MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a98e93d07b5c5244ebd13d1070b580adcdd87a029b009d02c2158b3bb8962674. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a98e93d07b5c5244ebd13d1070b580adcdd87a029b009d02c2158b3bb8962674
SHA3-384 hash: c00fbf17eb276cbab28355d8abf69d71a1d3277def0b1796e4a6d08b55cecef6dd373e5def10d90a22c9ec671da9f880
SHA1 hash: c438b8f1e9fa648ef68f919a8e2387612069a9c4
MD5 hash: 183d14f2bfe921936ff4e83468dcff64
humanhash: golf-zulu-jersey-bulldog
File name:a98e93d07b5c5244ebd13d1070b580adcdd87a029b009.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'326'400 bytes
First seen:2021-03-27 21:35:40 UTC
Last seen:2021-03-27 23:46:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'634 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:tSrHJVtyfzBvTS1+A3MOJOfmYsnoEDuBec:tSrHJVtyfzocA3bJGmYoCBH
Threatray 50 similar samples on MalwareBazaar
TLSH 6455C7137D08E301D6F0993F81DE6A2823E19DCA8F33518BAF25BD651471E666DB232D
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
http://91.214.124.106/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://91.214.124.106/ https://threatfox.abuse.ch/ioc/5610/

Intelligence

File Origin
# of uploads :
2
# of downloads :
223
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a98e93d07b5c5244ebd13d1070b580adcdd87a029b009.exe
Verdict:
No threats detected
Analysis date:
2021-03-27 21:38:17 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a86edc76-1c29-4db6-bd62-fda7aaeae117

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/127299/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.63718.24508.28375.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a file
Sending an HTTP POST request
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ee9d1f03-a37c-4186-a2f7-ab1867a7b93d
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/655972
Signature
Allocates memory in foreign processes
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 376921 Sample: a98e93d07b5c5244ebd13d1070b... Startdate: 27/03/2021 Architecture: WINDOWS Score: 100 24 Found malware configuration 2->24 26 Multi AV Scanner detection for submitted file 2->26 28 Yara detected RedLine Stealer 2->28 30 Found many strings related to Crypto-Wallets (likely being stolen) 2->30 6 a98e93d07b5c5244ebd13d1070b580adcdd87a029b009.exe 3 2->6         started        process3 file4 16 a98e93d07b5c5244eb...d87a029b009.exe.log, ASCII 6->16 dropped 32 Writes to foreign memory regions 6->32 34 Allocates memory in foreign processes 6->34 36 Injects a PE file into a foreign processes 6->36 38 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 6->38 10 AddInProcess32.exe 6->10         started        13 AddInProcess32.exe 15 23 6->13         started        signatures5 process6 dnsIp7 40 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 10->40 42 May check the online IP address of the machine 10->42 44 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 10->44 18 91.214.124.106, 49724, 49727, 49731 VPSSC-ASUA Ukraine 13->18 20 checkip.us-east-1.prod.check-ip.aws.a2z.com 3.211.138.232, 49726, 80 AMAZON-AESUS United States 13->20 22 4 other IPs or domains 13->22 46 Tries to harvest and steal browser information (history, passwords, etc) 13->46 signatures8
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a98e93d07b5c5244ebd13d1070b580adcdd87a029b009d02c2158b3bb8962674/
Threat name:
Win32.Infostealer.Coins
Create hunting rule
Status:
Malicious
First seen:
2021-03-26 18:44:58 UTC
AV detection:
16 of 29 (55.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vghjhud3lrjej26rhuihbnmavxg5q6qctmaj2awccwftxoewez2a._file
Verdict:
malicious
Similar samples:
18cbd61d740bd57db209365f8e69ef6da4c02c585421bcd3af7ad24672032a0f
RedLineStealer
1ac6d1275df2a3c1c7331666e29259aaecc303f6be32f9248c3c6bc5d2638e55
RedLineStealer
3eee101d3dc8a6adfb1168bd543bcb2fe419959050878fa47e98cc9587697c26
RedLineStealer
4887639a62fab8baa56b119e5f05ec897ff95ec2b03833fc93cdc6a434f704b1
RedLineStealer
5646a28e787791605ce9bfb320ea149e566fac807ab1aa838596d2a97bb69266
RedLineStealer
7589a9119ed57667e4e4c8724daff202af68400b16338c7fa0879730437123bb
RedLineStealer
788e74f8304d3a413b6606573b90d780549c20808a63e18714f77aec1d4d4e5f
RedLineStealer
7a44d661f4c1ac837b0045dc28562b098cb66b5e371bda8a79ef00000fa66a65
RedLineStealer
a0060ae7aca834f5e12870b68920b8030c34d56658f61307fd7907073bf5f66a
RedLineStealer
fe0a5fde4fbbddd79d2938af2373c69a8219ea73831be712f1bca86150a30461
RedLineStealer
+ 40 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210327-ncsfpcm2g2/
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
RedLine
Unpacked files
SH256 hash:
52872a6e153007795c63f8190650c2dcf09d5180d639b71fdbd3466fa3ab0526
MD5 hash:
2e6185b0b8a414e03298967136de5f4e
SHA1 hash:
ff1f09f206f6e61c6d4eb62486adb935ede8b630
Link:
https://www.unpac.me/results/def00398-4bcd-4372-9069-21bce63b1ec0/
SH256 hash:
93475907e646a41da65ec0a972b16c25e1b30cec21acf2cafce9b462c2b8f485
MD5 hash:
e1eb32faabe2cf44967b8952d2969b85
SHA1 hash:
71dfbc4d026e34dee1d85e8679e65c79e444d126
Link:
https://www.unpac.me/results/def00398-4bcd-4372-9069-21bce63b1ec0/
SH256 hash:
a98e93d07b5c5244ebd13d1070b580adcdd87a029b009d02c2158b3bb8962674
MD5 hash:
183d14f2bfe921936ff4e83468dcff64
SHA1 hash:
c438b8f1e9fa648ef68f919a8e2387612069a9c4
Link:
https://www.unpac.me/results/def00398-4bcd-4372-9069-21bce63b1ec0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.10
Link:
https://yomi.yoroi.company/submissions/a98e93d07b5c5244ebd13d1070b580adcdd87a029b009d02c2158b3bb8962674

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/127299/

Comments