MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9d7172e0fe7ca9477ac02723fcd9428dd263b5311540bdc143f8714dc4ca7962. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 6


Intelligence 6 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9d7172e0fe7ca9477ac02723fcd9428dd263b5311540bdc143f8714dc4ca7962
SHA3-384 hash: d5c0e6acfbb6da678a735e5d35b1da18a1b2f6e9c9b299580ad10594bd65e39d5d8fc13a8d3f3f14dd030aceadebf81e
SHA1 hash: 5168b52a1a9d73a41187f165423265dfa105b516
MD5 hash: 8cb8551a6ea0ad7cfa16859ffdeaf4df
humanhash: batman-glucose-burger-montana
File name:8843_1648056140_4304.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:455'680 bytes
First seen:2022-03-25 07:28:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2dce54f61dcafaf101076114799be8bc (4 x RedLineStealer, 1 x Bdaejec)
ssdeep 12288:CO1T/vLlVE+cK/lGRgOUqmq9kR6lhKXp5Ec:C47r4K/cRgOnmq9g6mEc
Threatray 2'078 similar samples on MalwareBazaar
TLSH T1A5A4233AF4C6A1EFE046B6BB7B05F72F8218100925D166B10BEEB96EF1640B5374F416
Reporter JAMESWT_WT
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
226
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/257572/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Dropper.XtremeRAT-9942123-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed xtremerat
Link:
https://www.filescan.io/uploads/623d6f849253b276b769ee9a/reports/2114d372-7e16-4899-a768-415311f16e26/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/66711425-32d8-483d-aa4d-9f94ce469c0f
Result
Threat name:
RedLine Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/964331
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to check for running processes (XOR)
DNS related to crypt mining pools
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 596817 Sample: 8843_1648056140_4304.exe Startdate: 25/03/2022 Architecture: WINDOWS Score: 100 51 xmr-eu1.nanopool.org 2->51 53 easyproducts.org 2->53 73 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->73 75 Multi AV Scanner detection for domain / URL 2->75 77 Found malware configuration 2->77 79 13 other signatures 2->79 9 8843_1648056140_4304.exe 2->9         started        11 RegHost.exe 4 2->11         started        signatures3 process4 file5 15 RegSvcs.exe 15 8 9->15         started        20 WerFault.exe 23 9 9->20         started        45 C:\Users\user\AppData\...\RegModule.exe, PE32+ 11->45 dropped 47 C:\Users\user\AppData\Roaming\...\RegData.exe, PE32+ 11->47 dropped 49 C:\Users\user\AppData\...\OneDrive.exe, PE32+ 11->49 dropped 81 Writes to foreign memory regions 11->81 83 Allocates memory in foreign processes 11->83 85 Modifies the context of a thread in another process (thread injection) 11->85 87 Injects a PE file into a foreign processes 11->87 22 bfsvc.exe 1 11->22         started        24 conhost.exe 11->24         started        26 notepad.exe 11->26         started        signatures6 process7 dnsIp8 59 104.244.76.137, 4487, 49768 PONYNETUS United States 15->59 61 cdn.discordapp.com 162.159.134.233, 443, 49777, 49778 CLOUDFLARENETUS United States 15->61 63 192.168.2.1 unknown unknown 15->63 39 C:\Users\user\AppData\Local\Temp\clii.exe, PE32 15->39 dropped 41 C:\Users\user\AppData\Local\Temp\bbb.exe, PE32+ 15->41 dropped 65 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 15->65 67 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 15->67 69 Tries to harvest and steal browser information (history, passwords, etc) 15->69 71 Tries to steal Crypto Currency Wallets 15->71 28 clii.exe 12 15->28         started        32 bbb.exe 1 2 15->32         started        35 conhost.exe 22->35         started        file9 signatures10 process11 dnsIp12 55 188.120.232.237, 80 THEFIRST-ASRU Russian Federation 28->55 89 Antivirus detection for dropped file 28->89 91 Multi AV Scanner detection for dropped file 28->91 93 Contains functionality to check for running processes (XOR) 28->93 95 Machine Learning detection for dropped file 28->95 57 185.137.234.33, 49781, 49782, 49783 SELECTELRU Russian Federation 32->57 43 C:\Users\user\AppData\Roaming\...\RegHost.exe, PE32+ 32->43 dropped 37 conhost.exe 32->37         started        file13 signatures14 process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9d7172e0fe7ca9477ac02723fcd9428dd263b5311540bdc143f8714dc4ca7962/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-03-25 06:55:08 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tvyxfyh6psuuo6wae4r7zwkcrxjghnjrcval3qkd7byu3rgkpfra._file
Verdict:
malicious
Similar samples:
10439267c16298a7db67d926a14d5a5b0ce5e23ab6574439be521bc1239d670e
RedLineStealer
1fca453f1f9a6acf20ba5a9828178d70426e7f8e58ec6116f2aacf96053e0037
RedLineStealer
24cf5566094b9c99b75303995b503b3285531d1313658f318a931424c9ef46d3
RedLineStealer
36ee4fbc9c01f112929fdcb601c68a96a1b2e16bef985ebe0b9799e30baadcc7
RedLineStealer
4109d37d472fafa83b2c8303afd3fe9c25d58e763d706ae8f660a9f150971665
RedLineStealer
615bdcc0965d35255d99668380668e1811effaa80cc69c1c78f6a455be86c685
RedLineStealer
d4d4c170bf58fd8d9879f634a19c7acf68a6c4c5848eae9455987a7c21f14b40
RedLineStealer
fe7e378c72ec43fca46360a46a8fc8c0d5ec0f4739ce3286610774fdec47edda
RedLineStealer
+ 2'068 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220325-ja9vksgebj/
Unpacked files
SH256 hash:
3a2ebad449171d03acb8d5518ce8aafa87cd64b876b320c013cc751e64307fe9
MD5 hash:
619c0cf0de209701618b2c645f421605
SHA1 hash:
55b96af1ead301a2f5b5a2022d944efb8f476f54
Link:
https://www.unpac.me/results/8d405bf6-26be-473b-b385-4399bd5ae46a/
SH256 hash:
73929e3c1a56f59c2a37926e2b8471f365a53a2273ede4564306b9b1319e6351
MD5 hash:
6b13437898d85445ab95d7d83a68d7c3
SHA1 hash:
6d760c83a6acc836c9351eecceeffdd16008b6cd
Link:
https://www.unpac.me/results/8d405bf6-26be-473b-b385-4399bd5ae46a/
SH256 hash:
9d7172e0fe7ca9477ac02723fcd9428dd263b5311540bdc143f8714dc4ca7962
MD5 hash:
8cb8551a6ea0ad7cfa16859ffdeaf4df
SHA1 hash:
5168b52a1a9d73a41187f165423265dfa105b516
Link:
https://www.unpac.me/results/8d405bf6-26be-473b-b385-4399bd5ae46a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/9d7172e0fe7ca9477ac02723fcd9428dd263b5311540bdc143f8714dc4ca7962

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Redline_Stealer_Monitor
Create hunting rule
Description:Detects RedLine Stealer Variants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/257572/

Comments