MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 92d222fc274d0c981a595327cf103960535339a655ae240f9267a84aedba7f41. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 92d222fc274d0c981a595327cf103960535339a655ae240f9267a84aedba7f41
SHA3-384 hash: b689f2ea7deae12d92fa2a452afdc8b294b61b6ddc8b565acd7294201e97a46e9f5edfac76ffe16bac64e13e629a6847
SHA1 hash: e7580190a96f166df77a2e8cd2464ff98673c52c
MD5 hash: a278f258834853daaf20e4e37b2e913f
humanhash: hydrogen-pluto-freddie-low
File name:a278f258834853daaf20e4e37b2e913f.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:9'520'640 bytes
First seen:2021-09-27 05:32:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 196608:pFbF8HCec6ikJkqA/WFOfnbACw1lsOryKO64FB7/+7hSaK0:+ie5LkqA+CUDl1ryKOx/T+7o0
Threatray 196 similar samples on MalwareBazaar
TLSH T182A633277DCB7EA8D9263FB08E4275C850938A072F458EA5B99B1E5113100F6AFF479C
File icon (PE):PE icon
dhash icon 822ee2a46cece60e (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
185.213.210.82:4505

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.213.210.82:4505 https://threatfox.abuse.ch/ioc/226931/

Intelligence

File Origin
# of uploads :
1
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a278f258834853daaf20e4e37b2e913f.exe
Verdict:
Malicious activity
Analysis date:
2021-09-27 05:35:24 UTC
Tags:
trojan rat redline stealer loader
Link:
https://app.any.run/tasks/bd0578d8-502f-4cb2-b4f7-eed533659689

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/191894/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Enabling the 'hidden' option for files in the %temp% directory
Creating a process from a recently created file
Creating a window
Launching a service
DNS request
Connection attempt
Sending an HTTP GET request
Launching a process
Delayed writing of the file
Deleting a recently created file
Launching the default Windows debugger (dwwin.exe)
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/648d2d34-6fe0-4a07-9443-fa4f8d812994
Result
Threat name:
BitCoin Miner RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/858669
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Encrypted powershell cmdline option found
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Encoded PowerShell Command Line
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected BitCoin Miner
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 491100 Sample: fXdCUH5B7X.exe Startdate: 27/09/2021 Architecture: WINDOWS Score: 100 111 Found malware configuration 2->111 113 Antivirus / Scanner detection for submitted sample 2->113 115 Multi AV Scanner detection for submitted file 2->115 117 7 other signatures 2->117 13 fXdCUH5B7X.exe 6 2->13         started        17 services32.exe 2->17         started        process3 file4 93 C:\Users\user\AppData\...\modest-menu.exe, PE32+ 13->93 dropped 95 C:\Users\user\AppData\Local\...\Updater.exe, PE32 13->95 dropped 97 C:\Users\user\AppData\...\fXdCUH5B7X.exe.log, ASCII 13->97 dropped 157 Detected unpacking (overwrites its own PE header) 13->157 159 Hides that the sample has been downloaded from the Internet (zone.identifier) 13->159 19 Updater.exe 15 4 13->19         started        23 modest-menu.exe 13->23         started        161 Adds a directory exclusion to Windows Defender 17->161 25 cmd.exe 17->25         started        signatures5 process6 dnsIp7 99 pshmn.com 69.197.158.18, 49744, 49745, 80 WIIUS United States 19->99 101 ping.pushmon.com 19->101 123 Multi AV Scanner detection for dropped file 19->123 125 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 19->125 127 Machine Learning detection for dropped file 19->127 139 2 other signatures 19->139 27 Updater.exe 35 19->27         started        32 powershell.exe 18 19->32         started        34 Updater.exe 19->34         started        129 Query firmware table information (likely to detect VMs) 23->129 131 Tries to detect sandboxes and other dynamic analysis tools (window names) 23->131 133 Hides threads from debuggers 23->133 135 Tries to detect sandboxes / dynamic malware analysis system (registry check) 23->135 137 Adds a directory exclusion to Windows Defender 25->137 36 conhost.exe 25->36         started        38 powershell.exe 25->38         started        signatures8 process9 dnsIp10 103 185.213.210.82, 4505, 49860 ON-LINE-DATAServerlocation-NetherlandsDrontenNL Ukraine 27->103 105 f0575427.xsph.ru 141.8.193.236, 49870, 80 SPRINTHOSTRU Russian Federation 27->105 107 api.ip.sb 27->107 91 C:\Users\user\AppData\Local\Temp\fl.exe, PE32+ 27->91 dropped 153 Tries to harvest and steal browser information (history, passwords, etc) 27->153 155 Tries to steal Crypto Currency Wallets 27->155 40 fl.exe 27->40         started        44 conhost.exe 27->44         started        46 conhost.exe 32->46         started        file11 signatures12 process13 file14 89 C:\Users\user\AppData\Local\...\svchost32.exe, PE32+ 40->89 dropped 147 Multi AV Scanner detection for dropped file 40->147 149 Machine Learning detection for dropped file 40->149 151 Adds a directory exclusion to Windows Defender 40->151 48 cmd.exe 40->48         started        50 cmd.exe 40->50         started        signatures15 process16 signatures17 53 svchost32.exe 48->53         started        57 conhost.exe 48->57         started        119 Uses schtasks.exe or at.exe to add and modify task schedules 50->119 121 Adds a directory exclusion to Windows Defender 50->121 59 conhost.exe 50->59         started        61 powershell.exe 50->61         started        63 powershell.exe 50->63         started        process18 file19 87 C:\Windows\System32\services32.exe, PE32+ 53->87 dropped 141 Machine Learning detection for dropped file 53->141 143 Drops executables to the windows directory (C:\Windows) and starts them 53->143 65 services32.exe 53->65         started        68 cmd.exe 53->68         started        70 cmd.exe 53->70         started        signatures20 process21 signatures22 109 Adds a directory exclusion to Windows Defender 65->109 72 cmd.exe 65->72         started        75 conhost.exe 68->75         started        77 schtasks.exe 68->77         started        79 conhost.exe 70->79         started        81 choice.exe 70->81         started        process23 signatures24 145 Adds a directory exclusion to Windows Defender 72->145 83 conhost.exe 72->83         started        85 powershell.exe 72->85         started        process25
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/92d222fc274d0c981a595327cf103960535339a655ae240f9267a84aedba7f41/
Threat name:
ByteCode-MSIL.Trojan.RelineStealer
Create hunting rule
Status:
Malicious
First seen:
2021-09-23 08:29:31 UTC
AV detection:
30 of 45 (66.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=sljcf7bhjugjqgszkmt46ebzmbjvgongkwxcid4sm6uev3n2p5aq._file
Verdict:
malicious
Similar samples:
1b4d9981e15438e889193b4272e5bc6d07d0b8984e95741eb36f7cad3dec66e6
RedLineStealer
4569c2ca16175dd869475526af97004f47e2918edb583043b609fceb86b35161
RedLineStealer
493bfdb9e04607e49f6ead719b51e9c25cc8c4fa76bcb79c2f8e9225bb46e659
RedLineStealer
51bf9ff43b1aedfebfcf03c71e5bba10a6704b2cf4503e5bbe680221652cc458
RedLineStealer
5d459a560ce1e32853c637997806cf8080c8d8f02d0c136057a0344d543b2532
RedLineStealer
a58198274fe278903f5cc16907437a6198725be5bc248d2b6155cd702caf3ed3
RedLineStealer
da6332feebc2a530509de0c661231bbd427327c31d6607a6a9286db710b68795
RedLineStealer
ff1ddb96f4984d4ed65016ca7814432d51a08fe090fae4907e85926469e880da
RedLineStealer
+ 186 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:@l_like_a_sir_l discovery evasion infostealer spyware stealer suricata themida trojan
Link:
https://tria.ge/reports/210927-jx7nqsfhhl/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RedLine
RedLine Payload
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Malware Config
C2 Extraction:
185.213.210.82:4505
Unpacked files
SH256 hash:
158260f63d79bd2dc6acf8c0c38ab0156563fe1b0985f0ccd4b237fc008619c7
MD5 hash:
cb8c102cb95c2b80e550d7da2690c212
SHA1 hash:
d76c4d2c1c5b6bec74890b6870de9f355fb51231
Link:
https://www.unpac.me/results/22cfcea6-1927-4027-9cf5-02f5c8db215c/
SH256 hash:
c827ccc211f24343b7d9002d53dba55e02e0ff0a200e21deb9cf258b840b3b2b
MD5 hash:
a0ef505e836c497fe35fdb8749213550
SHA1 hash:
70bf8135d00b84fe4529e6d6a53985d0880e48aa
Link:
https://www.unpac.me/results/22cfcea6-1927-4027-9cf5-02f5c8db215c/
SH256 hash:
81f2c2efa59450fe1e7ce5ebf19f76bbd950931059bf1a6a06475b96923f4c31
MD5 hash:
f396b10b65b7a897affe533a094276b7
SHA1 hash:
c825f13175fe6ccbffcda0717562abda3b9d4d8a
Detections:
win_karkoff_auto
Create hunting rule
Link:
https://www.unpac.me/results/22cfcea6-1927-4027-9cf5-02f5c8db215c/
Parent samples :
85c6f9cc1d92580088ac090c6eeaba9169aa57290ee6568ef5278fc9170d11dc
e80d7de90473de5e1d9fb140d2537896872f7a7ca665e9342514426604f4f708
92d222fc274d0c981a595327cf103960535339a655ae240f9267a84aedba7f41
91326481061021101661bce6cd8cff3316ce41038bc2e25415a3e1055b185300
d710d3a9f98ccf3a406ddfc2fb1fe4b814766708f345b12fee5e029a6012f212
9a1ddb0d33956c9657da8e6272b58c589cfac04fce724a3f913451c8d1b09759
SH256 hash:
6240dff467cd7abe61db58b846e0e27645ba0eb6fb957f650766d68f7618f36e
MD5 hash:
61fb42d4e72bf79d7a6028b82e43bd41
SHA1 hash:
27f396ce263c9717ed06a28f5006959c19ab7c8a
Detections:
win_karkoff_auto
Create hunting rule
Link:
https://www.unpac.me/results/22cfcea6-1927-4027-9cf5-02f5c8db215c/
SH256 hash:
92d222fc274d0c981a595327cf103960535339a655ae240f9267a84aedba7f41
MD5 hash:
a278f258834853daaf20e4e37b2e913f
SHA1 hash:
e7580190a96f166df77a2e8cd2464ff98673c52c
Link:
https://www.unpac.me/results/22cfcea6-1927-4027-9cf5-02f5c8db215c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.85
Link:
https://yomi.yoroi.company/submissions/92d222fc274d0c981a595327cf103960535339a655ae240f9267a84aedba7f41

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/191894/

Comments