MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b484b76186c0e9c0d4f8719978a2235d0f580088562df853c837e296b1d837ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b484b76186c0e9c0d4f8719978a2235d0f580088562df853c837e296b1d837ed
SHA3-384 hash: db8d596323835339514f9b5fc70c57e197a147cd0bc36400e86bcc9f82b3df6b6826ee4a19ff9f04bcb889e3cb1d4d58
SHA1 hash: ddb700fccdbc70c2decc3d89e046a7ea23ee47b5
MD5 hash: 1ee04769dbc6bd6c1d9bb696c846840a
humanhash: michigan-hydrogen-avocado-east
File name:b484b76186c0e9c0d4f8719978a2235d0f580088562df853c837e296b1d837ed
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'070'592 bytes
First seen:2021-08-30 06:18:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 332f7ce65ead0adfb3d35147033aabe9 (81 x XRed, 18 x SnakeKeylogger, 7 x DarkComet)
ssdeep 12288:qMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9/V5wsu/QRoJabsuCbacj:qnsJ39LyjbJkQFMhmC+6GD9feUr8
Threatray 25 similar samples on MalwareBazaar
TLSH T16935AF32F2D1C437D2321A3D8C5B93A5582EBE512E35794A3BE92E4C5F3D6862C252D3
dhash icon 32557571717171b2 (1 x RedLineStealer)
Reporter JAMESWT_WT
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b484b76186c0e9c0d4f8719978a2235d0f580088562df853c837e296b1d837ed
Verdict:
Malicious activity
Analysis date:
2021-08-30 06:28:15 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/234deea2-67fc-43ae-9d93-5ae41f5ae99c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/183515/
Detection(s):
PUA.Win.Packer.D1s1g-5
Create hunting rule

PUA.Win.Packer.D1s1g-1
Create hunting rule

PUA.Win.Packer.D1s1g-2
Create hunting rule

Win.Malware.Delf-6899401-0
Create hunting rule

Win.Trojan.Emotet-9850453-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a file
Moving a recently created file
Creating a file in the %temp% directory
Enabling the 'hidden' option for files in the %temp% directory
Searching for the window
Moving a file to the %temp% directory
Modifying an executable file
Deleting a recently created file
Sending a UDP request
DNS request
Connection attempt
Sending an HTTP GET request
Creating a file in the system32 subdirectories
Launching a process
Using the Windows Management Instrumentation requests
Creating a process with a hidden window
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Blocking the Windows Defender launch
Infecting executable files
Enabling autorun by creating a file
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4e476027-2019-4238-a983-f80ad7d6af95
Result
Threat name:
Quasar RedLine
Create hunting rule
Detection:
malicious
Classification:
expl.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/842103
Signature
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to detect sleep reduction / modifications
Disables Windows Defender (via service or powershell)
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the document folder of the user
Drops PE files with benign system names
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Beds Obfuscator
Yara detected Quasar RAT
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 474535 Sample: NuXpmdwzpV.exe Startdate: 31/08/2021 Architecture: WINDOWS Score: 100 76 shadhk.duckdns.org 141.255.146.237, 4782 IELOIELOMainNetworkFR France 2->76 78 ip-api.com 2->78 94 Malicious sample detected (through community Yara rule) 2->94 96 Antivirus detection for dropped file 2->96 98 Antivirus / Scanner detection for submitted sample 2->98 100 19 other signatures 2->100 10 NuXpmdwzpV.exe 1 6 2->10         started        14 svchost.exe 2->14         started        16 svchost.exe 2->16         started        19 7 other processes 2->19 signatures3 process4 dnsIp5 60 C:\Users\user\...\._cache_NuXpmdwzpV.exe, PE32 10->60 dropped 62 C:\ProgramData\Synaptics\Synaptics.exe, PE32 10->62 dropped 64 C:\ProgramData\Synaptics\RCX5CEF.tmp, PE32 10->64 dropped 66 C:\...\Synaptics.exe:Zone.Identifier, ASCII 10->66 dropped 124 Contains functionality to detect sleep reduction / modifications 10->124 21 ._cache_NuXpmdwzpV.exe 6 10->21         started        25 Synaptics.exe 256 10->25         started        126 Changes security center settings (notifications, updates, antivirus, firewall) 14->126 74 127.0.0.1 unknown unknown 16->74 file6 signatures7 process8 dnsIp9 46 C:\Users\user\...\fortnite checker.exe, PE32 21->46 dropped 48 C:\Users\user\AppData\...48ewtonsoft.Json.exe, PE32 21->48 dropped 50 C:\Users\user\...\._cache_NuXpmdwzpV.exe.log, ASCII 21->50 dropped 112 Antivirus detection for dropped file 21->112 114 Machine Learning detection for dropped file 21->114 116 Hides that the sample has been downloaded from the Internet (zone.identifier) 21->116 28 fortnite checker.exe 21->28         started        31 Newtonsoft.Json.exe 21->31         started        82 freedns.afraid.org 50.23.197.95, 49687, 80 SOFTLAYERUS United States 25->82 84 docs.google.com 172.217.16.142, 443, 49684, 49685 GOOGLEUS United States 25->84 86 2 other IPs or domains 25->86 52 C:\Users\user\Documents\~$cache1, PE32 25->52 dropped 54 C:\Users\user\AppData\Local\...\mQtysFWU.exe, PE32 25->54 dropped 56 C:\Users\user\AppData\Local\Temp\RCX1B5.tmp, PE32 25->56 dropped 58 C:\Users\user~1\...\mQtysFWU.exe (copy), PE32 25->58 dropped 118 Multi AV Scanner detection for dropped file 25->118 120 Drops PE files to the document folder of the user 25->120 122 Contains functionality to detect sleep reduction / modifications 25->122 file10 signatures11 process12 dnsIp13 68 C:\Users\user\Desktop\xkrackingartists.exe, PE32 28->68 dropped 70 C:\Users\user\AppData\Local\...\xsvchost.exe, PE32 28->70 dropped 72 C:\Users\user\AppData\Local\Temp\xDW.exe, PE32 28->72 dropped 35 xsvchost.exe 28->35         started        40 xDW.exe 28->40         started        88 65.21.62.31, 49227 CP-ASDE United States 31->88 90 Antivirus detection for dropped file 31->90 92 Multi AV Scanner detection for dropped file 31->92 file14 signatures15 process16 dnsIp17 80 ip-api.com 208.95.112.1, 49706, 49723, 80 TUT-ASUS United States 35->80 44 C:\Windows\SysWOW64\Startup\svchost.exe, PE32 35->44 dropped 102 Antivirus detection for dropped file 35->102 104 May check the online IP address of the machine 35->104 106 Machine Learning detection for dropped file 35->106 110 4 other signatures 35->110 108 Disables Windows Defender (via service or powershell) 40->108 42 powershell.exe 40->42         started        file18 signatures19 process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b484b76186c0e9c0d4f8719978a2235d0f580088562df853c837e296b1d837ed/
Threat name:
Win32.Backdoor.DarkComet
Create hunting rule
Status:
Malicious
First seen:
2021-06-16 05:17:44 UTC
File Type:
PE (Exe)
Extracted files:
67
AV detection:
42 of 46 (91.30%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0fbdb66d81f97c74640af563b58b4d93872ed48a0397754b5c51a5c76d32900c
RedLineStealer
26274dd1baa5be91bd6bdb0db48895d89da2a78e6fac273257557de473adc841
RedLineStealer
3ecb471f2c1a3d3f33dbe47bc9457adfb09206948ec16c2d3f9c9a29f5b44508
RedLineStealer
4e5add107e83a073bd97b795409f41a1e0d1b26b8ebecae38f2e1f805a8cdde6
RedLineStealer
5fa54622d0d5f5abbeec7e634d6c2d868984e8cfb20b8502757c2df8fe94f7c7
RedLineStealer
8c857d02af8759783d34e85f94b4f3a61a8ec6bf687b5d80668814025107466f
RedLineStealer
9a9f7ea8a021b5c4e7984076bfe6f0ab42bddb7b50fa18ef0da17c12e8ef95e1
RedLineStealer
bd0d884649509aece899372e0bea6f6dbe833b463e35206753dae69a0bc60632
RedLineStealer
ff97bd0b382bcd07b0e71fd6249426a1d1246c52b07edd238eaa64136db737df
RedLineStealer
+ 15 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:quasar family:redline botnet:office04 evasion infostealer persistence spyware trojan
Link:
https://tria.ge/reports/210830-6nnfqe4782/
Behaviour
Creates scheduled task(s)
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Windows security modification
Executes dropped EXE
Beds Protector Packer
Contains code to disable Windows Defender
Modifies Windows Defender Real-time Protection settings
Quasar Payload
Quasar RAT
RedLine
RedLine Payload
Malware Config
C2 Extraction:
65.21.62.31:49227
shadhk.duckdns.org:4782
Unpacked files
SH256 hash:
73ef39c8136aea302a49839da4b858b2f60f763867bbdb4afd22b8ff76449cc5
MD5 hash:
4f625e8ee2888d3f5afa0060805d9fb2
SHA1 hash:
d3be88c4000d0e96becf6bc11e5312eedd410e91
Link:
https://www.unpac.me/results/a9186206-5892-4e57-9e3d-6d4d9f60360b/
SH256 hash:
1c5d88fbc24897d6c30a0b3eeecae575e4cdb319f572ccfececd5c44d9aa5f5f
MD5 hash:
7651ddf221f0aa01c7ed17382759a130
SHA1 hash:
b87c0bd4c7b0d88154c76725360168661f7a03a5
Link:
https://www.unpac.me/results/a9186206-5892-4e57-9e3d-6d4d9f60360b/
SH256 hash:
5bb3ecc855b8f2c78ee693b89aa6da9f61a89cdcca7ca1ae744dd32b5d8f0269
MD5 hash:
0a56e20c58b88065dc63cf74e60eeb2b
SHA1 hash:
71cea7e0a64b8d37b93a52c405f9709ae1b89c45
Link:
https://www.unpac.me/results/a9186206-5892-4e57-9e3d-6d4d9f60360b/
SH256 hash:
4051789f81b5f83ff9e5a5b2fd0521e6fc49b620a14b6c0b962e33f199091f1a
MD5 hash:
ad475f2552ea64ec3908548c88a19f56
SHA1 hash:
510be7f49ae1c3228e132e2a99edbe86df7e4a5a
Link:
https://www.unpac.me/results/a9186206-5892-4e57-9e3d-6d4d9f60360b/
SH256 hash:
b484b76186c0e9c0d4f8719978a2235d0f580088562df853c837e296b1d837ed
MD5 hash:
1ee04769dbc6bd6c1d9bb696c846840a
SHA1 hash:
ddb700fccdbc70c2decc3d89e046a7ea23ee47b5
Link:
https://www.unpac.me/results/a9186206-5892-4e57-9e3d-6d4d9f60360b/
Malware family:
QuasarRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/b484b76186c0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b484b76186c0e9c0d4f8719978a2235d0f580088562df853c837e296b1d837ed

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/183515/

Comments