MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 91a63868ca56bae97b954c0ece75ed4f66e18bf2c258a9ed5712e376bae7220c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 10

SHA256 hash: 91a63868ca56bae97b954c0ece75ed4f66e18bf2c258a9ed5712e376bae7220c
SHA3-384 hash: 0742cf9873a30297a4b7127d518605081acade86c7fa4033da7fc297644f98fa6d3585ffdfae4b8b6b07785cf3454d4d
SHA1 hash: 97f9ed4054e47f32e1ef538e21b4ce4969a15066
MD5 hash: 9ed9f7afabfb805380dbcb5e96f2e0e4
humanhash: oscar-quebec-cardinal-oklahoma
File name: OhGodAnETHlargementPill.sfx.exe
Signature: RedLineStealer
File size: 2'133'914 bytes
First seen: 2021-01-01 20:12:40 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep: 24576:5HLmCiIhiXLd6xl0bbdK+5jcG9y+6HK6GrDEm/ZjXarW/w5QLTOFEhY+hlMoJluI:q+0bH9cAybGD3jX6WAaR7gSPvDBoM
Threatray: 893 similar samples on MalwareBazaar
TLSH: 68A52341B9C499B3C4724936292D8FA0793DBC200F34CBEF63F8691D9A755D16A34BA3
Reporter: o2genum
Tags: RedLineStealer


o2genum
Distributed as RAR.
Packed into RAR SFX for analysis.

Intelligence


File Origin
# of uploads: 1
# of downloads: 347
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: OhGodAnETHlargementPill.sfx.exe
Verdict: Malicious activity
Analysis date: 2021-01-01 20:13:55 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Deleting a recently created file
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Creating a file
Launching the default Windows debugger (dwwin.exe)
DNS request
Sending a custom TCP request
Creating a process with a hidden window
Sending an HTTP GET request
Launching a process
Sending an HTTP POST request
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Running batch commands
Stealing user critical data
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Quasar RedLine
Detection: malicious
Classification: rans.troj.spyw.evad
Score: 100 / 100
Signature
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Contains functionality to disable the Task Manager (.Net Source)
Deletes shadow drive data (may be related to ransomware)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Suspicious Csc.exe Source File Folder
Sigma detected: Suspicious Svchost Process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected Quasar RAT
Yara detected RedLine Stealer
Behaviour
Behavior Graph: ID 335486, sample OhGodAnETHlargementPill.sfx.exe, start date 01/01/2021, architecture WINDOWS, score 100 (interactive graph rendering not reproduced here)
Threat name: ByteCode-MSIL.Trojan.Quasar
Status: Malicious
First seen: 2021-01-01 20:13:04 UTC
AV detection: 9 of 28 (32.14%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:agenttesla family:redline infostealer keylogger spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Runs ping.exe
Suspicious use of SetWindowsHookEx
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
JavaScript code in executable
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Drops startup file
Executes dropped EXE
AgentTesla Payload
ServiceHost packer
AgentTesla
RedLine
Unpacked files
SHA256 hash: 91a63868ca56bae97b954c0ece75ed4f66e18bf2c258a9ed5712e376bae7220c
MD5 hash: 9ed9f7afabfb805380dbcb5e96f2e0e4
SHA1 hash: 97f9ed4054e47f32e1ef538e21b4ce4969a15066
SHA256 hash: d3e396da40670b10d069728d526ce0a0883e5f1516174e22b1f87bea5f5edf11
MD5 hash: 8ef203b369247f13f55c105516132fcc
SHA1 hash: 0f123a34d4f256c06fa4029fea7e5534346cfd24
SHA256 hash: 3bab262d2a76924ca13c110b3740d90bde7bd267ee6eb39774446839799a75b3
MD5 hash: 7ecf53e0d4dae718b32709a201122be6
SHA1 hash: 042ac26ed21ceb4bc74b7b61823456a070368200
SHA256 hash: 2737448db2e556b90994587ab9a8284147e04de9ed6155db3f097d111b1647fe
MD5 hash: 21977db1f43d6f59442967326f57ee0f
SHA1 hash: 445676a59df254be303d14bc2521bf56811b90d4
SHA256 hash: 0fd10b75d8f7fbbf4964ae5adcf350c38b1bcf64b59ec14a72ea1ceb9022f82c
MD5 hash: f62ba0d008d4ff776b5ca6190a25783a
SHA1 hash: ed4678ae80e1d1fea2aca31097c5daee49996cfc
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: RedLineStealer
File type: Executable exe
SHA256 hash: 91a63868ca56bae97b954c0ece75ed4f66e18bf2c258a9ed5712e376bae7220c (this sample)

Comments