MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a8cbe0475d1e2b183f00b9f04fc0188ed043e13b91fab22dbcb4af73631162e5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a8cbe0475d1e2b183f00b9f04fc0188ed043e13b91fab22dbcb4af73631162e5
SHA3-384 hash: 030448aec46ca368c9fdebc02a3784d7ca2d0ae2ca38d338ea17a80f2d94d3431c375eb375307f91bd668a18846cd980
SHA1 hash: 6fc9679bd536b92619b97efb1c33e823727c5e09
MD5 hash: 86e35d2ee6805548de717ae072a8de9d
humanhash: purple-kansas-rugby-carolina
File name:Loader3.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'492'992 bytes
First seen:2022-01-25 15:19:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d7dd6fa75115d9909f747434e40fff68 (173 x RedLineStealer, 10 x DCRat, 1 x CoinMiner.XMRig)
ssdeep 24576:hpbHhIH2ldcSnB0g1d+qO7+AScsaw51p5xXroDitTmh2O5/xRkEaHNYK3OByuI:VIWlRaU+qO7h+rBWiFmhz57Na5v
TLSH T1C86533A396CD7B7ED67FA1B1B5752D1BA8C082421AB095A6E1770F0769C4CC1FC483B8
Reporter JaffaCakes118
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
166
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Loader3.exe
Verdict:
Malicious activity
Analysis date:
2022-01-25 15:19:19 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/94c5cfd8-b9d0-4e65-b73a-d405c4ad227c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/222555/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Searching for analyzing tools
Searching for the window
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Sending an HTTP GET request
Sending a TCP request to an infection source
Stealing user critical data
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending an HTTP GET request to an infection source
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/61f01529d73ca9d46487b652/reports/196b3153-4d4e-45ea-badd-95d4a5f51ff0/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/15f4be9c-2cfc-4d0c-aa11-3e94113004e9
Result
Threat name:
Phoenix Miner RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/927621
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides threads from debuggers
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Suspicious Remote Thread Created
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Phoenix Miner
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 560095 Sample: Loader3.exe Startdate: 26/01/2022 Architecture: WINDOWS Score: 100 83 Multi AV Scanner detection for domain / URL 2->83 85 Found malware configuration 2->85 87 Antivirus detection for URL or domain 2->87 89 8 other signatures 2->89 9 Loader3.exe 15 7 2->9         started        14 RegHost.exe 1 2->14         started        process3 dnsIp4 77 91.243.32.42 MATTEOGB Russian Federation 9->77 79 8.8.8.8 GOOGLEUS United States 9->79 81 2 other IPs or domains 9->81 69 C:\Users\user\AppData\Local\...\startix.exe, PE32+ 9->69 dropped 71 C:\Users\user\AppData\...\Loader3.exe.log, ASCII 9->71 dropped 101 Detected unpacking (changes PE section rights) 9->101 103 Detected unpacking (overwrites its own PE header) 9->103 105 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 9->105 113 4 other signatures 9->113 16 startix.exe 1 2 9->16         started        107 Multi AV Scanner detection for dropped file 14->107 109 Query firmware table information (likely to detect VMs) 14->109 111 Tries to detect sandboxes and other dynamic analysis tools (window names) 14->111 115 6 other signatures 14->115 21 bfsvc.exe 14->21         started        23 conhost.exe 14->23         started        25 explorer.exe 14->25         started        file5 signatures6 process7 dnsIp8 73 185.137.234.33 SELECTELRU Russian Federation 16->73 67 C:\Users\user\AppData\Roaming\...\RegHost.exe, PE32+ 16->67 dropped 91 Multi AV Scanner detection for dropped file 16->91 93 Query firmware table information (likely to detect VMs) 16->93 95 Machine Learning detection for dropped file 16->95 99 7 other signatures 16->99 27 bfsvc.exe 1 16->27         started        30 explorer.exe 2 16->30         started        32 curl.exe 1 16->32         started        35 conhost.exe 16->35         started        97 Hides threads from debuggers 21->97 37 conhost.exe 21->37         started        file9 signatures10 process11 dnsIp12 117 Hides threads from debuggers 27->117 39 conhost.exe 27->39         started        41 curl.exe 1 30->41         started        43 curl.exe 1 30->43         started        45 curl.exe 1 30->45         started        51 6 other processes 30->51 75 149.154.167.220 TELEGRAMRU United Kingdom 32->75 47 conhost.exe 32->47         started        49 conhost.exe 35->49         started        signatures13 process14 process15 53 conhost.exe 41->53         started        55 conhost.exe 43->55         started        57 conhost.exe 45->57         started        59 conhost.exe 51->59         started        61 conhost.exe 51->61         started        63 conhost.exe 51->63         started        65 conhost.exe 51->65         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a8cbe0475d1e2b183f00b9f04fc0188ed043e13b91fab22dbcb4af73631162e5/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-01-25 15:20:16 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vdf6ar25dyvrqpyaxhye7qayr3iehyj3sh5leln4wsxxgyyrmlsq._file
Verdict:
malicious
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:@souoy discovery evasion infostealer persistence spyware stealer themida trojan
Link:
https://tria.ge/reports/220125-sqrhlsaah5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RedLine
RedLine Payload
Malware Config
C2 Extraction:
91.243.32.42:52075
Unpacked files
SH256 hash:
6851e02d3f4b8179b975f00bbc86602a2f2f84524f548876eb656db7ea5eaa9c
MD5 hash:
c5124caf4aea3a83b63a9108fe0dcef8
SHA1 hash:
a43a5a59038fca5a63fa526277f241f855177ce6
Link:
https://www.unpac.me/results/a89bbd7c-cc0a-4a7c-8b24-1f832def19a3/
SH256 hash:
a8cbe0475d1e2b183f00b9f04fc0188ed043e13b91fab22dbcb4af73631162e5
MD5 hash:
86e35d2ee6805548de717ae072a8de9d
SHA1 hash:
6fc9679bd536b92619b97efb1c33e823727c5e09
Link:
https://www.unpac.me/results/a89bbd7c-cc0a-4a7c-8b24-1f832def19a3/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/a8cbe0475d1e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a8cbe0475d1e2b183f00b9f04fc0188ed043e13b91fab22dbcb4af73631162e5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe a8cbe0475d1e2b183f00b9f04fc0188ed043e13b91fab22dbcb4af73631162e5

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/222555/

Comments