MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c4f35392a0fc133f2607176175e370673855e25ae8ea1814b705289d3b00f978. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c4f35392a0fc133f2607176175e370673855e25ae8ea1814b705289d3b00f978
SHA3-384 hash: 9011881db1a09d9ff1659dde12a8c4cd79b7a5f4801f9445f17e8a1b47e0f5d5a37c929e5e39b160dbda7cfc23d2a30c
SHA1 hash: d5536307d1e5861bbdef3f36a7d012cdeaffb5a0
MD5 hash: 9589c93c73bb3529f9ba711a27998fd2
humanhash: massachusetts-summer-tennessee-rugby
File name:9589c93c73bb3529f9ba711a27998fd2.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'449'984 bytes
First seen:2021-12-31 13:39:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f6af73011d9ad7cbccf66eb190442910 (42 x RedLineStealer, 8 x RaccoonStealer, 1 x Smoke Loader)
ssdeep 24576:sE9/HxpgaqxonW5L4gHQzzxfitKZ/NLV7XDBP9hXiAN3D2XklPD3BJkEaHNYK34y:sI/Hfqx9sgHizYtuFFzBlhXJ3D2XklP0
Threatray 823 similar samples on MalwareBazaar
TLSH T14D6533A944D1BD2FD749B5BDE41B6D6F4904342883D438C1923F379F6AC8176AA830EB
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
347
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9589c93c73bb3529f9ba711a27998fd2.exe
Verdict:
Malicious activity
Analysis date:
2021-12-31 13:42:11 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/4c57c00f-c83d-4a1d-89b1-6383dfdfbb7c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/216943/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Trojan.Generic-9907417-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Launching the default Windows debugger (dwwin.exe)
DNS request
Sending a custom TCP request
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Creating a file in the %temp% directory
Searching for the window
Creating a process from a recently created file
Creating a file
Running batch commands
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/61cf07f9ec6c6c14a90088c8/reports/30c2bc21-6c8e-4645-91e0-75935fac495b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f1001d1f-b691-4e11-8128-a10d5fd97759
Result
Threat name:
BitCoin Miner RedLine SilentXMRMiner Xmr
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/914319
Signature
Allocates memory in foreign processes
Detected VMProtect packer
Drops PE files with benign system names
Encrypted powershell cmdline option found
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file has nameless sections
Performs DNS queries to domains with low reputation
Potential dropper URLs found in powershell memory
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected RedLine Stealer
Yara detected SilentXMRMiner
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 546797 Sample: YmytY81Ix0.exe Startdate: 31/12/2021 Architecture: WINDOWS Score: 100 76 Multi AV Scanner detection for domain / URL 2->76 78 Found malware configuration 2->78 80 Multi AV Scanner detection for submitted file 2->80 82 11 other signatures 2->82 11 YmytY81Ix0.exe 2->11         started        14 cmd.exe 2->14         started        process3 signatures4 102 Query firmware table information (likely to detect VMs) 11->102 104 Writes to foreign memory regions 11->104 106 Allocates memory in foreign processes 11->106 110 2 other signatures 11->110 16 AppLaunch.exe 15 7 11->16         started        21 WerFault.exe 23 9 11->21         started        108 Encrypted powershell cmdline option found 14->108 23 conhost.exe 14->23         started        25 powershell.exe 14->25         started        27 powershell.exe 14->27         started        process5 dnsIp6 70 vataeagene.xyz 94.140.115.160, 49750, 81 NANO-ASLV Latvia 16->70 72 github.com 140.82.121.4, 443, 49756 GITHUBUS United States 16->72 74 2 other IPs or domains 16->74 64 C:\Users\user\AppData\Local\Temp\build.exe, PE32+ 16->64 dropped 84 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 16->84 86 Performs DNS queries to domains with low reputation 16->86 88 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 16->88 90 2 other signatures 16->90 29 build.exe 4 16->29         started        66 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 21->66 dropped file7 signatures8 process9 file10 68 C:\Users\user\AppData\...\services.exe, PE32+ 29->68 dropped 112 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 29->112 114 Tries to detect virtualization through RDTSC time measurements 29->114 116 Drops PE files with benign system names 29->116 33 cmd.exe 29->33         started        35 cmd.exe 1 29->35         started        38 cmd.exe 29->38         started        signatures11 process12 signatures13 40 services.exe 33->40         started        43 conhost.exe 33->43         started        92 Encrypted powershell cmdline option found 35->92 94 Uses schtasks.exe or at.exe to add and modify task schedules 35->94 45 powershell.exe 23 35->45         started        47 conhost.exe 35->47         started        49 powershell.exe 35->49         started        51 conhost.exe 38->51         started        53 schtasks.exe 38->53         started        process14 signatures15 98 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 40->98 100 Tries to detect virtualization through RDTSC time measurements 40->100 55 cmd.exe 40->55         started        process16 signatures17 96 Encrypted powershell cmdline option found 55->96 58 conhost.exe 55->58         started        60 powershell.exe 55->60         started        62 powershell.exe 55->62         started        process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c4f35392a0fc133f2607176175e370673855e25ae8ea1814b705289d3b00f978/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-12-31 11:21:38 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ytzvheva7qjt6jqhc5qxly3qm44flys25dvbqffxauuj2oya7f4a._file
Verdict:
malicious
Similar samples:
07a5ff510108132737775fd77c67f40c3ed50b414ed5aaf9e633cab96fa99c98
RedLineStealer
0c306b9f25c5a6291565e1a590282afc84a96e88fb630706bf14204451d7ca2a
RedLineStealer
25cd127b9d559d6754269ecc116d35be66aca027640bcd71a836567c32b946c5
RedLineStealer
308ad19a3f5f3665a35946ed4cca7bb3fafd761353dfe41525c42c3bda3abeeb
RedLineStealer
5a04f5e1bb3c5c4ff02bf55a47744b4069b729fad3ef07287a371bb343d8f574
RedLineStealer
96283ef1de41a1a5c4e7e0fa5ead383995198c25ae71d19d0a4138333ce88dfb
RedLineStealer
ed3b91ec20184139f90c2432c7d90567dc9c47afc45a87bb4d72fa4a6c64edd9
RedLineStealer
+ 813 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline evasion infostealer spyware trojan vmprotect
Link:
https://tria.ge/reports/211231-qxy5xsfdgm/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
Checks BIOS information in registry
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RedLine
RedLine Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
vataeagene.xyz:81
Unpacked files
SH256 hash:
4833e804589389e0187b9698e76476d6532652322f70282a7c4dd0773312e6b0
MD5 hash:
a96d8f30fa238febba768dd9ac60b629
SHA1 hash:
a31511e4e4d588e5b001358dba44ed758faf77a9
Link:
https://www.unpac.me/results/547df45f-e653-4451-a6bc-114bda965d30/
SH256 hash:
c4f35392a0fc133f2607176175e370673855e25ae8ea1814b705289d3b00f978
MD5 hash:
9589c93c73bb3529f9ba711a27998fd2
SHA1 hash:
d5536307d1e5861bbdef3f36a7d012cdeaffb5a0
Link:
https://www.unpac.me/results/547df45f-e653-4451-a6bc-114bda965d30/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/c4f35392a0fc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c4f35392a0fc133f2607176175e370673855e25ae8ea1814b705289d3b00f978

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe c4f35392a0fc133f2607176175e370673855e25ae8ea1814b705289d3b00f978

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/216943/
  
URLhaus
https://urlhaus.abuse.ch/url/1939121/
  
Delivery method
Distributed via web download

Comments