MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a233093d08eb2f93b8a3371821c4ac3026282fb7d2ea0138f7d9d18d951b62b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a233093d08eb2f93b8a3371821c4ac3026282fb7d2ea0138f7d9d18d951b62b0
SHA3-384 hash: 5cb06cdd21ddc65280218b55f1634cfca1b02b67e433a08873711cef02cce8d052f17d9441be6593fa8def9da6c38456
SHA1 hash: 4d34b321509be53232577c768824756f50362fb7
MD5 hash: cf3fa87cfc679bddbfb4ec26b06e7f7d
humanhash: wyoming-fourteen-nebraska-cup
File name:a233093d08eb2f93b8a3371821c4ac3026282fb7d2ea0.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'009'264 bytes
First seen:2021-11-06 22:21:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:iP/VdOzpdRWlrSxzgjHsCcd2Ebq7UJkSqitKMY2CgolpS6zgyPwq2NApx944ATah:myDRWlsgoRWgJFqitKM2bze4ZjAzvDyP
Threatray 2'871 similar samples on MalwareBazaar
TLSH T1B3258D4533DC6716E19A1638A3E4142F82B3A4217632DB4A2FC55F9D7CCEB8B8D112E7
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
109.107.191.37:55005

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
109.107.191.37:55005 https://threatfox.abuse.ch/ioc/244778/

Intelligence

File Origin
# of uploads :
1
# of downloads :
132
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/202967/
Detection(s):
SecuriteInfo.com.VHO.Trojan-Spy.MSIL.Stealer.gen.27811.23856.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed packed
Link:
https://www.filescan.io/uploads/6187000dd8143ea269cd67cf/reports/36d2fdf0-442b-4512-8af1-9230b339b781/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/345b33ba-6e5a-455a-96c9-aed482dcb8dd
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/884609
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Changes security center settings (notifications, updates, antivirus, firewall)
Disables UAC (registry)
Drops PE files to the startup folder
Drops PE files with benign system names
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Bypass UAC via CMSTP
Sigma detected: Powershell adding suspicious path to exclusion list
Sigma detected: Powershell Defender Exclusion
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected AntiVM3
Yara detected RedLine Stealer
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 517067 Sample: a233093d08eb2f93b8a3371821c... Startdate: 06/11/2021 Architecture: WINDOWS Score: 100 56 Multi AV Scanner detection for dropped file 2->56 58 Sigma detected: Powershell adding suspicious path to exclusion list 2->58 60 Multi AV Scanner detection for submitted file 2->60 62 9 other signatures 2->62 7 a233093d08eb2f93b8a3371821c4ac3026282fb7d2ea0.exe 9 15 2->7         started        11 svchost.exe 2->11         started        13 breakers.exe 2->13         started        15 6 other processes 2->15 process3 file4 36 C:\Users\user\AppData\...\breakers.exe, PE32 7->36 dropped 38 C:\Program Files\Common Files\...\svchost.exe, PE32 7->38 dropped 40 C:\Users\...\breakers.exe:Zone.Identifier, ASCII 7->40 dropped 46 3 other files (1 malicious) 7->46 dropped 74 Drops PE files to the startup folder 7->74 76 Adds a directory exclusion to Windows Defender 7->76 78 Disables UAC (registry) 7->78 80 Drops PE files with benign system names 7->80 17 MSBuild.exe 7->17         started        21 MSBuild.exe 7->21         started        23 breakers.exe 7->23         started        26 14 other processes 7->26 82 Changes security center settings (notifications, updates, antivirus, firewall) 11->82 42 C:\Windows\Temp\h3rttkqi.inf, Windows 13->42 dropped 44 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 13->44 dropped signatures5 process6 dnsIp7 52 109.107.191.37, 49753, 49754, 55005 TELEPORT-TV-ASRU Russian Federation 17->52 64 Tries to harvest and steal browser information (history, passwords, etc) 17->64 66 Tries to steal Crypto Currency Wallets 17->66 68 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 21->68 70 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 21->70 48 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 23->48 dropped 50 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 23->50 dropped 72 Adds a directory exclusion to Windows Defender 23->72 54 192.168.2.1 unknown unknown 26->54 28 AdvancedRun.exe 26->28         started        30 AdvancedRun.exe 26->30         started        32 conhost.exe 26->32         started        34 8 other processes 26->34 file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a233093d08eb2f93b8a3371821c4ac3026282fb7d2ea0138f7d9d18d951b62b0/
Threat name:
ByteCode-MSIL.Trojan.RedLineSteal
Create hunting rule
Status:
Malicious
First seen:
2021-11-06 22:22:08 UTC
AV detection:
8 of 28 (28.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=uizqspii5mxzhofdg4mcdrfmgatcql5x2lvacohx3hiy3fi3mkya._file
Verdict:
malicious
Similar samples:
19575cb00a9f3eb2639b5e1e453334d30e4c50984c7edacea4598e76902a3eab
RedLineStealer
445201065ad563325f43f6f25d6b5ffccb437a6d15d5e43a5cc7d259050d138d
RedLineStealer
48f2f3424044a4751015b2670e5c5b9f4039ad28de0a268132084cfe76437e6e
RedLineStealer
702d02cc220387cd8f2029520cde97bd3879a1e151b198b4e3faea08b808cc9a
RedLineStealer
791eaeee5c52bdb505f648794ce04d0c2cef9cd9df9bd7b661e64e12e59a3b8c
RedLineStealer
7c790dc9174daf4135dcfdc30aad3ba8df18fc1cf4ce549c51501fa7eb7be38d
RedLineStealer
+ 2'861 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:iplogger evasion infostealer persistence spyware trojan vmprotect
Link:
https://tria.ge/reports/211106-198j8sddcq/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks whether UAC is enabled
Drops startup file
Loads dropped DLL
Windows security modification
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
Nirsoft
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine Payload
Turns off Windows Defender SpyNet reporting
UAC bypass
Windows security bypass
Malware Config
C2 Extraction:
109.107.191.37:55005
Unpacked files
SH256 hash:
2f32fec5f3b552175dc086c01405331ff007d97a822aea8b9692581fb716fcf0
MD5 hash:
ae12de8f0ea425aa7ef65ca61af5e48c
SHA1 hash:
4cef0ab0373c4385a31a4bfd8f024556852b8552
Link:
https://www.unpac.me/results/2e75840a-0c08-48d2-b0fc-80c60555a173/
SH256 hash:
fd43b492b6e9990901d234a9497e6f0b44b4bec4a37d3620a895740665803679
MD5 hash:
9043039824d34a79ce01f21f411c9598
SHA1 hash:
fbb65849cdfcfd0bdf4e08ba55b4ff235043cb71
Link:
https://www.unpac.me/results/2e75840a-0c08-48d2-b0fc-80c60555a173/
SH256 hash:
09eb8b7ed8ed3727c1f971025fe3f32b4d3d5cfee024255aeb58786f5837755f
MD5 hash:
895157bef1dd3e466824275a6789130f
SHA1 hash:
ddd69766dab09c2a332019db2074104c27a4b0fb
Link:
https://www.unpac.me/results/2e75840a-0c08-48d2-b0fc-80c60555a173/
SH256 hash:
3da80bd8e18bf2ef5e28f5e2e0d2095b0d4e65391800ce18f9a18859d7beb220
MD5 hash:
5dbed7594d4c8d71c1882692e6776bf0
SHA1 hash:
8552a2f2afca501945fe57c1875970b6f777f709
Link:
https://www.unpac.me/results/2e75840a-0c08-48d2-b0fc-80c60555a173/
SH256 hash:
8063623fd33585184e865ac1f8685446c819841d212bc6c848f8dc4a137960be
MD5 hash:
4abff34e351e4e95514aecb515e8aea3
SHA1 hash:
742702e8c78e7cf19f19e56a6cdb2d1811759710
Link:
https://www.unpac.me/results/2e75840a-0c08-48d2-b0fc-80c60555a173/
SH256 hash:
a233093d08eb2f93b8a3371821c4ac3026282fb7d2ea0138f7d9d18d951b62b0
MD5 hash:
cf3fa87cfc679bddbfb4ec26b06e7f7d
SHA1 hash:
4d34b321509be53232577c768824756f50362fb7
Link:
https://www.unpac.me/results/2e75840a-0c08-48d2-b0fc-80c60555a173/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a233093d08eb2f93b8a3371821c4ac3026282fb7d2ea0138f7d9d18d951b62b0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe a233093d08eb2f93b8a3371821c4ac3026282fb7d2ea0138f7d9d18d951b62b0

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/202967/
  
URLhaus
https://urlhaus.abuse.ch/url/1759835/
  
Delivery method
Distributed via web download

Comments