MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9a0d57d82e15f4f45a2442d1d5355242a0fe4684039777025622dfa95a8caeec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs 1 YARA 11 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9a0d57d82e15f4f45a2442d1d5355242a0fe4684039777025622dfa95a8caeec
SHA3-384 hash: 42db66fe82020e6e61ee4d20500c0bf173259f6db94066b580d4fce14d6dc4ca4dbc4c220c6e5ec39c722f54e79fc2b1
SHA1 hash: ac8f3a8ba465e63685718ddaeea31a0080185aa2
MD5 hash: 67575d9c8848f44eb91c4bd2db209ec4
humanhash: cat-butter-louisiana-music
File name:67575d9c8848f44eb91c4bd2db209ec4.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'206'272 bytes
First seen:2021-04-20 11:49:38 UTC
Last seen:2021-04-20 13:01:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2e5467cba76f44a088d39f78c5e807b6 (131 x DCRat, 112 x njrat, 79 x RedLineStealer)
ssdeep 24576:9geCU0Oru8ZsNeHqqHMPveZDMCKzbL7ta/BzU:aw0OrulkKqHMoKvL70ZI
Threatray 15 similar samples on MalwareBazaar
TLSH 4245231D63588B11F37CCAF976B001258DF0E4AF3522EAF95ED1989E0F2A7C2164C5E2
Reporter abuse_ch
Tags:exe RedLineStealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
45.90.46.164:6676 https://threatfox.abuse.ch/ioc/9265/

Intelligence

File Origin
# of uploads :
2
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
67575d9c8848f44eb91c4bd2db209ec4.exe
Verdict:
Malicious activity
Analysis date:
2021-04-20 12:04:44 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/732f6c8d-3bff-40d6-bcc4-c121ada8d1ca

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
EnigmaStub
Create hunting rule
Link:
https://www.capesandbox.com/analysis/139575/
Detection(s):
PUA.Win.Packer.EnigmaProtector-19
Create hunting rule

PUA.Win.Packer.EnigmaProtector-1
Create hunting rule

PUA.Win.Packer.EnigmaProtector-9852682-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Creating a window
Sending a UDP request
Sending an HTTP POST request
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Creating a file
Creating a process from a recently created file
Connection attempt
Creating a process with a hidden window
Launching a process
Running batch commands
Stealing user critical data
Unauthorized injection to a recently created process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9a0d57d82e15f4f45a2442d1d5355242a0fe4684039777025622dfa95a8caeec/
Gathering data
Verdict:
malicious
Similar samples:
07cf6baf41520d0e97f2010bf76c2ed10509fbf599209ae4bc250eb375515114
RedLineStealer
523a9d789a271e3b1f9eda837734999dddb4b8c80c772eda1fd55c2bef35c91e
RedLineStealer
68c944c28e2b06a534175149916e7daaf9a8cb12b09178e89556bcc8337d682f
RedLineStealer
75fa551eec71d6d8b9817266813715c2bbb7a537005587f9f1e0d058a05febc6
RedLineStealer
a983859af1159996ed7ba7d66e0ba5d23b23e00a6e3add422421a016451b72e7
RedLineStealer
c7f6ad7d3e040d26e8103885756e2f720a97a16f12ef44bf6707676d26680586
RedLineStealer
e1d51f402e88ba4bdb8ae2906a6158ef753c50a7eeae7d8bb5d832a8c7492027
RedLineStealer
e5b7d451f9c435d27dcfb429ae95ca97a1ba8688ba373a47a2f910efd38dcaa2
RedLineStealer
e89843256ff5ba727b9195361447d30e88fbfb660e97aaad5cb0196fd2f0991a
RedLineStealer
ed2a3e363a6e6b4e13df5e00779a1318a267376b4a7878df7b0b2e75907c747e
RedLineStealer
+ 5 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:redline family:xmrig discovery infostealer miner spyware stealer
Link:
https://tria.ge/reports/210420-pvjsfq6hfj/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Cryptocurrency Miner
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Detected Stratum cryptominer command
XMRig Miner Payload
RedLine
xmrig
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NJRat
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9a0d57d82e15f4f45a2442d1d5355242a0fe4684039777025622dfa95a8caeec

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:EnigmaStub
Create hunting rule
Author:@bartblaze
Description:Identifies Enigma packer stub.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:Telegram_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Telegram in files like avemaria
Rule name:win_smominru_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/139575/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-20 12:37:13 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [C0026.002] Data Micro-objective::XOR::Encode Data