MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a072b6112f5ea82e5914c1f3314aafc92b234f5a252eda19f889581adb4e6a65. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a072b6112f5ea82e5914c1f3314aafc92b234f5a252eda19f889581adb4e6a65
SHA3-384 hash: 3376db72b3766cb7721adfd169983aa9a209b449e6780c7b3ccf1b09e3aea1fa355972c63aa7e15412ce98845f893a77
SHA1 hash: 410c2586b4b181976a93534deefe6d46aa58bfd1
MD5 hash: 43eaf2e2226cd28ba7142ddfdd47356e
humanhash: mango-illinois-stream-oven
File name:a072b6112f5ea82e5914c1f3314aafc92b234f5a252ed.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'761'936 bytes
First seen:2022-05-24 13:32:28 UTC
Last seen:2022-05-24 14:45:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5a594319a0d69dbc452e748bcf05892e (21 x ParallaxRAT, 20 x Gh0stRAT, 15 x NetSupport)
ssdeep 24576:t4nXubIQGyxbPV0db26WxQqKdQsv1Et9uGpckT52zedlq89Ws5uIzk5aM/phdOa:tqe3f67PRSffPMWrQ0Zk7
Threatray 251 similar samples on MalwareBazaar
TLSH T1D585C03FF268A53EC45E1B3245B39250997BBA60A81A8C1F07FC384DCF765601E3B656
TrID 49.7% (.EXE) Inno Setup installer (109740/4/30)
19.5% (.EXE) InstallShield setup (43053/19/16)
18.8% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
4.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
85.239.53.70:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
85.239.53.70:80 https://threatfox.abuse.ch/ioc/630038/

Intelligence

File Origin
# of uploads :
2
# of downloads :
317
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
PC_En-1653378944_setup_malware_analyze.exe
Verdict:
Malicious activity
Analysis date:
2022-05-24 08:09:52 UTC
Tags:
loader stealer trojan rat redline hiloti evasion opendir systembc
Link:
https://app.any.run/tasks/b7e43808-0988-4f83-abc9-24100a3a4bab

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/274126/
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Launching a process
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
DNS request
Sending an HTTP GET request
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Modifying a system file
Creating a file in the Windows subdirectories
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/19864/overview
Behaviour
MalwareBazaar
CheckNumberOfProcessor
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe expand.exe overlay packed setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/628cde90afb61a3866633761/reports/67c2cc49-805e-4e3c-b54d-858cd29aab23/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/f69a0522-cac6-491e-8d94-54a7a36c3abe
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1000674
Signature
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Performs DNS TXT record lookups
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 633166 Sample: a072b6112f5ea82e5914c1f3314... Startdate: 24/05/2022 Architecture: WINDOWS Score: 92 42 stboost.com 2->42 44 directll.com 2->44 50 Snort IDS alert for network traffic 2->50 52 Multi AV Scanner detection for dropped file 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 2 other signatures 2->56 10 a072b6112f5ea82e5914c1f3314aafc92b234f5a252ed.exe 2 2->10         started        signatures3 process4 file5 36 a072b6112f5ea82e59...c92b234f5a252ed.tmp, PE32 10->36 dropped 66 Obfuscated command line found 10->66 14 a072b6112f5ea82e5914c1f3314aafc92b234f5a252ed.tmp 3 14 10->14         started        signatures6 process7 file8 38 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 14->38 dropped 40 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 14->40 dropped 17 a072b6112f5ea82e5914c1f3314aafc92b234f5a252ed.exe 2 14->17         started        process9 file10 28 a072b6112f5ea82e59...c92b234f5a252ed.tmp, PE32 17->28 dropped 48 Obfuscated command line found 17->48 21 a072b6112f5ea82e5914c1f3314aafc92b234f5a252ed.tmp 3 20 17->21         started        signatures11 process12 dnsIp13 46 multilow.com 45.10.247.80, 49725, 49726, 49733 AS-FITELNETWORKES Russian Federation 21->46 30 C:\Users\user\AppData\Local\...\service.dll, PE32 21->30 dropped 32 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 21->32 dropped 34 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 21->34 dropped 58 Injects code into the Windows Explorer (explorer.exe) 21->58 60 Writes to foreign memory regions 21->60 62 Allocates memory in foreign processes 21->62 64 Injects a PE file into a foreign processes 21->64 26 explorer.exe 21->26         started        file14 signatures15 process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a072b6112f5ea82e5914c1f3314aafc92b234f5a252eda19f889581adb4e6a65/
Threat name:
Win32.Downloader.Satacom
Create hunting rule
Status:
Malicious
First seen:
2022-05-23 11:38:30 UTC
File Type:
PE (Exe)
AV detection:
14 of 26 (53.85%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ubzlmejpl2uc4wiuyhztcsvpzevsgt22euxnugpyrfmbvw2onjsq._file
Verdict:
unknown
Similar samples:
0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a
RedLineStealer
24d4daedba9b8060bf0d09b4383849b69e8d1741c3ffaad8156ab8cfa56f8625
RedLineStealer
3f299a38f6196d2df259cd0b626e204fb81f5d33de5ec78d4bd7bae131ccb9d4
RedLineStealer
7a786d6cfe052c82e7ab1d5b7f4427c594f2497c4fb374ab852e01c2c1a2b548
RedLineStealer
ca5309eca6c4688b50a8dd11520273ad243177d016b7b35282cc73a17ca768ed
RedLineStealer
e4fb57012d7a31e6511c4bac952323093e8bb51f138841f994f58259162dfd6e
RedLineStealer
fe528bf935539942838fb5349548427eacab028c2ae3947c30e3f93e84ae02d0
RedLineStealer
+ 241 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery
Link:
https://tria.ge/reports/220524-qthnrscfe8/
Behaviour
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Unpacked files
SH256 hash:
a7e37f5314834b163fa21557e61c13c0f202fd64d3c0e46e6c90d2d02e033aec
MD5 hash:
6faec01bf7a3d7f5c5dee2e6e3143a58
SHA1 hash:
603a36f817cab5574e58ab279379e5c112e5fb37
Link:
https://www.unpac.me/results/64fe4749-0840-45d9-a154-16cf538d3597/
SH256 hash:
724b85f1f97ebaa793f4e0bba29337657cd4393c04948cfae1ddc8613a3e319e
MD5 hash:
892965cf131bc5a238d8c7a190718c80
SHA1 hash:
dde8dde7d656a8ce413cb4cb8b6b46afe3a6eabb
Link:
https://www.unpac.me/results/64fe4749-0840-45d9-a154-16cf538d3597/
SH256 hash:
a072b6112f5ea82e5914c1f3314aafc92b234f5a252eda19f889581adb4e6a65
MD5 hash:
43eaf2e2226cd28ba7142ddfdd47356e
SHA1 hash:
410c2586b4b181976a93534deefe6d46aa58bfd1
Link:
https://www.unpac.me/results/64fe4749-0840-45d9-a154-16cf538d3597/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a072b6112f5ea82e5914c1f3314aafc92b234f5a252eda19f889581adb4e6a65

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/274126/

Comments