MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dd404b5d3eff0840ba192d8b5c5a25a475feee2f73b069799bffd38ec43edb0c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dd404b5d3eff0840ba192d8b5c5a25a475feee2f73b069799bffd38ec43edb0c
SHA3-384 hash: e14a6ee4f910fde8a966c72d0e3d28d7b693c744fad30d686d995eae1c680e416ba43a3fbbb17afc30e5a42102f2b40a
SHA1 hash: d8f8dc5abcd6ab0c62a8bacdfb93a2c5d3caa8df
MD5 hash: 31a4ae5bc26bde205a7ae29cdc947890
humanhash: alanine-mango-network-berlin
File name:HackLoader.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'589'760 bytes
First seen:2021-12-02 21:00:48 UTC
Last seen:2021-12-02 22:47:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d7dd6fa75115d9909f747434e40fff68 (173 x RedLineStealer, 10 x DCRat, 1 x CoinMiner.XMRig)
ssdeep 49152:Xz5kIpKzQ1HqbySh3X7BQbDRc+IcLFB/YzamCdNam/7Wpq:d1FKbySttQJ1BQemaj/x
TLSH T1757533FF4329F680CA2506F86986BC794D99F121F1D4D5CEAB1A244AFDF4409CC6C2B6
Reporter tech_skeech
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
186
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
HackLoader.exe
Verdict:
Malicious activity
Analysis date:
2021-12-02 21:04:06 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/aefbd44c-fdfe-4f25-b932-251d0c295f77

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/210875/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Сreating synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Running batch commands
Searching for synchronization primitives
Launching a process
Searching for the window
Stealing user critical data
Query of malicious DNS domain
Blocking the Windows Defender launch
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/595/overview
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/61a93411707a51cfe28be0a1/reports/c0d626e6-6db8-4478-b1bb-17ccb4be9392/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/54c3e9af-57fb-43ec-8f7f-7c3de9d7ec21
Result
Threat name:
Phoenix Miner RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/900498
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Hides threads from debuggers
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Add file from suspicious location to autostart registry
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Phoenix Miner
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 532972 Sample: HackLoader.exe Startdate: 02/12/2021 Architecture: WINDOWS Score: 100 103 bitbucket.org 2->103 129 Antivirus detection for URL or domain 2->129 131 Antivirus detection for dropped file 2->131 133 Multi AV Scanner detection for dropped file 2->133 135 8 other signatures 2->135 10 HackLoader.exe 15 8 2->10         started        15 RegHost.exe 2->15         started        17 RegHost.exe 2->17         started        signatures3 process4 dnsIp5 115 185.223.92.157, 44160, 49740 DDOS-GUARDRU Netherlands 10->115 117 cdn.discordapp.com 162.159.129.233, 443, 49743 CLOUDFLARENETUS United States 10->117 123 2 other IPs or domains 10->123 97 C:\Users\user\AppData\Local\Temp\3.exe, PE32 10->97 dropped 99 C:\Users\user\AppData\Local\Temp\2.exe, PE32+ 10->99 dropped 101 C:\Users\user\AppData\...\HackLoader.exe.log, ASCII 10->101 dropped 163 Detected unpacking (changes PE section rights) 10->163 165 Detected unpacking (overwrites its own PE header) 10->165 167 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 10->167 175 5 other signatures 10->175 19 2.exe 22 10->19         started        24 3.exe 15 10->24         started        119 bitbucket.org 15->119 169 Machine Learning detection for dropped file 15->169 171 Injects code into the Windows Explorer (explorer.exe) 15->171 173 Writes to foreign memory regions 15->173 177 3 other signatures 15->177 26 explorer.exe 15->26         started        28 bfsvc.exe 15->28         started        30 cmd.exe 15->30         started        38 3 other processes 15->38 121 bitbucket.org 17->121 32 cmd.exe 17->32         started        34 cmd.exe 17->34         started        36 conhost.exe 17->36         started        file6 signatures7 process8 dnsIp9 105 bitbucket.org 104.192.141.1, 443, 49747, 49749 AMAZON-02US United States 19->105 107 s3-w.us-east-1.amazonaws.com 52.217.109.12, 443, 49748, 49750 AMAZON-02US United States 19->107 111 2 other IPs or domains 19->111 83 C:\Users\user\AppData\Roaming\...\RegHost.exe, PE32+ 19->83 dropped 85 C:\Users\user\AppData\Roaming\...\7z.exe, PE32+ 19->85 dropped 87 C:\Users\user\AppData\Roaming\...\7z.dll, PE32+ 19->87 dropped 91 2 other files (none is malicious) 19->91 dropped 137 Machine Learning detection for dropped file 19->137 139 Uses cmd line tools excessively to alter registry or file data 19->139 141 Contains functionality to inject code into remote processes 19->141 40 cmd.exe 19->40         started        50 10 other processes 19->50 109 ccf9ba3695b15b4f0787e6290e0f63allcomejroo839jxi13.xyz 207.244.237.176, 49745, 80 CONTABOUS United States 24->109 143 Multi AV Scanner detection for dropped file 24->143 145 Performs DNS queries to domains with low reputation 24->145 43 conhost.exe 24->43         started        147 Query firmware table information (likely to detect VMs) 26->147 149 Tries to detect sandboxes / dynamic malware analysis system (registry check) 26->149 45 RegHost.exe 26->45         started        89 \Device\ConDrv, ASCII 28->89 dropped 151 Hides threads from debuggers 28->151 48 conhost.exe 28->48         started        52 2 other processes 30->52 54 2 other processes 32->54 56 2 other processes 34->56 58 4 other processes 38->58 file10 signatures11 process12 dnsIp13 153 Uses cmd line tools excessively to alter registry or file data 40->153 61 reg.exe 40->61         started        63 conhost.exe 40->63         started        125 bitbucket.org 45->125 155 Writes to foreign memory regions 45->155 157 Allocates memory in foreign processes 45->157 159 Modifies the context of a thread in another process (thread injection) 45->159 161 Injects a PE file into a foreign processes 45->161 65 cmd.exe 45->65         started        68 conhost.exe 45->68         started        70 curl.exe 50->70         started        73 conhost.exe 50->73         started        75 conhost.exe 50->75         started        77 11 other processes 50->77 93 C:\Users\user\AppData\...\RegHost_Temp.exe, PE32+ 58->93 dropped 95 C:\Users\user\AppData\...\RegData_Temp.exe, PE32+ 58->95 dropped file14 signatures15 process16 dnsIp17 79 conhost.exe 61->79         started        127 Uses cmd line tools excessively to alter registry or file data 65->127 81 conhost.exe 65->81         started        113 api.telegram.org 149.154.167.220, 443, 49746 TELEGRAMRU United Kingdom 70->113 signatures18 process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dd404b5d3eff0840ba192d8b5c5a25a475feee2f73b069799bffd38ec43edb0c/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-12-02 21:01:19 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3vaewxj674eeboqzfwfvywrfur2753rpooygs6m377jy5rb63mga._file
Verdict:
malicious
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery evasion infostealer persistence spyware stealer suricata themida trojan upx
Link:
https://tria.ge/reports/211202-ztweasbhdm/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine Payload
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
Unpacked files
SH256 hash:
6851e02d3f4b8179b975f00bbc86602a2f2f84524f548876eb656db7ea5eaa9c
MD5 hash:
c5124caf4aea3a83b63a9108fe0dcef8
SHA1 hash:
a43a5a59038fca5a63fa526277f241f855177ce6
Link:
https://www.unpac.me/results/69149cb5-f84e-4533-8a7c-f3ea6a77b014/
SH256 hash:
dd404b5d3eff0840ba192d8b5c5a25a475feee2f73b069799bffd38ec43edb0c
MD5 hash:
31a4ae5bc26bde205a7ae29cdc947890
SHA1 hash:
d8f8dc5abcd6ab0c62a8bacdfb93a2c5d3caa8df
Link:
https://www.unpac.me/results/69149cb5-f84e-4533-8a7c-f3ea6a77b014/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dd404b5d3eff0840ba192d8b5c5a25a475feee2f73b069799bffd38ec43edb0c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe dd404b5d3eff0840ba192d8b5c5a25a475feee2f73b069799bffd38ec43edb0c

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/210875/

Comments