MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9619a55c49642d423d9244bfe2e50b5027c395386056f82bbd10b7134b3d854e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

SHA256 hash: 9619a55c49642d423d9244bfe2e50b5027c395386056f82bbd10b7134b3d854e
SHA3-384 hash: e8e4b98aee6a573501829af5835f4fbbcd19f4e62b0d8fc777ab06e49c413f92cc7038c920633ac792e28ae9d2ae7a88
SHA1 hash: 2820b43315c4792515bff6b6cf96e1021c711b4f
MD5 hash: b888083ff853d4f150acb307906fb38d
humanhash: don-arizona-paris-purple
File name: b888083ff853d4f150acb307906fb38d.exe
Download: download sample
Signature: RedLineStealer
File size: 2'403'360 bytes
First seen: 2022-04-15 04:56:16 UTC
Last seen: 2022-04-20 10:21:48 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 7af3fcc58a6937bb6482ae42b5c5baab (1 x CoinMiner, 1 x RedLineStealer)
ssdeep: 49152:xHoOidch7dAZgpMBDtApq1cgqwCX7sUMvvmKsxaOONQWRgNajX3L55VDeedx8QB/:xH1R7dAZgpMBDtApq1cgqwCLsUMvvmKV
TLSH: T177B5D033D99D92B1CC2126F1950306A76C2F99F971CFBDA2F30D1821D073A2D64A7B69
TrID: 32.1% (.EXE) Win64 Executable (generic) (10523/12/4)
      20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
      13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
      6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
23.82.141.102:42921

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
23.82.141.102:42921 | https://threatfox.abuse.ch/ioc/519978/
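The hashes and the C2 socket on this entry are only useful once they are matched against something, so here is a small checker that hashes a file the same way MalwareBazaar does (MD5/SHA1/SHA256) and scans connection-log lines for the reported C2. This is an added example, not MalwareBazaar or abuse.ch code. The hash values and the C2 come from the entry; the flow-log format ("dst=IP:PORT" key=value fields) and the log lines at the bottom are constructed for the demo. Only the reporter's C2 is in the socket list: the other addresses in the sandbox graph further down (ip-api.com, the AWS check-ip host) are public geolocation services and would produce false positives if alerted on.

```python
"""Check a file's hashes and a few connection-log lines against the IOCs
published on this MalwareBazaar entry.

Added example, not MalwareBazaar code.  Hash values and the C2 socket are
copied from the entry; the log format and SAMPLE_LOG are constructed."""
import hashlib
import re

# Hashes listed under "Unpacked files": the submitted sample plus the two
# files extracted from it.
HASH_IOCS = {
    "sha256": {
        "9619a55c49642d423d9244bfe2e50b5027c395386056f82bbd10b7134b3d854e",
        "dd96dd3fb9a841267ba7fdd9c6ee960f5c705763d34d3744299f2a74e7fa24f5",
        "356e4e6ba72cd92750e00ca7ee0016e53eddf4674d833afff6a17dabdb62cccd",
    },
    "sha1": {
        "2820b43315c4792515bff6b6cf96e1021c711b4f",
        "e60ba555b7f4d5dc28d57b474e0e0c7554da2552",
        "1289dd899d70e5d7dbc370a05d1fe7b6fd853e62",
    },
    "md5": {
        "b888083ff853d4f150acb307906fb38d",
        "f7e0bc53f475f93c184b31409ca5539f",
        "dd98a38572264302a031491ab1609399",
    },
}

# Only the reporter's C2.  ip-api.com / check-ip.aws.a2z.com from the sandbox
# graph are benign geolocation services and are deliberately left out.
C2_SOCKETS = {("23.82.141.102", 42921)}
C2_IPS = {ip for ip, _ in C2_SOCKETS}

_ALGOS = ("md5", "sha1", "sha256")
# Assumption: flow log with a "dst=IP:PORT" field.
_DST_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\b")


def digest_bytes(data: bytes) -> dict:
    """Hex digests of an in-memory blob, keyed by algorithm name."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in _ALGOS}


def digest_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Same as digest_bytes but streams the file, so large samples fit in memory."""
    hashers = {algo: hashlib.new(algo) for algo in _ALGOS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(block)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def match_hashes(digests: dict) -> set:
    """(algorithm, digest) pairs present in the IOC list; case-insensitive,
    algorithms without IOCs are ignored."""
    hits = set()
    for algo, value in digests.items():
        value = value.lower()
        if value in HASH_IOCS.get(algo, ()):
            hits.add((algo, value))
    return hits


def find_c2_hits(lines) -> list:
    """Scan flow-log lines for the C2.  Exact IP:port is 'high' confidence;
    the same IP on another port is 'medium' (hosting providers reuse
    addresses, operators move listeners)."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = _DST_RE.search(line)
        if not m:
            continue
        ip, port = m.group(1), int(m.group(2))
        if (ip, port) in C2_SOCKETS:
            hits.append({"line": lineno, "ip": ip, "port": port, "confidence": "high"})
        elif ip in C2_IPS:
            hits.append({"line": lineno, "ip": ip, "port": port, "confidence": "medium"})
    return hits


# Constructed flow-log lines for the demo (not real traffic).
SAMPLE_LOG = [
    "2022-04-15T05:02:11Z proto=tcp src=10.0.0.5:49797 dst=23.82.141.102:42921 bytes=1432",
    "2022-04-15T05:02:12Z proto=tcp src=10.0.0.5:49798 dst=208.95.112.1:80 bytes=512",
    "2022-04-15T05:03:40Z proto=tcp src=10.0.0.7:50110 dst=23.82.141.102:443 bytes=90",
]

if __name__ == "__main__":
    for hit in find_c2_hits(SAMPLE_LOG):
        print(hit)
    # For a file on disk: match_hashes(digest_file("b888083ff853d4f150acb307906fb38d.exe"))
```

A hash hit is only proof that you hold this exact byte sequence; RedLine builds are repacked per campaign, so a miss says nothing. The C2 socket is the more durable indicator here, which is why the scanner distinguishes an exact socket match from an IP-only match rather than silently dropping the latter.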

Intelligence


File Origin
# of uploads: 2
# of downloads: 320
Origin country: n/a
Vendor Threat Intelligence
Malware family:
redline
ID:
1
File name:
b888083ff853d4f150acb307906fb38d.exe
Verdict:
Malicious activity
Analysis date:
2022-04-15 05:01:45 UTC
Tags:
trojan rat redline evasion loader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed zusy
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine SmokeLoader
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Binary or sample is protected by dotNetProtector
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to detect sleep reduction / modifications
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Drops PE files to the user root directory
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Execution from Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Suspicious Program Location with Network Connections
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Behavior Graph ID: 609748 | Sample: 7LebaMgM4N.exe | Start date: 15/04/2022 | Architecture: WINDOWS | Score: 100
Sample-level findings: contacts gerer.at; Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 13 other signatures.

Process tree (dropped files, network contacts and signatures as recorded by the sandbox; paths shown as "..." are truncated in the source):

7LebaMgM4N.exe
  |- RegSvcs.exe
  |    drops: C:\Users\Public\M3gJNbpqWpct.exe (PE32), C:\Users\Public\BEgHvre3gJNc.exe (PE32)
  |    signatures: Drops PE files to the user root directory; Contains functionality to detect sleep reduction / modifications
  |    |- BEgHvre3gJNc.exe
  |    |    network: ip-api.com 208.95.112.1 port 80 (local ports 49714, 49724; TUT-AS, United States); checkip.eu-west-1.prod.check-ip.aws.a2z.com 54.76.187.137 port 80 (local port 49713; AMAZON-02, United States); 2 other IPs or domains
  |    |    drops: C:\ProgramData\...\5b55fdf1.exe (PE32), C:\Users\user\AppData\...\tmp4DBC.tmp.bat (DOS)
  |    |    signatures: Multi AV Scanner detection for dropped file; May check the online IP address of the machine; Machine Learning detection for dropped file; Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
  |    |    |- cmd.exe
  |    |         |- 5b55fdf1.exe
  |    |         |    network: 5.188.119.76 port 80 (local port 49726; SELECTEL, Russian Federation); 107.189.6.214 port 80 (local ports 49730, 49733; PONYNET, United States); 7 other IPs or domains
  |    |         |    drops: C:\Users\user\...\df2514b80becd081.exe, C:\Users\user\...\abd22ceb0b847fae.exe, C:\Users\user\...\5748427f951397ea.exe, C:\Users\user\...\22eb40f46350cfb4.exe (all PE32)
  |    |         |    |- df2514b80becd081.exe
  |    |         |    |    signatures: Detected unpacking (changes PE section rights); Machine Learning detection for dropped file; Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); 3 other signatures
  |    |         |    |    |- explorer.exe (injected)
  |    |         |    |         network: 27.147.183.45 port 80 (local ports 49801, 49804; LINK3-TECH-AS-BD-AP Link3 Technologies Ltd, Bangladesh); 211.171.233.126 port 80 (local ports 49809, 49818; LGDACOM Corporation, Korea, Republic of); 2 other IPs or domains
  |    |         |    |         drops: C:\Users\user\AppData\Roaming\ebhgtaw (PE32)
  |    |         |    |         signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Hides that the sample has been downloaded from the Internet (zone.identifier)
  |    |         |    |- abd22ceb0b847fae.exe
  |    |         |    |    signatures: Antivirus detection for dropped file; Writes to foreign memory regions; Tries to delay execution (extensive OutputDebugStringW loop); Injects a PE file into a foreign processes
  |    |         |    |    |- csc.exe
  |    |         |    |         network: 23.82.141.102 port 42921 (local port 49797; LEASEWEB-USA-MIA-11, United States), i.e. the RedLineStealer C2 reported above
  |    |         |    |- 22eb40f46350cfb4.exe
  |    |         |    |    drops: C:\ProgramData\1.exe (PE32)
  |    |         |    |    |- 1.exe
  |    |         |    |         signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  |    |         |    |         |- WerFault.exe
  |    |         |    |- 5748427f951397ea.exe
  |    |         |         |- WerFault.exe
  |    |         |- reg.exe
  |    |         |    signatures: Creates an undocumented autostart registry key
  |    |         |- conhost.exe
  |    |         |- timeout.exe
  |    |- M3gJNbpqWpct.exe
  |         network: 188.68.205.12 port 7053 (local port 49721; ITNET33, Russian Federation)
  |         signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
  |- WerFault.exe
  |    drops: C:\ProgramData\Microsoft\...\Report.wer (Little-endian)
  |- conhost.exe
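The execution chain above is what an EDR or Sysmon pipeline would see, and the Sigma and signature names in this vendor block (Execution from Suspicious Folder, Parent in Public Folder, Drops PE files to the user root directory, autostart key via reg.exe, System process connects to network, Benign windows process drops PE files) translate into a handful of behavioural rules. The block below is an added example, not the sandbox vendor's rule logic: each rule is my own reading of the corresponding signature name, the Sysmon-style events are constructed to follow the tree above, and the RegSvcs.exe path, the reg.exe command line and the Run key are assumptions, since the page names neither the command line nor the "undocumented" key.

```python
"""Behaviour rules over Sysmon-style events that mirror the execution chain
in the behaviour graph.  Added example; rules are my reading of the
signature names on the page, events and exact paths/command lines are
constructed (the page does not show them)."""
from dataclasses import dataclass
import ipaddress


@dataclass
class Event:
    kind: str          # "process" (create), "network" (outbound) or "file" (create)
    image: str         # full path of the acting process
    parent: str = ""   # parent image, for "process" events
    cmdline: str = ""  # command line, for "process" events
    dst_ip: str = ""   # for "network" events
    dst_port: int = 0
    target: str = ""   # created file path, for "file" events


# Assumption: processes treated as "benign system processes" that should never
# originate network traffic or drop files in user profiles themselves.
SYSTEM_PROCESSES = {"explorer.exe", "svchost.exe", "winlogon.exe"}
PUBLIC_DIR = ("c:\\users\\public\\",)
SUSPICIOUS_DIRS = PUBLIC_DIR + ("c:\\programdata\\",)
# Assumption: the page only says "undocumented autostart registry key"; this
# rule watches the common Run/RunOnce keys.
AUTORUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def under(path: str, dirs) -> bool:
    return path.lower().startswith(dirs)


def exec_from_suspicious_folder(e: Event) -> bool:
    # Sigma "Execution from Suspicious Folder": BEgHvre3gJNc.exe, 5b55fdf1.exe, 1.exe
    return e.kind == "process" and under(e.image, SUSPICIOUS_DIRS)


def parent_in_public_folder(e: Event) -> bool:
    # Sigma "Parent in Public Folder Suspicious Process": cmd.exe under BEgHvre3gJNc.exe
    return e.kind == "process" and under(e.parent, PUBLIC_DIR)


def drops_pe_to_user_root(e: Event) -> bool:
    # "Drops PE files to the user root directory": RegSvcs.exe -> C:\Users\Public\*.exe
    return e.kind == "file" and under(e.target, PUBLIC_DIR)


def autostart_via_reg(e: Event) -> bool:
    # "Creates an undocumented autostart registry key" through reg.exe
    if e.kind != "process" or basename(e.image) != "reg.exe":
        return False
    cl = e.cmdline.lower()
    return " add " in cl and any(k in cl for k in AUTORUN_KEYS)


def system_process_connects(e: Event) -> bool:
    # "System process connects to network": explorer.exe after injection
    if e.kind != "network" or basename(e.image) not in SYSTEM_PROCESSES:
        return False
    return ipaddress.ip_address(e.dst_ip).is_global  # ignore LAN/loopback traffic


def system_process_drops_file(e: Event) -> bool:
    # "Benign windows process drops PE files": explorer.exe -> AppData\Roaming\ebhgtaw
    return (e.kind == "file" and basename(e.image) in SYSTEM_PROCESSES
            and "\\appdata\\roaming\\" in e.target.lower())


RULES = {fn.__name__: fn for fn in (
    exec_from_suspicious_folder, parent_in_public_folder, drops_pe_to_user_root,
    autostart_via_reg, system_process_connects, system_process_drops_file)}


def evaluate(events) -> list:
    """(rule name, event index) for every rule that fires, in event order."""
    return [(name, i) for i, e in enumerate(events) for name, fn in RULES.items() if fn(e)]


# Constructed events following the page's process tree (assumed paths).
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
SAMPLE_EVENTS = [
    Event("process", REGSVCS, parent=r"C:\Users\user\Desktop\7LebaMgM4N.exe"),
    Event("file", REGSVCS, target=r"C:\Users\Public\BEgHvre3gJNc.exe"),
    Event("process", r"C:\Users\Public\BEgHvre3gJNc.exe", parent=REGSVCS),
    Event("process", r"C:\Windows\System32\cmd.exe", parent=r"C:\Users\Public\BEgHvre3gJNc.exe"),
    Event("process", r"C:\Windows\System32\reg.exe", parent=r"C:\Windows\System32\cmd.exe",
          cmdline=r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v upd /t REG_SZ /d "C:\ProgramData\5b55fdf1.exe" /f'),
    Event("network", r"C:\Windows\explorer.exe", dst_ip="27.147.183.45", dst_port=80),
    Event("network", r"C:\Windows\explorer.exe", dst_ip="10.0.0.2", dst_port=445),
    Event("file", r"C:\Windows\explorer.exe", target=r"C:\Users\user\AppData\Roaming\ebhgtaw"),
    Event("process", r"C:\Windows\System32\conhost.exe", parent=r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for rule, idx in evaluate(SAMPLE_EVENTS):
        print(f"{rule:28} event[{idx}] {basename(SAMPLE_EVENTS[idx].image)}")
```

None of these rules keys on a hash or an IP, which is the point: the chain (RegSvcs.exe writing to C:\Users\Public, a child of a Public-folder binary spawning reg.exe, explorer.exe talking to the internet and writing to AppData\Roaming) survives a repack, while the hashes on this entry do not. The LAN-destination event is included to show the is_global guard; without it, explorer.exe's legitimate SMB traffic would fire the rule on every workstation.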
Threat name:
Win32.Trojan.RedLineStealer
Status:
Malicious
First seen:
2022-04-08 03:44:10 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
27 of 42 (64.29%)
Threat level:
  5/5
Verdict:
malicious
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Unpacked files
SHA256 hash:
dd96dd3fb9a841267ba7fdd9c6ee960f5c705763d34d3744299f2a74e7fa24f5
MD5 hash:
f7e0bc53f475f93c184b31409ca5539f
SHA1 hash:
e60ba555b7f4d5dc28d57b474e0e0c7554da2552
SHA256 hash:
356e4e6ba72cd92750e00ca7ee0016e53eddf4674d833afff6a17dabdb62cccd
MD5 hash:
dd98a38572264302a031491ab1609399
SHA1 hash:
1289dd899d70e5d7dbc370a05d1fe7b6fd853e62
SHA256 hash:
9619a55c49642d423d9244bfe2e50b5027c395386056f82bbd10b7134b3d854e
MD5 hash:
b888083ff853d4f150acb307906fb38d
SHA1 hash:
2820b43315c4792515bff6b6cf96e1021c711b4f
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments