MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac660e725f1484dfe6b6d4f8606a4711fd9354c2bf8d5d4f63bad03c39849894. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ac660e725f1484dfe6b6d4f8606a4711fd9354c2bf8d5d4f63bad03c39849894
SHA3-384 hash: 37d41abd4bb1a5e696ad30cec477caf709a586aa68f831f194e8ccc02c71cf731c4f27d8a46e5360664ca4f53e5f9fd7
SHA1 hash: a4893c01aaacf84dbc7c550eb05d576edc3c227c
MD5 hash: 38c3210bf090888cb735e1fc36ee9c6a
humanhash: oranges-cardinal-table-mars
File name:ac660e725f1484dfe6b6d4f8606a4711fd9354c2bf8d5d4f63bad03c39849894
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:2'315'264 bytes
First seen:2023-09-07 12:48:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4830078074f8b890bae0c9712c9b8a71 (4 x RedLineStealer)
ssdeep 24576:FrIEs9ZB9cgZTgIZdkAimbngY8ccNp6g:xcB9cgZTgodkUgAHg
Threatray 947 similar samples on MalwareBazaar
TLSH T108B55C20388171A3EDF310B786EDB46A526DE0B4B72735DF15CF0AEE8A907D13A35256
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter adrian__luca
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
283
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
ac660e725f1484dfe6b6d4f8606a4711fd9354c2bf8d5d4f63bad03c39849894
Verdict:
Malicious activity
Analysis date:
2023-09-07 12:46:53 UTC
Tags:
stealer redline
Link:
https://app.any.run/tasks/fb6eea6c-d0e7-4768-a7a2-ad8921f57123

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/447147/
Detection(s):
SecuriteInfo.com.Trojan.PWS.RedLineNET.7.13356.1428.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
DNS request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Gathering data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control greyware lolbin redline
Link:
https://www.filescan.io/uploads/64f9c6c1e29c52e38dc87a9c/reports/1b8b3074-a172-4a0c-b706-ded5c19c86b4/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/ac660e725f1484dfe6b6d4f8606a4711fd9354c2bf8d5d4f63bad03c39849894
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1564f2f9-5922-4c9d-be16-dd2779b55679
Result
Threat name:
RedLine, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1305308
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Drops password protected ZIP file
Encrypted powershell cmdline option found
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample is not signed and drops a device driver
Sigma detected: Schedule system process
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1305308 Sample: LUqvXa6btC.exe Startdate: 07/09/2023 Architecture: WINDOWS Score: 100 86 Snort IDS alert for network traffic 2->86 88 Found malware configuration 2->88 90 Malicious sample detected (through community Yara rule) 2->90 92 12 other signatures 2->92 11 LUqvXa6btC.exe 2->11         started        process3 signatures4 100 Writes to foreign memory regions 11->100 102 Allocates memory in foreign processes 11->102 104 Injects a PE file into a foreign processes 11->104 14 vbc.exe 15 6 11->14         started        process5 dnsIp6 72 217.196.96.130, 49728, 49734, 49735 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 14->72 74 94.142.138.4, 49723, 80 IHOR-ASRU Russian Federation 14->74 76 api.ip.sb 14->76 68 C:\Users\user\AppData\Local\...\conhost.exe, PE32 14->68 dropped 78 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 14->78 80 Found many strings related to Crypto-Wallets (likely being stolen) 14->80 82 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 14->82 84 2 other signatures 14->84 19 conhost.exe 8 14->19         started        file7 signatures8 process9 file10 56 C:\Users\user\AppData\Local\Temp\...\7z.exe, PE32+ 19->56 dropped 58 C:\Users\user\AppData\Local\Temp\...\7z.dll, PE32+ 19->58 dropped 94 Multi AV Scanner detection for dropped file 19->94 23 cmd.exe 2 19->23         started        signatures11 process12 process13 25 fi932gbf8923f23.exe 23->25         started        30 7z.exe 23->30         started        32 7z.exe 3 23->32         started        34 13 other processes 23->34 dnsIp14 70 pastebin.com 172.67.34.170, 443, 49733 CLOUDFLARENETUS United States 25->70 60 C:\ProgramData\Dllhost\winlogson.exe, PE32+ 25->60 dropped 62 C:\ProgramData\Dllhost\WinRing0x64.sys, PE32+ 25->62 dropped 64 C:\ProgramData\HostData\logs.uce, ASCII 25->64 dropped 106 Sample is not signed and drops a device driver 25->106 36 cmd.exe 25->36         started        39 cmd.exe 25->39         started        41 cmd.exe 25->41         started        66 C:\Users\user\AppData\...\fi932gbf8923f23.exe, PE32 30->66 dropped file15 signatures16 process17 signatures18 96 Encrypted powershell cmdline option found 36->96 98 Uses schtasks.exe or at.exe to add and modify task schedules 36->98 43 powershell.exe 36->43         started        46 conhost.exe 36->46         started        48 conhost.exe 39->48         started        50 schtasks.exe 39->50         started        52 conhost.exe 41->52         started        54 schtasks.exe 41->54         started        process19 signatures20 108 Found many strings related to Crypto-Wallets (likely being stolen) 43->108 110 Potential dropper URLs found in powershell memory 43->110
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ac660e725f1484dfe6b6d4f8606a4711fd9354c2bf8d5d4f63bad03c39849894/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-08-31 09:06:21 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vrta44s7cscn7zvw2t4ga2shch6zgvgcx6gv2t3dxlidyometcka._file
Verdict:
malicious
Similar samples:
2767d4128fc88d587b6681fcff44a8694833e95da510eca60750540e42f2e418
RedLineStealer
35b70fc462fe02d507a58c2b5a33ddd5e26aadc7ac8fe3beae2a82666c8b17c6
RedLineStealer
4420d56e7d9699dc1962cb5504cd177d428aa1e2bfb96a77dfa455947d712cfe
RedLineStealer
52c408897aed4601f6c214b657c0652a966695d59bb0e5be2c343f0c52683be1
RedLineStealer
5c43e762e23599c29a344fabf02fe235e79c9e4697da49d0a17334979faa3920
RedLineStealer
90a8447971f2150fe9ba03d2680af7bdd33de721e9e1521166a7826ed143a2d8
RedLineStealer
c60ecd5714a23a727d9749652883ec95bcdb350b9f278c34ac504edb898073e4
RedLineStealer
dd528eb464db46cd69a3a373f5cde4c4e48afb7116fb8e91eea3a1caacc800f5
RedLineStealer
e98777959f0da84b4346f4d8a9dec025014adc90fb895eee29f6d765ba7e0162
RedLineStealer
+ 937 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:@meownetworks infostealer spyware
Link:
https://tria.ge/reports/230907-p2c8kshg5w/
Behaviour
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Executes dropped EXE
Loads dropped DLL
Uses the VBS compiler for execution
Downloads MZ/PE file
RedLine
Malware Config
C2 Extraction:
94.142.138.4:80
Unpacked files
SH256 hash:
4dc7da6d8c43ef92640b9a823fa9f58e3b1b9276a1e1b5df408a26858cf68454
MD5 hash:
7cb497598b25e8fd4160640d419c936d
SHA1 hash:
6f0f88512b4d3a8f56284757367fa8e7b587cfb9
Link:
https://www.unpac.me/results/3ca8948c-eccb-4a78-9c03-93667bdbf278/
SH256 hash:
f6405f80088bb972d1416659226a30fc08aed8fe1573081dd1028d145c5d2f3c
MD5 hash:
4931391ebbaab96da2636ec80dc98e85
SHA1 hash:
a4daff5c2cf20458b4c84194f5ed5f7ad1329916
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/3ca8948c-eccb-4a78-9c03-93667bdbf278/
SH256 hash:
ac660e725f1484dfe6b6d4f8606a4711fd9354c2bf8d5d4f63bad03c39849894
MD5 hash:
38c3210bf090888cb735e1fc36ee9c6a
SHA1 hash:
a4893c01aaacf84dbc7c550eb05d576edc3c227c
Link:
https://www.unpac.me/results/3ca8948c-eccb-4a78-9c03-93667bdbf278/
Malware family:
RedLine.E
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ac660e725f14/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ac660e725f1484dfe6b6d4f8606a4711fd9354c2bf8d5d4f63bad03c39849894

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer_1
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/447147/

Comments