MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c6dda31fa6cb4ce140f62c9ce604672fa4a9ba5d1792f2d77f3cfcb43b3227ac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c6dda31fa6cb4ce140f62c9ce604672fa4a9ba5d1792f2d77f3cfcb43b3227ac
SHA3-384 hash: 48edff78a66046c597764e3ddbcbd39bf00a76f1c473bbad7ab438c7de4e0a363ddab2fea2c8733336d47e7d459af7d7
SHA1 hash: 729cb808637568f20ac886b3fac5f3cf5ff01dee
MD5 hash: 1ab8dbca5e2bba39723f00907d266de7
humanhash: island-paris-florida-michigan
File name:RustExternal_nls..scr
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:674'304 bytes
First seen:2022-11-07 08:52:16 UTC
Last seen:2022-12-05 06:19:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'753 x AgentTesla, 19'658 x Formbook, 12'249 x SnakeKeylogger)
ssdeep 12288:3oSO5i2eVUIvybKcEz4MM7S9HdKINesX7j6p9PI8GS0oN2:3ouTVUIvtH4H7aLeO23gRoY
Threatray 86 similar samples on MalwareBazaar
TLSH T1A0E4EF0B95C468BDED7656BF5B332FF997AC7A52280CCA111364167A102D4CEBD02FB2
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 8213013131341131 (10 x AsyncRAT, 4 x zgRAT, 1 x RedLineStealer)
Reporter tcains1
Tags:AsyncRAT exe RedLineStealer

Intelligence

File Origin
# of uploads :
6
# of downloads :
165
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RustExternal_nls.scr
Verdict:
Malicious activity
Analysis date:
2022-11-05 02:46:17 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ad8424f5-070f-4280-a861-5bacacce7572

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/329770/
Detection(s):
SecuriteInfo.com.Trojan.InjectNET.14.21573.15098.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a file
Сreating synchronization primitives
Creating a file in the %AppData% directory
Sending a custom TCP request
Creating a process from a recently created file
DNS request
Sending an HTTP GET request
Creating a file in the %temp% directory
Running batch commands
Creating a file in the %AppData% subdirectories
Changing a file
Creating a process with a hidden window
Forced shutdown of a system process
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6368c76d15611f8d8bf948aa/reports/222fd4ab-ce04-4cd1-9b62-ef7a2dc7465f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8b4cdcc7-29ec-4e2d-82ad-b60a4d90aaf1
Result
Threat name:
AsyncRAT, PhoenixRAT, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1107065
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AsyncRAT
Yara detected Generic Downloader
Yara detected MSILDownloaderGeneric
Yara detected PhoenixRAT
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 739732 Sample: RustExternal_nls..scr.exe Startdate: 07/11/2022 Architecture: WINDOWS Score: 100 190 Malicious sample detected (through community Yara rule) 2->190 192 Antivirus / Scanner detection for submitted sample 2->192 194 Multi AV Scanner detection for dropped file 2->194 196 10 other signatures 2->196 14 RustExternal_nls..scr.exe 3 2->14         started        18 DefenderFileSecurity.exe 3 2->18         started        20 OpenWith.exe 2->20         started        process3 file4 146 C:\Users\...\RustExternal_nls..scr.exe.log, CSV 14->146 dropped 202 Writes to foreign memory regions 14->202 204 Allocates memory in foreign processes 14->204 206 Injects a PE file into a foreign processes 14->206 22 RegAsm.exe 1 3 14->22         started        208 Multi AV Scanner detection for dropped file 18->208 signatures5 process6 file7 134 C:\Users\user\...\DEFENDERFILESECURITY.EXE, PE32+ 22->134 dropped 25 DEFENDERFILESECURITY.EXE 1 22->25         started        process8 dnsIp9 148 cdn.discordapp.com 162.159.133.233 CLOUDFLARENETUS United States 25->148 150 textbin.net 148.72.177.212 AS-30083-GO-DADDY-COM-LLCUS United States 25->150 152 192.168.2.1 unknown unknown 25->152 144 C:\Users\user\AppData\Local\Temp\0.exe, PE32 25->144 dropped 200 Multi AV Scanner detection for dropped file 25->200 30 cmd.exe 1 25->30         started        file10 signatures11 process12 process13 32 0.exe 5 30->32         started        36 conhost.exe 30->36         started        file14 102 C:\Users\user\...\DefenderFileSecurity.exe, PE32 32->102 dropped 180 Antivirus detection for dropped file 32->180 182 Multi AV Scanner detection for dropped file 32->182 184 Machine Learning detection for dropped file 32->184 186 3 other signatures 32->186 38 RegAsm.exe 13 32->38         started        41 cmd.exe 1 32->41         started        44 powershell.exe 3 32->44         started        46 RegAsm.exe 32->46         started        signatures15 process16 file17 136 C:\Users\user\...\WINDOWSSMARTSCREEN.EXE, PE32 38->136 dropped 138 C:\Users\user\...\WINDOWSSMARTSCREE.EXE, PE32 38->138 dropped 140 C:\Users\user\...\WINDOWSSHELLHOST.EXE, PE32 38->140 dropped 142 9 other malicious files 38->142 dropped 48 SECURITYHEALTHSERVIC.EXE 2 38->48         started        51 WINDOWSSHELLHOS.EXE 38->51         started        53 WINDOWSSHELLHOST.EXE 38->53         started        61 9 other processes 38->61 198 Uses schtasks.exe or at.exe to add and modify task schedules 41->198 55 conhost.exe 41->55         started        57 schtasks.exe 1 41->57         started        59 conhost.exe 44->59         started        signatures18 process19 signatures20 168 Multi AV Scanner detection for dropped file 48->168 170 Encrypted powershell cmdline option found 48->170 63 powershell.exe 48->63         started        68 powershell.exe 51->68         started        70 powershell.exe 53->70         started        72 powershell.exe 61->72         started        74 powershell.exe 61->74         started        76 powershell.exe 61->76         started        78 6 other processes 61->78 process21 dnsIp22 162 2 other IPs or domains 63->162 104 C:\Users\user\AppData\Roaming\342fd2.exe, PE32 63->104 dropped 188 Powershell drops PE file 63->188 80 342fd2.exe 63->80         started        83 conhost.exe 63->83         started        154 cdn.discordapp.com 68->154 106 C:\Users\user\AppData\Roaming\ab5321f2.exe, PE32 68->106 dropped 85 ab5321f2.exe 68->85         started        88 conhost.exe 68->88         started        156 cdn.discordapp.com 70->156 108 C:\Users\user\AppData\Roaming\ab8f2.exe, PE32 70->108 dropped 90 2 other processes 70->90 158 cdn.discordapp.com 72->158 110 C:\Users\user\AppData\Roaming\ab281f2.exe, PE32 72->110 dropped 92 2 other processes 72->92 160 cdn.discordapp.com 74->160 112 C:\Users\user\AppData\...\ab53dfs1f2.exe, PE32 74->112 dropped 94 2 other processes 74->94 164 2 other IPs or domains 76->164 114 C:\Users\user\AppData\Roaming\ab53121f2.exe, PE32 76->114 dropped 96 2 other processes 76->96 166 8 other IPs or domains 78->166 116 C:\Users\user\AppData\Roaming\ab82.exe, PE32 78->116 dropped 118 C:\Users\user\AppData\Roaming\ab541f2.exe, PE32 78->118 dropped 120 4 other malicious files 78->120 dropped 98 12 other processes 78->98 file23 signatures24 process25 file26 172 Multi AV Scanner detection for dropped file 80->172 174 Writes to foreign memory regions 80->174 176 Allocates memory in foreign processes 80->176 100 RegAsm.exe 80->100         started        122 C:\Users\user\AppData\...\DefenderProtect.exe, PE32 85->122 dropped 178 Injects a PE file into a foreign processes 85->178 124 C:\Users\user\...\SystemGuardRuntime.exe, PE32 90->124 dropped 126 C:\Users\user\...\SecurityHealthService.exe, PE32 92->126 dropped 128 C:\Users\user\...\WindowsSeissonManager.exe, PE32 94->128 dropped 130 C:\Users\user\AppData\...\pAQKPqjDAD.exe, PE32 98->130 dropped 132 C:\Users\user\AppData\...\RuntimeBroker.exe, PE32 98->132 dropped signatures27 process28
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c6dda31fa6cb4ce140f62c9ce604672fa4a9ba5d1792f2d77f3cfcb43b3227ac/
Threat name:
ByteCode-MSIL.Hacktool.ResInject
Create hunting rule
Status:
Malicious
First seen:
2022-11-04 23:09:32 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
33 of 41 (80.49%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=y3o2gh5gzngocqhwfsoombdhf6sktos5c6jpfv37ht6liozse6wa._file
Verdict:
malicious
Similar samples:
3aa4891da8c0e803d25b3d88b46613ba021e3f5b1b2ebfcb07fbe227fb8a5c85
RedLineStealer
4b65e45c7792d7308e822d518f9aca239c9db5c63b74c1f516744a31b9833c57
RedLineStealer
4ed4aa642d67b79463edea71fa8781461cd6a63a4a01d20c497328801381a09a
RedLineStealer
73fd7801d6077bcc2e19e05cb925ea6d4c6a1b6840385b86b866381f3536aea2
RedLineStealer
781de34d3e2706aa0b05bdb69604b9532cbdd7297f38e9f2e18a06434a958e4b
RedLineStealer
a6aba7b7f6eeeb871e7c58959307a260e3f20b54b7d4a174c9bc03ce4eb94a94
RedLineStealer
d17133253e57854119a62729965ace0d1e4201561b6f313d5e72a14186e445e6
RedLineStealer
df70b7f1c190951daadb981dddb42d7e7ace1d6cba158dbfa983035398ef61aa
RedLineStealer
+ 76 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:redline botnet:defendersmartscren botnet:muck botnet:securityhealthservi botnet:securityhealthservic botnet:smartscreendefender botnet:system guard runtime discovery infostealer persistence rat spyware stealer upx
Link:
https://tria.ge/reports/221107-ktaehabbcp/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
Async RAT payload
AsyncRat
RedLine
RedLine payload
Malware Config
C2 Extraction:
20.126.112.157:16733
217.64.31.3:8437
20.8.122.174:31682
85.105.88.221:2531
20.166.62.124:49264
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/64d23064-0470-40ae-903b-ff06bcd63210
Unpacked files
SH256 hash:
8131070ebc5fb44c1f243957c725bce04be0afd2da2428ba585268bb4925847f
MD5 hash:
31092fcff9ec5ccaf8fa87a64b74a97b
SHA1 hash:
cc0877393ed9f019cb871be2a4035b1bb2da921e
Link:
https://www.unpac.me/results/a680ff7c-795f-4984-a17d-cbc41ec53e2f/
SH256 hash:
c6dda31fa6cb4ce140f62c9ce604672fa4a9ba5d1792f2d77f3cfcb43b3227ac
MD5 hash:
1ab8dbca5e2bba39723f00907d266de7
SHA1 hash:
729cb808637568f20ac886b3fac5f3cf5ff01dee
Link:
https://www.unpac.me/results/a680ff7c-795f-4984-a17d-cbc41ec53e2f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c6dda31fa6cb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c6dda31fa6cb4ce140f62c9ce604672fa4a9ba5d1792f2d77f3cfcb43b3227ac

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe c6dda31fa6cb4ce140f62c9ce604672fa4a9ba5d1792f2d77f3cfcb43b3227ac

(this sample)

AsyncRAT

Executable exe c8a05d068f0325e63c8964274949828710fb95880e939c2c3da06a1396a11aac

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/329770/
  
URLhaus
https://urlhaus.abuse.ch/url/2403165/
  
URLhaus
https://urlhaus.abuse.ch/url/2403166/
  
Dropping
SHA256 c8a05d068f0325e63c8964274949828710fb95880e939c2c3da06a1396a11aac
  
Dropping
MD5 ff5342774d2647367d9b558689f06b7d
  
Dropping
SHA256 fe5bef849559a2f89c3f9e5aa7c1ce81530e7670cbefd11bdfa3e829a3c35777
  
Dropping
MD5 5f122d182bf00400247fdfc6a6ae9e80
  
Dropping
SHA256 ef99dac3c7ca6ac2ccd1188065e601591482f63a4c30922bd40b144fb6240ba2
  
Dropping
MD5 6807963a8752961df0ca331de1c9f756

Comments