MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9a62aca3402b4999b3db621daa96af02e7cd5d2059d0e99fbce5e39c034e6146. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9a62aca3402b4999b3db621daa96af02e7cd5d2059d0e99fbce5e39c034e6146
SHA3-384 hash: 31321dd7ae4fc709fb2d3aa7d01910b95945fc7d982ad8ccbed3218229dd7a731d823b6413e3bec1ec52428ba14100ad
SHA1 hash: 003146fa82aada03297535f4e1e268cb62edcdfb
MD5 hash: d441d6c4f001dfc617a8f23f9ef2170b
humanhash: four-massachusetts-oscar-four
File name:d441d6c4f001dfc617a8f23f9ef2170b
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:857'459 bytes
First seen:2021-09-20 09:49:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cfda23baf1e2e983ddfeca47a5c755a (33 x RedLineStealer, 6 x Dridex, 5 x NetSupport)
ssdeep 12288:oY20AljdZgBPfKfm/c9twQxAogJfqsUsz0cX0JWQK5qY/CNzgYMmBXF:t20gPgFKaOwQxAVBbIcXIWWHNDMmBV
Threatray 160 similar samples on MalwareBazaar
TLSH T15305122275D1C032E96315709CE8E336FDB9F5709A75A58F77C44B2D2B31AA2831AB43
dhash icon b23b196d1971278e (1 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
142
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d441d6c4f001dfc617a8f23f9ef2170b
Verdict:
Malicious activity
Analysis date:
2021-09-20 09:52:39 UTC
Tags:
trojan rat redline stealer
Link:
https://app.any.run/tasks/0599ebb2-71ee-4617-a8d2-356e90caa0fa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/189375/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.24943.1502.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Moving a recently created file
Deleting a recently created file
Self-deleting of the BAT file
Launching a process
Using the Windows Management Instrumentation requests
Launching a service
DNS request
Connection attempt
Sending a custom TCP request
Creating a file in the %temp% directory
Reading critical registry keys
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Launching a tool to kill processes
Connection attempt to an infection source
Sending a TCP request to an infection source
Malware family:
DanaBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e501d172-64a0-4c66-ab56-a829a5fbe111
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/853900
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 486332 Sample: geXgPcC4Y1 Startdate: 20/09/2021 Architecture: WINDOWS Score: 100 65 Found malware configuration 2->65 67 Multi AV Scanner detection for submitted file 2->67 69 Yara detected RedLine Stealer 2->69 12 geXgPcC4Y1.exe 3 8 2->12         started        process3 file4 49 C:\Terminal8427\hoders\winfss.exe, PE32 12->49 dropped 15 wscript.exe 1 12->15         started        process5 process6 17 cmd.exe 2 15->17         started        signatures7 63 Uses cmd line tools excessively to alter registry or file data 17->63 20 wscript.exe 1 17->20         started        22 winfss.exe 5 17->22         started        25 conhost.exe 17->25         started        27 3 other processes 17->27 process8 file9 29 cmd.exe 1 20->29         started        47 C:\Terminal8427\hoders\kerclean.exe, PE32 22->47 dropped process10 signatures11 75 Uses cmd line tools excessively to alter registry or file data 29->75 32 kerclean.exe 29->32         started        35 conhost.exe 29->35         started        37 timeout.exe 1 29->37         started        39 5 other processes 29->39 process12 signatures13 55 Multi AV Scanner detection for dropped file 32->55 57 Detected unpacking (changes PE section rights) 32->57 59 Detected unpacking (overwrites its own PE header) 32->59 61 3 other signatures 32->61 41 kerclean.exe 15 34 32->41         started        process14 dnsIp15 51 185.215.113.107, 49755, 61144 WHOLESALECONNECTIONSNL Portugal 41->51 53 api.ip.sb 41->53 71 Tries to harvest and steal browser information (history, passwords, etc) 41->71 73 Tries to steal Crypto Currency Wallets 41->73 45 conhost.exe 41->45         started        signatures16 process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9a62aca3402b4999b3db621daa96af02e7cd5d2059d0e99fbce5e39c034e6146/
Threat name:
ByteCode-MSIL.Infostealer.Reline
Create hunting rule
Status:
Malicious
First seen:
2021-09-18 13:35:08 UTC
AV detection:
13 of 28 (46.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tjrkzi2afneztm63mio2vfvpalt42xjalhioth544xrzya2omfda._file
Verdict:
malicious
Similar samples:
1db3436f625cebe977fb3a664dda374d3873e50d4f4f46c50a258949905f7494
RedLineStealer
5baefc57ae960f417755af1a5c0b76b3312be349dd69c3fdcab7630270ad7bf7
RedLineStealer
89ba3afda1cec9c96eb1eb933fd09f346804e8c7df46b10fc384cc8762d64582
RedLineStealer
9f322df416d8c350f577677c1654efde29b5bbfc09e2510403953d1af7e37875
RedLineStealer
cb8bd17e49390c51c71aeb5176fabd5c0dcef8aca83c7dce4af0b3e378c2e5ee
RedLineStealer
+ 150 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:newaq331 discovery evasion infostealer spyware stealer
Link:
https://tria.ge/reports/210920-ltyb1adeg8/
Behaviour
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Sets file to hidden
RedLine
RedLine Payload
Malware Config
C2 Extraction:
185.215.113.107:61144
Unpacked files
SH256 hash:
4a92029116543bed528226cc375c81c0645b1e31ce8a42f0d9b34b80c2b7ebdb
MD5 hash:
eab5531d7a31ea9053b93cd0daa4c3a7
SHA1 hash:
c6262bda889e2dd38bec7811c5de8d244033c263
Link:
https://www.unpac.me/results/a483c33a-e515-4180-9dcd-e40856c2af29/
SH256 hash:
b2cb4b5d3616ceb151f6575c2612b7b97d21eef1ee6f5f674205928a0a1d0baa
MD5 hash:
ad9e1e701575441d3edf124fd21b4c6c
SHA1 hash:
b2887f5c3ca7ecf14ccccd5f059051d30141906e
Link:
https://www.unpac.me/results/a483c33a-e515-4180-9dcd-e40856c2af29/
SH256 hash:
8548ee44b75edc676a1f71887ee7a2483bc4476e9b1c89f84876791ffb7209c7
MD5 hash:
d950582fb851dcd7b4b7d92e43fd68f6
SHA1 hash:
662d70fc3c2047e0a732a76351cc5979056f410b
Link:
https://www.unpac.me/results/a483c33a-e515-4180-9dcd-e40856c2af29/
SH256 hash:
03cb7118a895e94624c757cdd15234d0268f8c645d12b9430ef9af22e7ba9e49
MD5 hash:
36d7c6412f112fbb077addf90897a21f
SHA1 hash:
33e078e7e0d67972aa00ee7f60fd1a392581b854
Link:
https://www.unpac.me/results/a483c33a-e515-4180-9dcd-e40856c2af29/
SH256 hash:
12c169db285b300d5af5b8d181278d917f57a5685e4fa33425fa43cc5c88e0ed
MD5 hash:
e0d1108fb6a30e92aa3850758b14aadd
SHA1 hash:
2ec3ea9c6d2487846cc407822f0515592c84b20f
Link:
https://www.unpac.me/results/a483c33a-e515-4180-9dcd-e40856c2af29/
SH256 hash:
9a62aca3402b4999b3db621daa96af02e7cd5d2059d0e99fbce5e39c034e6146
MD5 hash:
d441d6c4f001dfc617a8f23f9ef2170b
SHA1 hash:
003146fa82aada03297535f4e1e268cb62edcdfb
Link:
https://www.unpac.me/results/a483c33a-e515-4180-9dcd-e40856c2af29/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9a62aca3402b4999b3db621daa96af02e7cd5d2059d0e99fbce5e39c034e6146

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:dridex_halo_generated
Create hunting rule
Author:Halogen Generated Rule, Corsin Camichel
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 9a62aca3402b4999b3db621daa96af02e7cd5d2059d0e99fbce5e39c034e6146

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/189375/
  
URLhaus
https://urlhaus.abuse.ch/url/1635121/
  
URLhaus
https://urlhaus.abuse.ch/url/1635127/

Comments


Avatar
zbet commented on 2021-09-20 09:49:59 UTC

url : hxxp://195.2.74.104/booster.exe