MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a6e69af95b2cfafbdc192c5c34d065b8e51925534824be3d432c1e2a17375289. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a6e69af95b2cfafbdc192c5c34d065b8e51925534824be3d432c1e2a17375289
SHA3-384 hash: 85d94508cdb3a91e9256e8f8fbb511d18127e332993ba2b8149dad80d04b89b609bebe4a381e27d38acb51fc8ce93577
SHA1 hash: 3b9433905b18c02f8df25eb6fd85707ad7755791
MD5 hash: 9ee13d3d7d84332e2a7bf5dab6840797
humanhash: golf-mirror-ink-nuts
File name:a6e69af95b2cfafbdc192c5c34d065b8e51925534824b.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:455'584 bytes
First seen:2021-10-30 09:22:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'612 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:okTsCmQxyicoO4QgJgri7KuuI80zC9MDSDPlvE2Mj0oei:ok7VNyrFqzCpDPlkj0fi
Threatray 2'218 similar samples on MalwareBazaar
TLSH T18AA4102C2DC2CA13D9A06572C6AFAE44BF33A9D7431347C8675B97F4AE061216E11F9C
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
138.124.186.58:48619

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
138.124.186.58:48619 https://threatfox.abuse.ch/ioc/239802/

Intelligence

File Origin
# of uploads :
1
# of downloads :
245
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup_x86_x64_install.exe
Verdict:
Malicious activity
Analysis date:
2021-10-30 08:50:30 UTC
Tags:
trojan rat redline loader evasion stealer opendir vidar formbook
Link:
https://app.any.run/tasks/51d6221e-bdc6-4a20-8a2e-08c19d90646d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Forced shutdown of a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/643a121d-f0e0-4a59-a8b1-93e3536a9a14
Result
Threat name:
BitCoin Miner RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/879769
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Connects to many ports of the same IP (likely port scanning)
Creates a thread in another existing process (thread injection)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the user root directory
Found malware configuration
Injects a PE file into a foreign processes
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Powershell drops PE file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Powershell download and execute file
Sigma detected: PowerShell DownloadFile
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 512203 Sample: a6e69af95b2cfafbdc192c5c34d... Startdate: 30/10/2021 Architecture: WINDOWS Score: 100 96 Found malware configuration 2->96 98 Sigma detected: Powershell download and execute file 2->98 100 Yara detected BitCoin Miner 2->100 102 5 other signatures 2->102 14 a6e69af95b2cfafbdc192c5c34d065b8e51925534824b.exe 3 2->14         started        17 services32.exe 2->17         started        process3 signatures4 150 Writes to foreign memory regions 14->150 152 Injects a PE file into a foreign processes 14->152 19 RegAsm.exe 15 7 14->19         started        154 Multi AV Scanner detection for dropped file 17->154 156 Allocates memory in foreign processes 17->156 158 Creates a thread in another existing process (thread injection) 17->158 24 conhost.exe 17->24         started        process5 dnsIp6 82 fortnightgalaxyswapper.ru 81.177.135.61, 443, 49767, 49807 RTCOMM-ASRU Russian Federation 19->82 84 138.124.186.58, 48619, 49766 NOKIA-ASFI Norway 19->84 86 192.168.2.1 unknown unknown 19->86 74 C:\Users\user\AppData\Local\Temp\soldd.exe, PE32 19->74 dropped 108 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 19->108 110 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 19->110 112 Tries to harvest and steal browser information (history, passwords, etc) 19->112 114 Tries to steal Crypto Currency Wallets 19->114 26 soldd.exe 19->26         started        file7 signatures8 process9 signatures10 122 Multi AV Scanner detection for dropped file 26->122 124 Adds a directory exclusion to Windows Defender 26->124 29 cmd.exe 1 26->29         started        process11 signatures12 144 Suspicious powershell command line found 29->144 146 Tries to download and execute files (via powershell) 29->146 148 Adds a directory exclusion to Windows Defender 29->148 32 powershell.exe 29->32         started        34 powershell.exe 29->34         started        36 powershell.exe 25 29->36         started        39 4 other processes 29->39 process13 dnsIp14 43 sold.exe 32->43         started        46 Amongus.exe 34->46         started        104 Drops PE files to the user root directory 36->104 106 Powershell drops PE file 36->106 88 fortnightgalaxyswapper.ru 39->88 90 fortnightgalaxyswapper.ru 39->90 78 C:\Users\user\AppData\Roaming\sold.exe, PE32+ 39->78 dropped 80 C:\Users\user\Amongus.exe, PE32 39->80 dropped file15 signatures16 process17 dnsIp18 126 Multi AV Scanner detection for dropped file 43->126 128 Writes to foreign memory regions 43->128 130 Allocates memory in foreign processes 43->130 132 Creates a thread in another existing process (thread injection) 43->132 49 conhost.exe 43->49         started        92 ip-api.com 208.95.112.1, 49834, 80 TUT-ASUS United States 46->92 94 api.telegram.org 149.154.167.220, 443, 49836 TELEGRAMRU United Kingdom 46->94 134 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 46->134 136 May check the online IP address of the machine 46->136 52 conhost.exe 46->52         started        signatures19 process20 file21 72 C:\Windows\System32\services32.exe, PE32+ 49->72 dropped 54 cmd.exe 49->54         started        57 cmd.exe 49->57         started        process22 signatures23 118 Drops executables to the windows directory (C:\Windows) and starts them 54->118 59 services32.exe 54->59         started        62 conhost.exe 54->62         started        120 Uses schtasks.exe or at.exe to add and modify task schedules 57->120 64 conhost.exe 57->64         started        66 schtasks.exe 57->66         started        process24 signatures25 138 Writes to foreign memory regions 59->138 140 Allocates memory in foreign processes 59->140 142 Creates a thread in another existing process (thread injection) 59->142 68 conhost.exe 59->68         started        process26 file27 76 C:\Windows\System32\...\sihost32.exe, PE32+ 68->76 dropped 116 Drops executables to the windows directory (C:\Windows) and starts them 68->116 signatures28
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a6e69af95b2cfafbdc192c5c34d065b8e51925534824be3d432c1e2a17375289/
Threat name:
ByteCode-MSIL.Infostealer.Reline
Create hunting rule
Status:
Malicious
First seen:
2021-10-30 09:23:04 UTC
AV detection:
8 of 44 (18.18%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=u3tjv6k3ft5pxxazfrodjudfxdsrsjktjasl4pkdfqpcufzxkkeq._file
Verdict:
malicious
Similar samples:
58f64e4083fa288b091dc0d29a050da9cd09e4ee6607aff2e5fa5ffbe2c7a887
RedLineStealer
a855f110470f35fa83d40ffa1eb3748a0c2fc4cf11bdb4bb01e171c031097bf1
RedLineStealer
e6dff8475541ebddc1f0db47a311eb2c25581b7d5e62af8066d59c283114c2d3
RedLineStealer
f1e4cf5b0fc8658f900febca637c9071fe7396f410015c41284768eac593ffa5
RedLineStealer
f30dab44e1b3c177c002b35c5e9a933b79345c378dbf434b96de62051bbb1eb0
RedLineStealer
fd50e5ce3b80417115401a4cc61ba7efd5c4d6f13d9166c26cc456b111d39fbb
RedLineStealer
+ 2'208 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer
Link:
https://tria.ge/reports/211030-lcgb6aegb2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
RedLine
RedLine Payload
Malware Config
C2 Extraction:
138.124.186.58:48619
Dropper Extraction:
https://fortnightgalaxyswapper.ru/sold.exe
https://fortnightgalaxyswapper.ru/Amongus.exe
Unpacked files
SH256 hash:
96b2d7c49a9458205c4186e616348cf3a6d97eecacd3f28b5c4f39eabc95ae95
MD5 hash:
0567c68bca3d87517a8a09ba7196ded8
SHA1 hash:
abd357bfa24f54028b3c595a56ebbc98c0d04722
Link:
https://www.unpac.me/results/f98c5482-d8f5-4f75-a18f-bd7c31845289/
SH256 hash:
a6e69af95b2cfafbdc192c5c34d065b8e51925534824be3d432c1e2a17375289
MD5 hash:
9ee13d3d7d84332e2a7bf5dab6840797
SHA1 hash:
3b9433905b18c02f8df25eb6fd85707ad7755791
Link:
https://www.unpac.me/results/f98c5482-d8f5-4f75-a18f-bd7c31845289/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a6e69af95b2cfafbdc192c5c34d065b8e51925534824be3d432c1e2a17375289

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments