MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ced6af1ede5630e5f1dd9a1a4112f56d0af3eba0778a57592013a91a5422274e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ced6af1ede5630e5f1dd9a1a4112f56d0af3eba0778a57592013a91a5422274e
SHA3-384 hash: 8dff9bb6986e21cf350ccb3625434a053278679bdd5ee3fa09e8c5123e31cd0e38c7e4c5a4f2ccc477a9390bc94e6676
SHA1 hash: 08b87e5538753edb23e8dd0dc95c52174e356930
MD5 hash: 1bb7d9fcaffe2b8e184ca93fd3bb70e4
humanhash: white-island-failed-november
File name:1bb7d9fcaffe2b8e184ca93fd3bb70e4.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:3'272'718 bytes
First seen:2022-03-08 13:01:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 00be6e6c4f9e287672c8301b72bdabf3 (116 x RedLineStealer, 70 x AsyncRAT, 55 x AgentTesla)
ssdeep 49152:V5O9E53AjkL+9JS929DC1O0dUEkRY0yrWmNKnImzKu6FYkixHtnSfN/hFG:V5d2DQOnRY0yxyzfUixNSlDG
Threatray 12'173 similar samples on MalwareBazaar
TLSH T144E53301FAC344B3D12749320A192BB6E47D3E713E3D8EB7A3885E59A9321515B39E73
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
189
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/248264/
Detection(s):
SecuriteInfo.com.Troj.NanoCo_TZ.22029.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Running batch commands
Launching a process
Searching for analyzing tools
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Creating a process with a hidden window
Sending a custom TCP request
Searching for the browser window
DNS request
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/8569/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware overlay packed setupapi.dll shdocvw.dll shell32.dll update.exe
Link:
https://www.filescan.io/uploads/622799dbdfdfa8501c7b6f98/reports/19f32a0b-b707-4d04-9025-e1a634d6afa7/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1b7a6244-66c6-448c-8e39-a002f619b916
Result
Threat name:
RedLine Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad.mine
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/952553
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Drops script or batch files to the startup folder
Found strings related to Crypto-Mining
Hides threads from debuggers
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Sigma detected: Drops script at startup location
Sigma detected: Suspicius Schtasks From Env Var Folder
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 585034 Sample: IKqAH8Wr3s.exe Startdate: 08/03/2022 Architecture: WINDOWS Score: 80 93 Malicious sample detected (through community Yara rule) 2->93 95 Antivirus detection for URL or domain 2->95 97 Multi AV Scanner detection for dropped file 2->97 99 10 other signatures 2->99 8 IKqAH8Wr3s.exe 8 2->8         started        11 Windows Service.exe 2->11         started        14 Windows Service.exe 2->14         started        16 cmd.exe 2->16         started        process3 file4 73 C:\Windows\Temp\setup.exe, PE32 8->73 dropped 75 C:\Windows\Temp\s.exe, PE32 8->75 dropped 18 setup.exe 15 11 8->18         started        23 s.exe 1 8->23         started        25 cmd.exe 2 8->25         started        27 cmd.exe 13 8->27         started        117 Query firmware table information (likely to detect VMs) 11->117 119 Hides threads from debuggers 11->119 121 Tries to detect sandboxes / dynamic malware analysis system (registry check) 11->121 29 chrome.exe 16->29         started        31 conhost.exe 16->31         started        signatures5 process6 dnsIp7 77 checkip.dyndns.com 158.101.44.242, 49840, 80 ORACLE-BMC-31898US United States 18->77 79 raw.githubusercontent.com 185.199.108.133, 443, 49809 FASTLYUS Netherlands 18->79 81 2 other IPs or domains 18->81 63 C:\Users\user\AppData\...\Windows Service.exe, PE32 18->63 dropped 65 C:\Users\user\AppData\...\toncrypto.dll, PE32+ 18->65 dropped 67 C:\Users\user\...\libcrypto-1_1-x64.dll, PE32+ 18->67 dropped 71 2 other files (none is malicious) 18->71 dropped 101 Multi AV Scanner detection for dropped file 18->101 103 Detected unpacking (changes PE section rights) 18->103 105 Query firmware table information (likely to detect VMs) 18->105 115 4 other signatures 18->115 33 schtasks.exe 18->33         started        35 schtasks.exe 18->35         started        37 schtasks.exe 18->37         started        48 2 other processes 18->48 107 Writes to foreign memory regions 23->107 109 Allocates memory in foreign processes 23->109 111 Injects a PE file into a foreign processes 23->111 50 2 other processes 23->50 69 C:\Users\user\AppData\Roaming\...\lol.bat, ASCII 25->69 dropped 113 Drops script or batch files to the startup folder 25->113 39 conhost.exe 25->39         started        41 chrome.exe 14 333 27->41         started        44 conhost.exe 27->44         started        46 chrome.exe 29->46         started        file8 signatures9 process10 dnsIp11 52 conhost.exe 33->52         started        54 conhost.exe 35->54         started        56 conhost.exe 37->56         started        83 192.168.2.1 unknown unknown 41->83 85 239.255.255.250 unknown Reserved 41->85 58 chrome.exe 17 41->58         started        61 conhost.exe 48->61         started        process12 dnsIp13 87 relaxtime24.biz 62.210.26.117, 443, 49788 OnlineSASFR France 58->87 89 clients.l.google.com 142.250.203.110, 443, 49775, 52335 GOOGLEUS United States 58->89 91 6 other IPs or domains 58->91
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ced6af1ede5630e5f1dd9a1a4112f56d0af3eba0778a57592013a91a5422274e/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-08 07:54:48 UTC
File Type:
PE (Exe)
Extracted files:
165
AV detection:
24 of 27 (88.89%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=z3lk6hw6kyyol4o5tinecexvnufph25ao6ffowjacouruvbce5ha._file
Verdict:
malicious
Similar samples:
104fae3c4dcf6339429a9242d76cec45644e5b2e072fdfa0d5f477c7ec7ebcfb
RedLineStealer
415cef68482c74fcfff231fafc63bf9835c72da00e826e753aac86f704db7ac8
RedLineStealer
5013372389580672743ad71d9ec522caa057a4f7863ae8fc460ebba005121fd8
RedLineStealer
55ded456339aef89e7d891f0c7f494c11d8983233106d64069bc767ab06ceb71
RedLineStealer
cfa1ef201a4dec456d4d6ffddc96267fcbf212f45616223fc8b3c675639f055b
RedLineStealer
dd496554f084af7bdd9c216bdb8718cd3de154d804b8955f4894c0954dad266c
RedLineStealer
e3c2d04c155b63a71d10e42a3c81199a6627a60363e3c978228ab14a8897bf9d
RedLineStealer
ef73634b7054d9171a92b879afeaa2318bb54ec16502f854337644a2a678014f
RedLineStealer
+ 12'163 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion persistence themida trojan
Link:
https://tria.ge/reports/220308-p9sm8sehd9/
Behaviour
Creates scheduled task(s)
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks whether UAC is enabled
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Loads dropped DLL
Themida packer
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
6851e02d3f4b8179b975f00bbc86602a2f2f84524f548876eb656db7ea5eaa9c
MD5 hash:
c5124caf4aea3a83b63a9108fe0dcef8
SHA1 hash:
a43a5a59038fca5a63fa526277f241f855177ce6
Link:
https://www.unpac.me/results/2b088e41-d2c9-4f56-a34c-8c809f472076/
SH256 hash:
dcccdd400304305a8ec16f363e27f6692023d67aedf32df445c1f70852216b8f
MD5 hash:
d2d7c1489fae0a74ba0599d71ddaca7c
SHA1 hash:
ecea983b8f9767bbb3dd7afce0c67acc6dd3cfcc
Link:
https://www.unpac.me/results/2b088e41-d2c9-4f56-a34c-8c809f472076/
SH256 hash:
9c9e7a2fac20e8ca27da606081b9838f4fb539b44700dc4e8b9abc12a49a622e
MD5 hash:
8c0c8b1cce7410959cdf7ac9b7d5bc38
SHA1 hash:
d886e96f146b5553ae081ecefaa39295a3162ae9
Link:
https://www.unpac.me/results/2b088e41-d2c9-4f56-a34c-8c809f472076/
SH256 hash:
85f4f921272cebabc56487b7f70fbfa00a0f943337c9c60d32baf2ab5d69411b
MD5 hash:
5dc0d78d7dc3ac73844f0c4ce5699faf
SHA1 hash:
5e44ebc8acae26842fbe5337eb15014d9d07f5fa
Link:
https://www.unpac.me/results/2b088e41-d2c9-4f56-a34c-8c809f472076/
SH256 hash:
ced6af1ede5630e5f1dd9a1a4112f56d0af3eba0778a57592013a91a5422274e
MD5 hash:
1bb7d9fcaffe2b8e184ca93fd3bb70e4
SHA1 hash:
08b87e5538753edb23e8dd0dc95c52174e356930
Link:
https://www.unpac.me/results/2b088e41-d2c9-4f56-a34c-8c809f472076/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/ced6af1ede56/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ced6af1ede5630e5f1dd9a1a4112f56d0af3eba0778a57592013a91a5422274e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe ced6af1ede5630e5f1dd9a1a4112f56d0af3eba0778a57592013a91a5422274e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2073214/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/248264/
  
URLhaus
https://urlhaus.abuse.ch/url/2084558/

Comments