MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 990540dfd1ae0c36f10eb89ab3791726869ffc976bf6ebe08b73de3ecba908bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 990540dfd1ae0c36f10eb89ab3791726869ffc976bf6ebe08b73de3ecba908bf
SHA3-384 hash: ddd125c98d6b677809e490a4b084276c3e4c150f0cf6194569da51408703344cc9626e592cb8a721e347d79b27e088d8
SHA1 hash: 96ba2a5b3a7ccb9159f9d8edc7e96cc11d40fc9a
MD5 hash: 0a66bf57eee4d5554d2d3816b5a7946c
humanhash: fish-chicken-two-sodium
File name:0a66bf57eee4d5554d2d3816b5a7946c.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:3'276'133 bytes
First seen:2022-03-04 19:31:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 00be6e6c4f9e287672c8301b72bdabf3 (116 x RedLineStealer, 70 x AsyncRAT, 55 x AgentTesla)
ssdeep 49152:V5O0qrb/+7XxxE22Gf9JS929DC1O0dUEkRY0yrWmNKnImzKu6FYkixHtnSfN/hF4:V5hqrb/+diKPDQOnRY0yxyzfUixNSlD4
Threatray 12'067 similar samples on MalwareBazaar
TLSH T182E53301FAC384B3D52745360A193BA2B07D79213E2C8EBB73889E9DA9311515B35FB7
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
280
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/247449/
Detection(s):
SecuriteInfo.com.Troj.NanoCo_TZ.22029.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Running batch commands
Launching a process
Searching for analyzing tools
Creating a file in the %AppData% subdirectories
Sending a custom TCP request
Creating a process with a hidden window
Unauthorized injection to a recently created process
DNS request
Using the Windows Management Instrumentation requests
Searching for the browser window
Sending a TCP request to an infection source
Query of malicious DNS domain
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/8255/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/3ed9261e-e749-421e-a899-ecb2c8f9b226
Result
Threat name:
RedLine Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/950984
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Drops script or batch files to the startup folder
Found strings related to Crypto-Mining
Hides threads from debuggers
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Sigma detected: Drops script at startup location
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicius Schtasks From Env Var Folder
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 583466 Sample: enVMNJLC9S.exe Startdate: 04/03/2022 Architecture: WINDOWS Score: 100 91 Malicious sample detected (through community Yara rule) 2->91 93 Antivirus detection for URL or domain 2->93 95 Multi AV Scanner detection for submitted file 2->95 97 9 other signatures 2->97 8 enVMNJLC9S.exe 8 2->8         started        11 Windows Service.exe 2->11         started        14 cmd.exe 2->14         started        process3 file4 71 C:\Windows\Temp\setup.exe, PE32 8->71 dropped 73 C:\Windows\Temp\s.exe, PE32 8->73 dropped 16 setup.exe 15 11 8->16         started        21 s.exe 1 8->21         started        23 cmd.exe 2 8->23         started        25 cmd.exe 13 8->25         started        115 Hides threads from debuggers 11->115 27 chrome.exe 14->27         started        29 conhost.exe 14->29         started        signatures5 process6 dnsIp7 75 checkip.dyndns.com 193.122.6.168, 49800, 80 ORACLE-BMC-31898US United States 16->75 77 raw.githubusercontent.com 185.199.108.133, 443, 49777 FASTLYUS Netherlands 16->77 79 2 other IPs or domains 16->79 61 C:\Users\user\AppData\...\Windows Service.exe, PE32 16->61 dropped 63 C:\Users\user\AppData\...\toncrypto.dll, PE32+ 16->63 dropped 65 C:\Users\user\...\libcrypto-1_1-x64.dll, PE32+ 16->65 dropped 69 2 other files (none is malicious) 16->69 dropped 99 Detected unpacking (changes PE section rights) 16->99 101 Query firmware table information (likely to detect VMs) 16->101 103 Tries to detect sandboxes and other dynamic analysis tools (window names) 16->103 113 4 other signatures 16->113 31 schtasks.exe 16->31         started        33 schtasks.exe 16->33         started        35 schtasks.exe 16->35         started        46 2 other processes 16->46 105 Writes to foreign memory regions 21->105 107 Allocates memory in foreign processes 21->107 109 Injects a PE file into a foreign processes 21->109 48 2 other processes 21->48 67 C:\Users\user\AppData\Roaming\...\lol.bat, ASCII 23->67 dropped 111 Drops script or batch files to the startup folder 23->111 37 conhost.exe 23->37         started        39 chrome.exe 12 200 25->39         started        42 conhost.exe 25->42         started        44 chrome.exe 27->44         started        file8 signatures9 process10 dnsIp11 50 conhost.exe 31->50         started        52 conhost.exe 33->52         started        54 conhost.exe 35->54         started        81 192.168.2.1 unknown unknown 39->81 83 239.255.255.250 unknown Reserved 39->83 56 chrome.exe 15 39->56         started        59 conhost.exe 46->59         started        process12 dnsIp13 85 bigsoul.biz 51.15.15.73, 443, 49748 OnlineSASFR France 56->85 87 clients.l.google.com 142.250.203.110, 443, 49730, 49734 GOOGLEUS United States 56->87 89 6 other IPs or domains 56->89
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/990540dfd1ae0c36f10eb89ab3791726869ffc976bf6ebe08b73de3ecba908bf/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2022-03-04 19:32:23 UTC
File Type:
PE (Exe)
Extracted files:
164
AV detection:
24 of 27 (88.89%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tecubx6rvygdn4ioxcnlg6ixe2dj77exnp3oxyeloppd5s5jbc7q._file
Verdict:
malicious
Similar samples:
0ea0d467809f6db13fbbc3949ca3a4a0f90f60c80cb5cdc03aecdc6e060f0869
RedLineStealer
29a5461cca77683d6a47c83eb774235bd0ae092adc58c987e571eeecb3e1cd03
RedLineStealer
324a89be242f69318c7aebe527f99698e39124572567ab3978c5278be373eeb0
RedLineStealer
38cfb802b835e2f9129680bbcbe93248ad21659931b8230e9c2109b3b496a873
RedLineStealer
4951979c61129c8e58a18dfa428d3a0fa872f6b9c28101aa5d12d4c71fa45ced
RedLineStealer
55ded456339aef89e7d891f0c7f494c11d8983233106d64069bc767ab06ceb71
RedLineStealer
7f29e92787b0c1f4146e09aeed12b6ba1689dbf55ff37851d81cd02dbf9e3484
RedLineStealer
cfa1ef201a4dec456d4d6ffddc96267fcbf212f45616223fc8b3c675639f055b
RedLineStealer
dd496554f084af7bdd9c216bdb8718cd3de154d804b8955f4894c0954dad266c
RedLineStealer
e3c2d04c155b63a71d10e42a3c81199a6627a60363e3c978228ab14a8897bf9d
RedLineStealer
+ 12'057 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion persistence themida trojan
Link:
https://tria.ge/reports/220304-x8yrvsffg8/
Behaviour
Creates scheduled task(s)
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks whether UAC is enabled
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Loads dropped DLL
Themida packer
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Gathering data
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/990540dfd1ae/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/990540dfd1ae0c36f10eb89ab3791726869ffc976bf6ebe08b73de3ecba908bf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 990540dfd1ae0c36f10eb89ab3791726869ffc976bf6ebe08b73de3ecba908bf

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2073214/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/247449/

Comments