MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c183568a371d5bfd048cb80caed15756b50d8cb7f5e3e8ec6bce045c35216ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9c183568a371d5bfd048cb80caed15756b50d8cb7f5e3e8ec6bce045c35216ed
SHA3-384 hash: 8463b80f7f8f03c6974a6538928cb0a17af446f2a1fd018d5dc1fec0fe2ab080d0449e331ad2965ca944cf21e505e718
SHA1 hash: 166c03318e6537f41b7ef5200325e8531b55ca3a
MD5 hash: 1053a56cd35c2f1f56454de2b68b2e07
humanhash: idaho-mountain-river-quebec
File name:1053a56cd35c2f1f56454de2b68b2e07
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:878'592 bytes
First seen:2022-01-07 00:18:03 UTC
Last seen:2022-01-07 01:41:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:0RDJlKDtBcegFzQj9Zag4FEWfnEqe3GTZJdOWt:5RyHg4Fpo8O
Threatray 4'251 similar samples on MalwareBazaar
TLSH T10F151ADD51C15949CFAF07F04DFBE22E857286C6130B4BEA732E91F06B620DEA56D4A0
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
217
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1053a56cd35c2f1f56454de2b68b2e07
Verdict:
No threats detected
Analysis date:
2022-01-07 00:20:09 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/75ed1f33-69c2-4403-bee8-38b77fd07d7d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/217625/
Detection(s):
SecuriteInfo.com.AgentTesla-FDCV1053A56CD35C.5190.13335.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a window
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Sending an HTTP GET request
Sending a custom TCP request
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Launching the default Windows debugger (dwwin.exe)
Reading critical registry keys
Searching for the window
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fareit obfuscated packed
Link:
https://www.filescan.io/uploads/61d786c01c0d769df9d435bc/reports/acea4ecc-a1d4-4edf-9062-81e4f84350ba/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/60f82e8c-3394-4886-9762-bab937e1aca1
Result
Threat name:
Clipboard Hijacker Phoenix Miner Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/916586
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Contains functionality to compare user and computer (likely to detect sandboxes)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DLL side loading technique detected
Found evasive API chain (may stop execution after checking mutex)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
PE file has nameless sections
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Clipboard Hijacker
Yara detected Phoenix Miner
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 549064 Sample: sigXcEjuPZ Startdate: 07/01/2022 Architecture: WINDOWS Score: 100 72 192.168.2.1 unknown unknown 2->72 106 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->106 108 Multi AV Scanner detection for domain / URL 2->108 110 Antivirus detection for URL or domain 2->110 112 9 other signatures 2->112 10 sigXcEjuPZ.exe 3 2->10         started        13 oobeldr.exe 2->13         started        signatures3 process4 file5 70 C:\Users\user\AppData\...\sigXcEjuPZ.exe.log, ASCII 10->70 dropped 15 RegAsm.exe 15 10 10->15         started        process6 dnsIp7 76 c9d0e790b353537889bd47a364f5acff43c11f246.xyz 185.112.83.97, 49745, 80 SUPERSERVERSDATACENTERRU Russian Federation 15->76 78 49.12.47.66, 27973, 49747 HETZNER-ASDE Germany 15->78 80 cdn.discordapp.com 162.159.129.233, 443, 49746, 49748 CLOUDFLARENETUS United States 15->80 48 C:\Users\user\AppData\Roaming\whw.exe, PE32 15->48 dropped 50 C:\Users\user\AppData\Roaming\safas2f.exe, PE32+ 15->50 dropped 52 C:\Users\user\AppData\Roaming\e3dwefw.exe, PE32 15->52 dropped 54 C:\Users\user\AppData\Roaming\clipper.exe, PE32 15->54 dropped 90 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 15->90 92 Performs DNS queries to domains with low reputation 15->92 94 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 15->94 96 Tries to steal Crypto Currency Wallets 15->96 20 clipper.exe 15->20         started        23 safas2f.exe 1 2 15->23         started        26 e3dwefw.exe 1 15->26         started        28 whw.exe 3 15->28         started        file8 signatures9 process10 dnsIp11 114 Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION 20->114 116 Writes to foreign memory regions 20->116 118 Allocates memory in foreign processes 20->118 120 Injects a PE file into a foreign processes 20->120 31 AppLaunch.exe 20->31         started        66 C:\Users\user\AppData\Roaming\...\RegHost.exe, PE32+ 23->66 dropped 122 Detected unpacking (changes PE section rights) 23->122 124 Detected unpacking (overwrites its own PE header) 23->124 138 2 other signatures 23->138 36 bfsvc.exe 23->36         started        38 curl.exe 1 23->38         started        40 conhost.exe 23->40         started        68 C:\Users\user\AppData\Roaming\...\oobeldr.exe, PE32 26->68 dropped 126 Found evasive API chain (may stop execution after checking mutex) 26->126 128 Uses schtasks.exe or at.exe to add and modify task schedules 26->128 130 Contains functionality to compare user and computer (likely to detect sandboxes) 26->130 42 schtasks.exe 1 26->42         started        74 45.147.196.146, 49800, 6213 ON-LINE-DATAServerlocation-NetherlandsDrontenNL Ukraine 28->74 132 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 28->132 134 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 28->134 136 Tries to steal Crypto Currency Wallets 28->136 file12 signatures13 process14 dnsIp15 82 185.163.204.24, 49797, 49832, 80 CAUCASUS-CABLE-SYSTEMCCSAutonomousSystemGE Germany 31->82 84 5.181.156.155, 49795, 80 MIVOCLOUDMD Moldova Republic of 31->84 88 2 other IPs or domains 31->88 56 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 31->56 dropped 58 C:\Users\user\AppData\LocalLow\...\nss3.dll, PE32 31->58 dropped 60 C:\Users\user\AppData\...\mozglue.dll, PE32 31->60 dropped 64 56 other files (none is malicious) 31->64 dropped 98 Tries to steal Mail credentials (via file / registry access) 31->98 100 Tries to harvest and steal browser information (history, passwords, etc) 31->100 102 DLL side loading technique detected 31->102 62 \Device\ConDrv, ASCII 36->62 dropped 104 Hides threads from debuggers 36->104 86 api.telegram.org 149.154.167.220, 443, 49751 TELEGRAMRU United Kingdom 38->86 44 conhost.exe 38->44         started        46 conhost.exe 42->46         started        file16 signatures17 process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9c183568a371d5bfd048cb80caed15756b50d8cb7f5e3e8ec6bce045c35216ed/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-01-06 20:01:03 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
14 of 28 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tqmdk2fdohk37ucizoamv3ivovvvbwglp5pd5dwgxtqelq2sc3wq._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
016c36da3c46c38f9bc18970acf60b437503e15139fd1047f4b73cdad4d6342a
RedLineStealer
1bbee1727c791557b1119c32a93c58964414a1cce3dcc0601f92bb628e033a59
RedLineStealer
22c3fa70f641f2b75a8b0cdd6cab763c2b968e88318bac611f1a002022aeca39
RedLineStealer
63680cb50ca4c6ec5837dbc45a9a58f9b27fd33fb47e37e4e848225d0d0a1f2f
RedLineStealer
92ccbbead3ca1c2a221c3dd06da16bb15fe6aef02859087c09c7d248017d955d
RedLineStealer
932fda59abbce6378d0637c359b61b0747c9602e2e87d3105bb49ad745ed382e
RedLineStealer
+ 4'241 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer
Link:
https://tria.ge/reports/220107-alm1hsbfh6/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
49.12.47.66:27973
Unpacked files
SH256 hash:
9462435ce20957316b02c1b3683c03c709270e1b0def52b95b7828cb4b25baff
MD5 hash:
640c4216fd37f39de5aac089c4b618e1
SHA1 hash:
b5a62b201c939341542418be453ce651960efd59
Link:
https://www.unpac.me/results/b04962cb-2a1d-4b1e-b321-54aed02809e0/
SH256 hash:
9c183568a371d5bfd048cb80caed15756b50d8cb7f5e3e8ec6bce045c35216ed
MD5 hash:
1053a56cd35c2f1f56454de2b68b2e07
SHA1 hash:
166c03318e6537f41b7ef5200325e8531b55ca3a
Link:
https://www.unpac.me/results/b04962cb-2a1d-4b1e-b321-54aed02809e0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.78
Link:
https://yomi.yoroi.company/submissions/9c183568a371d5bfd048cb80caed15756b50d8cb7f5e3e8ec6bce045c35216ed

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
Create hunting rule
Author:ditekSHen
Description:Detects executables containing bas64 encoded gzip files
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 9c183568a371d5bfd048cb80caed15756b50d8cb7f5e3e8ec6bce045c35216ed

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1954083/
Cape
Cape
https://www.capesandbox.com/analysis/217625/

Comments


Avatar
zbet commented on 2022-01-07 00:18:05 UTC

url : hxxp://data-host-coin-8.com/files/9772_1641478687_9270.exe