MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac5e6f8e646311bf3645ccdccf7119712ada6811d973444d3a763d17083ef028. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ac5e6f8e646311bf3645ccdccf7119712ada6811d973444d3a763d17083ef028
SHA3-384 hash: ed57d7fb7cce32b5e14a07916bbfedb031be282b0112bd6a0ec27e145c0f02a4ecc2d24e4ed039d61ae2ef6ae5c8f1d1
SHA1 hash: cbd988adbce3e58643aa115f58e7366add9ff7bd
MD5 hash: 5830c793bf39663018a60668a098c623
humanhash: robert-quebec-colorado-mexico
File name:SecuriteInfo.com.Variant.Ransom.Ranion.1.27807.19923
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:266'752 bytes
First seen:2021-08-20 13:08:13 UTC
Last seen:2022-09-21 03:59:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 6144:jl3QFzxR7jChHnDCn1wbBI2j3lRzNiBDA8:pAVjSHnQa9I2j3l65A8
TLSH T14F4429F1A740C469D8A795B9843BDAA7A423B25E8D6C490D2C92FF0B7D733470027D9B
dhash icon 6cecccccb4c2f2b2 (38 x AgentTesla, 30 x Formbook, 24 x PythonStealer)
Reporter SecuriteInfoCom
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
7
# of downloads :
102
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PI 23432 PDF.exe
Verdict:
Malicious activity
Analysis date:
2021-08-19 14:46:51 UTC
Tags:
evasion
Link:
https://app.any.run/tasks/60412293-64bc-4fdf-b182-5435903a39e2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/180947/
Detection(s):
SecuriteInfo.com.Variant.Ransom.Ranion.1.27807.19923.UNOFFICIAL
Create hunting rule

PUA.Win.Packed.ConfuserEx-6582917-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Creating a window
Enabling the 'hidden' option for analyzed file
Creating a file
Enabling the 'hidden' option for recently created files
DNS request
Connection attempt
Sending a custom TCP request
Creating a file in the %AppData% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Sending a UDP request
Delayed writing of the file
Replacing files
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Blocking a possibility to launch for the Windows Task Manager (taskmgr)
Blocking a possibility to launch for the Windows registry editor (regedit.exe)
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/15dbc984-bc23-4f7f-8cad-f8710a265c77
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/836416
Signature
Contains VNC / remote desktop functionality (version string found)
Creates autostart registry keys with suspicious names
Disables the Windows registry editor (regedit)
Disables the Windows task manager (taskmgr)
Drops PE files to the user root directory
Found Tor onion address
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
May use the Tor software to hide its network traffic
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sigma detected: Suspicious Certutil Command
Uses certutil -decode
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 468847 Sample: SecuriteInfo.com.Variant.Ra... Startdate: 20/08/2021 Architecture: WINDOWS Score: 100 61 Multi AV Scanner detection for dropped file 2->61 63 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->63 65 Multi AV Scanner detection for submitted file 2->65 67 9 other signatures 2->67 7 SecuriteInfo.com.Variant.Ransom.Ranion.1.27807.exe 17 6 2->7         started        12 r44s_2021-08-20 0309.exe 14 4 2->12         started        process3 dnsIp4 45 gcp.media-router.wixstatic.com 34.102.176.152, 443, 49699, 49705 GOOGLEUS United States 7->45 47 ipinfo.io 34.117.59.81, 443, 49700 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 7->47 53 3 other IPs or domains 7->53 37 C:\Users\Public\r44s_2021-08-20 0309.exe, PE32 7->37 dropped 39 C:\Users\user\AppData\Roaming\1knp6mw.cert, PEM 7->39 dropped 41 r44s_2021-08-20 0309.exe:Zone.Identifier, ASCII 7->41 dropped 69 Uses certutil -decode 7->69 71 May check the online IP address of the machine 7->71 73 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 7->73 75 5 other signatures 7->75 14 1knp6mw.exe 12 7->14         started        18 certutil.exe 3 2 7->18         started        49 media-router.wixstatic.com 12->49 51 64a10c38-6e07-4067-8bb6-af5dd1e95de9.usrfiles.com 12->51 43 C:\Users\user\AppData\Roaming\9i4twp4.cert, PEM 12->43 dropped 21 9i4twp4.exe 2 12->21         started        23 certutil.exe 2 12->23         started        file5 signatures6 process7 dnsIp8 55 37.157.195.87, 443, 49706 WEDOSCZ Czech Republic 14->55 57 86.52.65.60 STOFANETDK Denmark 14->57 59 3 other IPs or domains 14->59 77 Multi AV Scanner detection for dropped file 14->77 25 conhost.exe 14->25         started        33 C:\Users\user\AppData\Roaming\1knp6mw.exe, PE32 18->33 dropped 27 conhost.exe 18->27         started        29 conhost.exe 21->29         started        35 C:\Users\user\AppData\Roaming\9i4twp4.exe, PE32 23->35 dropped 31 conhost.exe 23->31         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ac5e6f8e646311bf3645ccdccf7119712ada6811d973444d3a763d17083ef028/
Threat name:
ByteCode-MSIL.Trojan.Dothetuk
Create hunting rule
Status:
Malicious
First seen:
2021-08-19 09:25:43 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vrpg7dtemmi36nsfztom64izoevnu2ar3fzuitj2oy6rocb66aua._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence ransomware spyware stealer suricata
Link:
https://tria.ge/reports/210820-k63ers41s6/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Looks up external IP address via web service
Adds Run key to start application
Reads user/profile data of web browsers
Disables RegEdit via registry modification
Disables Task Manager via registry modification
Executes dropped EXE
Modifies extensions of user files
suricata: ET MALWARE Observed Certificate Base64 Encoded Executable Inbound
suricata: ET MALWARE Windows executable base64 encoded
Unpacked files
SH256 hash:
ac5e6f8e646311bf3645ccdccf7119712ada6811d973444d3a763d17083ef028
MD5 hash:
5830c793bf39663018a60668a098c623
SHA1 hash:
cbd988adbce3e58643aa115f58e7366add9ff7bd
Link:
https://www.unpac.me/results/9d1c7d55-6fd8-49bc-862a-6fd08e943f7a/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/ac5e6f8e6463/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.66
Link:
https://yomi.yoroi.company/submissions/ac5e6f8e646311bf3645ccdccf7119712ada6811d973444d3a763d17083ef028

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:MAL_RANSOM_COVID19_Apr20_1
Create hunting rule
Author:Florian Roth
Description:Detects ransomware distributed in COVID-19 theme
Reference:https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/180947/

Comments