MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d96b12587bf342e3a99493402b3ede54ef5b3f31ff4b09a6710f1443a66f2683. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d96b12587bf342e3a99493402b3ede54ef5b3f31ff4b09a6710f1443a66f2683
SHA3-384 hash: fe402457b1ebaee69d8b7a3c26bab92ee38b2652bae714de2489ec536507f7ebde9bcf7915be04ed706586d3279019d2
SHA1 hash: 06509a28c407ee7a4defdc8c4959f285df6658a6
MD5 hash: 1f66f90bd2ff6aba4db2ad1b94453020
humanhash: speaker-kilo-october-finch
File name:1F66F90BD2FF6ABA4DB2AD1B94453020.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:10'177'859 bytes
First seen:2021-08-06 07:21:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 196608:93TQkePt2wAV/AwusXN9mhG6Bp332uUaRLXiDoXqJG7s3Mpe2xxZ:pI1MVlFXN9m8+3dRLXi82s/p1xZ
Threatray 37 similar samples on MalwareBazaar
TLSH T172A63310BB92B532C7D109B20F6617A946B96F511F18FB1393E03653A8733A36E61E37
dhash icon e8d4b2d8cce8f8f0 (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
84.252.143.187:38919

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
84.252.143.187:38919 https://threatfox.abuse.ch/ioc/165968/

Intelligence

File Origin
# of uploads :
1
# of downloads :
151
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1F66F90BD2FF6ABA4DB2AD1B94453020.exe
Verdict:
Malicious activity
Analysis date:
2021-08-06 07:22:46 UTC
Tags:
trojan rat redline stealer loader
Link:
https://app.any.run/tasks/ef415ff9-4754-4798-89d3-61cf2211eb57

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/176927/
Detection(s):
Win.Malware.Generic-9874383-0
Create hunting rule

SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %temp% directory
Creating a process from a recently created file
Connection attempt
DNS request
Sending a custom TCP request
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c51d8296-5200-4f64-be85-7680905a0ef4
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/828157
Signature
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 460588 Sample: osiFHqvafA.exe Startdate: 06/08/2021 Architecture: WINDOWS Score: 100 102 Multi AV Scanner detection for submitted file 2->102 104 Yara detected RedLine Stealer 2->104 106 Yara detected RedLine Stealer 2->106 108 7 other signatures 2->108 12 osiFHqvafA.exe 9 2->12         started        15 services32.exe 2->15         started        process3 file4 90 C:\Users\user\AppData\Local\...\HWSpoofer.exe, PE32 12->90 dropped 92 C:\Users\user\AppData\Local\...\HWAntiBan.exe, PE32+ 12->92 dropped 18 HWSpoofer.exe 15 36 12->18         started        23 HWAntiBan.exe 12->23         started        134 Adds a directory exclusion to Windows Defender 15->134 25 cmd.exe 15->25         started        signatures5 process6 dnsIp7 96 123.cj36311.tmweb.ru 188.225.63.143, 49734, 80 TIMEWEB-ASRU Russian Federation 18->96 98 84.252.143.187, 38919, 49724, 49732 MASTERHOST-ASMoscowRussiaRU Russian Federation 18->98 100 api.ip.sb 18->100 86 C:\Users\user\AppData\Local\Temp\fl.exe, PE32+ 18->86 dropped 112 Antivirus detection for dropped file 18->112 114 Multi AV Scanner detection for dropped file 18->114 116 Detected unpacking (changes PE section rights) 18->116 122 7 other signatures 18->122 27 fl.exe 5 18->27         started        31 conhost.exe 18->31         started        118 Machine Learning detection for dropped file 23->118 120 Adds a directory exclusion to Windows Defender 25->120 33 conhost.exe 25->33         started        35 powershell.exe 25->35         started        37 powershell.exe 25->37         started        39 2 other processes 25->39 file8 signatures9 process10 file11 88 C:\Users\user\AppData\Local\...\svchost32.exe, PE32+ 27->88 dropped 128 Machine Learning detection for dropped file 27->128 130 Adds a directory exclusion to Windows Defender 27->130 41 cmd.exe 27->41         started        43 cmd.exe 1 27->43         started        signatures12 process13 signatures14 46 svchost32.exe 41->46         started        50 conhost.exe 41->50         started        124 Uses schtasks.exe or at.exe to add and modify task schedules 43->124 126 Adds a directory exclusion to Windows Defender 43->126 52 powershell.exe 24 43->52         started        54 conhost.exe 43->54         started        56 powershell.exe 43->56         started        58 2 other processes 43->58 process15 file16 94 C:\Windows\System32\services32.exe, PE32+ 46->94 dropped 136 Machine Learning detection for dropped file 46->136 138 Drops executables to the windows directory (C:\Windows) and starts them 46->138 60 services32.exe 46->60         started        63 cmd.exe 46->63         started        65 cmd.exe 46->65         started        signatures17 process18 signatures19 132 Adds a directory exclusion to Windows Defender 60->132 67 cmd.exe 60->67         started        70 conhost.exe 63->70         started        72 schtasks.exe 63->72         started        74 conhost.exe 65->74         started        76 choice.exe 65->76         started        process20 signatures21 110 Adds a directory exclusion to Windows Defender 67->110 78 conhost.exe 67->78         started        80 powershell.exe 67->80         started        82 powershell.exe 67->82         started        84 2 other processes 67->84 process22
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d96b12587bf342e3a99493402b3ede54ef5b3f31ff4b09a6710f1443a66f2683/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-04 04:50:13 UTC
AV detection:
26 of 46 (56.52%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3fvrewd36nbohkmusnacwpw6ktxvwpzr75fqtjtrb4kehjtpe2bq._file
Verdict:
malicious
Similar samples:
275cd3c09afaacc06adbdbcd5c638b5894c81eca008446454864b537f54593bd
RedLineStealer
2dfdc495160b8492466dfe6108702ea44b5a7ff1b8d439d6a6dc9af9359a0838
RedLineStealer
3cc3678682dc887a9f5e168717967fc266e266a5fd5dfe10e210d26b7246e5c4
RedLineStealer
57430cbbfebdef7c54698b00102dbd2098aef53ba4bd5fa43660c2e306f53482
RedLineStealer
6c3a2575d3325e7a0f520a5fefa0384855980461683e6c7463debbd668ab3258
RedLineStealer
74b13418d9f50f94920aa870823732618509599ed36a57e440c32c1e9cd928f2
RedLineStealer
c6c9d678a3313c5bb7fe71194a2a1e4d3ffca2f04252dd1983ba657cfe17320e
RedLineStealer
e15ea1dc92dd31517334886dba17d7022c73d258096bf77f897ef60c1b8302b1
RedLineStealer
e8c4bcdcf46f101cc7126f7bde6955f6a971d06dc2bea9f6499594b475b091e2
RedLineStealer
+ 27 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer suricata
Link:
https://tria.ge/reports/210806-c5xkk645b6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
RedLine
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Unpacked files
SH256 hash:
d96b12587bf342e3a99493402b3ede54ef5b3f31ff4b09a6710f1443a66f2683
MD5 hash:
1f66f90bd2ff6aba4db2ad1b94453020
SHA1 hash:
06509a28c407ee7a4defdc8c4959f285df6658a6
Link:
https://www.unpac.me/results/cae094fc-c770-4462-b75f-548e531c0640/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/d96b12587bf3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d96b12587bf342e3a99493402b3ede54ef5b3f31ff4b09a6710f1443a66f2683

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:EnigmaStub
Create hunting rule
Author:@bartblaze
Description:Identifies Enigma packer stub.
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:RedLine
Create hunting rule
Author:@bartblaze
Description:Identifies RedLine stealer.
Rule name:redline_new_mem
Create hunting rule
Author:James_inthe_box
Description:Redline stealer
Reference:https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8/
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_smominru_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.smominru.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/176927/

Comments