MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9785eec1ff877367352742e441815f7f7372615e463e3a5862fa7881eb2e7081. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 15 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9785eec1ff877367352742e441815f7f7372615e463e3a5862fa7881eb2e7081
SHA3-384 hash: 37884b5e601587a1367add101f226b1b9f8864d0b026f62199e8984eb0ef3278a62ec019403ce77fcf79591899d414fa
SHA1 hash: ab1db703b3a1f8d5cdee2e24649b994ef4f0dd20
MD5 hash: 34dc3b6f5ad9472d3eee5fe006b97b4a
humanhash: fruit-glucose-ceiling-golf
File name:9785eec1ff877367352742e441815f7f7372615e463e3.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:2'097'664 bytes
First seen:2023-08-19 11:16:27 UTC
Last seen:2023-08-25 17:10:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 49152:OJ6ogow0HOLfdH/1AV38wQxKSgp4a05AwsXLZM47CY8BwLuRrKCLv8jY0OsOv8E5:Fo7w57bReUhhhuuJ
Threatray 823 similar samples on MalwareBazaar
TLSH T12CA538E13F0B4FD1F3D2353980962011CEAAEDEB1231F21F7E89448936452EB599BD66
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f6a0e8989b8a8489 (2 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
116.203.59.108:34830

Intelligence

File Origin
# of uploads :
3
# of downloads :
327
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
629c3b9bae76e2f3dd5a14cebdfeb635.exe
Verdict:
Malicious activity
Analysis date:
2023-08-19 11:13:10 UTC
Tags:
amadey trojan loader smoke
Link:
https://app.any.run/tasks/02a4ebe5-9253-4766-9fb1-3e1e9b8df1bd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/443692/
Detection(s):
SecuriteInfo.com.Win32.BotX-gen.4390.23702.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
DNS request
Sending a custom TCP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a window
Сreating synchronization primitives
Searching for the window
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64e0a4aeac089eb8123d46b7/reports/1cd35fa3-86c7-4d65-a606-3e9ea0fa8040/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/9785eec1ff877367352742e441815f7f7372615e463e3a5862fa7881eb2e7081
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b537e0c8-80c4-44b3-8a2d-9f652a044625
Result
Threat name:
Clipboard Hijacker, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1293842
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates an autostart registry key pointing to binary in C:\Windows
Creates HTML files with .exe extension (expired dropper behavior)
Creates multiple autostart registry keys
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected AntiVM3
Yara detected Clipboard Hijacker
Yara detected Costura Assembly Loader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1293842 Sample: 9785eec1ff877367352742e4418... Startdate: 19/08/2023 Architecture: WINDOWS Score: 100 85 Snort IDS alert for network traffic 2->85 87 Malicious sample detected (through community Yara rule) 2->87 89 Antivirus detection for URL or domain 2->89 91 8 other signatures 2->91 8 9785eec1ff877367352742e441815f7f7372615e463e3.exe 1 2->8         started        10 Jeepdriveroads.exe 2->10         started        13 jsc.exe 2->13         started        15 2 other processes 2->15 process3 signatures4 17 RegSvcs.exe 7 8->17         started        21 RegSvcs.exe 8->21         started        99 Multi AV Scanner detection for dropped file 10->99 101 Machine Learning detection for dropped file 10->101 24 jsc.exe 10->24         started        26 jsc.exe 10->26         started        28 conhost.exe 13->28         started        30 conhost.exe 15->30         started        process5 dnsIp6 65 industrias-lopez.com 66.225.201.5, 49717, 49718, 49719 SERVERCENTRALUS United States 17->65 67 tokoi45.beget.tech 5.101.152.100, 49714, 49715, 49716 BEGET-ASRU Russian Federation 17->67 57 C:\Users\user\AppData\...32KC7AACKBM07M.exe, PE32+ 17->57 dropped 59 C:\Users\user\AppData\...\A49NAFKNO8G8IFE.exe, PE32 17->59 dropped 61 C:\Users\user\AppData\...\63KCLF1NAP6L66K.exe, PE32 17->61 dropped 63 C:\Users\user\AppData\...\3GQ50CA4BHNBEG8.exe, PE32+ 17->63 dropped 32 E32KC7AACKBM07M.exe 1 4 17->32         started        36 A49NAFKNO8G8IFE.exe 1 17->36         started        38 63KCLF1NAP6L66K.exe 4 17->38         started        40 2 other processes 17->40 93 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 21->93 95 Creates HTML files with .exe extension (expired dropper behavior) 21->95 97 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 21->97 file7 signatures8 process9 dnsIp10 51 C:\Users\user\AppData\...\despitearea.exe, PE32 32->51 dropped 53 C:\Users\user\AppData\...\despiitearea.exe, PE32+ 32->53 dropped 75 Multi AV Scanner detection for dropped file 32->75 77 Machine Learning detection for dropped file 32->77 79 Creates multiple autostart registry keys 32->79 43 despitearea.exe 15 3 32->43         started        47 RegSvcs.exe 36->47         started        55 C:\Users\user\Videos\Jeepdriveroads.exe, PE32 38->55 dropped 49 jsc.exe 38->49         started        69 iplogger.com 148.251.234.93, 443, 49728 HETZNER-ASDE Germany 40->69 81 Antivirus detection for dropped file 40->81 83 May check the online IP address of the machine 40->83 file11 signatures12 process13 dnsIp14 71 files.catbox.moe 108.181.20.39, 443, 49729 ASN852CA Canada 43->71 103 Multi AV Scanner detection for dropped file 43->103 105 Machine Learning detection for dropped file 43->105 107 Injects a PE file into a foreign processes 43->107 73 116.203.59.108, 34830, 49780 HETZNER-ASDE Germany 47->73 109 Tries to harvest and steal browser information (history, passwords, etc) 47->109 111 Tries to steal Crypto Currency Wallets 47->111 113 Creates multiple autostart registry keys 49->113 115 Creates an autostart registry key pointing to binary in C:\Windows 49->115 signatures15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9785eec1ff877367352742e441815f7f7372615e463e3a5862fa7881eb2e7081/
Threat name:
Win32.Trojan.BotX
Create hunting rule
Status:
Malicious
First seen:
2023-08-19 08:27:23 UTC
File Type:
PE (.Net Exe)
Extracted files:
27
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=s6c65qp7q5zwonjhilsedak7p5zxeyk6iy7duwdc7j4id2zoocaq._file
Verdict:
malicious
Similar samples:
211809c137b352584707b7d3b254df7e9b80302615f758ff8060b535d8804945
RedLineStealer
3454a03a003a23385521dae0e13fbe65211a9e9c590022dc906da7085ca71244
RedLineStealer
4a269414d116334ba8837a573d824a3ff46c3b7d274b7b8e3c3ffd688a2e3729
RedLineStealer
4eb94831dc8c5d208a185b7f83469113379a05db96af352e5c0de634611050dd
RedLineStealer
8be2a3d913c8851bffa0a682c9fb393d614a108e142344987ff9c8712d48c8c3
RedLineStealer
a6d0e60e46974bcc2b95d79efe42aef131019e1a1db2f71a780c51a68cc36199
RedLineStealer
bd213bacf745262d609025230b73d653d2ef62875f28860ea1b4d1a65f5c5cca
RedLineStealer
cffee94b2fed3ea5bf85eb7bab308ac9488d1ed882c02787ee318760b1a90350
RedLineStealer
fb9295be3b011faf14a3e3d382a24eb47cf8877f3fcbf2bbc598c92cf3a48181
RedLineStealer
+ 813 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline infostealer persistence spyware
Link:
https://tria.ge/reports/230819-ndn5hahc74/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Drops startup file
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
RedLine
RedLine payload
Unpacked files
SH256 hash:
fd56a07f2da75c84337cbf94e0acafc09fb909cfb187a0ae214827ce2c4708bb
MD5 hash:
d93c5f59ddc41313bf36f106a2f1fe17
SHA1 hash:
97c5cd9d0689c1cd74685bc979122a13eba3fcc9
Link:
https://www.unpac.me/results/fbe0b4d4-7d46-46b5-b54c-c8ba0ff32f61/
SH256 hash:
cef5f8c95542d19f4ff60773bac3576f29dd626aa6d9201875fcdb227c4fccb8
MD5 hash:
e4bb11aff11d809161b58f9c22ecd32f
SHA1 hash:
4026ab66e758b5881eabf4bef602b081b843ace6
Link:
https://www.unpac.me/results/fbe0b4d4-7d46-46b5-b54c-c8ba0ff32f61/
SH256 hash:
9785eec1ff877367352742e441815f7f7372615e463e3a5862fa7881eb2e7081
MD5 hash:
34dc3b6f5ad9472d3eee5fe006b97b4a
SHA1 hash:
ab1db703b3a1f8d5cdee2e24649b994ef4f0dd20
Link:
https://www.unpac.me/results/fbe0b4d4-7d46-46b5-b54c-c8ba0ff32f61/
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9785eec1ff87/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9785eec1ff877367352742e441815f7f7372615e463e3a5862fa7881eb2e7081

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:INDICATOR_SUSPICOUS_EXE_UNC_Regex
Create hunting rule
Author:ditekSHen
Description:Detects executables with considerable number of regexes often observed in infostealers
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer_2
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 9785eec1ff877367352742e441815f7f7372615e463e3a5862fa7881eb2e7081

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/443692/
  
URLhaus
https://urlhaus.abuse.ch/url/2705471/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2705552/

Comments