MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a6aba3c4bc9f9f70b86e8f41874887115b61f9b0592c1602d0b309eb75497225. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a6aba3c4bc9f9f70b86e8f41874887115b61f9b0592c1602d0b309eb75497225
SHA3-384 hash: 52f9e6b29c9e5dc49fcde34c065fdfd3bd563901a2c9ad936cbbf4c2741e0558ebef8ff6f2e0bbf4e62cfa6dfbea3f5c
SHA1 hash: 88da0d5dae0fcf86cfebac355e359df425c002de
MD5 hash: a0d7d81b9b14aa8d1e6638215db789c6
humanhash: oranges-failed-batman-vegan
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:319'488 bytes
First seen:2022-09-05 20:41:37 UTC
Last seen:2022-09-06 22:47:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:L9sW4JF/3STScSSRlZY3Ctmlk0Mduyhq+hv4QIzeQS:5yPSTVSStY+Kce
Threatray 679 similar samples on MalwareBazaar
TLSH T11C64AE09A7B3CA10C38D37349663863E5739EF823173F35E2E5D426669063F5A9607E2
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter andretavare5
Tags:exe RedLineStealer


Avatar
andretavare5
Sample downloaded from https://smartectechnologies.com/12/TrdngAnr6339.exe

Intelligence

File Origin
# of uploads :
38
# of downloads :
321
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Suspicious activity
Analysis date:
2022-09-05 20:43:49 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ff18e6ab-f875-4b73-b611-e4bdf4803004

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/307982/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Creating a file
Searching for the window
Сreating synchronization primitives
DNS request
Searching for synchronization primitives
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63165f1c2916aa429410e186/reports/1214edb4-2149-4d5a-8836-16bf3596a283/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/19840031-692f-4797-9328-96872047686a
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1065290
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Contains functionality to inject code into remote processes
Creates HTML files with .exe extension (expired dropper behavior)
Creates multiple autostart registry keys
Drops PE files with benign system names
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 697816 Sample: file.exe Startdate: 05/09/2022 Architecture: WINDOWS Score: 100 136 Snort IDS alert for network traffic 2->136 138 Multi AV Scanner detection for domain / URL 2->138 140 Malicious sample detected (through community Yara rule) 2->140 142 9 other signatures 2->142 13 file.exe 14 5 2->13         started        17 msedge.exe 2->17         started        19 msedge.exe 2->19         started        21 2 other processes 2->21 process3 dnsIp4 118 cdn.discordapp.com 162.159.129.233, 443, 49725, 49759 CLOUDFLARENETUS United States 13->118 104 C:\Windows\Temp\10.exe, PE32 13->104 dropped 106 C:\Users\user\AppData\Local\...\file.exe.log, ASCII 13->106 dropped 23 cmd.exe 1 13->23         started        25 conhost.exe 13->25         started        27 WerFault.exe 10 17->27         started        29 WerFault.exe 19->29         started        31 conhost.exe 21->31         started        33 conhost.exe 21->33         started        file5 process6 process7 35 10.exe 1 23->35         started        38 conhost.exe 23->38         started        signatures8 144 Multi AV Scanner detection for dropped file 35->144 146 Creates HTML files with .exe extension (expired dropper behavior) 35->146 148 Contains functionality to inject code into remote processes 35->148 150 2 other signatures 35->150 40 10.exe 1 11 35->40         started        45 conhost.exe 35->45         started        process9 dnsIp10 112 94.26.226.51, 49726, 49727, 49731 PTC-YEMENNETYE Russian Federation 40->112 114 ge-ck365.com 103.74.123.2, 49735, 49736, 49744 FPT-AS-APTheCorporationforFinancingPromotingTechnolo Viet Nam 40->114 116 blackhk1.beget.tech 5.101.153.227, 49732, 49733, 49734 BEGET-ASRU Russian Federation 40->116 94 C:\Users\user\AppData\Roaming\...\svchost.exe, PE32+ 40->94 dropped 96 C:\Users\user\AppData\...\BA42ICFEE37B3JG.exe, PE32 40->96 dropped 98 C:\Users\user\AppData\...\A2I4L1IEE25G1I8.exe, PE32 40->98 dropped 100 3 other files (2 malicious) 40->100 dropped 162 Creates multiple autostart registry keys 40->162 47 A2I4L1IEE25G1I8.exe 14 5 40->47         started        52 BA42ICFEE37B3JG.exe 40->52         started        54 4A07M98EK5L35B8.exe 40->54         started        56 2 other processes 40->56 file11 signatures12 process13 dnsIp14 120 cdn.discordapp.com 47->120 88 C:\Windows\Temp\Lyla.05.09.exe, PE32 47->88 dropped 128 Machine Learning detection for dropped file 47->128 58 cmd.exe 47->58         started        122 162.159.134.233, 443, 49761 CLOUDFLARENETUS United States 52->122 124 cdn.discordapp.com 52->124 90 C:\Windows\Temp\xsv.exe, PE32+ 52->90 dropped 60 cmd.exe 52->60         started        126 iplogger.org 148.251.234.83, 443, 49763 HETZNER-ASDE Germany 54->126 130 Antivirus detection for dropped file 54->130 132 Multi AV Scanner detection for dropped file 54->132 134 May check the online IP address of the machine 54->134 92 C:\Users\user\AppData\Local\...\edH6_hNp.cpl, PE32 56->92 dropped 62 msedge.exe 56->62         started        65 control.exe 56->65         started        file15 signatures16 process17 signatures18 67 Lyla.05.09.exe 58->67         started        71 conhost.exe 58->71         started        73 xsv.exe 60->73         started        76 conhost.exe 60->76         started        164 Multi AV Scanner detection for dropped file 62->164 78 WerFault.exe 20 9 62->78         started        80 rundll32.exe 65->80         started        process19 dnsIp20 108 185.215.113.216, 21921, 49796 WHOLESALECONNECTIONSNL Portugal 67->108 152 Antivirus detection for dropped file 67->152 154 Multi AV Scanner detection for dropped file 67->154 156 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 67->156 160 4 other signatures 67->160 102 C:\Users\user\AppData\Roaming\...\Clipper.exe, PE32+ 73->102 dropped 158 Creates multiple autostart registry keys 73->158 82 conhost.exe 73->82         started        110 192.168.2.1 unknown unknown 78->110 84 rundll32.exe 80->84         started        file21 signatures22 process23 process24 86 rundll32.exe 84->86         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a6aba3c4bc9f9f70b86e8f41874887115b61f9b0592c1602d0b309eb75497225/
Threat name:
ByteCode-MSIL.Spyware.RedLine
Create hunting rule
Status:
Suspicious
First seen:
2022-09-05 20:42:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
12 of 25 (48.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=u2v2hrf4t6pxbodor5ayosehcfnwd6nqlewbmawqwme6w5kjoisq._file
Verdict:
malicious
Similar samples:
0fbf811ae93abb614c13af884bd61a8408948d7a2fe3846641e737b49850b4da
RedLineStealer
1b6db2ff76f4564310210b20e13118f37c92e1ef46541b1aec6b5a98be598ae4
RedLineStealer
2cef44b61ff47451356f3ae57bbd4d4540b856144ab8f8a2dc9fd9eb55c6cc2a
RedLineStealer
32b0a9f36ce1bf7c1922971009dede68dac4b2b68daca1f2ed917c9e6a02703f
RedLineStealer
35b37b30779ff09b08ee04b1a284ec172dbf9767bd6afac8ade45ac09fe186b7
RedLineStealer
4fc7f1f57853c21506349c98a90fce183a1e68509ea78fbea79e22c13bec4ad2
RedLineStealer
53e715e8fa9e0ae1806e69ab59f1eec2aff8020df27bfbe45704b73aaadf1122
RedLineStealer
a44a8a9525057352a85936d8ea31408f2c5403a5f383bcab9e39fb10e99b628b
RedLineStealer
+ 669 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
miner persistence
Link:
https://tria.ge/reports/220905-zgzk7ahfd5/
Behaviour
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Downloads MZ/PE file
Executes dropped EXE
Detectes Phoenix Miner Payload
Unpacked files
SH256 hash:
a6aba3c4bc9f9f70b86e8f41874887115b61f9b0592c1602d0b309eb75497225
MD5 hash:
a0d7d81b9b14aa8d1e6638215db789c6
SHA1 hash:
88da0d5dae0fcf86cfebac355e359df425c002de
Link:
https://www.unpac.me/results/7c8cad9d-fee2-45c9-b9d3-9d5bd14363ea/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.53
Link:
https://yomi.yoroi.company/submissions/a6aba3c4bc9f9f70b86e8f41874887115b61f9b0592c1602d0b309eb75497225

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2286189/
Cape
Cape
https://www.capesandbox.com/analysis/307982/

Comments