MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d4d4c170bf58fd8d9879f634a19c7acf68a6c4c5848eae9455987a7c21f14b40. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d4d4c170bf58fd8d9879f634a19c7acf68a6c4c5848eae9455987a7c21f14b40
SHA3-384 hash: 8d0ee8b564c83955b070e68cdda211f42b813696a4ea7da8b34c1cd94840b8e7facca5cae1d5484eb88f980a7ba534eb
SHA1 hash: 9b951229f8099b7aaff5feff675eea5490090049
MD5 hash: 3c9703006c87d975494adbda41f5ce29
humanhash: chicken-papa-zulu-bacon
File name:3c9703006c87d975494adbda41f5ce29
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:637'952 bytes
First seen:2022-03-24 21:29:08 UTC
Last seen:2022-03-24 23:43:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 445554923421947cbff896012e27345a (301 x RedLineStealer, 11 x RaccoonStealer, 5 x CoinMiner)
ssdeep 12288:DsjG2TZ9xaHSKbCQF7EEEa9LWaLXMiQS03ULaHNqrxlKIQNoAEqolY3NVzrEeK1:eG2ZfVKbNBjLTXjkEaHNYK3/7oy3NVzo
Threatray 1'902 similar samples on MalwareBazaar
TLSH T148D423AB7384386DC59E32B47936E6459457DAFCBDE4B25B82380DC3291D092B80D8FD
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
233
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/257399/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Сreating synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Sending a TCP request to an infection source
Stealing user critical data
Query of malicious DNS domain
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed racealer
Link:
https://www.filescan.io/uploads/623ce48ba19c64941289d180/reports/18a48475-7ac3-4fc6-85c2-c6b356233bf0/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b9fc45c1-63ef-4bc1-a7ec-52e0284fbdc1
Result
Threat name:
RedLine Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/964128
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Blacklisted process start detected (Windows program)
Connects to many ports of the same IP (likely port scanning)
Detected Stratum mining protocol
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Notepad Making Network Connection
Sigma detected: Suspicious Process Parents
Sigma detected: Xmrig
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 596605 Sample: 9RfELGcdw7 Startdate: 24/03/2022 Architecture: WINDOWS Score: 100 74 Sigma detected: Xmrig 2->74 76 Multi AV Scanner detection for domain / URL 2->76 78 Found malware configuration 2->78 80 13 other signatures 2->80 9 9RfELGcdw7.exe 1 2->9         started        12 RegHost.exe 1 2->12         started        process3 signatures4 82 Writes to foreign memory regions 9->82 84 Allocates memory in foreign processes 9->84 86 Injects a PE file into a foreign processes 9->86 14 AppLaunch.exe 15 7 9->14         started        19 conhost.exe 9->19         started        88 Tries to detect virtualization through RDTSC time measurements 12->88 21 conhost.exe 12->21         started        23 bfsvc.exe 12->23         started        process5 dnsIp6 60 92.255.85.137, 41320, 49778 SOVTEL-ASRU Russian Federation 14->60 62 file-coin-coin-10.com 45.10.244.53, 49793, 80 AS-FITELNETWORKES Russian Federation 14->62 56 C:\Users\user\...\9719_1648118128_858.exe, PE32+ 14->56 dropped 66 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 14->66 68 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 14->68 70 Tries to harvest and steal browser information (history, passwords, etc) 14->70 72 Tries to steal Crypto Currency Wallets 14->72 25 9719_1648118128_858.exe 1 5 14->25         started        file7 signatures8 process9 dnsIp10 58 185.137.234.33, 49794, 49795, 8080 SELECTELRU Russian Federation 25->58 48 C:\Users\user\AppData\...\RegModule.exe, PE32+ 25->48 dropped 50 C:\Users\user\AppData\Roaming\...\RegHost.exe, PE32+ 25->50 dropped 52 C:\Users\user\AppData\Roaming\...\RegData.exe, PE32+ 25->52 dropped 54 C:\Users\user\AppData\...\OneDrive.exe, PE32+ 25->54 dropped 90 Hijacks the control flow in another process 25->90 92 Injects code into the Windows Explorer (explorer.exe) 25->92 94 Modifies the context of a thread in another process (thread injection) 25->94 96 Tries to detect virtualization through RDTSC time measurements 25->96 30 notepad.exe 1 25->30         started        34 explorer.exe 1 25->34         started        36 bfsvc.exe 1 25->36         started        38 conhost.exe 25->38         started        file11 signatures12 process13 dnsIp14 64 xmr.2miners.com 51.89.96.41 OVHFR France 30->64 98 System process connects to network (likely due to code injection or exploit) 30->98 100 Query firmware table information (likely to detect VMs) 30->100 102 Blacklisted process start detected (Windows program) 30->102 40 conhost.exe 30->40         started        42 conhost.exe 34->42         started        44 curl.exe 34->44         started        46 conhost.exe 36->46         started        signatures15 process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d4d4c170bf58fd8d9879f634a19c7acf68a6c4c5848eae9455987a7c21f14b40/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-24 11:48:42 UTC
File Type:
PE (Exe)
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2tkmc4f7ld6y3gdz6y2kdhd2z5uknrgfqshk5fcvtb5hyiprjnaa._file
Verdict:
malicious
Similar samples:
1430de888f5ef501e60e80398b0309a05f453a8b2e8c9b24fdaa5e722d2f8242
RedLineStealer
555f9877823f5f80c071719d9b384857f29eaee4fafd6aa1f921994fb412bf36
RedLineStealer
56a34b76ba7c81e554eeb1dcfe93a6d0f61103536f9a0387fb220768bd2149df
RedLineStealer
615bdcc0965d35255d99668380668e1811effaa80cc69c1c78f6a455be86c685
RedLineStealer
641b9d5b4543b83154505b255b80b88f96e8689f32f6278f07f0dc22360d84ee
RedLineStealer
6d13242db3b7161ab420c01a3baa628fa3fa656a7e2019fa41f285d9b82c3fe6
RedLineStealer
c47c10545767892ba8fdaa1ba682295251016938318d807fe40736e5ae832322
RedLineStealer
d2e800b01162a5151738eb524ef4bd36faeba8dd33b8c3d68edb635c29d38d9b
RedLineStealer
f563d62dbc6bcf5f8c0f977bcd3bc66d39ee43cc5abdd63d3de105755dab3f91
RedLineStealer
+ 1'892 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:@felix_lzt infostealer spyware
Link:
https://tria.ge/reports/220324-1chmjseff3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
RedLine
RedLine Payload
Malware Config
C2 Extraction:
92.255.85.137:41320
Unpacked files
SH256 hash:
4829abc53b23fadb6d397ba87e4e926c0f10ff39aa1d77c3e84a2e82c1b17a22
MD5 hash:
8681ff1aceaa846dadff3d9f03a8f5d5
SHA1 hash:
ee52f2e645e52b5da6158e4e4b958c698f0ed21e
Link:
https://www.unpac.me/results/44a00e3d-e287-46d6-b3f9-feae3da1f13e/
SH256 hash:
ac5845992bb13c872b77184ef042cdc302b14691410d81a65051be427a4ef588
MD5 hash:
1f36a9b99e73f9ad824b6379696978ee
SHA1 hash:
81dd0c2cd37eac295673aeb76d7553a0788a9b05
Link:
https://www.unpac.me/results/44a00e3d-e287-46d6-b3f9-feae3da1f13e/
SH256 hash:
d4d4c170bf58fd8d9879f634a19c7acf68a6c4c5848eae9455987a7c21f14b40
MD5 hash:
3c9703006c87d975494adbda41f5ce29
SHA1 hash:
9b951229f8099b7aaff5feff675eea5490090049
Link:
https://www.unpac.me/results/44a00e3d-e287-46d6-b3f9-feae3da1f13e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/d4d4c170bf58/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d4d4c170bf58fd8d9879f634a19c7acf68a6c4c5848eae9455987a7c21f14b40

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe d4d4c170bf58fd8d9879f634a19c7acf68a6c4c5848eae9455987a7c21f14b40

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/257399/
  
URLhaus
https://urlhaus.abuse.ch/url/2114449/

Comments


Avatar
zbet commented on 2022-03-24 21:29:10 UTC

url : hxxp://37.120.222.60/mysite/catimages/219.exe