32)
            signatures: Encrypted powershell cmdline option found
            powershell.exe
                conhost.exe
        ofg.exe
            dropped: C:\Users\user\AppData\...\svcupdater.exe (PE32+)
    WerFault.exe
        dropped: C:\ProgramData\Microsoft\...\Report.wer (Unicode)
        cmd.exe
            signatures: Uses cmd line tools excessively to alter registry or file data; Uses schtasks.exe or at.exe to add and modify task schedules; Uses powercfg.exe to modify the power settings; Modifies power options to not sleep / hibernate
            conhost.exe
            schtasks.exe
    conhost.exe
    WerFault.exe
svcupdater.exe
    network: clipper.guru 45.159.189.115 (ports 49727, 49733, 80; HOSTING-SOLUTIONSUS, Netherlands)
    signatures: Multi AV Scanner detection for dropped file
powershell.exe
    signatures: Creates files in the system32 config directory
    conhost.exe
powershell.exe
    conhost.exe
Threat name: Win32.Trojan.RedLine
Status: Malicious
First seen: 2022-11-07 23:56:09 UTC
File Type: PE (Exe)
AV detection: 19 of 26 (73.08%)
Threat level: 5/5
Verdict: malicious

Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:@chykhas evasion infostealer spyware upx
Behaviour
Creates scheduled task(s)
GoLang User-Agent
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Stops running service(s)
UPX packed file
ACProtect 1.3x - 1.4x DLL software
Modifies security service
RedLine
RedLine payload
Suspicious use of NtCreateUserProcessOtherParentProcess
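The command-line behaviours reported in the two sandbox lists above (Defender exclusion, encoded PowerShell, powercfg changes, schtasks persistence, sc.exe service tampering) can be turned into host-side detection logic. The block below is an added example and not MalwareBazaar's or any sandbox vendor's code; the process-creation records, PIDs, paths, task name and the encoded string are constructed for the demo (the base64 is filler, not a payload), and the weights and threshold are arbitrary choices.

```python
"""Behaviour-based triage of process-creation events (added example).

Runs regex rules for the behaviours the sandbox results report over
constructed Sysmon-style process-creation records and scores them per parent
process, so a dropper that fans out into several short-lived cmd.exe /
powershell.exe children accumulates a score even though no single child
looks damning on its own.
"""
import re
from collections import defaultdict

# (rule name, pattern matched against the lower-cased command line, weight)
RULES = [
    ("defender_exclusion",
     re.compile(r"add-mppreference\b.*-exclusion(path|process|extension)"), 5),
    ("encoded_powershell",
     re.compile(r"powershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\s+[a-z0-9+/=]{20,}"), 4),
    ("powercfg_no_sleep",
     re.compile(r"powercfg(\.exe)?\s+[/-](x|change)\s+-?(standby|hibernate|monitor)-timeout-(ac|dc)\s+0\b"), 2),
    ("schtasks_create", re.compile(r"schtasks(\.exe)?\s+/create\b"), 3),
    ("service_tamper", re.compile(r"\bsc(\.exe)?\s+(stop|delete|config)\b"), 3),
    ("defender_service_disabled",
     re.compile(r"\bsc(\.exe)?\s+config\s+(windefend|wdnissvc|sense)\s+start=\s*disabled"), 5),
]
WEIGHTS = {name: w for name, _, w in RULES}

# Constructed records (not real telemetry), tab-separated: ts, pid, ppid, image, command line
SAMPLE_LOG = [
    '2022-11-08T00:01:02Z\t4120\t3980\tC:\\Windows\\System32\\cmd.exe\tcmd.exe /c powercfg.exe /x -hibernate-timeout-ac 0',
    '2022-11-08T00:01:03Z\t4130\t3980\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\tpowershell.exe -NoProfile -Command Add-MpPreference -ExclusionPath C:\\Users\\user\\AppData\\Local\\Temp',
    '2022-11-08T00:01:04Z\t4144\t3980\tC:\\Windows\\System32\\schtasks.exe\tschtasks.exe /create /tn UpdaterTask /tr "C:\\Program Files\\Google\\Chrome\\updater.exe" /sc onlogon /rl highest /f',
    '2022-11-08T00:01:05Z\t4150\t3980\tC:\\Windows\\System32\\cmd.exe\tcmd.exe /c sc stop WinDefend & sc config WinDefend start= disabled',
    '2022-11-08T00:01:30Z\t4160\t5000\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\tpowershell.exe -ep bypass -enc QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=',
    '2022-11-08T00:02:00Z\t4200\t1234\tC:\\Windows\\System32\\cmd.exe\tcmd.exe /c dir C:\\Users',
]


def parse_event(line):
    """Split one constructed record into its fields (the 5th field may contain tabs-free spaces only)."""
    ts, pid, ppid, image, cmdline = line.split("\t", 4)
    return {"ts": ts, "pid": int(pid), "ppid": int(ppid), "image": image, "cmdline": cmdline}


def match_rules(event):
    """Names of every rule whose pattern appears in the command line, in RULES order."""
    cl = event["cmdline"].lower()
    return [name for name, rx, _ in RULES if rx.search(cl)]


def score_by_parent(lines):
    """Attribute each hit to the parent PID and sum the rule weights per parent."""
    per_parent = defaultdict(lambda: {"score": 0, "hits": []})
    for line in lines:
        ev = parse_event(line)
        for name in match_rules(ev):
            per_parent[ev["ppid"]]["score"] += WEIGHTS[name]
            per_parent[ev["ppid"]]["hits"].append((ev["pid"], name))
    return dict(per_parent)


def suspicious_parents(lines, threshold=8):
    """Parent PIDs whose children's combined behaviour crosses the (arbitrary) threshold."""
    return sorted(ppid for ppid, v in score_by_parent(lines).items() if v["score"] >= threshold)


if __name__ == "__main__":
    for ppid, v in score_by_parent(SAMPLE_LOG).items():
        print(ppid, v["score"], v["hits"])
    print("escalate:", suspicious_parents(SAMPLE_LOG))
```

Scoring on the parent rather than the individual child is the point: the sandbox attributes the powercfg, schtasks and sc.exe activity to separate cmd.exe instances, and on a real host each of those is a short-lived process that a per-event rule with a low weight would never surface on its own.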
Malware Config
C2 Extraction: 79.137.204.112:80

Verdict: Suspicious
Tags: n/a
YARA: n/a
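On the network side, the extracted C2 (79.137.204.112:80) and the clipper infrastructure from the sandbox run (clipper.guru, 45.159.189.115) are the atomic indicators; the config also shows that RedLine talks to a hard-coded ip:port with no DNS lookup, which is a reusable heuristic. The block below is an added example and not MalwareBazaar's code; the DNS and connection records are constructed, Zeek-style tuples rather than captured traffic, and ezisc.com / 35.213.155.151 are reused from the sandbox graph above only to populate them.

```python
"""Network-side check for the infrastructure this entry reports (added example)."""
import ipaddress

# Indicators taken from the entry above
IOC_IPS = {"79.137.204.112", "45.159.189.115"}
IOC_DOMAINS = {"clipper.guru"}

# Constructed records (not real traffic): (ts, client, query, answer_ip)
DNS_RECORDS = [
    ("2022-11-08T00:00:10Z", "10.0.0.23", "ezisc.com", "35.213.155.151"),
    ("2022-11-08T00:00:12Z", "10.0.0.23", "clipper.guru", "45.159.189.115"),
]
# Constructed records (not real traffic): (ts, client, dst_ip, dst_port, proto)
CONN_RECORDS = [
    ("2022-11-08T00:00:09Z", "10.0.0.23", "79.137.204.112", 80, "tcp"),   # C2, never resolved via DNS
    ("2022-11-08T00:00:11Z", "10.0.0.23", "35.213.155.151", 443, "tcp"),  # resolved via ezisc.com
    ("2022-11-08T00:00:13Z", "10.0.0.23", "45.159.189.115", 80, "tcp"),   # clipper.guru
    ("2022-11-08T00:00:14Z", "10.0.0.23", "10.0.0.5", 80, "tcp"),         # internal, ignored
    ("2022-11-08T00:00:20Z", "10.0.0.42", "35.213.155.151", 443, "tcp"),  # this client never resolved it
]


def normalise(name):
    return name.lower().rstrip(".")


def analyse(dns_records, conn_records):
    """Return (client, kind, detail) findings.

    Two checks: exact IOC matches on names and addresses, and a weaker
    heuristic that flags HTTP/HTTPS to a public IP that the same client never
    resolved through DNS within the window, which is how RedLine reaches its
    hard-coded ip:port C2. A connection can yield both kinds.
    """
    resolved = set()
    findings = []
    for _ts, client, qname, answer in dns_records:
        resolved.add((client, answer))
        if normalise(qname) in IOC_DOMAINS or answer in IOC_IPS:
            findings.append((client, "dns_ioc", f"{qname} -> {answer}"))
    for _ts, client, dst, port, proto in conn_records:
        if dst in IOC_IPS:
            findings.append((client, "conn_ioc", f"{dst}:{port}"))
        if (proto == "tcp" and port in (80, 443)
                and not ipaddress.ip_address(dst).is_private
                and (client, dst) not in resolved):
            findings.append((client, "direct_ip_http", f"{dst}:{port}"))
    return findings


def summarise(findings):
    """Per-client counts by finding kind, for deciding which host to isolate first."""
    out = {}
    for client, kind, _ in findings:
        out.setdefault(client, {}).setdefault(kind, 0)
        out[client][kind] += 1
    return out


if __name__ == "__main__":
    for f in analyse(DNS_RECORDS, CONN_RECORDS):
        print(*f)
    print(summarise(analyse(DNS_RECORDS, CONN_RECORDS)))
```

The direct-IP heuristic is deliberately reported separately from the IOC hits: on its own it also fires on legitimate software that pins IPs, so it is a pivot for hunting rather than a blocking rule, whereas a hit on the extracted C2 address is high-fidelity for as long as that infrastructure stays live.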
Unpacked files
SHA256 hash: 394bfd981dcf506f067322c90091dc055e0af598df034cd81bb52505b3d5642c
MD5 hash: d8beb9c1837b0cd22707dd73d97d1187
SHA1 hash: a805ffde3c42d051b7fd982c0d94e976f1fb8e91
Detections: redline

SHA256 hash: 90d6ab9d8c74e5724137f1137335ddfba5ce53f1e277c453c984c51b7ee53b46
MD5 hash: d432ba6b832f67708b71e3757fd8b5fa
SHA1 hash: ab6b8b3f47d9d1e830b5fbe030d496f7aee7b885
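Two practical checks follow from the hash block and the unpacked-files section: confirm that a file on hand is really this sample, and recognise that the submitted file is a UPX stub (the "upx" tag and "UPX packed file" behaviour above), which is why the unpacked payload carries a different SHA256 and why the imphash is shared with 20 other RedLineStealer submissions. The block below is an added example and not MalwareBazaar's tooling: hashlib covers SHA256, SHA1, MD5 and SHA3-384, while imphash, ssdeep and TLSH need third-party libraries and are not computed; the PE bytes it builds are a constructed minimal header for the demonstration, not this sample.

```python
"""Verify a local file against this entry's hashes and flag a UPX stub (added example)."""
import hashlib
import struct

ENTRY_HASHES = {  # copied from the MalwareBazaar entry above
    "sha256": "90d6ab9d8c74e5724137f1137335ddfba5ce53f1e277c453c984c51b7ee53b46",
    "sha3_384": "3e748bc5d69acf1ca8c37c1e59c97ac810fb1d46f8a3651d58405008564ad211e537f5e504ef607323a1f7a7cbe481d8",
    "sha1": "ab6b8b3f47d9d1e830b5fbe030d496f7aee7b885",
    "md5": "d432ba6b832f67708b71e3757fd8b5fa",
}


def file_hashes(data: bytes) -> dict:
    """The four digests the entry lists; imphash/ssdeep/TLSH are not covered by hashlib."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }


def matches_entry(data: bytes) -> bool:
    """True only if every digest agrees with the entry (one match is enough in practice; all four is a sanity check)."""
    h = file_hashes(data)
    return all(h[k] == v for k, v in ENTRY_HASHES.items())


def pe_section_names(data: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table and return section names."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size          # section table follows the optional header
    names = []
    for i in range(n_sections):
        raw = struct.unpack_from("<8s", data, table + 40 * i)[0]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """Stock UPX names its sections UPX0/UPX1/UPX2; a renamed stub will slip past this."""
    return any(n.upper().startswith("UPX") for n in pe_section_names(data))


def build_fake_pe(section_names) -> bytes:
    """Constructed minimal PE (not loadable, not the sample): DOS header, PE signature,
    COFF header, an all-zero 224-byte optional header, and a section table with names only."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 224, 0x102)
    opt = b"\0" * 224
    sections = b"".join(struct.pack("<8s", n.encode()) + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + opt + sections


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_fake_pe(["UPX0", "UPX1", ".rsrc"])
    print(file_hashes(data))
    print("matches entry:", matches_entry(data))
    print("sections:", pe_section_names(data), "upx:", looks_upx_packed(data))
```

Run it against a real file with `python check.py Setup.exe`. When the section names say UPX, hash the unpacked payload (here 394bfd98...) for family-level matching rather than the stub, and treat the imphash as describing the packer, not the malware.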

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
