MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9848335d47d8bb203145e2aca78fc8f9b42fb2ba1cd91561974172ea6da43851. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 9

SHA256 hash: 9848335d47d8bb203145e2aca78fc8f9b42fb2ba1cd91561974172ea6da43851
SHA3-384 hash: 7fabe09426892cffbb684a75a5d65ce436cf71a085b5db97dd703cea79252db17c925f2dc7a99606fb5c9b1ceed991f5
SHA1 hash: c3ff4a0472171973fdbfd65c2a4e08ee44b56928
MD5 hash: a79139fb8b7bf3a652f63fa89e5a6067
humanhash: robert-cat-carpet-video
File name: a79139fb8b7bf3a652f63fa89e5a6067.exe
Signature: RedLineStealer
File size: 6'108'870 bytes
First seen: 2021-12-02 10:01:31 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: eb5bc6ff6263b364dfbfb78bdb48ed59 (54 x Adware.Generic, 18 x RaccoonStealer, 8 x Adware.ExtenBro)
ssdeep: 98304:iX4vdAj8imG9zg214F4LoA9l8CDkeoSGYRx58cGCyTLGJANFI2:4DmG4O02ODiT5OCamD2
TLSH: T1DF561227B2A4A03EC46927354637B5405CFFA779F417BE1266E4CC88CFA60C01EFA665
dhash icon: 3271d4b6b6d47132 (11 x RedLineStealer, 2 x Adware.Generic, 2 x LummaStealer)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
45.67.228.240:80

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                 ThreatFox Reference
45.67.228.240:80    https://threatfox.abuse.ch/ioc/257376/

Intelligence


File Origin
# of uploads: 1
# of downloads: 179
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: a79139fb8b7bf3a652f63fa89e5a6067.exe
Verdict: Malicious activity
Analysis date: 2021-12-02 10:08:27 UTC
Tags: installer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for synchronization primitives
Searching for the window
Moving a file to the %temp% subdirectory
Creating a file
Moving a recently created file
Running batch commands
Creating a process with a hidden window
Launching a process
DNS request
Transferring files using the Background Intelligent Transfer Service (BITS)
Connecting to a non-recommended domain
Sending an HTTP GET request
Enabling the 'hidden' option for files in the %temp% directory
Sending a custom TCP request
Enabling the 'hidden' option for recently created files
Downloading the file
Enabling autorun by creating a file
Result
Malware family: n/a
Score: 1/10
Tags: n/a
Behaviour
CheckNumberOfProcessor
CheckCmdLine
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: overlay packed
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Benign windows process drops PE files
Changes security center settings (notifications, updates, antivirus, firewall)
Hides threads from debuggers
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sample is not signed and drops a device driver
Sigma detected: Copying Sensitive Files with Credential Data
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect debuggers (CloseHandle check)
Tries to detect virtualization through RDTSC time measurements
Tries to download and execute files (via powershell)
Tries to download files via bitsadmin
Tries to evade analysis by execution special instruction which cause usermode exception
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph: Behavior Graph ID 532525; Sample: 5Yi7XQkHUQ.exe; Startdate: 02/12/2021; Architecture: WINDOWS; Score: 100.
(Graph rendering not reproduced. Its nodes cover the process tree rooted at 5Yi7XQkHUQ.exe, which drops and starts 5Yi7XQkHUQ.tmp, followed by cmd.exe, powershell.exe, xcopy.exe, PING.EXE, wlanext32.exe and svchost.exe; dropped files including C:\Windows\Temp\iqvw64e.sys (PE32+), C:\Users\user~1\...\DriverEasy.exe (copy) and C:\ProgramData\Local\...\wlanext32.exe; and network contact by svchost.exe and powershell.exe with oniondq7shlx5o67t64ljuzisyp34s3n7vepnhc5ijt5hjh47.biz (45.147.197.150, port 80).)
Threat name: Win32.Downloader.Bitser
Status: Malicious
First seen: 2021-11-26 07:09:20 UTC
File Type: PE (Exe)
Extracted files: 4
AV detection: 11 of 28 (39.29%)
Threat level: 3/5
Verdict: unknown
Result
Malware family: n/a
Score: 10/10
Tags: evasion persistence ransomware trojan
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Download via BitsAdmin
Enumerates system info in registry
Interacts with shadow copies
Modifies data under HKEY_USERS
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Deletes shadow copies
Modifies Windows Defender Real-time Protection settings
Modifies Windows Defender notification settings
Modifies security service
Malware Config
Dropper Extraction: http://oniondq7shlx5o67t64ljuzisyp34s3n7vepnhc5ijt5hjh47.biz/hfile.bin
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CAS_Malware_Hunting
Author: Michael Reinprecht
Description: DEMO CAS YARA Rules for sample2.exe

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments