MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f6eb963b28951006fa6254b74f58b087c4469496c8ab22cf74210510f82c186. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9f6eb963b28951006fa6254b74f58b087c4469496c8ab22cf74210510f82c186
SHA3-384 hash: 9a8a56e38aa466b4a77d20baaee325028049393710eec11697969e8a1bc59f1d1fea4d08869b87f563c5e844bc48a7f0
SHA1 hash: b06ecedaec55b6657c5a809aabce0ea4323ed7b2
MD5 hash: c6409dcd1888eed5d528f85c21b89162
humanhash: failed-orange-hydrogen-emma
File name:SecuriteInfo.com.W32.AIDetect.malware2.11743.12911
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:991'309 bytes
First seen:2021-05-26 23:38:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 011a034751880c1944da3b5ecc18520d (8 x RedLineStealer, 4 x CryptBot, 3 x ArkeiStealer)
ssdeep 24576:m9btxEOeavmxQyis4IY417H6SreppXHxGKklCOjkx:mNNeauxblYSyNxw8Kkx
Threatray 190 similar samples on MalwareBazaar
TLSH D925235137E99ABAC5D512304C63BB6916B5F3380B4CC7DBEFE80A0B5C245C6CA79389
Reporter SecuriteInfoCom
Tags:RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
146
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.W32.AIDetect.malware2.11743.12911
Verdict:
Malicious activity
Analysis date:
2021-05-26 23:44:16 UTC
Tags:
autoit trojan rat redline
Link:
https://app.any.run/tasks/dbd40a2f-bea7-4d4e-9213-cdb1e2f33b9f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/162606/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.11743.12911.UNOFFICIAL
Create hunting rule

PUA.Win.Downloader.Driverpack-6998194-0
Create hunting rule

PUA.Win.Adware.Generic-7505646-0
Create hunting rule

PUA.Win.File.Generic-7557964-0
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Sending a UDP request
Launching cmd.exe command interpreter
Launching a process
Creating a process from a recently created file
Deleting a recently created file
DNS request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/792974
Signature
Contains functionality to register a low level keyboard hook
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Obfuscated command line found
Submitted sample is a known malware sample
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 425370 Sample: SecuriteInfo.com.W32.AIDete... Startdate: 27/05/2021 Architecture: WINDOWS Score: 92 48 Found malware configuration 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 Yara detected RedLine Stealer 2->52 54 Machine Learning detection for sample 2->54 10 SecuriteInfo.com.W32.AIDetect.malware2.11743.exe 7 2->10         started        process3 signatures4 56 Contains functionality to register a low level keyboard hook 10->56 13 cmd.exe 1 10->13         started        process5 signatures6 58 Submitted sample is a known malware sample 13->58 60 Obfuscated command line found 13->60 62 Uses ping.exe to sleep 13->62 64 Uses ping.exe to check the status of other devices and networks 13->64 16 cmd.exe 3 13->16         started        19 conhost.exe 13->19         started        process7 signatures8 44 Obfuscated command line found 16->44 46 Uses ping.exe to sleep 16->46 21 Ammirabile.exe.com 16->21         started        23 PING.EXE 1 16->23         started        26 findstr.exe 1 16->26         started        process9 dnsIp10 29 Ammirabile.exe.com 1 21->29         started        40 127.0.0.1 unknown unknown 23->40 36 C:\Users\user\AppData\...\Ammirabile.exe.com, Targa 26->36 dropped file11 process12 dnsIp13 42 CXGVubAglGFDxYMBdULdcW.CXGVubAglGFDxYMBdULdcW 29->42 38 C:\Users\user\AppData\Local\...\RegAsm.exe, PE32 29->38 dropped 66 Writes to foreign memory regions 29->66 68 Injects a PE file into a foreign processes 29->68 34 RegAsm.exe 2 29->34         started        file14 signatures15 process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9f6eb963b28951006fa6254b74f58b087c4469496c8ab22cf74210510f82c186/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-05-26 22:28:12 UTC
File Type:
PE (Exe)
Extracted files:
22
AV detection:
13 of 47 (27.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=t5xlsy5srfiqa35gevfxj5mlbb6ei2kjnsflelhxiiifcd4cygda._file
Verdict:
suspicious
Similar samples:
01e0e8312ba9622a57dfbf40615513bf2a01c38d9fba806e1bc9c08364b2041f
RedLineStealer
02a87432aa8362fae07a1f6f53e01635c45dce79453e057a899bcf1588b40763
RedLineStealer
77347d3a92eb99a4996d266311ad9fc79a6788c5c58637fed77ad7f8a849c473
RedLineStealer
84d476538f65a15834800d95f0056d5e0f1efcadbc7dc6155185286c6af962c2
RedLineStealer
8b8a48214f0d0d1a9e210e5f871cc5f608ccb48b6079ec4bcdd5538adbd8d8f2
RedLineStealer
de92c18843a74125a6adbfdcffe97c597d88ae21a8cdc560aa10b33870f6a472
RedLineStealer
e9faa7dce8d4693ebef2e9f47d3af496323b887e7733e38eca4e40a937cd1dfe
RedLineStealer
f611711bbcb210e6e679026be24fd78215dc623abfb926d6811274eec16a3ca7
RedLineStealer
f627cdcd4882aeee1329e0fb22e0cede29c0c743f40a002cbdbd1a4c2c6592ca
RedLineStealer
f87674db0a46d9903b10a9103dd2cad5b0d1ff7cccaaec2cc47231d5fc32007d
RedLineStealer
+ 180 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:25 infostealer
Link:
https://tria.ge/reports/210526-9r2sntj4zs/
Behaviour
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
RedLine
RedLine Payload
Malware Config
C2 Extraction:
157.90.238.247:43252
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9f6eb963b28951006fa6254b74f58b087c4469496c8ab22cf74210510f82c186

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 9f6eb963b28951006fa6254b74f58b087c4469496c8ab22cf74210510f82c186

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1288379/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/162606/

Comments