MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b8839c52246d01b747d37af34403a800ac06bd4d1441ed948e0d06fc12307f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9b8839c52246d01b747d37af34403a800ac06bd4d1441ed948e0d06fc12307f7
SHA3-384 hash: c077bfc5caa6ae3ad55a4c225aad8610eb17c16a90974681e50e128b9e34439f6a70a755be43d0e6975c741885b3aedb
SHA1 hash: c801a344975d60c2833c5c387ce1ec54c56ee372
MD5 hash: 6ad7031275c1cb2e33b97e0c181b2fea
humanhash: equal-hotel-coffee-angel
File name:6ad7031275c1cb2e33b97e0c181b2fea
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:938'290 bytes
First seen:2021-11-01 23:38:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cfda23baf1e2e983ddfeca47a5c755a (33 x RedLineStealer, 6 x Dridex, 5 x NetSupport)
ssdeep 24576:G20gPgFK0LQxAVBbIcX8TuxmQ3fq9KnfQBiFEvkatVv0ag:PK4xAjIEvYQvdfQBSEfVsx
Threatray 191 similar samples on MalwareBazaar
TLSH T1D815122236C18072E9535970ACE46332EA79FD306B72A68BB7C08F5E7F35592C716312
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
114
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6ad7031275c1cb2e33b97e0c181b2fea
Verdict:
Malicious activity
Analysis date:
2021-11-01 23:40:43 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/bd8216fc-91cc-4b2e-8350-7674c6284505

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/201225/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.24943.1502.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Moving a recently created file
Deleting a recently created file
Self-deleting of the BAT file
Launching a process
Using the Windows Management Instrumentation requests
Connection attempt
Sending a custom TCP request
Reading critical registry keys
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Launching a tool to kill processes
Stealing user critical data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
80%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/61807a989982ff7c3f797b8f/reports/e119d58a-b755-4ce7-8ec6-f375e0c0f59f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/4c1e1ec8-af32-4191-8956-f415f367665a
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/880875
Signature
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 513304 Sample: 0eAM7Q1CQ4 Startdate: 02/11/2021 Architecture: WINDOWS Score: 100 52 Found malware configuration 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 Yara detected RedLine Stealer 2->56 58 Found many strings related to Crypto-Wallets (likely being stolen) 2->58 11 0eAM7Q1CQ4.exe 3 7 2->11         started        process3 file4 46 C:\PLK5043546\PLK5043546.exe, PE32 11->46 dropped 14 wscript.exe 1 11->14         started        process5 process6 16 cmd.exe 2 14->16         started        signatures7 50 Uses cmd line tools excessively to alter registry or file data 16->50 19 wscript.exe 1 16->19         started        21 PLK5043546.exe 5 16->21         started        24 conhost.exe 16->24         started        26 3 other processes 16->26 process8 file9 28 cmd.exe 1 19->28         started        44 C:\PLK5043546\pgfujyu.exe, PE32 21->44 dropped process10 signatures11 64 Uses cmd line tools excessively to alter registry or file data 28->64 31 pgfujyu.exe 28->31         started        34 conhost.exe 28->34         started        36 timeout.exe 1 28->36         started        38 5 other processes 28->38 process12 signatures13 66 Multi AV Scanner detection for dropped file 31->66 68 Detected unpacking (changes PE section rights) 31->68 70 Detected unpacking (overwrites its own PE header) 31->70 72 5 other signatures 31->72 40 pgfujyu.exe 5 31->40         started        process14 dnsIp15 48 80.66.87.55, 11327, 49746 WORLDSTREAMNL Russian Federation 40->48 60 Tries to harvest and steal browser information (history, passwords, etc) 40->60 62 Tries to steal Crypto Currency Wallets 40->62 signatures16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9b8839c52246d01b747d37af34403a800ac06bd4d1441ed948e0d06fc12307f7/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-11-01 23:39:04 UTC
AV detection:
12 of 44 (27.27%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=toedtrjci3ibw5d5g6xtiqb2qafma26u2fcb5wki4dig7qjda73q._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
390b39cdaafcbe4f315a8a157fc2a7be6bdc11e2598657fd3e26ac8ba8421baf
RedLineStealer
5baefc57ae960f417755af1a5c0b76b3312be349dd69c3fdcab7630270ad7bf7
RedLineStealer
89ba3afda1cec9c96eb1eb933fd09f346804e8c7df46b10fc384cc8762d64582
RedLineStealer
9a62aca3402b4999b3db621daa96af02e7cd5d2059d0e99fbce5e39c034e6146
RedLineStealer
9f322df416d8c350f577677c1654efde29b5bbfc09e2510403953d1af7e37875
RedLineStealer
b8ca6d1a4a9eb79150cc8ac9a36f1c5f9448be4b41eae668b5e32c25aa34a837
RedLineStealer
c095ab547c4a1ce16be8742ab6ebbd79989a304fdabdcbfae390087d4c438592
RedLineStealer
f71af69d5802a003452e0401c936c344911f215d6d8a9f34359b9d1cdc758542
RedLineStealer
+ 181 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:new discovery evasion infostealer spyware stealer
Link:
https://tria.ge/reports/211101-3m96nafhfm/
Behaviour
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Sets file to hidden
RedLine
RedLine Payload
Malware Config
C2 Extraction:
80.66.87.55:11327
Unpacked files
SH256 hash:
183dae82720c46284736f57c17dc9c24c8661c4701b2660d70d02a4190a3c027
MD5 hash:
0506e1b5b472dfadbab872535dae5947
SHA1 hash:
8127dfdb0a9944e552073d9e2405045fc21aaa1f
Link:
https://www.unpac.me/results/0eb06278-9ece-4a31-ae69-40034511ae8b/
SH256 hash:
837ee3cb4e581323373b8648afea8855349fe164de3fd98893feef087f8ae10c
MD5 hash:
a0225cff113153116518eda7246fa7b8
SHA1 hash:
1cf5fbebd935c1c389a537fbcd6e43c26cfee2d2
Link:
https://www.unpac.me/results/0eb06278-9ece-4a31-ae69-40034511ae8b/
SH256 hash:
e3a2b496e75e442eb847c086ffd128fef10c83cf36060b66bb69179cd7c84bd5
MD5 hash:
da5936e5b4d60cc97c7500b145cc3223
SHA1 hash:
db3a5c63502100b68a4cf7c801e56df65651e56e
Link:
https://www.unpac.me/results/0eb06278-9ece-4a31-ae69-40034511ae8b/
SH256 hash:
a8bf055aca1ae35d450264bfd4621014174b4fd0be33c3d3da56fdb5118d5031
MD5 hash:
aed25bcef22d6321ca7b3f4aaec30601
SHA1 hash:
a342e615cb86635fea783f8529053e6fcc8eb969
Link:
https://www.unpac.me/results/0eb06278-9ece-4a31-ae69-40034511ae8b/
SH256 hash:
0bf85a1be4d3e63f475eb6589c41a2990de78f77ab91dc2113c535ead5d13ec0
MD5 hash:
c43620e31c29bda3b08b8474fbb2d5f6
SHA1 hash:
84bd8d76ef025ee145d863a59de708a56decf77d
Link:
https://www.unpac.me/results/0eb06278-9ece-4a31-ae69-40034511ae8b/
SH256 hash:
9b8839c52246d01b747d37af34403a800ac06bd4d1441ed948e0d06fc12307f7
MD5 hash:
6ad7031275c1cb2e33b97e0c181b2fea
SHA1 hash:
c801a344975d60c2833c5c387ce1ec54c56ee372
Link:
https://www.unpac.me/results/0eb06278-9ece-4a31-ae69-40034511ae8b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9b8839c52246d01b747d37af34403a800ac06bd4d1441ed948e0d06fc12307f7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 9b8839c52246d01b747d37af34403a800ac06bd4d1441ed948e0d06fc12307f7

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1737619/
Cape
Cape
https://www.capesandbox.com/analysis/201225/

Comments


Avatar
zbet commented on 2021-11-01 23:38:15 UTC

url : hxxp://94.103.88.253/Registry.exe