MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9148bcf1957c9dc89339b577fc122c8d947cafc09b275c95361dc6b4150eeaa1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9148bcf1957c9dc89339b577fc122c8d947cafc09b275c95361dc6b4150eeaa1
SHA3-384 hash: 6302541c1d58d73def2f42b4f41b563dc66bc3bd4aa17ff627a60c971e88e65bdd069bd00a30c0ebf8dd89aed0aec98e
SHA1 hash: c2988f45fd2d8ea05f54a44ce37fa302b9f51354
MD5 hash: e79fe7f210696edc45ad8507c81b092e
humanhash: cola-coffee-west-arkansas
File name:9148BCF1957C9DC89339B577FC122C8D947CAFC09B275.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:323'072 bytes
First seen:2022-06-09 03:33:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:tn+PJao6KT1sUZq1EQsPopW6Er9c4JDn0SNJl0aRMDvzw802b:B+PQo6e1sUZgEQEopFEraeDn0eJl/RMN
TLSH T118644A3439EA501AB1B3EFA58BE4B996DAAFB7733B03945D105103870B23A41DED153E
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
185.235.219.199:1510

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.235.219.199:1510 https://threatfox.abuse.ch/ioc/678011/

Intelligence

File Origin
# of uploads :
1
# of downloads :
308
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
9148BCF1957C9DC89339B577FC122C8D947CAFC09B275.exe
Verdict:
Malicious activity
Analysis date:
2022-06-09 03:36:39 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/118576c9-12ee-48a0-bc66-e8f73792d718

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/277991/
Detection(s):
Win.Packed.Pwsx-9918173-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Creating a file
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62a16a0ca2b1fc9744d84375/reports/c799fdf3-0dc9-4a3b-8f5a-bde33559e6a8/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/735a4c62-9a9a-4be1-829d-3c8b4f7d2d53
Result
Threat name:
BitCoin Miner, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1009623
Signature
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates a thread in another existing process (thread injection)
Drops PE files to the user root directory
Encrypted powershell cmdline option found
Extracts suspicious resources from PE file (packer detected)
Found many strings related to Crypto-Wallets (likely being stolen)
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Uses powercfg.exe to modify the power settings
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 642118 Sample: 9148BCF1957C9DC89339B577FC1... Startdate: 09/06/2022 Architecture: WINDOWS Score: 100 107 Snort IDS alert for network traffic 2->107 109 Malicious sample detected (through community Yara rule) 2->109 111 Antivirus / Scanner detection for submitted sample 2->111 113 13 other signatures 2->113 12 9148BCF1957C9DC89339B577FC122C8D947CAFC09B275.exe 3 2->12         started        process3 file4 99 9148BCF1957C9DC893...7CAFC09B275.exe.log, ASCII 12->99 dropped 147 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 12->147 149 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 12->149 16 9148BCF1957C9DC89339B577FC122C8D947CAFC09B275.exe 15 7 12->16         started        21 9148BCF1957C9DC89339B577FC122C8D947CAFC09B275.exe 12->21         started        signatures5 process6 dnsIp7 101 185.235.219.199, 1510, 49767 VMISTO-ASUA Ukraine 16->101 103 cdn.discordapp.com 162.159.133.233, 443, 49834, 49846 CLOUDFLARENETUS United States 16->103 87 C:\Users\user\AppData\...\WindowsDefender.exe, PE32 16->87 dropped 89 C:\Users\user\AppData\Local\...\Windows.exe, PE32+ 16->89 dropped 115 Tries to harvest and steal browser information (history, passwords, etc) 16->115 117 Tries to steal Crypto Currency Wallets 16->117 23 WindowsDefender.exe 2 16->23         started        27 Windows.exe 1 2 16->27         started        file8 signatures9 process10 file11 93 C:\Users\user\RuntimeBroker.exe, PE32+ 23->93 dropped 95 C:\Users\user\AppData\Local\...\Defender.exe, PE32+ 23->95 dropped 119 Antivirus detection for dropped file 23->119 121 Multi AV Scanner detection for dropped file 23->121 123 Drops PE files to the user root directory 23->123 125 Adds a directory exclusion to Windows Defender 23->125 29 cmd.exe 1 23->29         started        31 cmd.exe 1 23->31         started        34 cmd.exe 23->34         started        36 cmd.exe 1 23->36         started        97 C:\Users\user\AppData\Roaming\paint.exe, PE32 27->97 dropped 127 Extracts suspicious resources from PE file (packer detected) 27->127 38 conhost.exe 27->38         started        signatures12 process13 signatures14 40 Defender.exe 29->40         started        43 conhost.exe 29->43         started        157 Adds a directory exclusion to Windows Defender 31->157 45 conhost.exe 31->45         started        47 powershell.exe 17 31->47         started        49 RuntimeBroker.exe 34->49         started        52 conhost.exe 34->52         started        54 powershell.exe 36->54         started        57 powershell.exe 23 36->57         started        59 conhost.exe 36->59         started        process15 dnsIp16 129 Antivirus detection for dropped file 40->129 131 Multi AV Scanner detection for dropped file 40->131 133 Writes to foreign memory regions 40->133 141 2 other signatures 40->141 61 conhost.exe 40->61         started        64 conhost.exe 43->64         started        66 powercfg.exe 43->66         started        68 powercfg.exe 43->68         started        135 Encrypted powershell cmdline option found 45->135 137 Uses powercfg.exe to modify the power settings 45->137 139 Modifies power options to not sleep / hibernate 45->139 91 C:\Users\user\AppData\...\update.exe (copy), PE32+ 49->91 dropped 70 update.exe 49->70         started        105 192.168.2.1 unknown unknown 54->105 file17 signatures18 process19 signatures20 151 Encrypted powershell cmdline option found 61->151 153 Modifies the context of a thread in another process (thread injection) 61->153 155 Injects a PE file into a foreign processes 61->155 72 cmd.exe 61->72         started        75 cmd.exe 61->75         started        77 powershell.exe 61->77         started        process21 signatures22 143 Uses cmd line tools excessively to alter registry or file data 72->143 79 conhost.exe 72->79         started        81 sc.exe 72->81         started        83 sc.exe 72->83         started        145 Modifies power options to not sleep / hibernate 75->145 85 conhost.exe 77->85         started        process23
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9148bcf1957c9dc89339b577fc122c8d947cafc09b275c95361dc6b4150eeaa1/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-16 00:55:26 UTC
File Type:
PE (.Net Exe)
AV detection:
25 of 26 (96.15%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=sfelz4mvpso4rezzwv37yermrwkhzl6atmtvzfjwdxdlifio5kqq._file
Verdict:
malicious
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:@shmoney discovery evasion exploit infostealer spyware stealer upx
Link:
https://tria.ge/reports/220609-d4ryzagae9/
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Modifies registry class
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Drops startup file
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Looks for VMWare drivers on disk
Possible privilege escalation attempt
Stops running service(s)
UPX packed file
Enumerates VirtualBox DLL files
Looks for VirtualBox drivers on disk
Looks for VirtualBox executables on disk
Modifies security service
RedLine
RedLine Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
185.235.219.199:1510
Unpacked files
SH256 hash:
bdcc3135b0735cd503e7d8cde9e0acf49d2e44810a0722cc04581eb307eeb0b9
MD5 hash:
eabbfebdc29c8c5bd7a06ba7e350d104
SHA1 hash:
f0725ac1a94129b247aad0d5cfb9df72956f1d8d
Link:
https://www.unpac.me/results/77b672a2-ca35-4425-9f02-ac4b6d1411fa/
SH256 hash:
9148bcf1957c9dc89339b577fc122c8d947cafc09b275c95361dc6b4150eeaa1
MD5 hash:
e79fe7f210696edc45ad8507c81b092e
SHA1 hash:
c2988f45fd2d8ea05f54a44ce37fa302b9f51354
Link:
https://www.unpac.me/results/77b672a2-ca35-4425-9f02-ac4b6d1411fa/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9148bcf1957c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9148bcf1957c9dc89339b577fc122c8d947cafc09b275c95361dc6b4150eeaa1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/277991/

Comments