MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab678d5de5678d684711044c60a9b3a706f08be433692f0960b132b8bee3a2d2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ab678d5de5678d684711044c60a9b3a706f08be433692f0960b132b8bee3a2d2
SHA3-384 hash: 9bf8c1a3b38c459c7dd19edc0f0bd2b69e373351fd227dc2d9f57f7e6c4513d65c200cef1278031cec699ebe0c73ae4a
SHA1 hash: 191abe2b47029f6b9f7990051aab5737c3ab9ed9
MD5 hash: c6782f53e3e3c8668ff26299a5a649db
humanhash: lithium-seventeen-uncle-lamp
File name:update.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:582'088 bytes
First seen:2022-02-27 09:06:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 445554923421947cbff896012e27345a (301 x RedLineStealer, 11 x RaccoonStealer, 5 x CoinMiner)
ssdeep 12288:rIHKOm0j1xJ9H+sJnQS03ULaHNqrxlKIQNo2EqolY3NVzrEe3+:rIRrwsJnkEaHNYK3J7oy3NVzL3+
Threatray 233 similar samples on MalwareBazaar
TLSH T180C4235A2260350CCF8B19F01B7ADA4B5F11917D50D0759EAB710FCB55246E2EB6C0EF
Reporter tech_skeech
Tags:exe RedLineStealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
92.119.113.192:6238 https://threatfox.abuse.ch/ioc/391107/

Intelligence

File Origin
# of uploads :
1
# of downloads :
272
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/245044/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Packed.Fragtor-9940182-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Sending a custom TCP request
DNS request
Using the Windows Management Instrumentation requests
Creating a file in the Program Files subdirectories
Creating a window
Reading critical registry keys
Сreating synchronization primitives
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/621b3f39b94fb38cb418ccdb/reports/6b254678-1a0b-4526-bb1e-8fe6ad5abf24/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/027c08d9-31b9-4219-b8a4-8826b0bf7cd6
Result
Threat name:
Phoenix Miner RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/946885
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Hides threads from debuggers
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Phoenix Miner
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 579366 Sample: update.exe Startdate: 27/02/2022 Architecture: WINDOWS Score: 100 90 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->90 92 Multi AV Scanner detection for domain / URL 2->92 94 Found malware configuration 2->94 96 9 other signatures 2->96 10 update.exe 1 2->10         started        13 RegHost.exe 1 2->13         started        process3 signatures4 100 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 10->100 102 Writes to foreign memory regions 10->102 104 Allocates memory in foreign processes 10->104 106 Injects a PE file into a foreign processes 10->106 15 AppLaunch.exe 15 7 10->15         started        20 conhost.exe 10->20         started        108 Multi AV Scanner detection for dropped file 13->108 110 Machine Learning detection for dropped file 13->110 112 Injects code into the Windows Explorer (explorer.exe) 13->112 114 Modifies the context of a thread in another process (thread injection) 13->114 22 bfsvc.exe 1 13->22         started        24 explorer.exe 1 13->24         started        26 conhost.exe 13->26         started        process5 dnsIp6 76 92.119.113.192, 49760, 6238 ON-LINE-DATAServerlocation-NetherlandsDrontenNL Ukraine 15->76 78 cdn.discordapp.com 162.159.130.233, 443, 49777 CLOUDFLARENETUS United States 15->78 66 C:\Users\user\AppData\Local\Temp\a.exe, PE32+ 15->66 dropped 80 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 15->80 82 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 15->82 84 Tries to harvest and steal browser information (history, passwords, etc) 15->84 86 Tries to steal Crypto Currency Wallets 15->86 28 a.exe 1 4 15->28         started        88 Hides threads from debuggers 22->88 33 conhost.exe 22->33         started        35 curl.exe 24->35         started        37 conhost.exe 24->37         started        39 curl.exe 24->39         started        file7 signatures8 process9 dnsIp10 74 185.137.234.33, 49781, 49784, 8080 SELECTELRU Russian Federation 28->74 68 C:\Users\user\AppData\...\RegModule.exe, PE32+ 28->68 dropped 70 C:\Users\user\AppData\Roaming\...\RegHost.exe, PE32+ 28->70 dropped 72 C:\Users\user\AppData\Roaming\...\RegData.exe, PE32+ 28->72 dropped 116 Multi AV Scanner detection for dropped file 28->116 118 Machine Learning detection for dropped file 28->118 120 Injects code into the Windows Explorer (explorer.exe) 28->120 122 4 other signatures 28->122 41 bfsvc.exe 1 28->41         started        44 explorer.exe 1 28->44         started        46 conhost.exe 28->46         started        48 conhost.exe 35->48         started        file11 signatures12 process13 signatures14 98 Hides threads from debuggers 41->98 50 conhost.exe 41->50         started        52 curl.exe 1 44->52         started        54 curl.exe 1 44->54         started        56 curl.exe 1 44->56         started        58 2 other processes 44->58 process15 process16 60 conhost.exe 52->60         started        62 conhost.exe 54->62         started        64 conhost.exe 56->64         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ab678d5de5678d684711044c60a9b3a706f08be433692f0960b132b8bee3a2d2/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-02-27 09:07:12 UTC
File Type:
PE (Exe)
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vnty2xpfm6gwqryrarggbkntu4dpbc7egnus6clawezlrpxdulja._file
Verdict:
malicious
Similar samples:
0713ce27fefb110cda3075fae74229170582c19758c2ecb7f85e0c0b8c694e0c
RedLineStealer
2da24494535db516936e3fdf11f46423c3be7abd33afab194bd93388ab89b0cb
RedLineStealer
3a06f4cc6efdaf99f8ddeb7303f2a0b18db737261e29b95dc8571420af6fb0f7
RedLineStealer
5aaecc91eecab8970deeef790df826ad10dd5fb4a40695b1143b9a84773c3223
RedLineStealer
99c01d1fd62da5b29fb9b5335319ae532d30679f39096284ee2da359a411b529
RedLineStealer
9bd02c78d6dc379e0906312cbf3feee3df113f1837cd41d4e13b0d07e96c5233
RedLineStealer
d057f4f00abe0297d81c25d6a1475c495b5784930ce77ca0b63bf2bad720b5e1
RedLineStealer
+ 223 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/220227-k3bnxsbhd7/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
19a8d9952e08eb54f2d50cef43dc5e9db675f395e969f6de4d37e3e42766cd69
MD5 hash:
7acad3a073845367fb1f9b52fa509a8c
SHA1 hash:
8a410e49d611384efc8057802e373940ad94cf47
Link:
https://www.unpac.me/results/1f7b19b7-3f5d-406a-a2c1-2df12bc51dfb/
SH256 hash:
7c972cd03824e0f9dfac0424acd1a1b0a35a15c65acbe50eba53a6ff9a33ab81
MD5 hash:
b5ba604c293da007c5d79cd9035b2aa9
SHA1 hash:
fa234da59cbcd5d8a7b6cd8d59ac454226ccf85f
Link:
https://www.unpac.me/results/1f7b19b7-3f5d-406a-a2c1-2df12bc51dfb/
SH256 hash:
ab678d5de5678d684711044c60a9b3a706f08be433692f0960b132b8bee3a2d2
MD5 hash:
c6782f53e3e3c8668ff26299a5a649db
SHA1 hash:
191abe2b47029f6b9f7990051aab5737c3ab9ed9
Link:
https://www.unpac.me/results/1f7b19b7-3f5d-406a-a2c1-2df12bc51dfb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ab678d5de5678d684711044c60a9b3a706f08be433692f0960b132b8bee3a2d2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe ab678d5de5678d684711044c60a9b3a706f08be433692f0960b132b8bee3a2d2

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/245044/

Comments