MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d9940a9cef58551d84f69aacf49103fe025c250f5147e65e1431d675b1f5cf1e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d9940a9cef58551d84f69aacf49103fe025c250f5147e65e1431d675b1f5cf1e
SHA3-384 hash: fa316e160928eccfd1f6d481e7274135df946dfd1bb2c54a1be33c9bd906aec124762b618be40d1d220de674d9d992e3
SHA1 hash: 4b1e76fbeec2420c0f1cbcd1f634179a158835df
MD5 hash: a4da4996d9190cd13d03d1ee60381592
humanhash: ceiling-tennis-ten-beer
File name:a4da4996d9190cd13d03d1ee60381592.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'504'647 bytes
First seen:2021-03-22 20:16:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a1a66d588dcf1394354ebf6ec400c223 (49 x RedLineStealer, 7 x CryptBot, 4 x AZORult)
ssdeep 24576:q53uhFuZM3/NPf5QPJKdb5t1bXmq2oegKl6iJbOsxWSNPO95KCKQVoP+a1g6A:q5+hFuZYlf52It2rbwi5OsxWsQKCKQV/
Threatray 77 similar samples on MalwareBazaar
TLSH C36523113EC640B5D9E33A325C55736826BAE2730B15B2C7A3490907AF2E6F2DE3D6C5
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
114
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a4da4996d9190cd13d03d1ee60381592.exe
Verdict:
Malicious activity
Analysis date:
2021-03-22 20:26:33 UTC
Tags:
autoit
Link:
https://app.any.run/tasks/8616417b-12f8-4a6c-915a-800a355e6807

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/126279/
Detection(s):
PUA.Win.Downloader.Driverpack-6998194-0
Create hunting rule

PUA.Win.Adware.Generic-7505646-0
Create hunting rule

PUA.Win.File.Generic-7557964-0
Create hunting rule

SecuriteInfo.com.Artemis8A5D1E11C3D3.26302.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Running batch commands
Creating a process with a hidden window
Sending a UDP request
Launching cmd.exe command interpreter
Launching a process
Creating a process from a recently created file
DNS request
Deleting a recently created file
Searching for the window
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/648649
Signature
Contains functionality to register a low level keyboard hook
Drops PE files with a suspicious file extension
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Drops script at startup location
Submitted sample is a known malware sample
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 373287 Sample: MmuRNUcd2B.exe Startdate: 22/03/2021 Architecture: WINDOWS Score: 84 83 Multi AV Scanner detection for submitted file 2->83 85 Sigma detected: Drops script at startup location 2->85 12 MmuRNUcd2B.exe 8 2->12         started        process3 signatures4 97 Contains functionality to register a low level keyboard hook 12->97 15 cmd.exe 1 12->15         started        17 cmd.exe 1 12->17         started        process5 signatures6 20 cmd.exe 3 15->20         started        23 conhost.exe 15->23         started        75 Submitted sample is a known malware sample 17->75 77 Obfuscated command line found 17->77 79 Uses ping.exe to sleep 17->79 81 Uses ping.exe to check the status of other devices and networks 17->81 25 conhost.exe 17->25         started        process7 signatures8 87 Obfuscated command line found 20->87 89 Uses ping.exe to sleep 20->89 27 Arrossendo.exe.com 20->27         started        30 PING.EXE 1 20->30         started        33 findstr.exe 1 20->33         started        process9 dnsIp10 95 Drops PE files with a suspicious file extension 27->95 36 Arrossendo.exe.com 6 27->36         started        71 127.0.0.1 unknown unknown 30->71 73 192.168.2.1 unknown unknown 30->73 61 C:\Users\user\AppData\...\Arrossendo.exe.com, Targa 33->61 dropped file11 signatures12 process13 dnsIp14 67 vNeBTTigkCsQlgOArXYrYUFeNuBzn.vNeBTTigkCsQlgOArXYrYUFeNuBzn 36->67 63 C:\Users\user\AppData\...\VTOoGaYgxb.exe.com, PE32 36->63 dropped 65 C:\Users\user\AppData\...\VTOoGaYgxb.url, MS 36->65 dropped 91 Injects a PE file into a foreign processes 36->91 41 Arrossendo.exe.com 21 36->41         started        file15 signatures16 process17 dnsIp18 69 banusdoret.top 8.208.95.18, 443, 49733, 49734 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC Singapore 41->69 93 Tries to harvest and steal browser information (history, passwords, etc) 41->93 45 cmd.exe 1 41->45         started        47 cmd.exe 1 41->47         started        49 cmd.exe 1 41->49         started        signatures19 process20 process21 51 WMIC.exe 1 45->51         started        53 conhost.exe 45->53         started        55 makecab.exe 11 47->55         started        57 conhost.exe 47->57         started        59 conhost.exe 49->59         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d9940a9cef58551d84f69aacf49103fe025c250f5147e65e1431d675b1f5cf1e/
Threat name:
Win32.Trojan.Crypzip
Create hunting rule
Status:
Malicious
First seen:
2021-03-22 20:17:14 UTC
AV detection:
7 of 29 (24.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3gkavhhplbkr3bhwtkwpjeid7ybfyjipkfd6mxqughlhlmpvz4pa._file
Verdict:
suspicious
Similar samples:
22f8d1582e34c1754955d616542d3bf5e784d357ed58dd45e6bc3a5df9c82446
RedLineStealer
3b63323d965a34d9a828593150e9c765b085eb844c8c1596a86def9b623e099e
RedLineStealer
5d0b09993c8b1d6de2ab162c32f2c36fb250b5a8051fbde5d5bcf9e8142ef75d
RedLineStealer
620afc2abbee35a3927169681326c1f1800030fd02c77eef6a49550978a41257
RedLineStealer
872c552974708cea64df67fd5ae841611ff951f8c8d5230e611cec5f062bfa1f
RedLineStealer
883bd670d55447865cc753c58efafc0c26c17c8d2b11b10f3bc9f70093abe507
RedLineStealer
b2a25a9f27131c62b7d78cd92136392c36b1c0323084627382c80b1d639bc3ae
RedLineStealer
bb73a38d0a3977b6a7e548f33ff5bd687ea19f9230bb822bb3b9669b71d34879
RedLineStealer
c059548509d5ca453810776ad5bdea3440fb122b361211616d7300cc3b25fac0
RedLineStealer
e01d9c12ce59def16d3aa593e461d13173b98d4cef9658834f756ff4edbfd3d7
RedLineStealer
+ 67 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/210322-e78fxtd7be/
Behaviour
Modifies system certificate store
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SH256 hash:
31645862ada60d43acda8cd93c52dbe03180fc981f0ddf4ce00a3438d043cdf7
MD5 hash:
44ecb41c3f596d615bf6b7b25361966a
SHA1 hash:
8d413bf875b976b67b0fb65567465f9f0f38ffd5
Link:
https://www.unpac.me/results/e3bf728b-5f74-43ea-8df9-a9b2b309ea55/
SH256 hash:
d9940a9cef58551d84f69aacf49103fe025c250f5147e65e1431d675b1f5cf1e
MD5 hash:
a4da4996d9190cd13d03d1ee60381592
SHA1 hash:
4b1e76fbeec2420c0f1cbcd1f634179a158835df
Link:
https://www.unpac.me/results/e3bf728b-5f74-43ea-8df9-a9b2b309ea55/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
HiddenRun
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d9940a9cef58551d84f69aacf49103fe025c250f5147e65e1431d675b1f5cf1e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe d9940a9cef58551d84f69aacf49103fe025c250f5147e65e1431d675b1f5cf1e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1083192/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/126279/

Comments