MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 942d5531f10fb85a1511fadd5cec74331cb7cad407779b36b004e0469180c44e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 7 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 942d5531f10fb85a1511fadd5cec74331cb7cad407779b36b004e0469180c44e
SHA3-384 hash: 1776b10d346531ad7857d35d3f12934a568ecf9e70bca959c86d82b29edc82bf7bf1077b3b91c450a82b2c53bcedddba
SHA1 hash: dd3b0c96798f7205c737d3372c606eeea3c6fd33
MD5 hash: e4bd6386a6abc3dcd3b8d0f1aaa2e307
humanhash: september-steak-item-michigan
File name:e4bd6386a6abc3dcd3b8d0f1aaa2e307
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:991'232 bytes
First seen:2022-10-23 18:46:33 UTC
Last seen:2022-10-23 20:10:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:+4EOct/DxX2ZyromUwqwpvmKkCb0sYhBWqoXnKR:9EBt/8yJNllDwJhAlXn
Threatray 7'461 similar samples on MalwareBazaar
TLSH T1B125D03425D9531CF177AF751FD078AE8BEAF6222706E46E2C910BC24716F40DDA263A
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
233
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Exploit.ShellCode.69.26742.16842
Verdict:
Malicious activity
Analysis date:
2022-10-23 12:13:32 UTC
Tags:
exploit cve-2017-11882 trojan rat redline stealer phishing
Link:
https://app.any.run/tasks/8cff6e84-58d8-416a-9384-0bc01cee5b28

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/323053/
Detection(s):
SecuriteInfo.com.Win32.RATX-gen.15945.8332.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Unauthorized injection to a recently created process
Creating a file
DNS request
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63558c29898b0652a4b97bc3/reports/5c854758-f35c-4294-add0-099956b70052/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bb24cff9-7415-45c5-9625-ee7efd5b2181
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1096008
Signature
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 728649 Sample: 9E9DEyYMUw.exe Startdate: 23/10/2022 Architecture: WINDOWS Score: 100 40 Malicious sample detected (through community Yara rule) 2->40 42 Sigma detected: Scheduled temp file as task from temp location 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 7 other signatures 2->46 7 9E9DEyYMUw.exe 6 2->7         started        11 ipoXJyO.exe 4 2->11         started        process3 file4 32 C:\Users\user\AppData\Roaming\ipoXJyO.exe, PE32 7->32 dropped 34 C:\Users\user\AppData\Local\...\tmp61AF.tmp, XML 7->34 dropped 36 C:\Users\user\AppData\...\9E9DEyYMUw.exe.log, ASCII 7->36 dropped 48 Uses schtasks.exe or at.exe to add and modify task schedules 7->48 50 Injects a PE file into a foreign processes 7->50 13 9E9DEyYMUw.exe 15 3 7->13         started        16 schtasks.exe 1 7->16         started        18 9E9DEyYMUw.exe 7->18         started        52 Multi AV Scanner detection for dropped file 11->52 54 Machine Learning detection for dropped file 11->54 20 ipoXJyO.exe 14 3 11->20         started        22 schtasks.exe 1 11->22         started        signatures5 process6 dnsIp7 38 mark1234.duckdns.org 185.216.71.172, 49710, 49711, 49712 CLOUDCOMPUTINGDE Germany 13->38 24 conhost.exe 13->24         started        26 conhost.exe 16->26         started        28 conhost.exe 20->28         started        30 conhost.exe 22->30         started        process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/942d5531f10fb85a1511fadd5cec74331cb7cad407779b36b004e0469180c44e/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-10-23 16:57:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
16
AV detection:
18 of 26 (69.23%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=sqwvkmprb64fufir7lovz3dugmolpswua53zwnvqatqenemayrha._file
Verdict:
malicious
Similar samples:
0fd29453e32c7b932aff741c9c2ea349e2105701ac56f1387678db16c634c85e
RedLineStealer
37798a05e1d59846c3abeceaca8a3d8ed09fe3a91fdb84e3af3a9e0d9654ba42
RedLineStealer
52e6c9bc6656584aa7795ee6c9472269125d8eebc0ee9abca86c6e4f0b1f1c65
RedLineStealer
b7a5f993206c8b0d774bea0d33c0097a6d033436fee72ee0bca7cd59a12c66ef
RedLineStealer
c6b4cbec17730dd197d90a5367371318bd1d99774b03e2089f1d33ee15ead50c
RedLineStealer
fd770b7e6e8adcbfdf4386254b5e9f05d01a5ba35b5fca0aeb430d2b9ab5ce67
RedLineStealer
+ 7'451 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:cheat infostealer
Link:
https://tria.ge/reports/221023-xe7gxabhgn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
RedLine
RedLine payload
Malware Config
C2 Extraction:
mark1234.duckdns.org:57793
Unpacked files
SH256 hash:
7074e058e5c7cd5755e577b73e0ffea7103beb8a5257feaf76c10350d2265749
MD5 hash:
9e36b4bb7895d766ef8e3c21e3d5f6a8
SHA1 hash:
c9e6c281f5a2cacd90f3f5f890a5deeb05ba4060
Link:
https://www.unpac.me/results/ab2dd7be-35c4-48d2-8982-46faca3e1b32/
SH256 hash:
7db3819f4ab1f0b8e993d0d2a3359633143eefebc1b23ee36c326455a57a8514
MD5 hash:
24f5923b8edc3f2c35c8a16dc6fc7767
SHA1 hash:
c2431bd0fab6b596e68308b3c82239dcf162cd5e
Link:
https://www.unpac.me/results/ab2dd7be-35c4-48d2-8982-46faca3e1b32/
SH256 hash:
a327516357b9fa1a75753b3fbd0030e13f374be7cefcdf983d0b731f278b0c59
MD5 hash:
404efdeb9931733904da07f96fabeb72
SHA1 hash:
7ce363cd612f1d9a90b33ec196c4d0a49cdaee02
Link:
https://www.unpac.me/results/ab2dd7be-35c4-48d2-8982-46faca3e1b32/
SH256 hash:
942d5531f10fb85a1511fadd5cec74331cb7cad407779b36b004e0469180c44e
MD5 hash:
e4bd6386a6abc3dcd3b8d0f1aaa2e307
SHA1 hash:
dd3b0c96798f7205c737d3372c606eeea3c6fd33
Link:
https://www.unpac.me/results/ab2dd7be-35c4-48d2-8982-46faca3e1b32/
Malware family:
RedLine.A
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/942d5531f10f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/942d5531f10fb85a1511fadd5cec74331cb7cad407779b36b004e0469180c44e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Redline32
Create hunting rule
Author:Muffin
Description:This rule detects Redline Stealer
Rule name:RedLine_a
Create hunting rule
Author:@bartblaze
Description:Identifies RedLine stealer.
Rule name:redline_new_bin
Create hunting rule
Author:James_inthe_box
Description:Redline stealer
Reference:https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 942d5531f10fb85a1511fadd5cec74331cb7cad407779b36b004e0469180c44e

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2381936/
Cape
Cape
https://www.capesandbox.com/analysis/323053/

Comments


Avatar
zbet commented on 2022-10-23 18:46:35 UTC

url : hxxps://app.allkar.xyz/wp-content/plugins/seoplugins/cradm.exe