MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9d5ebf928258a2e9da500459de8bd2f650ef10bef03929bc0863f6b9d24481d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9d5ebf928258a2e9da500459de8bd2f650ef10bef03929bc0863f6b9d24481d9
SHA3-384 hash: 3d87fc009f950389d16875402ab42cac9a6a427e5a540795c5ac5ac9306f6ec0e9d3fa327be81e82afa63dfaa675287c
SHA1 hash: 41cdda1133478d045ec4773908a9fa96fd763cc8
MD5 hash: 520c30a8b36a7b122b2b9b631d7e5f0d
humanhash: magazine-oranges-fourteen-vegan
File name:520c30a8b36a7b122b2b9b631d7e5f0d.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:750'608 bytes
First seen:2022-12-03 00:45:15 UTC
Last seen:2022-12-03 02:28:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 8171d3b5c355b63535e1aa2a7227f5a5 (2 x RedLineStealer)
ssdeep 12288:wsyl9DOkiXH17f0ynSzbITmGiBEswKK31Ot5kPj8Niru4IdmLxuaTtY6WQ46miql:Zyl9akiXH17f00SIZ31ObkPj8NEJf46S
TLSH T1C5F4AF3134F08436DE7324720AA4FA7459BDB8312B12A6EF579C163A6F317E06F62527
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
45.32.218.212:39564

Intelligence

File Origin
# of uploads :
2
# of downloads :
205
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
520c30a8b36a7b122b2b9b631d7e5f0d.exe
Verdict:
Malicious activity
Analysis date:
2022-12-03 00:46:15 UTC
Tags:
trojan rat redline evasion
Link:
https://app.any.run/tasks/bdac5eeb-c4d3-4594-91b7-7eefa6e347b4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/342103/
Detection(s):
SecuriteInfo.com.Trojan.PWS.StealerNET.125.31190.14068.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Searching for the window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a window
Сreating synchronization primitives
DNS request
Creating a file in the %temp% directory
Creating a process from a recently created file
Sending an HTTP POST request
Changing a file
Searching for analyzing tools
Creating a process with a hidden window
Stealing user critical data
Query of malicious DNS domain
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware mokes overlay packed redline
Link:
https://www.filescan.io/uploads/638a9c4c9a505ad9423cb917/reports/1c8fbffa-a7e3-4d53-bfb1-553f83be2478/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b9a59337-849c-41ef-8b58-c7b5a29f5b37
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1126903
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Modifies power options to not sleep / hibernate
Modifies the hosts file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Potential malicious VBS script found (suspicious strings)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 759627 Sample: szA4lh2gwu.exe Startdate: 03/12/2022 Architecture: WINDOWS Score: 100 74 stratum-eu.rplant.xyz 2->74 76 pool-fr2.rplant.xyz 2->76 90 Snort IDS alert for network traffic 2->90 92 Multi AV Scanner detection for domain / URL 2->92 94 Malicious sample detected (through community Yara rule) 2->94 96 12 other signatures 2->96 10 szA4lh2gwu.exe 1 2->10         started        13 MoUSO.exe 2->13         started        15 cmd.exe 2->15         started        17 4 other processes 2->17 signatures3 process4 signatures5 106 Contains functionality to inject code into remote processes 10->106 108 Writes to foreign memory regions 10->108 110 Allocates memory in foreign processes 10->110 112 Injects a PE file into a foreign processes 10->112 19 vbc.exe 18 10 10->19         started        24 WerFault.exe 24 9 10->24         started        26 conhost.exe 10->26         started        114 Antivirus detection for dropped file 13->114 116 Multi AV Scanner detection for dropped file 13->116 118 Query firmware table information (likely to detect VMs) 13->118 126 4 other signatures 13->126 120 Uses cmd line tools excessively to alter registry or file data 15->120 122 Uses powercfg.exe to modify the power settings 15->122 124 Modifies power options to not sleep / hibernate 15->124 28 conhost.exe 15->28         started        30 sc.exe 15->30         started        36 9 other processes 15->36 32 conhost.exe 17->32         started        34 conhost.exe 17->34         started        38 7 other processes 17->38 process6 dnsIp7 78 135.125.27.235, 22883, 49706 AVAYAUS United States 19->78 80 transfer.sh 144.76.136.153, 443, 49711, 49712 HETZNER-ASDE Germany 19->80 82 cdn.discordapp.com 162.159.135.233, 443, 49707, 49708 CLOUDFLARENETUS United States 19->82 60 C:\Users\user\AppData\Local\Temp\sss.exe, PE32 19->60 dropped 62 C:\Users\user\AppData\Local\Temp\setupp.exe, PE32+ 19->62 dropped 64 C:\Users\user\AppData\Local\Temp\c.exe, PE32 19->64 dropped 98 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 19->98 100 Potential malicious VBS script found (suspicious strings) 19->100 102 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 19->102 104 2 other signatures 19->104 40 c.exe 17 19->40         started        45 setupp.exe 1 19->45         started        47 sss.exe 19->47         started        49 wscript.exe 19->49         started        66 C:\ProgramData\Microsoft\...\Report.wer, Unicode 24->66 dropped file8 signatures9 process10 dnsIp11 86 dba692117be7b6d3480fe5220fdd58b38bf.xyz 172.67.222.84, 443, 49709, 49710 CLOUDFLARENETUS United States 40->86 68 C:\Users\user\AppData\Local\cache\MoUSO.exe, PE32 40->68 dropped 128 Antivirus detection for dropped file 40->128 130 Multi AV Scanner detection for dropped file 40->130 132 Query firmware table information (likely to detect VMs) 40->132 150 4 other signatures 40->150 51 schtasks.exe 1 40->51         started        70 C:\Program Filesbehaviorgraphoogle\Chrome\updater.exe, PE32+ 45->70 dropped 72 C:\Windows\System32\drivers\etc\hosts, ASCII 45->72 dropped 134 Machine Learning detection for dropped file 45->134 136 Modifies the hosts file 45->136 138 Adds a directory exclusion to Windows Defender 45->138 140 Writes to foreign memory regions 47->140 142 Allocates memory in foreign processes 47->142 144 Injects a PE file into a foreign processes 47->144 53 vbc.exe 47->53         started        56 WerFault.exe 47->56         started        88 iplogger.com 148.251.234.93, 443, 49713 HETZNER-ASDE Germany 49->88 146 System process connects to network (likely due to code injection or exploit) 49->146 148 May check the online IP address of the machine 49->148 file12 signatures13 process14 dnsIp15 58 conhost.exe 51->58         started        84 45.32.218.212, 39564, 49715 AS-CHOOPAUS United States 53->84 process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9d5ebf928258a2e9da500459de8bd2f650ef10bef03929bc0863f6b9d24481d9/
Threat name:
Win32.Infostealer.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-11-28 17:14:42 UTC
File Type:
PE (Exe)
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tvpl7euclcrotwsqarm55c6s6zio6ef66a4stpaimp3ltuseqhmq._file
Verdict:
malicious
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:logsdiller cloud (telegram: @logsdillabot) botnet:richdazscan evasion infostealer spyware stealer themida trojan upx
Link:
https://tria.ge/reports/221203-a4msgaae85/
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Uses the VBS compiler for execution
Blocklisted process makes network request
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
Stops running service(s)
UPX packed file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Modifies security service
RedLine
RedLine payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
135.125.27.235:22883
45.32.218.212:39564
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/453d052d-a8ba-48e8-acfd-b83914b91d7d
Unpacked files
SH256 hash:
9d5ebf928258a2e9da500459de8bd2f650ef10bef03929bc0863f6b9d24481d9
MD5 hash:
520c30a8b36a7b122b2b9b631d7e5f0d
SHA1 hash:
41cdda1133478d045ec4773908a9fa96fd763cc8
Link:
https://www.unpac.me/results/0efaee45-4aea-45df-90fe-6678f43865e1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9d5ebf928258a2e9da500459de8bd2f650ef10bef03929bc0863f6b9d24481d9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/342103/

Comments