MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac8b77f283d99976c3c30ad193da0e9f8fb5e12ad7f0a080b7faa3d862b6b20d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ac8b77f283d99976c3c30ad193da0e9f8fb5e12ad7f0a080b7faa3d862b6b20d
SHA3-384 hash: 31d672f270a75d8b4585b4bcefa13ede485da83235be1e1df69c153336c077c41aaad6c1b62a34c90e4f45cede7e9425
SHA1 hash: c4097eee7a49c59312d8c7b7373f26c7bd003c6c
MD5 hash: b072f2b2d3691ca2e2c003f570166f5f
humanhash: blossom-alaska-winner-high
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:5'230'440 bytes
First seen:2022-08-30 16:03:28 UTC
Last seen:2022-08-31 13:03:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 172750858dcc0719eed08c952858023c (117 x RedLineStealer, 3 x N-W0rm, 1 x AsyncRAT)
ssdeep 98304:MuwcL3iIkZH3chhtg2FnjGrlJJ59MMVaS7Y91qH90RNOI17gwr4MKcHvDLo0G:MyiZ8N9Gr/JaYY9I90RNOI2AKM/xG
TLSH T13F3602B323358055D0E28C7D4537BFE572B617274B82BCFAA68D7AD915321D0F22A983
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.5% (.EXE) Win32 Executable (generic) (4505/5/1)
8.5% (.EXE) Win16/32 Executable Delphi generic (2072/23)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon f0ccaa5555a2ccf4 (2 x RedLineStealer)
Reporter andretavare5
Tags:exe RedLineStealer signed

Code Signing Certificate

Organisation:Dell Alienware x15 R1 X15-9970) silver Core i7-11800H/32G/512G SSD 15 FHD IPS 360Hz AGNV RTX3070 8G
Issuer:Dell Alienware x15 R1 X15-9970) silver Core i7-11800H/32G/512G SSD 15 FHD IPS 360Hz AGNV RTX3070 8G
Algorithm:sha1WithRSAEncryption
Valid from:2022-08-29T11:02:46Z
Valid to:2032-08-30T11:02:46Z
Serial number: 5d2025d23e399eba4225e8da2c96db5f
Intelligence: 6 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: a797a5f655c2a71b3f0963e07cdab9eba00f85f9dc678fb85b2171edadb781b0
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
andretavare5
Sample downloaded from https://www.naturacenterarequipa.com/wp-includes/css/v28080.exe

Intelligence

File Origin
# of uploads :
14
# of downloads :
321
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-08-30 16:09:45 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/2528379b-6bc7-4466-bf24-bdfc3bd38dab

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/302608/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.6193.20995.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Sending a custom TCP request
Creating a file in the system32 subdirectories
Creating a file
Сreating synchronization primitives
Creating a window
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Reading critical registry keys
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Enabling the 'hidden' option for files in the %temp% directory
Running batch commands
Creating a process with a hidden window
Launching a process
Moving a recently created file
Replacing files
Query of malicious DNS domain
Sending a TCP request to an infection source
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm overlay packed
Link:
https://www.filescan.io/uploads/630e351e1b96a7c80cc43e3a/reports/54056f07-e4fc-4628-9cff-64feb2047cfa/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/147c9395-6a7e-4c63-a04d-4caa75cd9fc3
Result
Threat name:
MinerDownloader, RedLine, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1060643
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Connects to a pastebin service (likely for C&C)
Contains functionality to register a low level keyboard hook
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Schedule system process
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Generic MinerDownloader
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 693177 Sample: file.exe Startdate: 30/08/2022 Architecture: WINDOWS Score: 100 70 pastebin.com 2->70 92 Snort IDS alert for network traffic 2->92 94 Multi AV Scanner detection for domain / URL 2->94 96 Malicious sample detected (through community Yara rule) 2->96 98 16 other signatures 2->98 12 file.exe 15 7 2->12         started        signatures3 process4 dnsIp5 78 morewallet.org 162.55.163.158, 49752, 81 ACPCA United States 12->78 80 api.ip.sb 12->80 82 2 other IPs or domains 12->82 66 C:\Users\user\AppData\...\notification.exe, PE32 12->66 dropped 68 C:\Users\user\AppData\Local\...\file.exe.log, ASCII 12->68 dropped 104 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 12->104 106 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 12->106 108 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 12->108 110 3 other signatures 12->110 17 notification.exe 8 12->17         started        file6 signatures7 process8 file9 54 C:\Users\user\AppData\Local\Temp\...\7z.exe, PE32+ 17->54 dropped 56 C:\Users\user\AppData\Local\Temp\...\7z.dll, PE32+ 17->56 dropped 84 Multi AV Scanner detection for dropped file 17->84 86 Contains functionality to register a low level keyboard hook 17->86 21 cmd.exe 2 17->21         started        signatures10 process11 process12 23 alex.exe 14 31 21->23         started        28 7z.exe 2 21->28         started        30 7z.exe 3 21->30         started        32 4 other processes 21->32 dnsIp13 72 github.com 140.82.121.3, 443, 49788, 49789 GITHUBUS United States 23->72 74 raw.githubusercontent.com 185.199.110.133, 443, 49792, 49793 FASTLYUS Netherlands 23->74 76 pastebin.com 104.20.67.143, 443, 49780, 49801 CLOUDFLARENETUS United States 23->76 58 C:\ProgramData\Dllhost\winlogson.exe, PE32+ 23->58 dropped 60 C:\ProgramData\Dllhost\dllhost.exe, PE32 23->60 dropped 62 C:\ProgramData\Dllhost\WinRing0x64.sys, PE32+ 23->62 dropped 100 Sample is not signed and drops a device driver 23->100 34 cmd.exe 1 23->34         started        37 cmd.exe 23->37         started        39 cmd.exe 23->39         started        64 C:\Users\user\AppData\Local\Temp\...\alex.exe, PE32 28->64 dropped file14 signatures15 process16 signatures17 88 Encrypted powershell cmdline option found 34->88 90 Uses schtasks.exe or at.exe to add and modify task schedules 34->90 41 powershell.exe 3 34->41         started        44 conhost.exe 34->44         started        46 conhost.exe 37->46         started        48 schtasks.exe 37->48         started        50 conhost.exe 39->50         started        process18 signatures19 102 Query firmware table information (likely to detect VMs) 41->102 52 wermgr.exe 41->52         started        process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ac8b77f283d99976c3c30ad193da0e9f8fb5e12ad7f0a080b7faa3d862b6b20d/
Threat name:
Win32.Trojan.Redlinestealer
Create hunting rule
Status:
Malicious
First seen:
2022-08-30 16:04:13 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vsfxp4ud3gmxnq6dblizhwqot6h3lyjk27ykbafx7kr5qyvwwigq._file
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer
Link:
https://tria.ge/reports/220830-thxv4achb8/
Behaviour
Creates scheduled task(s)
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
RedLine
RedLine payload
Unpacked files
SH256 hash:
46f7d9f27612f30af7bc53eb3f9db3fe1362a940927ccf01b6c945da6f229ace
MD5 hash:
9ce48339541999855efd8edbf05cec61
SHA1 hash:
c305d28f587a51b257b200c21ec010b45c3929f7
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/9eac3c34-90fe-441e-9f60-80567d47adaa/
SH256 hash:
8764af39880ccb299fade95fe9e63facb9503c1423f07bc42b0ea34e6e24bd1a
MD5 hash:
02e2573c378176332bc405fd03beb5fd
SHA1 hash:
784e2c96ee59744c5041417a575fa74a9dd2ab12
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/9eac3c34-90fe-441e-9f60-80567d47adaa/
SH256 hash:
ac8b77f283d99976c3c30ad193da0e9f8fb5e12ad7f0a080b7faa3d862b6b20d
MD5 hash:
b072f2b2d3691ca2e2c003f570166f5f
SHA1 hash:
c4097eee7a49c59312d8c7b7373f26c7bd003c6c
Link:
https://www.unpac.me/results/9eac3c34-90fe-441e-9f60-80567d47adaa/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ac8b77f283d9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ac8b77f283d99976c3c30ad193da0e9f8fb5e12ad7f0a080b7faa3d862b6b20d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/302608/
  
URLhaus
https://urlhaus.abuse.ch/url/2284836/

Comments