MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a5adf079ee8487bfe30a6a9ea6e21a9f1fb961ab4b092bde5383df1cea66f080. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a5adf079ee8487bfe30a6a9ea6e21a9f1fb961ab4b092bde5383df1cea66f080
SHA3-384 hash: fa9f4c4dd48b0100dd878e8d36fb7de2f41a310f1a9e668315b67cf4388b44f0263162b4de6763ef6efdbdf9bfa2e87e
SHA1 hash: 515f13f8d4a5bd3c3d1437d1c7198a70eeabf878
MD5 hash: 4f060e09af8e4c51ac15c91bc87771f5
humanhash: stairway-tennis-tennessee-violet
File name:4f060e09af8e4c51ac15c91bc87771f5.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'849'704 bytes
First seen:2022-04-04 18:32:04 UTC
Last seen:2022-04-04 19:49:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c5f10b723e33db252fd54b55a6e23250 (1 x RedLineStealer)
ssdeep 24576:jUA2fBij1C+xDpLGH6M5a1hmtQg+SkOHTr094GrEpz8xzqgNRrwrf:jUA+Bij1fxDFGHr5qAygbkOzr0902NR
Threatray 11'016 similar samples on MalwareBazaar
TLSH T18185F12BA3ACD857D436C076D85BCBFD7120BE15EA22855B16E43F1FB9B0118F461E0A
File icon (PE):PE icon
dhash icon d0d0f8dcf498dcdc (2 x RedLineStealer, 1 x PrivateLoader)
Reporter abuse_ch
Tags:exe RedLineStealer signed

Code Signing Certificate

Organisation:Seagate BarraCuda Compute ST4000DM004 2 Tb 256/7200
Issuer:Seagate BarraCuda Compute ST4000DM004 2 Tb 256/7200
Algorithm:sha1WithRSAEncryption
Valid from:2022-04-03T09:58:21Z
Valid to:2032-04-04T09:58:21Z
Serial number: 4c9880e264b09fad4146f8efbf1e60b3
Intelligence: 4 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 8c49b082ac11e00a72bb32d390fd912cc87f9e4c3d470897a920763c20edd4d8
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
220
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/260726/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.11935.26098.UNOFFICIAL
Create hunting rule

Win.Packed.Obsidium-9943095-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for analyzing tools
Searching for the window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Searching for synchronization primitives
Launching a process
Creating a file
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/624b39eadb9ca5cf841db618/reports/bbca9410-d740-4782-959f-55be740631c6/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5da53738-18f2-4b2c-8a8c-1bb09ea521e5
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/970369
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Sigma detected: File Created with System Process Name
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade debugger and weak emulator (self modifying code)
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 602861 Sample: HyR4RKAnZ0.exe Startdate: 04/04/2022 Architecture: WINDOWS Score: 100 51 api.ip.sb 2->51 73 Found malware configuration 2->73 75 Multi AV Scanner detection for submitted file 2->75 77 Yara detected RedLine Stealer 2->77 79 4 other signatures 2->79 7 HyR4RKAnZ0.exe 8 2->7         started        12 dllhost.exe 2->12         started        14 dllhost.exe 2->14         started        signatures3 process4 dnsIp5 53 zonasertaneja.com.br 50.116.86.44, 49757, 49760, 49767 UNIFIEDLAYER-AS-1US United States 7->53 55 blackhk1.beget.tech 5.101.153.227, 49756, 80 BEGET-ASRU Russian Federation 7->55 29 C:\Users\user\AppData\Local\Temp\F5GF5.exe, PE32 7->29 dropped 31 C:\Users\user\AppData\...\6HHG76B30ALK374.exe, PE32+ 7->31 dropped 33 C:\Users\user\AppData\Local\Temp\50HL3.exe, PE32 7->33 dropped 35 3 other malicious files 7->35 dropped 81 Query firmware table information (likely to detect VMs) 7->81 83 Tries to detect sandboxes and other dynamic analysis tools (window names) 7->83 85 Creates HTML files with .exe extension (expired dropper behavior) 7->85 87 Tries to detect sandboxes / dynamic malware analysis system (registry check) 7->87 16 3AHE1.exe 14 2 7->16         started        20 0MM3M.exe 2 7->20         started        22 50HL3.exe 4 7->22         started        25 4 other processes 7->25 89 Multi AV Scanner detection for dropped file 12->89 91 Detected unpacking (changes PE section rights) 12->91 93 Tries to evade debugger and weak emulator (self modifying code) 12->93 95 Hides threads from debuggers 14->95 file6 signatures7 process8 dnsIp9 37 gumishosaled.xyz 185.45.192.228, 49802, 80 HSAE United Arab Emirates 16->37 39 192.168.2.1 unknown unknown 16->39 41 api.ip.sb 16->41 57 Multi AV Scanner detection for dropped file 16->57 59 Detected unpacking (changes PE section rights) 16->59 61 Performs DNS queries to domains with low reputation 16->61 63 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 16->63 43 193.150.103.38, 49804, 80 ASGENERALTELRU Russian Federation 20->43 65 Antivirus detection for dropped file 20->65 67 Tries to evade debugger and weak emulator (self modifying code) 20->67 69 Hides threads from debuggers 20->69 45 yandex.ru 5.255.255.77, 443, 49785, 49787 YANDEXRU Russian Federation 22->45 27 C:\Users\user\AppData\Roaming\...\dllhost.exe, PE32 22->27 dropped 47 185.215.113.20, 21921, 49809 WHOLESALECONNECTIONSNL Portugal 25->47 49 iplogger.org 148.251.234.83, 443, 49806 HETZNER-ASDE Germany 25->49 71 May check the online IP address of the machine 25->71 file10 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a5adf079ee8487bfe30a6a9ea6e21a9f1fb961ab4b092bde5383df1cea66f080/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-04-04 10:42:57 UTC
File Type:
PE (Exe)
Extracted files:
336
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
170418ed34e1abffcb85b53766635c8ffd47e8c1736882079414520c8bdcac86
RedLineStealer
184536b719d7619a1bf46428c352716b4f4db46266fce6f91ca6215e81dc9c4f
RedLineStealer
40fcafc4e15c0fd2e339c23f1099ce1f58348e21e2348eac680accf77864b5c9
RedLineStealer
8a11790a57ada815e5fcb19b62fb18d2ae9f22a498f1a46b1677d3485b5c235c
RedLineStealer
8b802e9d01e925f36658b16dda785732a3d4a86c90a372a549162d40eb7710f6
RedLineStealer
d80dcd1d4d7a1ec2885b9c7a59e90f3480cac248c5b0f7198a37cb736ec69ef5
RedLineStealer
de342b73ab279eccec76de26007344ba122df43f5cb1ded839f75579206f85b0
RedLineStealer
e32152cb048a587a48e6762000d48c40494b7a0fb235ccedc3ba8056113d7364
RedLineStealer
f1a10725589836a8b8959f7ceb298f84b1e5a9736fe97f32a816028aaff55001
RedLineStealer
f56c3d4a96415875d7ee39d455be40e5ab3991386e4dfec547620a634196fd1c
RedLineStealer
+ 11'006 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery evasion infostealer persistence spyware stealer trojan
Link:
https://tria.ge/reports/220404-w66t1safg8/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RedLine
RedLine Payload
Unpacked files
SH256 hash:
bed12ce96cdb9c39c88f2d50ec53e8e3fb5dfb021b33fed8ca52cbd8e544d1c7
MD5 hash:
1c1f1f1a870168c9523f05b698ea72fc
SHA1 hash:
55df6dc02d3a9bcdc8e6419f1b68d658c47e1135
Link:
https://www.unpac.me/results/508c93fb-1357-498c-b1a2-9e6a84ae46a8/
SH256 hash:
a5adf079ee8487bfe30a6a9ea6e21a9f1fb961ab4b092bde5383df1cea66f080
MD5 hash:
4f060e09af8e4c51ac15c91bc87771f5
SHA1 hash:
515f13f8d4a5bd3c3d1437d1c7198a70eeabf878
Link:
https://www.unpac.me/results/508c93fb-1357-498c-b1a2-9e6a84ae46a8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/a5adf079ee8487bfe30a6a9ea6e21a9f1fb961ab4b092bde5383df1cea66f080

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe a5adf079ee8487bfe30a6a9ea6e21a9f1fb961ab4b092bde5383df1cea66f080

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2127019/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/260726/

Comments