MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9946d190d1959c1528763ea9d0c8bd9f3b8bb9af65078035609527e81e742302. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 7 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9946d190d1959c1528763ea9d0c8bd9f3b8bb9af65078035609527e81e742302
SHA3-384 hash: 5cdd92e3c6b5ec89b70c01a334eecbb49053790a1e7a6c5854c79b9c5ab7d5a3de51a6e5fb3b8527265b80c6bcd49534
SHA1 hash: 4be4822b98e1a3cd339ec08625e4c8c33e08c114
MD5 hash: 4c8b20479e35b380a034faf7238f9ea2
humanhash: georgia-whiskey-kilo-kilo
File name:4c8b20479e35b380a034faf7238f9ea2
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'089'922 bytes
First seen:2021-07-21 00:29:24 UTC
Last seen:2021-07-21 01:40:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a011f8d93026fd9f5e9442faeeff606d (8 x RedLineStealer, 2 x ModiLoader, 1 x ServHelper)
ssdeep 24576:x7W7ob8mwnePfjhxyiUkLkjzfsFI+H9CW8:pqEPdnFI
Threatray 651 similar samples on MalwareBazaar
TLSH T1D535DF4238E03469D002DEBBA49516FB34911E433676B66D3FD432635A3DD83FDAC92A
dhash icon 71e8c6aaa8f0f071 (1 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
120
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8
Verdict:
Malicious activity
Analysis date:
2021-07-19 22:12:19 UTC
Tags:
trojan evasion stealer vidar loader ficker rat redline phishing opendir
Link:
https://app.any.run/tasks/e2a3344a-f474-4043-b167-c8547435763e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/172907/
Detection(s):
SecuriteInfo.com.Trojan.Siggen14.44402.11992.28419.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/98a5b831-a7ab-47c6-ae94-eb0a2abcd366
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/819269
Signature
Contains functionality to register a low level keyboard hook
Creates processes via WMI
Drops PE files with a suspicious file extension
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Drops script at startup location
Submitted sample is a known malware sample
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 451680 Sample: 54v7F4Y7xJ Startdate: 21/07/2021 Architecture: WINDOWS Score: 80 60 Multi AV Scanner detection for submitted file 2->60 62 Sigma detected: Drops script at startup location 2->62 9 54v7F4Y7xJ.exe 7 2->9         started        12 wscript.exe 2->12         started        14 eRntMwARsh.exe.com 2->14         started        process3 dnsIp4 68 Contains functionality to register a low level keyboard hook 9->68 17 cmd.exe 1 9->17         started        70 Creates processes via WMI 12->70 50 WRdPtjUOQbgYzvB.WRdPtjUOQbgYzvB 14->50 signatures5 process6 signatures7 52 Submitted sample is a known malware sample 17->52 54 Obfuscated command line found 17->54 56 Uses ping.exe to sleep 17->56 58 Uses ping.exe to check the status of other devices and networks 17->58 20 cmd.exe 3 17->20         started        23 conhost.exe 17->23         started        process8 signatures9 64 Obfuscated command line found 20->64 66 Uses ping.exe to sleep 20->66 25 Acre.exe.com 20->25         started        28 PING.EXE 1 20->28         started        31 findstr.exe 1 20->31         started        process10 dnsIp11 72 Drops PE files with a suspicious file extension 25->72 34 Acre.exe.com 6 25->34         started        46 127.0.0.1 unknown unknown 28->46 48 192.168.2.1 unknown unknown 28->48 42 C:\Users\user\AppData\Local\...\Acre.exe.com, Targa 31->42 dropped file12 signatures13 process14 dnsIp15 44 WRdPtjUOQbgYzvB.WRdPtjUOQbgYzvB 34->44 38 C:\Users\user\AppData\...\eRntMwARsh.exe.com, PE32 34->38 dropped 40 C:\Users\user\AppData\...\eRntMwARsh.url, MS 34->40 dropped file16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9946d190d1959c1528763ea9d0c8bd9f3b8bb9af65078035609527e81e742302/
Threat name:
Win32.Trojan.Crypzip
Create hunting rule
Status:
Malicious
First seen:
2021-07-20 23:04:41 UTC
AV detection:
13 of 46 (28.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tfdndegrswobkkdwh2u5bsf5t45yxonpmudyanlasut6qhtuemba._file
Verdict:
malicious
Similar samples:
845f1bcb80321f9183258fdcd714a4ca61a26b02590dd02cf4bd4cb07c757cdd
RedLineStealer
92ffcaa512f2f1fe06c8d381f9fdf80a8f9d28fce269544d6a66afc02601d1a0
RedLineStealer
9431f9d5bf8a3d2ee34dc7624d8996e87af05e91ecb27b50843d5ddcb2f8f6bd
RedLineStealer
9bae907c90204ebf2ac85fe63e96ffb3422505631698ce9165053ab0125d1d9a
RedLineStealer
aadde71205336ccdd048f0b5029becbbcd03e741045f406b2fa819b909809202
RedLineStealer
ac5df971e605c439d1851391f51ae799b24823c47aea5c0ac177f00e5d4cc1f2
RedLineStealer
b459692e802efcbc858497ef0d54eb5f30d2ae75e703d4cb85ce29d895adc911
RedLineStealer
d47844ec0804c45feddfb89791832c4040754a703e46454cf571a2d30ac83124
RedLineStealer
fdec7bb225d252d1a257304a2e8dd58aa5ef1828f9ac653924c4e54bf71725a6
RedLineStealer
+ 641 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:19ruzk discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210721-cl2jj9d7ka/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
RedLine
RedLine Payload
Malware Config
C2 Extraction:
193.0.61.155:10790
Unpacked files
SH256 hash:
7fd0dfdcd1a200a916ec99eba74da1ab825bc149b649f420af3a3c1c91fb2225
MD5 hash:
436ff4a085f97079e8ffbe87d857d65f
SHA1 hash:
4eb299ac687b9d8645bf639f5fa3770e926560cd
Link:
https://www.unpac.me/results/909a2cb3-3759-4118-b874-ab4754bfcb16/
SH256 hash:
836ef6da1f4ead60b1a4aacbff3c72f1a7fd6eb567bb22f421a6709488b7ec43
MD5 hash:
df7901becf06c6265c26e22c0e54553e
SHA1 hash:
9869b45df103f33a2c02fb6a6668493a4f733c40
Link:
https://www.unpac.me/results/909a2cb3-3759-4118-b874-ab4754bfcb16/
SH256 hash:
9946d190d1959c1528763ea9d0c8bd9f3b8bb9af65078035609527e81e742302
MD5 hash:
4c8b20479e35b380a034faf7238f9ea2
SHA1 hash:
4be4822b98e1a3cd339ec08625e4c8c33e08c114
Link:
https://www.unpac.me/results/909a2cb3-3759-4118-b874-ab4754bfcb16/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9946d190d1959c1528763ea9d0c8bd9f3b8bb9af65078035609527e81e742302

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:RedLine
Create hunting rule
Author:@bartblaze
Description:Identifies RedLine stealer.
Rule name:redline_new_bin
Create hunting rule
Author:James_inthe_box
Description:Redline stealer
Reference:https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 9946d190d1959c1528763ea9d0c8bd9f3b8bb9af65078035609527e81e742302

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/172907/
  
URLhaus
https://urlhaus.abuse.ch/url/1469678/

Comments


Avatar
zbet commented on 2021-07-21 00:29:25 UTC

url : hxxp://136.144.41.201/EU/yad.exe