MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f322df416d8c350f577677c1654efde29b5bbfc09e2510403953d1af7e37875. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9f322df416d8c350f577677c1654efde29b5bbfc09e2510403953d1af7e37875
SHA3-384 hash: 8e908a637844a263c0175391de5733d0aea128419034e22b25e6ee2da5c9b09592e8864310a7a788cadf3f4e0ab24ec8
SHA1 hash: dd333960f92e5feaa96071641cf485d210dbf7ee
MD5 hash: 6265ce87d54f68b1031341d5f335e970
humanhash: cold-vegan-ink-oscar
File name:6265ce87d54f68b1031341d5f335e970
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:739'451 bytes
First seen:2021-08-12 02:50:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cfda23baf1e2e983ddfeca47a5c755a (33 x RedLineStealer, 6 x Dridex, 5 x NetSupport)
ssdeep 12288:pY20AljdZgBPfKf34MQxAogJfqsUsz0cX0s5liCQie/cR0NzvnZ3/YW+5:e20gPgFKQMQxAVBbIcXpwC/ekRuZ3QR5
Threatray 106 similar samples on MalwareBazaar
TLSH T1FEF4122236D1E031E96315309DF4A767EA7CB9316E76658BB7900B1E3F716A2C227703
dhash icon 70f0e0f0f0f0f070 (1 x RedLineStealer, 1 x Kovter)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
131
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6265ce87d54f68b1031341d5f335e970
Verdict:
Malicious activity
Analysis date:
2021-08-12 02:51:10 UTC
Tags:
trojan rat redline stealer
Link:
https://app.any.run/tasks/adae23bb-7c8b-4a08-820c-f792b16a1b2c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/178424/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.24943.1502.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Launching a process
Moving a recently created file
Using the Windows Management Instrumentation requests
Connection attempt to an infection source
Deleting a recently created file
Sending a UDP request
DNS request
Connection attempt
Sending a custom TCP request
Creating a file in the %temp% directory
Reading critical registry keys
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Launching a tool to kill processes
Query of malicious DNS domain
Stealing user critical data
Sending an HTTP POST request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DanaBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b39533a3-fbb9-4423-ac8d-991145a154f4
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/831366
Signature
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops batch files with force delete cmd (self deletion)
Drops PE files with a suspicious file extension
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 463797 Sample: AVtmEjHPZh Startdate: 12/08/2021 Architecture: WINDOWS Score: 100 66 Multi AV Scanner detection for domain / URL 2->66 68 Found malware configuration 2->68 70 Antivirus detection for URL or domain 2->70 72 4 other signatures 2->72 12 AVtmEjHPZh.exe 3 8 2->12         started        process3 file4 50 C:\Soft\trusted\trust_cert.com, PE32 12->50 dropped 52 C:\Soft\trusted\1at.bat, ASCII 12->52 dropped 80 Drops batch files with force delete cmd (self deletion) 12->80 82 Drops PE files with a suspicious file extension 12->82 16 wscript.exe 1 12->16         started        signatures5 process6 process7 18 cmd.exe 2 16->18         started        signatures8 74 Uses cmd line tools excessively to alter registry or file data 18->74 21 wscript.exe 1 18->21         started        23 trust_cert.com 5 18->23         started        26 conhost.exe 18->26         started        28 3 other processes 18->28 process9 file10 30 cmd.exe 1 21->30         started        48 C:\Soft\trusted\ledarx.exe, PE32 23->48 dropped process11 signatures12 84 Uses cmd line tools excessively to alter registry or file data 30->84 33 ledarx.exe 30->33         started        36 conhost.exe 30->36         started        38 timeout.exe 1 30->38         started        40 5 other processes 30->40 process13 signatures14 58 Multi AV Scanner detection for dropped file 33->58 60 Detected unpacking (changes PE section rights) 33->60 62 Detected unpacking (overwrites its own PE header) 33->62 64 6 other signatures 33->64 42 ledarx.exe 15 30 33->42         started        process15 dnsIp16 54 warinneyan.xyz 212.224.105.82, 49722, 49730, 80 DE-FIRSTCOLOwwwfirst-colonetDE Germany 42->54 56 api.ip.sb 42->56 76 Tries to harvest and steal browser information (history, passwords, etc) 42->76 78 Tries to steal Crypto Currency Wallets 42->78 46 conhost.exe 42->46         started        signatures17 process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9f322df416d8c350f577677c1654efde29b5bbfc09e2510403953d1af7e37875/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=t4zc35aw3dbvb5lxm56bmvhp3yu3lo74bhrfcbadsu6rv57dpb2q._file
Verdict:
malicious
Similar samples:
1db3436f625cebe977fb3a664dda374d3873e50d4f4f46c50a258949905f7494
RedLineStealer
390b39cdaafcbe4f315a8a157fc2a7be6bdc11e2598657fd3e26ac8ba8421baf
RedLineStealer
4da1e9b11e61a8f2633da08aa63bb869e7130d04b15d06a81db1047f687ebcc5
RedLineStealer
577bbf239604ed454f342bdb85a2f12d460861440c11b372773197ae40310d70
RedLineStealer
8db349616cde817bced583746ee9440259932f320056c442282785a9972a4b01
RedLineStealer
a6d3f74228ee18a19579010cd5fe3cc98f2c53dc43452325ba57a69f1253d7a5
RedLineStealer
cb8bd17e49390c51c71aeb5176fabd5c0dcef8aca83c7dce4af0b3e378c2e5ee
RedLineStealer
+ 96 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:kubunt discovery evasion infostealer spyware stealer
Link:
https://tria.ge/reports/210812-cs4kpy429x/
Behaviour
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Sets file to hidden
RedLine
RedLine Payload
Malware Config
C2 Extraction:
warinneyan.xyz:80
Unpacked files
SH256 hash:
b107eff8eff65341e2e897794a9ccff1b898bd8fae618a953dce079b0ec952e4
MD5 hash:
ee31fd025db7d25e1411c5ac9337431b
SHA1 hash:
9a634d2221be80a60d7e83c57afe64c0b1529e9b
Link:
https://www.unpac.me/results/3e242a16-3d17-4936-94be-9ff570ef8680/
SH256 hash:
a1c1a0e5c041f60d10e2ae426739c44393d13fec575cda29275a5f5554d6b5ec
MD5 hash:
e84aab33aba710a7f3d65085c46ccb0f
SHA1 hash:
927f84bafd08af73b6ad3cb2b97616c6aee62f6b
Link:
https://www.unpac.me/results/3e242a16-3d17-4936-94be-9ff570ef8680/
SH256 hash:
4f9fb94d254f9e0359bd737def48eb87429f1cfcdd9cb37a04781ceaaf3a006e
MD5 hash:
38a9bb2896759f65c0b87966da6607b7
SHA1 hash:
5e85d6300cf297a357f98c2bed4343d27a688f04
Link:
https://www.unpac.me/results/3e242a16-3d17-4936-94be-9ff570ef8680/
SH256 hash:
8a5a7cfe5004ac878e741976a71439ca54a4f81f04462744ce66f23e8be9bd1b
MD5 hash:
ef4eccc48ae5031ab23858191c4ce782
SHA1 hash:
8855bf2e9abd8a10a7a13d8a3a68a09c98ad628c
Link:
https://www.unpac.me/results/3e242a16-3d17-4936-94be-9ff570ef8680/
SH256 hash:
c77d247e732575cd9ecb2457b0f4e5281d6e468d1d4bbc3a6afdb836d10c3458
MD5 hash:
d31e16c357e10d9c82931a7e81723029
SHA1 hash:
272073d6c1f46812291a440037e14024bc3ab4d7
Link:
https://www.unpac.me/results/3e242a16-3d17-4936-94be-9ff570ef8680/
SH256 hash:
9f322df416d8c350f577677c1654efde29b5bbfc09e2510403953d1af7e37875
MD5 hash:
6265ce87d54f68b1031341d5f335e970
SHA1 hash:
dd333960f92e5feaa96071641cf485d210dbf7ee
Link:
https://www.unpac.me/results/3e242a16-3d17-4936-94be-9ff570ef8680/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/9f322df416d8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9f322df416d8c350f577677c1654efde29b5bbfc09e2510403953d1af7e37875

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 9f322df416d8c350f577677c1654efde29b5bbfc09e2510403953d1af7e37875

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1526475/
Cape
Cape
https://www.capesandbox.com/analysis/178424/

Comments


Avatar
zbet commented on 2021-08-12 02:50:19 UTC

url : hxxp://193.142.59.221/blog/images/file.exe