MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 de995ae2a901c32c4a4800d423fa4dab1274d58bbf9f4be57ed59c5e184a04f2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: de995ae2a901c32c4a4800d423fa4dab1274d58bbf9f4be57ed59c5e184a04f2
SHA3-384 hash: 903173a6b5b1e0ebca45b29c966d664e7a42ec80502d8266521be777a01296a55213ef33effb7932b1abd6e21843cae0
SHA1 hash: 01fb74afc137c91533f2f19379d4c12eed4754a9
MD5 hash: 9bce4cf2cabba00cb15be050754fc478
humanhash: red-utah-queen-sodium
File name:9bce4cf2cabba00cb15be050754fc478.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:137'728 bytes
First seen:2021-09-22 18:05:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 768:tLx3eKZ8wzydMMC2FeaiggFwhgpjSCjTgvF0vy1043nrZ12zsQBm+kmzN1E4YIvH:tZe62NTxaDp59HaXI/Y16wYYe
Threatray 6'125 similar samples on MalwareBazaar
TLSH T10BD39377406150AAC5B81330E8695F0B7E6CDE240E40B6D8F04FB2EADD3DA5D8EF52A5
File icon (PE):PE icon
dhash icon 0008106060100800 (5 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
212
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9bce4cf2cabba00cb15be050754fc478.exe
Verdict:
Malicious activity
Analysis date:
2021-09-22 18:08:33 UTC
Tags:
stealer trojan rat redline evasion
Link:
https://app.any.run/tasks/f19fad68-c999-4d73-a60f-1bb4ef829980

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/190370/
Detection(s):
SecuriteInfo.com.Suspicious.Win32.Save.a.9096.20987.UNOFFICIAL
Create hunting rule

Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/029d1d3c-c79a-41e2-bf31-a76ded876977
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/855911
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 488342 Sample: 1fZWE7rohE.exe Startdate: 22/09/2021 Architecture: WINDOWS Score: 100 47 api.ip.sb 2->47 67 Multi AV Scanner detection for submitted file 2->67 69 Yara detected RedLine Stealer 2->69 71 .NET source code contains method to dynamically call methods (often used by packers) 2->71 73 5 other signatures 2->73 9 1fZWE7rohE.exe 15 8 2->9         started        signatures3 process4 dnsIp5 49 iplogger.org 88.99.66.31, 443, 49693, 49694 HETZNER-ASDE Germany 9->49 51 whealclothing.xyz 104.21.90.143, 443, 49681, 49684 CLOUDFLARENETUS United States 9->51 37 C:\ProgramData\8187549.exe, PE32 9->37 dropped 39 C:\ProgramData\7508152.exe, PE32 9->39 dropped 41 C:\ProgramData\3625430.exe, PE32 9->41 dropped 43 2 other malicious files 9->43 dropped 75 Detected unpacking (changes PE section rights) 9->75 77 May check the online IP address of the machine 9->77 79 Performs DNS queries to domains with low reputation 9->79 14 8187549.exe 14 3 9->14         started        18 3493123.exe 9->18         started        20 7508152.exe 9->20         started        22 3625430.exe 15 24 9->22         started        file6 signatures7 process8 dnsIp9 59 94.140.112.88, 49697, 81 TELEMACHBroadbandAccessCarrierServicesSI Latvia 14->59 61 api.ip.sb 14->61 85 Detected unpacking (changes PE section rights) 14->85 87 Query firmware table information (likely to detect VMs) 14->87 89 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 14->89 24 conhost.exe 14->24         started        63 188.124.36.242, 25802, 49699 SELECTELRU Russian Federation 18->63 91 Tries to detect sandboxes and other dynamic analysis tools (window names) 18->91 93 Hides threads from debuggers 18->93 95 Tries to detect sandboxes / dynamic malware analysis system (registry check) 18->95 97 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 20->97 26 7508152.exe 14 33 20->26         started        31 WerFault.exe 20->31         started        65 all-design-space.top 104.21.74.160, 443, 49690 CLOUDFLARENETUS United States 22->65 99 Machine Learning detection for dropped file 22->99 33 conhost.exe 22->33         started        signatures10 process11 dnsIp12 53 185.215.113.104, 18754, 49696 WHOLESALECONNECTIONSNL Portugal 26->53 55 cdn.discordapp.com 162.159.129.233, 443, 49702 CLOUDFLARENETUS United States 26->55 57 2 other IPs or domains 26->57 45 C:\Users\user\AppData\Local\Temp\Clipr.exe, PE32 26->45 dropped 81 Tries to harvest and steal browser information (history, passwords, etc) 26->81 83 Tries to steal Crypto Currency Wallets 26->83 35 conhost.exe 26->35         started        file13 signatures14 process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/de995ae2a901c32c4a4800d423fa4dab1274d58bbf9f4be57ed59c5e184a04f2/
Threat name:
ByteCode-MSIL.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-09-22 17:36:35 UTC
AV detection:
13 of 27 (48.15%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
5d372a19bbdae072e4fb4ff9deded30dbb40f4a74b54fbf77888a1523e864129
RedLineStealer
61cafe16ef316179718e8827d2c0d37604639050956b95d1167ce4b1ac601948
RedLineStealer
647c067b0bf2c8457c1d4153cf0635a662d709d881b231e06e7f307dbce46e12
RedLineStealer
7e92233d9ad854b672068825a64c442ed8e6f4f283729c874296278e235d7241
RedLineStealer
ad609feb61006710a2e85c11ddf17586c59ad11a84fb0099c8ec0bad100682b0
RedLineStealer
b817002c69c6315e116f14d6fe64151577999eb773842f052fb17d9a7413a53c
RedLineStealer
c88d90ab7e74383b46c41cc01a5ec7065c4e40cff87fb0c619bb7421704e8af9
RedLineStealer
d620056c5defae218de13235fc4a509d968bd55469092aa00095ff94a0246b7f
RedLineStealer
fc576ede17e81cc2d5229f3a8ff900df35ba9c46fef5c67c8bb0fbb83f418b3e
RedLineStealer
+ 6'115 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:229m4d discovery evasion infostealer spyware stealer themida trojan
Link:
https://tria.ge/reports/210922-wps7laddc7/
Behaviour
Suspicious use of WriteProcessMemory
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RedLine
RedLine Payload
Malware Config
C2 Extraction:
185.215.113.104:18754
Unpacked files
SH256 hash:
ebf9d93bf4bab4c964f0462a4af731c3793ff1ac2d0c44df66e03c434954e3b8
MD5 hash:
5df0a1c60105bed41bd4f4321c95b8b7
SHA1 hash:
9a256e5d1c521094fe10bb0a337df44e3a41ad36
Link:
https://www.unpac.me/results/b643a839-6297-4ab3-ba5e-56fe8a8d4116/
SH256 hash:
de995ae2a901c32c4a4800d423fa4dab1274d58bbf9f4be57ed59c5e184a04f2
MD5 hash:
9bce4cf2cabba00cb15be050754fc478
SHA1 hash:
01fb74afc137c91533f2f19379d4c12eed4754a9
Link:
https://www.unpac.me/results/b643a839-6297-4ab3-ba5e-56fe8a8d4116/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/de995ae2a901c32c4a4800d423fa4dab1274d58bbf9f4be57ed59c5e184a04f2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe de995ae2a901c32c4a4800d423fa4dab1274d58bbf9f4be57ed59c5e184a04f2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1635346/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/190370/

Comments