MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b40f999199db0e50c96506a4f66375ba4921590073e61b633d5da9fb668d3e5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9b40f999199db0e50c96506a4f66375ba4921590073e61b633d5da9fb668d3e5
SHA3-384 hash: 99cab24b8219976ee633d658de7d5a6a420bd76bada3c3b00df4b74cbf8d688b4158369ca05b1e34367a2b86d9baab54
SHA1 hash: 24b94acc185a1f73ecbc12f625d53d9b053e2cca
MD5 hash: 25924973bbbad9dd140451a37504ef54
humanhash: jig-uncle-high-football
File name:25924973bbbad9dd140451a37504ef54
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:926'768 bytes
First seen:2022-01-06 20:40:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d7e6ef9588851289fa5923db912b0af8 (1 x RedLineStealer)
ssdeep 24576:ni+vU7Llr0zgqi1zNo20sKR1jb4sROKX/fP8H2v:i+RzgDvMR1dn
Threatray 1 similar samples on MalwareBazaar
TLSH T11C151286EB404BE0CC5987B9957ACE338B523D796838AA1C5C8E31737BBB3C5341E915
File icon (PE):PE icon
dhash icon cad2c2b2daaaaaca (1 x RedLineStealer)
Reporter zbetcheckin
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
215
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
25924973bbbad9dd140451a37504ef54
Verdict:
Malicious activity
Analysis date:
2022-01-06 20:46:37 UTC
Tags:
trojan rat redline loader
Link:
https://app.any.run/tasks/b7e410cc-7d68-4ee4-93a8-153e15f1ddce

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/217609/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.47839426.16491.28523.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Searching for analyzing tools
Сreating synchronization primitives
DNS request
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Reading critical registry keys
Creating a file in the %temp% directory
Creating a process from a recently created file
Sending a TCP request to an infection source
Stealing user critical data
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
bladabindi greyware overlay packed wacatac
Link:
https://www.filescan.io/uploads/61d753e002e388f9fdb0dcfb/reports/8618c030-a542-4a48-9952-80c0f6d2cd30/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/350136a2-ad30-4a71-bc10-acf75c15649a
Result
Threat name:
RedLine Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/916521
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus detection for URL or domain
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected unpacking (changes PE section rights)
Detected VMProtect packer
Drops PE files with benign system names
Encrypted powershell cmdline option found
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Potential dropper URLs found in powershell memory
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 548999 Sample: mLgYYyCir9 Startdate: 06/01/2022 Architecture: WINDOWS Score: 100 83 Found malware configuration 2->83 85 Antivirus detection for URL or domain 2->85 87 Yara detected RedLine Stealer 2->87 89 8 other signatures 2->89 10 mLgYYyCir9.exe 15 8 2->10         started        15 cmd.exe 2->15         started        process3 dnsIp4 75 91.243.32.101, 1568, 49749 MATTEOGB Russian Federation 10->75 77 91.243.32.180, 49752, 49753, 80 MATTEOGB Russian Federation 10->77 63 C:\Users\user\AppData\Local\Temp\build3.exe, PE32+ 10->63 dropped 65 C:\Users\user\AppData\Local\Temp\build2.exe, PE32+ 10->65 dropped 67 C:\Users\user\AppData\...\mLgYYyCir9.exe.log, ASCII 10->67 dropped 105 Detected unpacking (changes PE section rights) 10->105 107 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 10->107 109 Tries to detect sandboxes and other dynamic analysis tools (window names) 10->109 113 6 other signatures 10->113 17 build3.exe 4 10->17         started        21 build2.exe 10->21         started        111 Encrypted powershell cmdline option found 15->111 24 conhost.exe 15->24         started        26 powershell.exe 15->26         started        28 powershell.exe 15->28         started        file5 signatures6 process7 dnsIp8 61 C:\Users\user\AppData\...\services.exe, PE32+ 17->61 dropped 91 Multi AV Scanner detection for dropped file 17->91 93 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 17->93 95 Drops PE files with benign system names 17->95 30 cmd.exe 17->30         started        32 cmd.exe 1 17->32         started        35 cmd.exe 17->35         started        69 youtube-ui.l.google.com 142.250.186.142, 443, 49754 GOOGLEUS United States 21->69 71 accounts.google.com 172.217.16.141, 443, 49755 GOOGLEUS United States 21->71 73 www.youtube.com 21->73 97 Tries to harvest and steal browser information (history, passwords, etc) 21->97 file9 signatures10 process11 signatures12 37 services.exe 30->37         started        40 conhost.exe 30->40         started        79 Encrypted powershell cmdline option found 32->79 81 Uses schtasks.exe or at.exe to add and modify task schedules 32->81 42 powershell.exe 22 32->42         started        44 powershell.exe 21 32->44         started        46 conhost.exe 32->46         started        48 conhost.exe 35->48         started        50 schtasks.exe 35->50         started        process13 signatures14 101 Multi AV Scanner detection for dropped file 37->101 103 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 37->103 52 cmd.exe 37->52         started        process15 signatures16 99 Encrypted powershell cmdline option found 52->99 55 conhost.exe 52->55         started        57 powershell.exe 52->57         started        59 powershell.exe 52->59         started        process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9b40f999199db0e50c96506a4f66375ba4921590073e61b633d5da9fb668d3e5/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2022-01-06 20:41:11 UTC
File Type:
PE (Exe)
Extracted files:
29
AV detection:
33 of 43 (76.74%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
03430361a6d2fe6c89d6b237ca9b887cc6269187b305afc9ef3d8642533698c4
RedLineStealer
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery spyware stealer upx vmprotect
Link:
https://tria.ge/reports/220106-zgewsacadj/
Behaviour
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
VMProtect packed file
Unpacked files
SH256 hash:
46a248fa9cc4e1ea65b8e2fd1e57f72f99460b33b03b622c19b2d7cb15416b4a
MD5 hash:
7a79ea1d8a993b5c4fc71d8a4ca5d67b
SHA1 hash:
24e1b6964de5820d1870bc836493e10a28afde4b
Link:
https://www.unpac.me/results/b4770081-f42a-4802-a07c-ee41fefc5ca1/
SH256 hash:
9b40f999199db0e50c96506a4f66375ba4921590073e61b633d5da9fb668d3e5
MD5 hash:
25924973bbbad9dd140451a37504ef54
SHA1 hash:
24b94acc185a1f73ecbc12f625d53d9b053e2cca
Link:
https://www.unpac.me/results/b4770081-f42a-4802-a07c-ee41fefc5ca1/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/9b40f999199d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9b40f999199db0e50c96506a4f66375ba4921590073e61b633d5da9fb668d3e5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 9b40f999199db0e50c96506a4f66375ba4921590073e61b633d5da9fb668d3e5

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1953766/
Cape
Cape
https://www.capesandbox.com/analysis/217609/

Comments


Avatar
zbet commented on 2022-01-06 20:40:48 UTC

url : hxxp://45.144.225.57/WW/blood.exe