MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a83b168b629212e96ac8ef12adb96d9241a16c0f33a459777e31a5b1b458282e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 15



SHA256 hash: a83b168b629212e96ac8ef12adb96d9241a16c0f33a459777e31a5b1b458282e
SHA3-384 hash: 7d9e2b0b42a48e537be8f67bb9492de892b4d7367323adb9cee0f936bc04ca7cacb9b41dba796e8ca1967328a3cacebb
SHA1 hash: 5d116e407532c60f9a5fd7e923ca1e074eab8a74
MD5 hash: f32a5cdef458cf233840a9c630cc40a2
humanhash: angel-purple-edward-pluto
File name: A83B168B629212E96AC8EF12ADB96D9241A16C0F33A45.exe
Download: download sample
Signature RedLineStealer
File size: 8'128'512 bytes
First seen: 2022-06-24 18:03:43 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 196608:EbeuqtfLqAor54J5q1FYU0/NsgXhliicCGOpiMqNzWyg:EaDGfuW1FYv2LicCGOr
TLSH T1AE8623607BD4842BD2EF2B3EE4F0E62582799ED1D712E75F1E9130EA29323C05D41BA5
TrID 54.3% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
20.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.8% (.EXE) InstallShield setup (43053/19/16)
4.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
2.9% (.EXE) Win64 Executable (generic) (10523/12/4)
File icon (PE): PE icon
dhash icon d0f8c058f8e8d0e0 (1 x RedLineStealer)
Reporter abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
18.196.41.122:17044

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
18.196.41.122:17044 | https://threatfox.abuse.ch/ioc/724579/

Intelligence


File Origin
# of uploads :
1
# of downloads :
261
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
ID:
1
File name:
Disney Checker.rar
Verdict:
Malicious activity
Analysis date:
2022-05-12 20:19:53 UTC
Tags:
trojan rat redline evasion stealer phishing quasar

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file
Creating a file in the %temp% subdirectories
Using the Windows Management Instrumentation requests
Running batch commands
Sending a custom TCP request
DNS request
Sending an HTTP POST request
Searching for synchronization primitives
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Launching a process
Enabling the 'hidden' option for recently created files
Creating a window
Setting a keyboard event handler
Reading critical registry keys
Creating a process with a hidden window
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Blocking the Windows Defender launch
Query of malicious DNS domain
Sending a TCP request to an infection source
Stealing user critical data
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
anti-vm cmd.exe evasive fingerprint greyware hacktool packed quasarrat rat schtasks.exe stealer
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine, Vermin Keylogger
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Connects to many ports of the same IP (likely port scanning)
Contains functionality to hide user accounts
Disables Windows Defender (via service or powershell)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses dynamic DNS services
Uses known network protocols on non-standard ports
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected RedLine Stealer
Yara detected Vermin Keylogger
Behaviour
Behavior Graph:
[Behavior Graph ID: 652011 for sample A83B168B629212E96AC8EF12ADB96D9241A16C0F33A45.exe, start date 24/06/2022, architecture WINDOWS, score 100. The graph rendering (process tree, dropped files and contacted hosts) is not reproduced here.]
Threat name:
ByteCode-MSIL.Backdoor.Zapchast
Status:
Malicious
First seen:
2022-04-26 00:11:27 UTC
File Type:
PE (.Net Exe)
Extracted files:
622
AV detection:
23 of 26 (88.46%)
Threat level:
5/5
Verdict:
malicious
Result
Malware family:
venomrat
Score:
10/10
Tags:
family:quasar family:redline family:venomrat botnet:awsr botnet:v/r/b discovery evasion infostealer pyinstaller rat rootkit spyware stealer suricata trojan
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Detects Pyinstaller
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
Checks computer location settings
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
Executes dropped EXE
Contains code to disable Windows Defender
Modifies Windows Defender Real-time Protection settings
Quasar Payload
Quasar RAT
RedLine
RedLine Payload
VenomRAT
suricata: ET MALWARE Common RAT Connectivity Check Observed
Malware Config
C2 Extraction:
siyatermi.duckdns.org:17044
siyatermi.duckdns.org:1518
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: grakate_stealer_nov_2021
Rule name: INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author: ditekSHen
Description: Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name: INDICATOR_SUSPICIOUS_DisableWinDefender
Author: ditekSHen
Description: Detects executables containing artifacts associated with disabling Windows Defender
Rule name: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Author: ditekSHen
Description: Detects Windows executables referencing non-Windows User-Agents
Rule name: INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Author: ditekSHen
Description: Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Author: ditekSHen
Description: Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
Rule name: malware_Quasar_strings
Author: JPCERT/CC Incident Response Group
Description: detect QuasarRAT in memory
Rule name: MALWARE_Win_Arechclient2
Author: ditekSHen
Description: Detects Arechclient2 RAT
Rule name: MALWARE_Win_QuasarRAT
Author: ditekSHen
Description: QuasarRAT payload
Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer
Rule name: MAL_Lokibot_Stealer
Description: Detects Lokibot Stealer Variants
Rule name: MAL_QuasarRAT_May19_1
Author: Florian Roth
Description: Detects QuasarRAT malware
Reference: https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name: MAL_QuasarRAT_May19_1_RID2E1E
Author: Florian Roth
Description: Detects QuasarRAT malware
Reference: https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB
Rule name: pe_imphash
Rule name: PyInstaller
Author: @bartblaze
Description: Identifies executable converted using PyInstaller.
Rule name: RDPWrap
Author: @bartblaze
Description: Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference: https://github.com/stascorp/rdpwrap
Rule name: RedLine_a
Author: @bartblaze
Description: Identifies RedLine stealer.
Rule name: redline_new_mem
Author: James_inthe_box
Description: Redline stealer
Reference: https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8/
Rule name: redline_stealer
Author: jeFF0Falltrades
Description: This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name: Redline_Stealer_Monitor
Description: Detects RedLine Stealer Variants
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments