MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 924f000ee5e3b7cd618b1f9d9d7e2203f469fba4536a86eb022d718b71f13e96. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 924f000ee5e3b7cd618b1f9d9d7e2203f469fba4536a86eb022d718b71f13e96
SHA3-384 hash: edf2e372aac8abb405b999d8c344b0b8d6a4b6470dae6e6d555baacff5079ba0bbc416a9453f4900cdf9e2521349fa8a
SHA1 hash: 2c5e57b48cb9e2e76484762ec06570ba87cf2489
MD5 hash: a46677ef04129bb12890d5552d4b10c9
humanhash: pip-oxygen-music-yellow
File name:Drawing and Logo.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:587'264 bytes
First seen:2023-07-31 12:10:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:Z+uZ4/2YmJ+37dZam4rkaJevTgbEzds/Bsnq/dNncUYqjg2ilqtNi2:Z+uS/2YmQ37dZaMaJG3ASqdtMkg2As
Threatray 147 similar samples on MalwareBazaar
TLSH T163C4023016E8DB9EC92D077E1D71106503F5A77E3239EF3E8F86A6C95A607810325EAD
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f2ceaeaeb2968eaa (68 x RedLineStealer, 21 x AgentTesla, 18 x AveMariaRAT)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
45.95.168.240:55615

Intelligence

File Origin
# of uploads :
1
# of downloads :
323
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
Drawing and Logo.exe
Verdict:
Malicious activity
Analysis date:
2023-07-31 12:11:52 UTC
Tags:
rat redline trojan stealer
Link:
https://app.any.run/tasks/de53597d-7c1e-4375-96b4-eba3fa61e67b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/439414/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.12588.23510.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Restart of the analyzed sample
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
clipbanker comodo darkkomet packed
Link:
https://www.filescan.io/uploads/64c7a4d6e64bd705397ef73b/reports/3840c39d-7705-48f2-b417-b39d0848167e/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/924f000ee5e3b7cd618b1f9d9d7e2203f469fba4536a86eb022d718b71f13e96
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1cf90aa7-d125-4d62-9d96-df2bd2173721
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1283147
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1283147 Sample: Drawing_and_Logo.exe Startdate: 31/07/2023 Architecture: WINDOWS Score: 100 55 Found malware configuration 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->59 61 5 other signatures 2->61 7 Drawing_and_Logo.exe 7 2->7         started        11 fwQCzWOfcwLTwi.exe 5 2->11         started        process3 file4 41 C:\Users\user\AppData\...\fwQCzWOfcwLTwi.exe, PE32 7->41 dropped 43 C:\...\fwQCzWOfcwLTwi.exe:Zone.Identifier, ASCII 7->43 dropped 45 C:\Users\user\AppData\Local\...\tmpA138.tmp, XML 7->45 dropped 63 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 7->63 65 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 7->65 67 Uses schtasks.exe or at.exe to add and modify task schedules 7->67 69 Adds a directory exclusion to Windows Defender 7->69 13 Drawing_and_Logo.exe 15 31 7->13         started        17 powershell.exe 19 7->17         started        19 powershell.exe 21 7->19         started        21 schtasks.exe 1 7->21         started        23 fwQCzWOfcwLTwi.exe 11->23         started        25 schtasks.exe 11->25         started        27 fwQCzWOfcwLTwi.exe 11->27         started        signatures5 process6 dnsIp7 47 45.95.168.240, 49707, 49709, 49710 GIGANET-HUGigaNetInternetServiceProviderCoHU Croatia (LOCAL Name: Hrvatska) 13->47 49 api.ip.sb 13->49 29 conhost.exe 13->29         started        31 conhost.exe 17->31         started        33 conhost.exe 19->33         started        35 conhost.exe 21->35         started        51 192.168.2.1 unknown unknown 23->51 53 api.ip.sb 23->53 71 Tries to harvest and steal browser information (history, passwords, etc) 23->71 73 Tries to steal Crypto Currency Wallets 23->73 37 conhost.exe 23->37         started        39 conhost.exe 25->39         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/924f000ee5e3b7cd618b1f9d9d7e2203f469fba4536a86eb022d718b71f13e96/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-07-31 12:11:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
33
AV detection:
18 of 24 (75.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sjhqadxf4o342ymld6oz27rcap2gt65eknvin2ycfvyyw4prh2la._file
Verdict:
malicious
Similar samples:
0255e2579c043b9a3557a95a0a37af0dceb75077680a436087c70268d70411de
RedLineStealer
0b2fe9ed6a7e5da7f211a891a6b578a4dd1c850e546703e9d8bf6acb27da4a20
RedLineStealer
198a27bb3eafb16e85363be12dc849311bc4e25043794c5ee1364f2422dbdf4d
RedLineStealer
396b5562de7bc8b4652e763c8241d7b55aaa02c563278597163b768acdfc306d
RedLineStealer
6d0ab1c3aadadef9335264a57ef26a307636d0367f57695f95284f03fa5e4111
RedLineStealer
9f31bb30ebd91a758214962fd6ead4a2fb6b5dc99a4e4296084a3af02eae2b8a
RedLineStealer
a44d262ed7c8085b22ad15653bd2a7d3ecc966c3e7c54252de5670ce64027847
RedLineStealer
e3119e0ff31316bdc580183591b2c5555667e2af422968916d89def1c0559360
RedLineStealer
e626db552e3975b073a3c3d621ea039c431f0431fa6e220d4b66cbf540a9a02f
RedLineStealer
ec94fe18197f8fccb0e786717ba7fbafcb1f7376e6350e19c2cd7072e62dd204
RedLineStealer
+ 137 additional samples on MalwareBazaar
Result
Malware family:
sectoprat
Create hunting rule
Score:
  10/10
Tags:
family:redline family:sectoprat botnet:cheat discovery infostealer rat spyware stealer trojan
Link:
https://tria.ge/reports/230731-pcmqqagb3w/
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine payload
SectopRAT
SectopRAT payload
Malware Config
C2 Extraction:
45.95.168.240:55615
Unpacked files
SH256 hash:
bc9f30b9cab3da1ffb2a21cc03bb19a154232d9eade2e0b407f3c87c2c5d3abb
MD5 hash:
e59b0ff8113d6881fbfe8c64e49fe5c9
SHA1 hash:
f71d1b4cb6e0e5405f1032165a2dbc30b1d96681
Link:
https://www.unpac.me/results/4a09d7d6-18ca-463f-9f03-1f6574f12b66/
SH256 hash:
ce70b762f00b1f1f5b5b608df8944663757b444a9a0073efcebf373097b78511
MD5 hash:
140c5dfc819673474867dee81b42c5a0
SHA1 hash:
dd3e61e55bc2a9fae23b0932ba330e69b5521247
Link:
https://www.unpac.me/results/4a09d7d6-18ca-463f-9f03-1f6574f12b66/
SH256 hash:
53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77
MD5 hash:
37e82d3e2864e27b34f5fbacaea759c3
SHA1 hash:
a87024a466e052bff09a170bb8c6f374f6c84c32
Link:
https://www.unpac.me/results/4a09d7d6-18ca-463f-9f03-1f6574f12b66/
SH256 hash:
32f048ebc57fb0439c311391238a0d433431d3b9a611d3201ea3da32773ab2bc
MD5 hash:
aabf3ea84ac758b82cccacb56f75c4ff
SHA1 hash:
6666947ac045a7f1fce2f92984f758b1b0a7141b
Link:
https://www.unpac.me/results/4a09d7d6-18ca-463f-9f03-1f6574f12b66/
SH256 hash:
924f000ee5e3b7cd618b1f9d9d7e2203f469fba4536a86eb022d718b71f13e96
MD5 hash:
a46677ef04129bb12890d5552d4b10c9
SHA1 hash:
2c5e57b48cb9e2e76484762ec06570ba87cf2489
Link:
https://www.unpac.me/results/4a09d7d6-18ca-463f-9f03-1f6574f12b66/
Malware family:
RedLine.A
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/924f000ee5e3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/924f000ee5e3b7cd618b1f9d9d7e2203f469fba4536a86eb022d718b71f13e96

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/439414/

Comments