MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a233b4b4782811424b0b5b166b0985417e834da2b776e72d3c7e5064dee1e9e5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a233b4b4782811424b0b5b166b0985417e834da2b776e72d3c7e5064dee1e9e5
SHA3-384 hash: 49532004b942b4c975979f98885ce754613e8bab0d397b3b09b8958e4cbda0a29df79376c62cf468310abd6d5b8f393d
SHA1 hash: b0225393df8ed257ade0d6cb95ca14f0a92f4ea4
MD5 hash: 6e0fc3d593968917c8ed6ea577195296
humanhash: montana-papa-bluebird-finch
File name:6e0fc3d593968917c8ed6ea577195296
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:993'280 bytes
First seen:2022-01-13 11:03:08 UTC
Last seen:2022-01-13 12:54:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:Te6pjUMgraGSkYlwz/PPoLDvD07euMwtOPGjpBnPkJwV:TwSkY4/PAIK7GFBPWw
Threatray 1 similar samples on MalwareBazaar
TLSH T1942509DD91D15849CFEF07F00DFBE22E857296C613474BEA732E95F06B2208EA56D4A0
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
217
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6e0fc3d593968917c8ed6ea577195296
Verdict:
Malicious activity
Analysis date:
2022-01-13 11:04:39 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/be01e04d-8c05-47fb-a9a1-daa6bbf5dd9a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/218980/
Detection(s):
SecuriteInfo.com.Trojan.Siggen16.31742.14848.31328.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Sending a custom TCP request
Reading critical registry keys
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fareit packed
Link:
https://www.filescan.io/uploads/61e00725f2e8ec86fef79d06/reports/3e34a289-6648-4662-a27e-6ac4b8d2d2b8/overview
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/528d259b-b7b3-41c7-aa4a-f75ab7d8bb0a
Result
Threat name:
Clipboard Hijacker MicroClip Phoenix Min
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/919984
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to compare user and computer (likely to detect sandboxes)
Detected unpacking (changes PE section rights)
Found evasive API chain (may stop execution after checking mutex)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: System File Execution Location Anomaly
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Clipboard Hijacker
Yara detected MicroClip
Yara detected Phoenix Miner
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 552458 Sample: tivDpdRokf Startdate: 13/01/2022 Architecture: WINDOWS Score: 100 110 Antivirus detection for URL or domain 2->110 112 Multi AV Scanner detection for dropped file 2->112 114 Multi AV Scanner detection for submitted file 2->114 116 9 other signatures 2->116 9 tivDpdRokf.exe 3 2->9         started        13 RegHost.exe 2->13         started        15 RegHost.exe 2->15         started        17 2 other processes 2->17 process3 file4 90 C:\Users\user\AppData\...\tivDpdRokf.exe.log, ASCII 9->90 dropped 150 Writes to foreign memory regions 9->150 152 Injects a PE file into a foreign processes 9->152 19 RegAsm.exe 15 10 9->19         started        154 Antivirus detection for dropped file 13->154 156 Multi AV Scanner detection for dropped file 13->156 158 Detected unpacking (changes PE section rights) 13->158 160 Machine Learning detection for dropped file 13->160 24 bfsvc.exe 13->24         started        26 conhost.exe 13->26         started        28 explorer.exe 13->28         started        162 Injects code into the Windows Explorer (explorer.exe) 15->162 164 Allocates memory in foreign processes 15->164 166 Modifies the context of a thread in another process (thread injection) 15->166 30 bfsvc.exe 15->30         started        32 explorer.exe 15->32         started        34 conhost.exe 15->34         started        168 Hides threads from debuggers 17->168 36 schtasks.exe 17->36         started        38 2 other processes 17->38 signatures5 process6 dnsIp7 92 c9d0e790b353537889bd47a364f5acff43c11f247.xyz 185.112.83.97, 49747, 80 SUPERSERVERSDATACENTERRU Russian Federation 19->92 94 91.243.32.73, 49749, 7171 MATTEOGB Russian Federation 19->94 98 3 other IPs or domains 19->98 74 C:\Users\user\AppData\Roaming\whw.exe, PE32 19->74 dropped 76 C:\Users\user\AppData\Roaming\safas2f.exe, PE32+ 19->76 dropped 78 C:\Users\user\AppData\Roaming\e3dwefw.exe, PE32 19->78 dropped 80 C:\Users\user\AppData\...\RuntimeBroker.exe, PE32+ 19->80 dropped 118 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 19->118 120 Performs DNS queries to domains with low reputation 19->120 122 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 19->122 40 safas2f.exe 1 2 19->40         started        44 whw.exe 3 19->44         started        47 e3dwefw.exe 1 19->47         started        49 RuntimeBroker.exe 19->49         started        82 \Device\ConDrv, ASCII 30->82 dropped 124 Hides threads from debuggers 30->124 96 192.168.2.1 unknown unknown 32->96 51 conhost.exe 36->51         started        file8 signatures9 process10 dnsIp11 84 C:\Users\user\AppData\Roaming\...\RegHost.exe, PE32+ 40->84 dropped 128 Antivirus detection for dropped file 40->128 130 Multi AV Scanner detection for dropped file 40->130 132 Detected unpacking (changes PE section rights) 40->132 146 6 other signatures 40->146 53 explorer.exe 40->53         started        55 bfsvc.exe 40->55         started        58 curl.exe 1 40->58         started        61 conhost.exe 40->61         started        102 46.3.197.253, 15761, 49789 ALEXHOST_SRLMD Russian Federation 44->102 134 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 44->134 136 Machine Learning detection for dropped file 44->136 138 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 44->138 148 2 other signatures 44->148 86 C:\Users\user\AppData\Roaming\...\oobeldr.exe, PE32 47->86 dropped 140 Found evasive API chain (may stop execution after checking mutex) 47->140 142 Uses schtasks.exe or at.exe to add and modify task schedules 47->142 144 Contains functionality to compare user and computer (likely to detect sandboxes) 47->144 63 schtasks.exe 1 47->63         started        88 C:\Users\user\AppData\...\RuntimeBroker.exe, PE32+ 49->88 dropped file12 signatures13 process14 dnsIp15 65 RegHost.exe 53->65         started        126 Hides threads from debuggers 55->126 68 conhost.exe 55->68         started        100 api.telegram.org 149.154.167.220, 443, 49752 TELEGRAMRU United Kingdom 58->100 70 conhost.exe 58->70         started        72 conhost.exe 63->72         started        signatures16 process17 signatures18 104 Modifies the context of a thread in another process (thread injection) 65->104 106 Hides threads from debuggers 65->106 108 Injects a PE file into a foreign processes 65->108
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a233b4b4782811424b0b5b166b0985417e834da2b776e72d3c7e5064dee1e9e5/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-01-13 00:19:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
21 of 27 (77.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uiz3jndyfaiuesyllmlgwcmfif7igtncw53oolj4pzigjxxb5hsq._file
Verdict:
malicious
Similar samples:
a233b4b4782811424b0b5b166b0985417e834da2b776e72d3c7e5064dee1e9e5
RedLineStealer
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery persistence spyware stealer
Link:
https://tria.ge/reports/220113-m591lshffr/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Unpacked files
SH256 hash:
897234d4b2eb6210daa5285fadf15e209864ef74456cc2ec0dbf0e52abadff21
MD5 hash:
6b2045f0058a367fa9267cfe55fe398e
SHA1 hash:
8329ce45b00ec2b716372274ae031b2d0cd66a60
Link:
https://www.unpac.me/results/c3c0718e-abaa-4e65-89c4-a0c2cab1d7a1/
SH256 hash:
a233b4b4782811424b0b5b166b0985417e834da2b776e72d3c7e5064dee1e9e5
MD5 hash:
6e0fc3d593968917c8ed6ea577195296
SHA1 hash:
b0225393df8ed257ade0d6cb95ca14f0a92f4ea4
Link:
https://www.unpac.me/results/c3c0718e-abaa-4e65-89c4-a0c2cab1d7a1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a233b4b4782811424b0b5b166b0985417e834da2b776e72d3c7e5064dee1e9e5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
Create hunting rule
Author:ditekSHen
Description:Detects executables containing bas64 encoded gzip files
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe a233b4b4782811424b0b5b166b0985417e834da2b776e72d3c7e5064dee1e9e5

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/218980/
  
URLhaus
https://urlhaus.abuse.ch/url/1973503/

Comments


Avatar
zbet commented on 2022-01-13 11:03:11 UTC

url : hxxp://rf9480.bomj.xyz/eth.bin