MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a05b12806135be357756f9bfed4e77836f44919a56351a2aa127ae8eecf54c1c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer
Vendor detections: 12

SHA256 hash: a05b12806135be357756f9bfed4e77836f44919a56351a2aa127ae8eecf54c1c
SHA3-384 hash: 3351b73a25912a4503c65d1cacd50544d6fadf8e710c235a131cb02007ebb6661fa1ffa89a108bfd7abdcf398c64d4fd
SHA1 hash: 9825c842ebf18d4994dbad51f3a787c3cbb9d3be
MD5 hash: cf3e4604439f149a715621d04d45cbbd
humanhash: queen-december-kitten-violet
File name: A05B12806135BE357756F9BFED4E77836F44919A56351.exe
Signature: RedLineStealer
File size: 231'936 bytes
First seen: 2022-06-07 06:10:36 UTC
Last seen: 2022-06-07 06:40:58 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 80391c22607aed1d80054fa8f54c6b62 (1 x Tofsee, 1 x RedLineStealer)
ssdeep: 6144:q4xTFwHg8LXVeZ5YBREaxtAznnNKaiNuIY1cFz:3xOg8LXe5YBqaxUiNuIYG
TLSH: T175346B35B750F876E4B20436649D83F294297E307B5188EBB3967F29AA302D1D734B27
TrID:
  40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
  19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
  17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
  7.7% (.EXE) OS/2 Executable (generic) (2029/13)
  7.6% (.EXE) Generic Win/DOS Executable (2002/3)
dhash icon: 92aae8c8e8f2b29a (3 x RedLineStealer, 2 x GCleaner, 2 x PrivateLoader)
Reporter: abuse_ch
Tags: exe RedLineStealer

abuse_ch
RedLineStealer C2: 91.199.137.32:29712

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 91.199.137.32:29712
ThreatFox reference: https://threatfox.abuse.ch/ioc/661523/

Intelligence

File Origin
Number of uploads: 2
Number of downloads: 274
Origin country: n/a

Vendor Threat Intelligence

Malware family: redline
ID: 1
File name: https://crackpcfull.com/obs-studio-crack-download/
Verdict: Malicious activity
Analysis date: 2022-02-12 21:21:05 UTC
Tags: trojan evasion loader rat redline phishing stealer raccoon

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Sending an HTTP GET request
DNS request
Sending a custom TCP request
Creating a file
Reading critical registry keys
Creating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Running batch commands
Blocking the Windows Defender launch
Sending an HTTP GET request to an infection source
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware zusy
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Djvu, Nymaim, PrivateLoader, RedLine, Sm
Detection: malicious
Classification: rans.troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates HTML files with .exe extension (expired dropper behavior)
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Found C&C like URL pattern
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Djvu Ransomware
Yara detected Generic Downloader
Yara detected Nymaim
Yara detected PrivateLoader
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph: (graph image, not reproduced here) Behavior Graph ID 640327, sample A05B12806135BE357756F9BFED4E77836F44919A56351.exe, start date 07/06/2022, architecture WINDOWS, score 100.
Threat name: Win32.Backdoor.Zapchast
Status: Malicious
First seen: 2022-02-12 00:18:56 UTC
File Type: PE (Exe)
Extracted files: 3
AV detection: 22 of 26 (84.62%)
Threat level: 5/5
Verdict: malicious
Label(s): masslogger

Result
Malware family: n/a
Score: 10/10
Tags: evasion spyware stealer suricata trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
Modifies Windows Defender Real-time Protection settings
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
Unpacked files
SHA256 hash: a05b12806135be357756f9bfed4e77836f44919a56351a2aa127ae8eecf54c1c
MD5 hash: cf3e4604439f149a715621d04d45cbbd
SHA1 hash: 9825c842ebf18d4994dbad51f3a787c3cbb9d3be
Please note that we are no longer able to provide a coverage score for Virus Total.
