MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b6ffb5d85f80eddc907cad75de97bdd44f0dfb76ec859128f615a3ed865f665. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9b6ffb5d85f80eddc907cad75de97bdd44f0dfb76ec859128f615a3ed865f665
SHA3-384 hash: 899b619153e2f2c3e7b5b9455b14a54ce8d79eed91d124c2c00db779e0cc4d0cb13bb6d0c4cf5fcd8e9a4bbd13be2185
SHA1 hash: 60389e35255bd94a98a52368c5e9e7784c94bb14
MD5 hash: 0ca43b4d6b15f7f528ed4f40b2c88cfa
humanhash: yankee-september-delaware-one
File name:0ca43b4d6b15f7f528ed4f40b2c88cfa.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'506'304 bytes
First seen:2022-02-12 20:55:47 UTC
Last seen:2022-02-12 23:08:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'854 x AgentTesla, 19'783 x Formbook, 12'304 x SnakeKeylogger)
ssdeep 12288:4Eneo4VgJrSlk+F4WSppvIounA+iIGzqS+fnfkmd2Z7m4SyFh8E00fkvam1LOQ:sN3xnA+ZiqSAfkmd7yZe
TLSH T1E6652FCD55C24989DE9F13F10DFBF63E81B286C623671BE9730E95F0A72118EA52C1A1
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
185.112.83.136:6223

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.112.83.136:6223 https://threatfox.abuse.ch/ioc/387272/

Intelligence

File Origin
# of uploads :
2
# of downloads :
342
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/241115/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.31811.28565.22075.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a window
Launching a process
Creating a file
Сreating synchronization primitives
Sending a custom TCP request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Query of malicious DNS domain
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62081ee7289e2f3e4fcc0c37/reports/98e388d4-d9db-48bc-9a3f-3ba7f0139da6/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/edb02f50-65d7-4957-922a-56b89d25f526
Result
Threat name:
BitCoin Miner Clipboard Hijacker RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/938866
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to compare user and computer (likely to detect sandboxes)
Creates a thread in another existing process (thread injection)
Found evasive API chain (may stop execution after checking mutex)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected Clipboard Hijacker
Yara detected RedLine Stealer
Yara detected SilentXMRMiner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 571344 Sample: 7TIOTyD8o4.exe Startdate: 12/02/2022 Architecture: WINDOWS Score: 100 96 ipwhois.app 2->96 98 cdn.discordapp.com 2->98 118 Malicious sample detected (through community Yara rule) 2->118 120 Antivirus detection for URL or domain 2->120 122 Multi AV Scanner detection for submitted file 2->122 124 5 other signatures 2->124 14 7TIOTyD8o4.exe 3 2->14         started        18 home.exe 2->18         started        20 oobeldr.exe 2->20         started        signatures3 process4 file5 94 C:\Users\user\AppData\...\7TIOTyD8o4.exe.log, ASCII 14->94 dropped 142 Writes to foreign memory regions 14->142 144 Injects a PE file into a foreign processes 14->144 22 RegAsm.exe 15 9 14->22         started        146 Antivirus detection for dropped file 18->146 148 Multi AV Scanner detection for dropped file 18->148 150 Allocates memory in foreign processes 18->150 152 Creates a thread in another existing process (thread injection) 18->152 27 conhost.exe 3 18->27         started        154 Found evasive API chain (may stop execution after checking mutex) 20->154 156 Contains functionality to compare user and computer (likely to detect sandboxes) 20->156 29 schtasks.exe 1 20->29         started        signatures6 process7 dnsIp8 106 c9d0e790b353537889bd47a364f5acff43c11f2414.xyz 185.112.83.122, 49799, 49824, 80 SUPERSERVERSDATACENTERRU Russian Federation 22->106 108 185.112.83.136, 49821, 6223 SUPERSERVERSDATACENTERRU Russian Federation 22->108 110 8 other IPs or domains 22->110 84 C:\Users\user\AppData\Roaming\e3dwefw.exe, PE32 22->84 dropped 86 C:\Users\user\AppData\Roaming\asf3r3.exe, PE32 22->86 dropped 88 C:\Users\user\AppData\Roaming\asd3wwfd.exe, PE32+ 22->88 dropped 126 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 22->126 128 Performs DNS queries to domains with low reputation 22->128 130 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 22->130 132 Tries to harvest and steal browser information (history, passwords, etc) 22->132 31 asd3wwfd.exe 22->31         started        34 e3dwefw.exe 1 22->34         started        37 asf3r3.exe 3 22->37         started        39 sihost32.exe 27->39         started        41 cmd.exe 27->41         started        43 conhost.exe 29->43         started        file9 signatures10 process11 file12 158 Antivirus detection for dropped file 31->158 160 Multi AV Scanner detection for dropped file 31->160 162 Writes to foreign memory regions 31->162 45 conhost.exe 4 31->45         started        82 C:\Users\user\AppData\Roaming\...\oobeldr.exe, PE32 34->82 dropped 164 Found evasive API chain (may stop execution after checking mutex) 34->164 166 Uses schtasks.exe or at.exe to add and modify task schedules 34->166 168 Contains functionality to compare user and computer (likely to detect sandboxes) 34->168 48 schtasks.exe 1 34->48         started        170 Machine Learning detection for dropped file 37->170 172 Injects a PE file into a foreign processes 37->172 50 RegAsm.exe 37->50         started        174 Allocates memory in foreign processes 39->174 176 Creates a thread in another existing process (thread injection) 39->176 53 conhost.exe 39->53         started        55 conhost.exe 41->55         started        57 taskkill.exe 41->57         started        signatures13 process14 dnsIp15 92 C:\Users\user\AppData\Roaming\home.exe, PE32+ 45->92 dropped 59 cmd.exe 1 45->59         started        61 cmd.exe 1 45->61         started        63 conhost.exe 48->63         started        100 ipwhois.app 50->100 102 c9d0e790b353537889bd47a364f5acff43c11f2414.xyz 50->102 104 4 other IPs or domains 50->104 file16 process17 process18 65 home.exe 59->65         started        68 conhost.exe 59->68         started        70 conhost.exe 61->70         started        72 schtasks.exe 1 61->72         started        signatures19 112 Writes to foreign memory regions 65->112 114 Allocates memory in foreign processes 65->114 116 Creates a thread in another existing process (thread injection) 65->116 74 conhost.exe 5 65->74         started        process20 file21 90 C:\Users\user\AppData\...\sihost32.exe, PE32+ 74->90 dropped 77 sihost32.exe 74->77         started        process22 signatures23 134 Antivirus detection for dropped file 77->134 136 Multi AV Scanner detection for dropped file 77->136 138 Writes to foreign memory regions 77->138 140 2 other signatures 77->140 80 conhost.exe 77->80         started        process24
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9b6ffb5d85f80eddc907cad75de97bdd44f0dfb76ec859128f615a3ed865f665/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-02-12 03:20:19 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
28 of 43 (65.12%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tnx7wxmf7ahn3sihzllv32l33vcpbx5xn3efseupmfnd5wdf6zsq._file
Verdict:
malicious
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer
Link:
https://tria.ge/reports/220212-zq16daehhl/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
185.112.83.136:6223
Unpacked files
SH256 hash:
aee3a3c942bafa742560e79552e6f0be369558ae8afc566645f48b038c140e94
MD5 hash:
7534b73114fbca26ce21f10b0fef8337
SHA1 hash:
c0d25b770927a58868ccb99073e5bb3994998bbc
Link:
https://www.unpac.me/results/703a2692-85b1-45e7-a6a6-0f4d58fea51d/
SH256 hash:
9b6ffb5d85f80eddc907cad75de97bdd44f0dfb76ec859128f615a3ed865f665
MD5 hash:
0ca43b4d6b15f7f528ed4f40b2c88cfa
SHA1 hash:
60389e35255bd94a98a52368c5e9e7784c94bb14
Link:
https://www.unpac.me/results/703a2692-85b1-45e7-a6a6-0f4d58fea51d/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:downloader_macros
Create hunting rule
Author:ddvvmmzz
Description:downloader macros
Rule name:exec_macros
Create hunting rule
Author:ddvvmmzz
Description:exec macros
Rule name:INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
Create hunting rule
Author:ditekSHen
Description:Detects executables containing bas64 encoded gzip files
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:obfuscate_macros
Create hunting rule
Author:ddvvmmzz
Description:obfuscate macros
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/241115/

Comments