MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d120f86810729718538a4afeacb0c1af96953e565cfe2fa5006c9dc823f8f274. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	d120f86810729718538a4afeacb0c1af96953e565cfe2fa5006c9dc823f8f274
SHA3-384 hash:	882cbc8158b939b174017aa0742fb4b27e6ef66f9aa4b2325de906fb967925d61838f4103dcbf7b44fcf3480d49fde17
SHA1 hash:	95fdce4c9d4443b3e187687530cdd8c150cf884e
MD5 hash:	41a723792e06dead70eea84c25b9c5b6
humanhash:	mirror-carbon-fifteen-indigo
File name:	41a723792e06dead70eea84c25b9c5b6.exe
Download:	download sample
Signature	RedLineStealer Alert Create hunting rule
File size:	1'855'488 bytes
First seen:	2023-05-22 08:38:08 UTC
Last seen:	2023-05-22 10:43:59 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	baa93d47220682c04d92f7797d9224ce (139 x RiseProStealer, 26 x Xtrat, 18 x CoinMiner)
ssdeep	49152:2PbIEtePMnXOoO9G1Gx/soLRN1pHbMx4Ge5LLDtyM6vPp:2APMXO9mGZzLnHbNx5DtyM6Hp
Threatray	14 similar samples on MalwareBazaar
TLSH	T1A58533452F0ACB63CF26F1B420C7FC74DBEC888E56E812495913E68B15FC4762C9B5A2
TrID	52.9% (.EXE) Win32 Executable (generic) (4505/5/1) 23.5% (.EXE) Generic Win/DOS Executable (2002/3) 23.5% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	30e4c0d8b686e464 (27 x RedLineStealer, 2 x N-W0rm)
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

---

File Origin

# of uploads :

2

# of downloads :

235

Origin country :

NL

Vendor Threat Intelligence

ANY.RUN redline

Malware family:

redline

Alert

Create hunting rule

ID:

1

File name:

UI721.bin

Verdict:

Malicious activity

Analysis date:

2023-05-21 18:58:57 UTC

Tags:

evasion loader ransomware opendir stealer rat redline lumma gcleaner amadey trojan fabookie arkei vidar lokibot remcos raccoon recordbreaker keylogger

Link:

https://app.any.run/tasks/f6a6cc23-4b97-49de-a580-6d175494a63d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

ClamAV Detected

Detection(s):

SecuriteInfo.com.Variant.Zusy.467327.30270.1859.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Searching for analyzing tools

Using the Windows Management Instrumentation requests

DNS request

Sending a custom TCP request

Reading critical registry keys

Creating a file

Query of malicious DNS domain

Sending a TCP request to an infection source

Stealing user critical data

FileScan.IO Suspicious

Verdict:

Suspicious

Threat level:

  5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/646b2a28cf0434aa10b60658/reports/25f69c1c-f3d2-430c-8cc3-f91acd6ebd87/overview

Hybrid Analysis Zusy.Generic

Verdict:

Malicious

Labled as:

Zusy.Generic

Link:

https://www.hybrid-analysis.com/sample/d120f86810729718538a4afeacb0c1af96953e565cfe2fa5006c9dc823f8f274

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Generic Malware

Malware family:

Generic Malware

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a44b34cf-f67d-442a-bf25-de5864d4b645

Joe Sandbox RedLine

Result

Threat name:

RedLine

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1240197

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d120f86810729718538a4afeacb0c1af96953e565cfe2fa5006c9dc823f8f274/

ReversingLabs TitaniumCloud Win32.Trojan.Zusy

Threat name:

Win32.Trojan.Zusy

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-05-20 03:43:57 UTC

File Type:

PE (Exe)

Extracted files:

3

AV detection:

22 of 37 (59.46%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2eqpq2aqoklrqu4kjl7kzmgbv6ljkpswlt7c7jianso4qi7y6j2a._file

Threatray malicious

Verdict:

malicious

Similar samples:

1bdbc0c9494df38a4ed2fcc05ae5a70daa8a48f2407383d77359d4b5638fde19

RedLineStealer

4c6db804a366a11a3321f87543f03c45e1785fed75a1c5e21ce39b658f6bb5bd

RedLineStealer

71542a9dd0da516b5599228ace4fc9028ce2d389ec0fc1e68e9089ba174afe80

RedLineStealer

8ced69a3c6796be12a0433300b9935b4c63fe4817b0830e1965b07fffaa360df

RedLineStealer

9f7dfb962e2bf51b8635de5abf80bede395c54abdd19ce0e7caa2343667fefe9

RedLineStealer

af74b80210c8fd9f512427ff46e8ccbdf063a9eed4fa3ffe15f791880c5b8d1e

RedLineStealer

b2b465aad0a254c202bee124ff4beb540ac09ce04655f61478b5824509a1f6a2

RedLineStealer

b4bbdadeb876d22140beabe77e143cd74871461c0823f9f9ba79b41106386d26

RedLineStealer

+ 4 additional samples on MalwareBazaar

Hatching Triage redline

Result

Malware family:

redline

Alert

Create hunting rule

Score:

  10/10

Tags:

family:redline discovery evasion infostealer spyware stealer

Link:

https://tria.ge/reports/230522-kkanxahh2w/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of NtSetInformationThreadHideFromDebugger

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks BIOS information in registry

Identifies Wine through registry keys

Reads user/profile data of web browsers

Identifies VirtualBox via ACPI registry values (likely anti-VM)

RedLine

RedLine payload

UnpacMe

Unpacked files

SH256 hash:

d120f86810729718538a4afeacb0c1af96953e565cfe2fa5006c9dc823f8f274

MD5 hash:

41a723792e06dead70eea84c25b9c5b6

SHA1 hash:

95fdce4c9d4443b3e187687530cdd8c150cf884e

Link:

https://www.unpac.me/results/b6c5fc64-b3b5-4b15-9b6a-af21530955f4/

VMRay Malicious

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d120f8681072/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d120f86810729718538a4afeacb0c1af96953e565cfe2fa5006c9dc823f8f274