MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a6d3f74228ee18a19579010cd5fe3cc98f2c53dc43452325ba57a69f1253d7a5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a6d3f74228ee18a19579010cd5fe3cc98f2c53dc43452325ba57a69f1253d7a5
SHA3-384 hash: d72ff2f94d8015054910d5038215fd6deba34a1d452ca6f864179a217366b4be33f3b93c5895211ab21cefb1072474d9
SHA1 hash: 786f93d12910979c125ae6de7335d1aa80b5ed3e
MD5 hash: 5c7a96e9e751658f051daa79ac1e4cf0
humanhash: salami-enemy-connecticut-uniform
File name:5c7a96e9e751658f051daa79ac1e4cf0
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:741'325 bytes
First seen:2021-07-25 22:38:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cfda23baf1e2e983ddfeca47a5c755a (33 x RedLineStealer, 6 x Dridex, 5 x NetSupport)
ssdeep 12288:GY20AljdZgBPfKfrLQxAogJfqsUsz0cX0wJxzGn+jKyiiTquHVQ:P20gPgFKjLQxAVBbIcXr6n+LTqsVQ
Threatray 91 similar samples on MalwareBazaar
TLSH T129F4122272D1C072E8A329309DE4D772EA78BE316A71A54FBBD11B1D3B71AA1C315703
dhash icon 6862eae6b696c6ec (1 x RedLineStealer, 1 x Zeppelin)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
156
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5c7a96e9e751658f051daa79ac1e4cf0
Verdict:
Malicious activity
Analysis date:
2021-07-25 22:41:14 UTC
Tags:
trojan rat redline stealer
Link:
https://app.any.run/tasks/c865fd54-3a2e-4c03-8074-c5ef18852fe1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/174044/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.24943.1502.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a UDP request
Moving a recently created file
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending an HTTP POST request
Deleting a recently created file
Sending a custom TCP request
Creating a file in the %temp% directory
Reading critical registry keys
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Launching a tool to kill processes
Stealing user critical data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DanaBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/98a6aa96-5d8a-4806-a7ab-c36f36c7bdc5
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/821582
Signature
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops batch files with force delete cmd (self deletion)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 453994 Sample: EvCa0UZmgy Startdate: 26/07/2021 Architecture: WINDOWS Score: 100 66 Multi AV Scanner detection for domain / URL 2->66 68 Found malware configuration 2->68 70 Multi AV Scanner detection for submitted file 2->70 72 3 other signatures 2->72 12 EvCa0UZmgy.exe 3 8 2->12         started        process3 file4 50 C:\inst1\datapjgf\yui.bat, ASCII 12->50 dropped 52 C:\inst1\datapjgf\hock.exe, PE32 12->52 dropped 80 Drops batch files with force delete cmd (self deletion) 12->80 16 wscript.exe 1 12->16         started        signatures5 process6 process7 18 cmd.exe 2 16->18         started        signatures8 74 Uses cmd line tools excessively to alter registry or file data 18->74 21 wscript.exe 1 18->21         started        23 hock.exe 5 18->23         started        26 conhost.exe 18->26         started        28 3 other processes 18->28 process9 file10 30 cmd.exe 1 21->30         started        48 C:\inst1\datapjgf\sid.exe, PE32 23->48 dropped process11 signatures12 82 Uses cmd line tools excessively to alter registry or file data 30->82 33 sid.exe 30->33         started        36 conhost.exe 30->36         started        38 timeout.exe 1 30->38         started        40 5 other processes 30->40 process13 signatures14 58 Multi AV Scanner detection for dropped file 33->58 60 Detected unpacking (changes PE section rights) 33->60 62 Detected unpacking (overwrites its own PE header) 33->62 64 6 other signatures 33->64 42 sid.exe 15 30 33->42         started        process15 dnsIp16 54 stanntinab.xyz 193.106.175.53, 49726, 49730, 49731 IQHOSTRU Russian Federation 42->54 56 api.ip.sb 42->56 76 Tries to harvest and steal browser information (history, passwords, etc) 42->76 78 Tries to steal Crypto Currency Wallets 42->78 46 conhost.exe 42->46         started        signatures17 process18
Gathering data
Threat name:
ByteCode-MSIL.Infostealer.Reline
Create hunting rule
Status:
Malicious
First seen:
2021-07-25 22:14:39 UTC
AV detection:
13 of 46 (28.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=u3j7oqri5ymkdflzaegnl7r4zghsyu64incsgjn2k6tj6est26sq._file
Verdict:
malicious
Similar samples:
03e3837f16d46a1a0a13904fae467c105b1aae66b382e8313b20b90269e53ed6
RedLineStealer
1bc9d629a448ed06538f0fd8f58ca8de4155752c46f32163b56b6ef6be5af323
RedLineStealer
2c6110a76dda8da49195052fa561ab8b8278c02df400124e46d26d2df228b70b
RedLineStealer
44c7ef261a066790a4ce332afc634fb5f89f3273c0c908ec02ab666088b27757
RedLineStealer
82902f13b895c92b0995e65d4de03ff0cd50d89bbc027dc5e7ec338d9bede821
RedLineStealer
df2ed991a6ab65f2bc05805376dcf34de7febc5c5d4b37d400546e4e01d90fc0
RedLineStealer
e64e3395c17e8de856a49a6c16eec63b95d876b957b8e2ff12946f8a93a6faad
RedLineStealer
ee492eda053d19e082cd88acef8825e8dfd4616d51689e2e9667f5ed9035b1df
RedLineStealer
fad001d463e892e7844040cabdcfa8f8431c07e7ef1ffd76ffbd190f49d7693d
RedLineStealer
fd869766f1f735b4c1479ec1300fd63f4a203142e4ed0e6ac18f05d1cdba3ac8
RedLineStealer
+ 81 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery evasion infostealer spyware stealer
Link:
https://tria.ge/reports/210725-erav3bb7ee/
Behaviour
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Sets file to hidden
RedLine
RedLine Payload
Malware Config
C2 Extraction:
stanntinab.xyz:80
Unpacked files
SH256 hash:
430dfd9fa434b7107cbde0d9573b5a586bcfebf19f85d14041860c1b105ccea2
MD5 hash:
d281f026cfce4bb21f954a1622d244f6
SHA1 hash:
c61edf8945661c9f641f1b9e4d297adc02ef4663
Link:
https://www.unpac.me/results/70512bcd-6be1-4bc4-ae0b-8c8ddba1ea32/
SH256 hash:
583ffa0bc773f5b70ada63d70da67f0f2d75f1ad0020425d3d1f230da8d42baa
MD5 hash:
bf3ae018ffef8d2a0c6a6bff91a45c08
SHA1 hash:
7ebf83ac8e7af96eaa29ad7d44e0cf807fb992be
Link:
https://www.unpac.me/results/70512bcd-6be1-4bc4-ae0b-8c8ddba1ea32/
SH256 hash:
57009da0f6a563af10af6aebdcf07b56b463d47c831201402d71466ac810fe7c
MD5 hash:
58cb36b1b76a4f8ed45d8a1c6bbc670c
SHA1 hash:
a12848cb74f24021ecdf742e4deed604b6aa5e53
Link:
https://www.unpac.me/results/70512bcd-6be1-4bc4-ae0b-8c8ddba1ea32/
SH256 hash:
b2b230267f8648cc660b67c3271f3e4851774d0642a04e7b5dd3cdc5df89b220
MD5 hash:
b7b1b2801b097f1bae8d7ff6646801ab
SHA1 hash:
4b5156333345583807206d03dd2b0d0442de8c38
Link:
https://www.unpac.me/results/70512bcd-6be1-4bc4-ae0b-8c8ddba1ea32/
SH256 hash:
8132221ed129f4e15e4db666fbc05fa975f75713be589820c75cdc59a0d76f40
MD5 hash:
0d857e924f8ae8fd2e16f9fde7312e6a
SHA1 hash:
0b0fa298f9d9df63ed7c414fb9a739a3119affa8
Link:
https://www.unpac.me/results/70512bcd-6be1-4bc4-ae0b-8c8ddba1ea32/
SH256 hash:
a6d3f74228ee18a19579010cd5fe3cc98f2c53dc43452325ba57a69f1253d7a5
MD5 hash:
5c7a96e9e751658f051daa79ac1e4cf0
SHA1 hash:
786f93d12910979c125ae6de7335d1aa80b5ed3e
Link:
https://www.unpac.me/results/70512bcd-6be1-4bc4-ae0b-8c8ddba1ea32/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a6d3f74228ee18a19579010cd5fe3cc98f2c53dc43452325ba57a69f1253d7a5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe a6d3f74228ee18a19579010cd5fe3cc98f2c53dc43452325ba57a69f1253d7a5

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1481367/
Cape
Cape
https://www.capesandbox.com/analysis/174044/

Comments


Avatar
zbet commented on 2021-07-25 22:38:35 UTC

url : hxxp://37.0.11.8/USA/file3.exe