MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9dc068d7399a4e643d3076bd39ed690b25eb9c25714d03cb1846449733f5eba9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9dc068d7399a4e643d3076bd39ed690b25eb9c25714d03cb1846449733f5eba9
SHA3-384 hash: 291024a27dca4c0942c13f68b75220485aaa8fe4c2571aa2feb10ebd1f3593926b38694b5ef00a02331bdd68cbc3fe8d
SHA1 hash: 694a28630f79a888b9a63adcb05b195758996b0b
MD5 hash: b6ea02f9fb9013e15efd1ed1e83630a8
humanhash: johnny-kentucky-march-arkansas
File name:b6ea02f9fb9013e15efd1ed1e83630a8
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:3'620'352 bytes
First seen:2022-09-21 14:00:02 UTC
Last seen:2022-09-21 16:28:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2557b21b8e913903bc66159999899c81 (12 x RedLineStealer, 1 x ArkeiStealer)
ssdeep 98304:43k4iJYKPpNqJWj8CsupZGlE/hSR+EmO4:43k4iJYKPpNEWj8ZupZAEZSR+E4
TLSH T102F5631F6D6159FCC4A859A940DF672F4220411E1A2DEF8E4A1C1FBB92F134AF71A24F
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
322
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b6ea02f9fb9013e15efd1ed1e83630a8
Verdict:
Suspicious activity
Analysis date:
2022-09-21 14:03:29 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a3aebd64-2d11-4e70-9089-227817cf99a7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/312078/
Detection(s):
SecuriteInfo.com.Variant.Tedy.207408.26429.26392.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Unauthorized injection to a recently created process
Creating a file
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Running batch commands
Creating a process from a recently created file
DNS request
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Using the Windows Management Instrumentation requests
Launching a process
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/632b19261bf7950e75ae659f/reports/7916022d-a446-4eaa-935d-5b8a40411570/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/60994579-743f-45a9-a97a-6d619ef97582
Result
Threat name:
CryptOne, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1074653
Signature
Antivirus detection for dropped file
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Creates HTML files with .exe extension (expired dropper behavior)
Creates multiple autostart registry keys
Detected VMProtect packer
Drops PE files with benign system names
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected CryptOne packer
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 707195 Sample: OmQTa8z7or.exe Startdate: 21/09/2022 Architecture: WINDOWS Score: 100 106 Snort IDS alert for network traffic 2->106 108 Multi AV Scanner detection for domain / URL 2->108 110 Malicious sample detected (through community Yara rule) 2->110 112 10 other signatures 2->112 11 OmQTa8z7or.exe 2 2->11         started        15 dllhost.exe 2->15         started        17 dllhost.exe 2->17         started        19 2 other processes 2->19 process3 file4 84 C:\Users\user\AppData\...\OmQTa8z7or.exe.log, ASCII 11->84 dropped 138 Creates HTML files with .exe extension (expired dropper behavior) 11->138 140 Contains functionality to inject code into remote processes 11->140 142 Drops PE files with benign system names 11->142 21 OmQTa8z7or.exe 2 11 11->21         started        26 conhost.exe 11->26         started        144 Multi AV Scanner detection for dropped file 15->144 146 Machine Learning detection for dropped file 15->146 148 Injects a PE file into a foreign processes 15->148 28 conhost.exe 15->28         started        30 dllhost.exe 15->30         started        32 conhost.exe 17->32         started        34 dllhost.exe 17->34         started        36 WerFault.exe 10 19->36         started        38 WerFault.exe 10 19->38         started        signatures5 process6 dnsIp7 96 94.26.226.51, 49707, 80 PTC-YEMENNETYE Russian Federation 21->96 98 afrigit.com 94.126.169.160, 49713, 49716, 49717 FLESK-ASPT Portugal 21->98 100 blackhk1.beget.tech 5.101.153.227, 49708, 49709, 49710 BEGET-ASRU Russian Federation 21->100 74 C:\Users\user\AppData\Roaming\...\svchost.exe, PE32+ 21->74 dropped 76 C:\Users\user\AppData\...\explorer.exe, PE32+ 21->76 dropped 78 C:\Users\user\AppData\...\M4ADBAHIA400HH3.exe, PE32 21->78 dropped 80 4 other malicious files 21->80 dropped 122 Creates multiple autostart registry keys 21->122 40 H3929JBC10KK6AK.exe 2 21->40         started        43 M4ADBAHIA400HH3.exe 21->43         started        45 J8767HL9EI8HL98.exe 2 21->45         started        47 3 other processes 21->47 102 192.168.2.1 unknown unknown 36->102 file8 signatures9 process10 dnsIp11 124 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 40->124 126 Machine Learning detection for dropped file 40->126 128 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 40->128 51 H3929JBC10KK6AK.exe 4 40->51         started        130 Multi AV Scanner detection for dropped file 43->130 132 Injects a PE file into a foreign processes 43->132 55 M4ADBAHIA400HH3.exe 43->55         started        58 J8767HL9EI8HL98.exe 45->58         started        104 iplogger.org 148.251.234.83 HETZNER-ASDE Germany 47->104 72 C:\Users\user\AppData\Local\Temp\DRubd.s2, PE32 47->72 dropped 134 Antivirus detection for dropped file 47->134 136 May check the online IP address of the machine 47->136 60 explorer.exe 47->60         started        62 control.exe 47->62         started        file12 signatures13 process14 dnsIp15 86 185.215.113.122 WHOLESALECONNECTIONSNL Portugal 51->86 114 Tries to harvest and steal browser information (history, passwords, etc) 51->114 116 Tries to steal Crypto Currency Wallets 51->116 88 passport.yandex.ru 213.180.204.24 YANDEXRU Russian Federation 55->88 90 yandex.ru 5.255.255.60 YANDEXRU Russian Federation 55->90 94 2 other IPs or domains 55->94 82 C:\Users\user\AppData\Roaming\...\dllhost.exe, PE32 55->82 dropped 118 Creates multiple autostart registry keys 55->118 92 185.215.113.216 WHOLESALECONNECTIONSNL Portugal 58->92 120 Multi AV Scanner detection for dropped file 60->120 64 WerFault.exe 20 9 60->64         started        66 rundll32.exe 62->66         started        file16 signatures17 process18 process19 68 rundll32.exe 66->68         started        process20 70 rundll32.exe 68->70         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9dc068d7399a4e643d3076bd39ed690b25eb9c25714d03cb1846449733f5eba9/
Threat name:
Win32.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2022-09-21 14:00:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=txagrvzztjhgipjqo26tt3ljbms6xhbfofgqhsyyizcjom7v5ouq._file
Verdict:
malicious
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:lyla3.18.9 botnet:sep16as1 discovery infostealer miner persistence spyware stealer vmprotect
Link:
https://tria.ge/reports/220921-razzdacaek/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
Detectes Phoenix Miner Payload
RedLine
RedLine payload
Malware Config
C2 Extraction:
185.215.113.122:15386
185.215.113.216:21921
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/6b990b8c-dd38-4f28-afed-dc5f818707ef
Unpacked files
SH256 hash:
179a2888d029db15c0d07ae1ad11ce237c0912fa975235bbac07087674884db2
MD5 hash:
6a08b034d3759c98a2ead16e880d3c66
SHA1 hash:
bc2e01fe4bc22d9ad7364022afae42997737a6ee
Link:
https://www.unpac.me/results/ad247a9c-2f6c-44c9-ab8b-b7e5acdb837e/
SH256 hash:
9dc068d7399a4e643d3076bd39ed690b25eb9c25714d03cb1846449733f5eba9
MD5 hash:
b6ea02f9fb9013e15efd1ed1e83630a8
SHA1 hash:
694a28630f79a888b9a63adcb05b195758996b0b
Link:
https://www.unpac.me/results/ad247a9c-2f6c-44c9-ab8b-b7e5acdb837e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9dc068d7399a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9dc068d7399a4e643d3076bd39ed690b25eb9c25714d03cb1846449733f5eba9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 9dc068d7399a4e643d3076bd39ed690b25eb9c25714d03cb1846449733f5eba9

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/312078/
  
URLhaus
https://urlhaus.abuse.ch/url/2309163/

Comments


Avatar
zbet commented on 2022-09-21 14:00:10 UTC

url : hxxps://manomav.com/12/TrdngAnlzr472032.exe