MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a9de0ab9937450843d884d96a20bf99a9500444bafb09fa898a2168752443172. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a9de0ab9937450843d884d96a20bf99a9500444bafb09fa898a2168752443172
SHA3-384 hash: 895d46846347767ef1687a800f80c1b6ee9c9d46d65eefa5082b6114fb4eeba85440271eecf7e3cd206723be94259e35
SHA1 hash: 639b3f8d6e0057f8ad0ae9df9ceaf87c8f254044
MD5 hash: d52d4605e143e652bd35c81722eac315
humanhash: winter-one-potato-zebra
File name:D52D4605E143E652BD35C81722EAC315.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'966'031 bytes
First seen:2021-05-16 02:00:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c9adc83b45e363b21cd6b11b5da0501f (82 x ArkeiStealer, 60 x RecordBreaker, 46 x RedLineStealer)
ssdeep 49152:pAI+X/sAfNmBZW6hiZyNeMR33s+BBAuDcp8IRIBWzj8Zk9:pAI+EAloWZZyNeaHhDc+IE8Og
Threatray 163 similar samples on MalwareBazaar
TLSH A69523349185817AD1520831891FA77AF17FFB5067BA98CFB6DD0E2889336091E783DB
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
52.6.206.192:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
52.6.206.192:80 https://threatfox.abuse.ch/ioc/42660/

Intelligence

File Origin
# of uploads :
1
# of downloads :
166
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
D52D4605E143E652BD35C81722EAC315.exe
Verdict:
No threats detected
Analysis date:
2021-05-16 02:02:20 UTC
Tags:
installer
Link:
https://app.any.run/tasks/5b8cba8a-4a3e-4f74-a1ac-0e6ec1c7bdba

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/157496/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Delayed reading of the file
Creating a file in the %temp% subdirectories
Creating a file in the Program Files subdirectories
Deleting a recently created file
Creating a process from a recently created file
Creating a process with a hidden window
DNS request
Launching the default Windows debugger (dwwin.exe)
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Creating a file in the Windows subdirectories
Sending a custom TCP request
Sending a UDP request
Launching a process
Replacing files
Connection attempt to an infection source
Sending an HTTP POST request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/782919
Signature
Antivirus detection for dropped file
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Drops PE files to the document folder of the user
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is protected by VMProtect
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 415315 Sample: 8Fw25C6DZc.exe Startdate: 16/05/2021 Architecture: WINDOWS Score: 100 54 Multi AV Scanner detection for domain / URL 2->54 56 Found malware configuration 2->56 58 Antivirus detection for dropped file 2->58 60 11 other signatures 2->60 7 8Fw25C6DZc.exe 14 12 2->7         started        process3 file4 30 C:\Program Files (x86)\...\md8_8eus.exe, PE32 7->30 dropped 32 C:\Program Files (x86)\Company\...\file4.exe, PE32 7->32 dropped 34 C:\Program Files (x86)\...\customer2.exe, PE32 7->34 dropped 36 3 other files (2 malicious) 7->36 dropped 10 customer2.exe 1 1 7->10         started        14 md8_8eus.exe 29 7->14         started        17 Tastevin.exe 15 2 7->17         started        19 file4.exe 7->19         started        process5 dnsIp6 42 uyg5wye.2ihsfa.com 88.218.92.148, 49725, 49732, 49734 ENZUINC-US Netherlands 10->42 44 ip-api.com 208.95.112.1, 49716, 80 TUT-ASUS United States 10->44 52 3 other IPs or domains 10->52 38 C:\Users\user\AppData\...\jfiag3g_gg.exe, PE32 10->38 dropped 21 jfiag3g_gg.exe 1 10->21         started        24 jfiag3g_gg.exe 2 10->24         started        26 jfiag3g_gg.exe 10->26         started        28 5 other processes 10->28 46 101.36.107.74, 49719, 80 UHGL-AS-APUCloudHKHoldingsGroupLimitedHK China 14->46 48 iplogger.org 88.99.66.31, 443, 49720 HETZNER-ASDE Germany 14->48 40 C:\Users\user\Documents\...\md8_8eus.exe, PE32 14->40 dropped 64 Tries to harvest and steal browser information (history, passwords, etc) 14->64 50 luchiki.store 52.6.206.192, 49740, 49759, 80 AMAZON-AESUS United States 17->50 file7 signatures8 process9 signatures10 62 Multi AV Scanner detection for dropped file 21->62
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a9de0ab9937450843d884d96a20bf99a9500444bafb09fa898a2168752443172/
Threat name:
Win32.Trojan.CookiesStealer
Create hunting rule
Status:
Malicious
First seen:
2021-05-12 19:32:00 UTC
AV detection:
14 of 29 (48.28%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vhpavomtoriiipmijwlkec7ztkkqarclv6yj7keyuiliousegfza._file
Verdict:
malicious
Similar samples:
12bbe24de7cb5efda944526935ce54a013d93d99b366b9f74a19828ddc987ebc
RedLineStealer
1ac6d1275df2a3c1c7331666e29259aaecc303f6be32f9248c3c6bc5d2638e55
RedLineStealer
3ec8d6d1645881d59332953e0da03a3207d34f985dd88e975ca8bf65fb7cc3c1
RedLineStealer
5397b6d592556e4d65cd442190cfbcba5b3d253b0fbfcc0a16f1c6f2b48a58c4
RedLineStealer
541ebfa6dd694728edd3cf536a13c739179edadcd880e7c28e074b60da1bcac8
RedLineStealer
8aa1689d6acacf9f2eb2603db52dc5908e1ec5d80000deec13e2e038c2883413
RedLineStealer
9329d5d88208298ef930bd5f126aec96ac18c08933872b36bdbbf041a6cb462a
RedLineStealer
97fe546f4790b24b92895fd102ab528c84187dde94b00e4efc16e78dba9f80a4
RedLineStealer
b11bd18587058601cde1be46ec722f2ddc96fddd976f3a263e4d0358e8e08865
RedLineStealer
bc5e3b9e7638a68bbb36387281fedc1bedb12d67575b9242a47c0bf0c8f3c265
RedLineStealer
+ 153 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:pub01-1 discovery evasion infostealer spyware stealer trojan upx vmprotect
Link:
https://tria.ge/reports/210516-jbg4ess6rs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
UPX packed file
VMProtect packed file
RedLine
RedLine Payload
Malware Config
C2 Extraction:
luchiki.store:80
elochka2021.store:80
girlanda2021.store:80
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Tinba
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a9de0ab9937450843d884d96a20bf99a9500444bafb09fa898a2168752443172

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/157496/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-16 03:01:51 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009.029] Anti-Behavioral Analysis::Instruction Testing
1) [F0002.002] Collection::Polling
3) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
4) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
5) [C0032.001] Data Micro-objective::CRC32::Checksum
6) [C0060] Data Micro-objective::Compression Library
7) [C0026.002] Data Micro-objective::XOR::Encode Data
9) [C0046] File System Micro-objective::Create Directory
10) [C0048] File System Micro-objective::Delete Directory
11) [C0047] File System Micro-objective::Delete File
12) [C0049] File System Micro-objective::Get File Attributes
13) [C0051] File System Micro-objective::Read File
14) [C0050] File System Micro-objective::Set File Attributes
15) [C0052] File System Micro-objective::Writes File
16) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
17) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
18) [C0036.005] Operating System Micro-objective::Query Registry Key::Registry
19) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
20) [C0036.001] Operating System Micro-objective::Set Registry Key::Registry
21) [C0017] Process Micro-objective::Create Process
22) [C0041] Process Micro-objective::Set Thread Local Storage Value
23) [C0018] Process Micro-objective::Terminate Process