MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9cab8335127ff3b44cf40b02a517395c6ed9f29ff6485124543a2ffa97ad4682. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 6

SHA256 hash: 9cab8335127ff3b44cf40b02a517395c6ed9f29ff6485124543a2ffa97ad4682
SHA3-384 hash: f1887433d1bedcdd8d3fcd9b98dfb8eff492d5865017d8cfb50d81772915e24639bdccdbdafbfcc1e8d818cd83936d8f
SHA1 hash: 2328880d494256178b5d5ffb082137079ccb0bae
MD5 hash: 081c26384aa219057eac8f05880a8e5a
humanhash: papa-iowa-bakerloo-finch
File name: 081c26384aa219057eac8f05880a8e5a.exe
Signature: RedLineStealer
File size: 799'232 bytes
First seen: 2020-10-28 09:59:30 UTC
Last seen: 2020-10-28 12:07:50 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: b831d380405f32be656172bf4f384195 (8 x ArkeiStealer, 4 x RedLineStealer)
ssdeep: 12288:KBwIYncaxr4oGnQtL3nzLoh/CBHtP1KGNYv6hFW5Lao2M:4wtcboTtLjLoh/6HtOv6hA2M
TLSH: EF05F11176A1C975C09701FC4821DAA0427ABC35FAB0CA8777942FAF7F792D017A6F4A
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
http://rrkimal.xyz/IRemotePanel

Intelligence


File Origin
# of uploads: 2
# of downloads: 80
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Launching the default Windows debugger (dwwin.exe)
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Launching a process
Creating a file
Connecting to a non-recommended domain
Sending an HTTP POST request
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Running batch commands
Unauthorized injection to a recently created process
Connection attempt to an infection source
Stealing user critical data
Unauthorized injection to a system process
Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Binary contains a suspicious time stamp
Contains functionality to register a low level keyboard hook
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample or dropped binary is a compiled AutoHotkey binary
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 306551
Sample: 4D5cD9dKN1.exe
Startdate: 28/10/2020
Architecture: WINDOWS
Score: 100
Top-level signatures: Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 8 other signatures

Process tree (network contacts, dropped files and signatures per process, as recovered from the graph):

4D5cD9dKN1.exe
  DNS/IP: ip-api.com 208.95.112.1, 49737, 80, TUT-ASUS, United States; gferhrolklm.top 185.212.128.72, 49733, 80, INTERNET-ITNL, Germany; iplogger.org 88.99.66.31, 443, 49728, HETZNER-ASDE, Germany
  Dropped: C:\Users\user\AppData\Roaming\...\bestofd.exe (PE32); C:\Users\user\AppData\Roaming\...\bestof.exe (PE32)
  Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Contains functionality to register a low level keyboard hook; Sample or dropped binary is a compiled AutoHotkey binary
  Started: bestofd.exe; bestof.exe; WerFault.exe; 3 other processes
  bestofd.exe
    DNS/IP: jvv.nruptm.ru 81.177.135.41, 443, 49738, RTCOMM-ASRU, Russian Federation; 192.168.2.1, unknown, unknown
    Signatures: Multi AV Scanner detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures
    Started: AddInProcess32.exe (two instances)
    AddInProcess32.exe
      DNS/IP: WHOIS.RIPE.NET 193.0.6.135, 43, 49755, RIPE-NCC-AS Reseaux IP Europeens Network Coordination Centre, Netherlands; 138.124.180.19, 35200, 49749, NOKIA-ASFI, Norway; 6 other IPs or domains
      Signatures: Tries to harvest and steal browser information (history, passwords, etc)
      Started: cmd.exe
      cmd.exe
        DNS/IP: 127.0.0.1, unknown, unknown
        Signatures: Uses ping.exe to sleep
        Started: conhost.exe; PING.EXE
    AddInProcess32.exe
      Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
  bestof.exe
    DNS/IP: rrkimal.xyz 51.89.27.246, 80, OVHFR, France
    Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header)
    Started: WerFault.exe (three instances); 3 other processes
Threat name: Win32.Trojan.Glupteba
Status: Malicious
First seen: 2020-10-28 10:01:04 UTC
AV detection: 26 of 29 (89.66%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:agenttesla family:redline infostealer keylogger persistence spyware stealer trojan
Behaviour
Checks processor information in registry
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Modifies service
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla Payload
ServiceHost packer
AgentTesla
RedLine
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: RedLineStealer
File type: Executable exe
SHA256 hash: 9cab8335127ff3b44cf40b02a517395c6ed9f29ff6485124543a2ffa97ad4682 (this sample)

Delivery method: Distributed via web download

Comments