MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d9b24fe6f9059ed1935afdab787fb4d84faf530143c829d525df509181674c6e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d9b24fe6f9059ed1935afdab787fb4d84faf530143c829d525df509181674c6e
SHA3-384 hash: 721a99efe4e36be2a3f2b366bb0fcbb5bd992e7f7743c6c89127235a181e27da191f7167b511df00365add445a222ab5
SHA1 hash: 08ffca9a709e354fcc76564eef6b8c750275b707
MD5 hash: 4f195d838bea3b47d9f354381463acbc
humanhash: kilo-white-sierra-zulu
File name:SecuriteInfo.com.Variant.MSILHeracles.28350.8499.13755
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'017'840 bytes
First seen:2021-10-11 18:50:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:YV7z4HyozEEwrTHzHXvO3ClClZN7y56TlO/vTEYDtxh+DUWmFFvNBIMxIiqT8WT:1yoEE4TTHXvOSgZdy8MT3ADBmFFFSTT
Threatray 429 similar samples on MalwareBazaar
TLSH T1DC25ADB037689E5EF7864A31402CF9D4F6343C2A66CAD20BF04276587D3F25E8A949D3
File icon (PE):PE icon
dhash icon 408e86265e1753a8 (1 x RedLineStealer)
Reporter SecuriteInfoCom
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
291
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Variant.MSILHeracles.28350.8499.13755
Verdict:
Malicious activity
Analysis date:
2021-10-11 18:57:23 UTC
Tags:
trojan rat redline evasion
Link:
https://app.any.run/tasks/572b5bbb-e6dc-47af-9a44-cc00f91a0a9d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/196728/
Detection(s):
SecuriteInfo.com.Variant.MSILHeracles.28350.8499.13755.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated overlay packed
Link:
https://www.filescan.io/uploads/6164879afd35fe780c38aa7c/reports/ba98f708-1312-4bfc-8e35-8803f6751df7/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/55fdb5cd-a03f-4bdb-a5f1-af285d241bbc
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/867803
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected AntiVM3
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 500229 Sample: SecuriteInfo.com.Variant.MS... Startdate: 11/10/2021 Architecture: WINDOWS Score: 100 31 Found malware configuration 2->31 33 Multi AV Scanner detection for submitted file 2->33 35 Yara detected RedLine Stealer 2->35 37 6 other signatures 2->37 7 SecuriteInfo.com.Variant.MSILHeracles.28350.8499.exe 4 2->7         started        process3 file4 23 SecuriteInfo.com.V....28350.8499.exe.log, ASCII 7->23 dropped 39 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 7->39 41 May check the online IP address of the machine 7->41 43 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 7->43 45 Adds a directory exclusion to Windows Defender 7->45 11 SecuriteInfo.com.Variant.MSILHeracles.28350.8499.exe 15 6 7->11         started        15 powershell.exe 24 7->15         started        17 SecuriteInfo.com.Variant.MSILHeracles.28350.8499.exe 7->17         started        signatures5 process6 dnsIp7 25 45.67.228.160, 2001, 49750 SERVERIUS-ASNL Moldova Republic of 11->25 27 j41259734.myjino.ru 81.177.141.85, 49753, 80 RTCOMM-ASRU Russian Federation 11->27 29 iplogger.org 88.99.66.31, 443, 49759 HETZNER-ASDE Germany 11->29 47 Tries to harvest and steal browser information (history, passwords, etc) 11->47 49 Tries to steal Crypto Currency Wallets 11->49 19 conhost.exe 11->19         started        21 conhost.exe 15->21         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d9b24fe6f9059ed1935afdab787fb4d84faf530143c829d525df509181674c6e/
Threat name:
ByteCode-MSIL.Trojan.Heracles
Create hunting rule
Status:
Malicious
First seen:
2021-10-11 17:53:37 UTC
AV detection:
15 of 45 (33.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3gze7zxzawpnde227wvxq75u3bh26uybipectvjf35ijdalhjrxa._file
Verdict:
malicious
Similar samples:
22c23de0a046b3652861d880ad53bbfca85448d0a6814d34151b1f359839dd37
RedLineStealer
4eb02a90be27af84c49a2f62da8e179e5117d82db4e25c7a2c80e2954583bdb3
RedLineStealer
63301a39b93b63acab80e0a05b909f733d792c7ae829a0a207d2fa2e1498158f
RedLineStealer
677bea9e71aa3a56fe62a20580eb0786431a4789cb340a7294eb243054191c58
RedLineStealer
732ba56b4b4044d7356b745db037e41fafe74dd8610e29c5b8c811a18936c09a
RedLineStealer
7a6c03013a2f2ab8b9e8e7e5d226ea89e75da72c1519e78fd28b2253ea755c28
RedLineStealer
9896b4bf3012c8477faa6994da3dcf12b3a445359323d5a8ee697292d3be7545
RedLineStealer
cebf4c9af84506f3b683d5d4867b739244b6ba595772d583b3455781c4d91b74
RedLineStealer
d183e9e83ebe8b007903366768884e5ddfd40136f2cd436575e9f251a0f92b93
RedLineStealer
ea5236788c97196a492eb29449a57951e3df07b3d432f85fd23e511cfd02a58d
RedLineStealer
+ 419 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:hidden discovery infostealer spyware stealer
Link:
https://tria.ge/reports/211011-xhg2eshhe9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
45.67.228.160:2001
Unpacked files
SH256 hash:
d434e7cb4105d7e760a39a1a8a1306338b00fbd6507025d53e4c44ede73d3788
MD5 hash:
6613b992e916924c3f38a179bb9866ab
SHA1 hash:
cd5741f4d0a4685c5fd9c9e2e708bbf33ec1691a
Link:
https://www.unpac.me/results/a22f3ab1-3a80-4623-a9bb-bcc6cf00d1f8/
SH256 hash:
e3f3b322490caf3cd3b88fc2a2f43827e633792881619eaf7426802890c4f80a
MD5 hash:
d1b43ab369612065ad1e5da021481d7c
SHA1 hash:
c64e750747e1429fbc79a1040c2556ff4436565a
Link:
https://www.unpac.me/results/a22f3ab1-3a80-4623-a9bb-bcc6cf00d1f8/
SH256 hash:
7b3a656193086323de5066263c3be72af20007653c850670a35aac1c083a89ab
MD5 hash:
7f4c839193d8331e3ec842143c927506
SHA1 hash:
0388bcd44c82bf0d761cf578e8a4acf3cc0334bb
Link:
https://www.unpac.me/results/a22f3ab1-3a80-4623-a9bb-bcc6cf00d1f8/
SH256 hash:
d9b24fe6f9059ed1935afdab787fb4d84faf530143c829d525df509181674c6e
MD5 hash:
4f195d838bea3b47d9f354381463acbc
SHA1 hash:
08ffca9a709e354fcc76564eef6b8c750275b707
Link:
https://www.unpac.me/results/a22f3ab1-3a80-4623-a9bb-bcc6cf00d1f8/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/d9b24fe6f905/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/d9b24fe6f9059ed1935afdab787fb4d84faf530143c829d525df509181674c6e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_1f3216f428f850be2c66caa056f6d821
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe d9b24fe6f9059ed1935afdab787fb4d84faf530143c829d525df509181674c6e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1667559/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/196728/

Comments