MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 abc845a1bcb5a82c786c55f8f778cef56bcfb4e66eec07172c14fb4cf78dcfcc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

SHA256 hash: abc845a1bcb5a82c786c55f8f778cef56bcfb4e66eec07172c14fb4cf78dcfcc
SHA3-384 hash: 0718fdec753a9b77a034d56796d07a4cf29379cc6d1721edfb8a4d869e350e7c1edf9dd239911711f4a1fce8212fc0c1
SHA1 hash: d9d40e2ff79d79c777dc42f4361a92f1af210043
MD5 hash: a68be0b82b06bbc7e27c6f8f0f7a2b9f
humanhash: artist-august-indigo-winner
File name: a68be0b82b06bbc7e27c6f8f0f7a2b9f.exe
Signature: RedLineStealer
File size: 2'974'160 bytes
First seen: 2021-07-13 03:26:42 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: ae9f6a32bb8b03dce37903edbc855ba1 (28 x CryptOne, 18 x RedLineStealer, 15 x njrat)
ssdeep: 49152:06L7+y1DbscmrHENfu7WSxiXdrzrJ3+HcjOVWOMSMmfZS7BD2enoOQu4oZ1g6:06H+y1DKbENQiz1OVWObZYZoAPZ15
Threatray: 781 similar samples on MalwareBazaar
TLSH: T1C8D52386AAC114B2C2A239348FF5D7714B78BC320B3456D762D83F1F7A785D3A612762
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
185.198.57.69:80

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                 ThreatFox Reference
185.198.57.69:80    https://threatfox.abuse.ch/ioc/159867/

Intelligence


File Origin
# of uploads: 1
# of downloads: 135
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: SYNAPSE_keygen_by_KeygenSumo.zip
Verdict: Malicious activity
Analysis date: 2021-06-27 10:25:47 UTC
Tags: evasion trojan rat azorult stealer miner fareit pony redline danabot phishing vidar raccoon

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Creates files with lurking names (e.g. Crack.exe)
Detected VMProtect packer
Drops PE files to the document folder of the user
Machine Learning detection for dropped file
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample is protected by VMProtect
Sets debug register (to hijack the execution of another thread)
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Behaviour
Behavior Graph: ID 447658, sample GbVqGgFffu.exe, start date 13/07/2021, architecture WINDOWS, score 100

Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Antivirus detection for dropped file; 6 other signatures

Process tree (dropped files, network contacts and signatures per process):

GbVqGgFffu.exe (started)
  Dropped: C:\Users\user\AppData\Local\...\note866.exe (PE32); C:\Users\user\AppData\Local\...\hbggg.exe (PE32); C:\Users\user\AppData\Local\...\IDWCH1.exe (PE32); 2 other malicious files
  Signatures: Creates files with lurking names (e.g. Crack.exe)
  Crack.exe (started)
    Dropped: C:\Users\user\AppData\Local\...\install.dll (PE32); C:\Users\user\AppData\...\adobe_caps.dll (PE32)
    Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
    rundll32.exe (started)
      Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
      svchost.exe (injected)
        Signatures: System process connects to network (likely due to code injection or exploit); Contains functionality to infect the boot sector; Contains functionality to inject threads in other processes; 5 other signatures
        svchost.exe (started)
          Network: 208.95.112.1 (TUT-ASUS, United States); 104.21.21.221 (CLOUDFLARENETUS, United States); 172.67.200.215 (CLOUDFLARENETUS, United States)
          Dropped: C:\Users\user\AppData\...\Login Data.tmp (SQLite); C:\Users\user\AppData\Local\...\Cookies.tmp (SQLite)
          Signatures: Query firmware table information (likely to detect VMs); Tries to harvest and steal browser information (history, passwords, etc)
        svchost.exe (started)
          Network: email.yg9.me 198.13.62.186 (AS-CHOOPAUS, United States)
      svchost.exe (injected)
      svchost.exe (injected)
      12 other processes
    conhost.exe (started)
  note866.exe (started)
    Network: 101.36.107.74, 49713, 80 (UHGL-AS-APUCloudHKHoldingsGroupLimitedHK, China); iplogger.org 88.99.66.31, 443, 49714 (HETZNER-ASDE, Germany); 192.168.2.1 (unknown)
    Dropped: C:\Users\user\Documents\...\note866.exe (PE32)
    Signatures: Drops PE files to the document folder of the user; May check the online IP address of the machine; Tries to harvest and steal browser information (history, passwords, etc)
Threat name: Win32.Trojan.Tnega
Status: Malicious
First seen: 2021-06-27 20:05:00 UTC
AV detection: 26 of 29 (89.66%)
Threat level: 5/5

Result
Malware family: redline
Score: 10/10
Tags: family:redline discovery evasion infostealer persistence spyware stealer trojan upx vmprotect
Behaviour
Checks processor information in registry
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Drops desktop.ini file(s)
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
UPX packed file
VMProtect packed file
Checks for common network interception software
RedLine
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files

SHA256 hash: 2ae5fee0c10d1982569a3425c8ff263e6adefb901fe33d1ff9f24c51d10fb98d
MD5 hash: b4df5fa0622752e29d596c9985e30b55
SHA1 hash: 95fbb881cb8e18ad1351da1a3a8ae5d8a9e07309

SHA256 hash: 01808f7bce25db18bce99e432555fcfff148a1d931128edebc816975145cabd7
MD5 hash: 5e6df381ce1c9102799350b7033e41df
SHA1 hash: f8a4012c9547d9bb2faecfba75fc69407aaec288

SHA256 hash: b26d99296cc1f38ad735c36a305eb206b8a9022e92b463886ed918f42dee0b04
MD5 hash: 9decb9ebf19e4e45bd75f175140e1018
SHA1 hash: c9d35d2bc78dd37270dbe17f2555324c6f560d11

SHA256 hash: e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash: 0dedd909aae9aa0a89b4422106310e9e
SHA1 hash: 271d36afa5b729ee590cf8066166ca5e9c9d0340

SHA256 hash: 77e0f82d79fd53a30339ae2f169c16cb1e5ea7b8748ce85b38961d14518ed9a9
MD5 hash: 8d0591eae29a31dbc761ab29c46f3b25
SHA1 hash: 09a984c3b78925713cfa934294de70d21b3205d9

SHA256 hash: c38130ec7c62555eda06f13e6ae9fd4097ed7a593c99b12cee1d4acde51a6b1a
MD5 hash: 737869cf009bba2a64fba96464e3f12b
SHA1 hash: af8879df525f677663e215873bf1614be1791e1a

SHA256 hash: 14675731cbdbdb602f156601122ebc188520a2949929db244563d4d7c187c363
MD5 hash: 6583fd607a9fcbc5b662cb70fbf07563
SHA1 hash: 8e9e632f15f33d5efb16aefefe2698e06b0fa496

SHA256 hash: 6bd7b729f80adcdedc268e36948b528ab4f4dd907d5c06a1c9a1c683d8d101c7
MD5 hash: c3893ca56b38041ee8c26c1c12cba9d9
SHA1 hash: be32791dfbf7612f5cd058e3913faef4c28d3c7b

SHA256 hash: abc845a1bcb5a82c786c55f8f778cef56bcfb4e66eec07172c14fb4cf78dcfcc
MD5 hash: a68be0b82b06bbc7e27c6f8f0f7a2b9f
SHA1 hash: d9d40e2ff79d79c777dc42f4361a92f1af210043

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_VMProtect
Author: ditekSHen
Description: Detects executables packed with VMProtect.

Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers.

Rule name: MALWARE_Win_HyperBro03
Author: ditekSHen
Description: Hunt HyperBro IronTiger / LuckyMouse / APT27 malware

Rule name: SUSP_XORed_MSDOS_Stub_Message
Author: Florian Roth
Description: Detects suspicious XORed MSDOS stub message
Reference: https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments