MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e9f1d411e9f40b3050fd6bec3caf316b0986bce3f8185b6529efc6586800fd4a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 7 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e9f1d411e9f40b3050fd6bec3caf316b0986bce3f8185b6529efc6586800fd4a
SHA3-384 hash: 1dab215bc418a7580208b4e9333739540be62f0b6de9c875cdd900223f1e883e582ec774625b8120b932809095375e16
SHA1 hash: 668b8ec9e4f09bdcaf0883d044721857b7593133
MD5 hash: b02a24fd40e55b36649f01a1aab25e98
humanhash: xray-twenty-autumn-may
File name:b02a24fd40e55b36649f01a1aab25e98
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:9'491'016 bytes
First seen:2021-12-21 22:53:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 196608:PNHWtAlaMz2gTZE3cJYjuEcskgCKg8C5TvhoSbxkCu38Lsc2NbiG0jD/Z+9:PN+Un2gS35HDE5jBStoUQo9
Threatray 77 similar samples on MalwareBazaar
TLSH T1D3A633829DD9D276E9A02D31D9387A611A7DA5200F39CE6B93884FCDD8715C07C34BEB
File icon (PE):PE icon
dhash icon 35c2c46c6ba6a459 (1 x CoinMiner, 1 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
200
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b02a24fd40e55b36649f01a1aab25e98
Verdict:
Malicious activity
Analysis date:
2021-12-21 22:56:40 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/975ed8eb-38e5-4983-bf38-850dc5ede445

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/215714/
Detection(s):
SecuriteInfo.com.Gen.Variant.Razy.582340.18684.14597.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Launching a process
Launching the default Windows debugger (dwwin.exe)
Running batch commands
Sending a custom TCP request
Using the Windows Management Instrumentation requests
DNS request
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/2898/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/61c25b0f4ab5c44cbf4bfaab/reports/5326f575-d02b-40d1-8c44-10c6c3c75986/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0fa9d2e9-7d4e-4acd-848a-ab6b35402aac
Result
Threat name:
RedLine Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/911274
Signature
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Detected Stratum mining protocol
Detected unpacking (changes PE section rights)
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Potential dropper URLs found in powershell memory
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 543748 Sample: nDDzaKRagi Startdate: 22/12/2021 Architecture: WINDOWS Score: 100 57 131.153.56.98, 49794, 80 CWIEUS United States 2->57 59 pool.hashvault.pro 2->59 63 Malicious sample detected (through community Yara rule) 2->63 65 Multi AV Scanner detection for submitted file 2->65 67 Yara detected RedLine Stealer 2->67 69 8 other signatures 2->69 9 nDDzaKRagi.exe 10 2->9         started        12 services64.exe 2->12         started        15 svchost.exe 2->15         started        17 11 other processes 2->17 signatures3 process4 file5 53 C:\Users\user\AppData\Local\...\ProtonVPN.exe, PE32+ 9->53 dropped 55 C:\Users\user\AppData\Local\Temp\...\21.exe, PE32 9->55 dropped 19 21.exe 9->19         started        22 ProtonVPN.exe 5 9->22         started        85 Detected unpacking (changes PE section rights) 12->85 87 Machine Learning detection for dropped file 12->87 89 Hides threads from debuggers 12->89 91 Changes security center settings (notifications, updates, antivirus, firewall) 15->91 25 MpCmdRun.exe 15->25         started        93 System process connects to network (likely due to code injection or exploit) 17->93 27 WerFault.exe 17->27         started        signatures6 process7 file8 71 Multi AV Scanner detection for dropped file 19->71 73 Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION 19->73 75 Writes to foreign memory regions 19->75 83 2 other signatures 19->83 29 AppLaunch.exe 5 19->29         started        33 WerFault.exe 19->33         started        51 C:\Users\user\Microsoft\services64.exe, PE32+ 22->51 dropped 77 Detected unpacking (changes PE section rights) 22->77 79 Machine Learning detection for dropped file 22->79 81 Hides threads from debuggers 22->81 35 cmd.exe 1 22->35         started        37 cmd.exe 22->37         started        39 conhost.exe 25->39         started        signatures9 process10 dnsIp11 61 5.206.227.11, 49737, 63730 DOTSIPT Portugal 29->61 95 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 29->95 97 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 29->97 99 Tries to harvest and steal browser information (history, passwords, etc) 29->99 101 Tries to steal Crypto Currency Wallets 29->101 103 Encrypted powershell cmdline option found 35->103 105 Uses schtasks.exe or at.exe to add and modify task schedules 35->105 41 powershell.exe 24 35->41         started        43 conhost.exe 35->43         started        45 powershell.exe 35->45         started        47 conhost.exe 37->47         started        49 schtasks.exe 37->49         started        signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e9f1d411e9f40b3050fd6bec3caf316b0986bce3f8185b6529efc6586800fd4a/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2021-12-21 17:52:45 UTC
File Type:
PE (Exe)
Extracted files:
9
AV detection:
22 of 27 (81.48%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5hy5iepj6qftauh5npwdzlzrnmeynphd7amfwzjj57dfq2aa7vfa._file
Verdict:
malicious
Similar samples:
02f0bbe79e7b4fbda98d68a49691f8a9c0b019437b146e3f509730181eb74f1c
RedLineStealer
3426d12d872333a290c333ef0cff53ccd94966fe5826106ebc3d819cf078698b
RedLineStealer
3dbd5487b19aa019bade16d9061195230b742a45ddb2e411d0e6b7fac6778e17
RedLineStealer
565b1484478b1644bd1e8954e079f653b8f71c9f16997d4b7fc53f83da609e35
RedLineStealer
64edbaff99fe8c87c2f5f826b0d1741c575295e3ab0c3d16db8bbacd2baebd30
RedLineStealer
f3a0806bf7e9030e703483f4469a2292d9595d500a2365336de454a3bf047e26
RedLineStealer
feb365d784b06535c3bd3ab5c525e771521f0f7dcc71c8c3e800226fdb117085
RedLineStealer
+ 67 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner
Link:
https://tria.ge/reports/211221-2vjs1afedn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
XMRig Miner Payload
xmrig
Unpacked files
SH256 hash:
7d51d50cede9b69a1a8d0bc205510fb25e1a0657d9cc4aeb3e31e2542b27b387
MD5 hash:
28b6b30d8b27e6f378a606aa17663e18
SHA1 hash:
99d05a6df3377571d4dd41dcde47cd52a3ade4d1
Link:
https://www.unpac.me/results/77cc7f9e-0469-46f4-a9b7-be98a6d19746/
SH256 hash:
9a44fc39eff8bdd3cf54c22d21ead3f92c4de4733daf7f6dbec812763e4dacaf
MD5 hash:
90de6bde9a45d34dc7c85fd093d6f83f
SHA1 hash:
429b98bd63ee307b68da59dc182b5067c7fdd481
Link:
https://www.unpac.me/results/77cc7f9e-0469-46f4-a9b7-be98a6d19746/
SH256 hash:
e9f1d411e9f40b3050fd6bec3caf316b0986bce3f8185b6529efc6586800fd4a
MD5 hash:
b02a24fd40e55b36649f01a1aab25e98
SHA1 hash:
668b8ec9e4f09bdcaf0883d044721857b7593133
Link:
https://www.unpac.me/results/77cc7f9e-0469-46f4-a9b7-be98a6d19746/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e9f1d411e9f40b3050fd6bec3caf316b0986bce3f8185b6529efc6586800fd4a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:EnigmaStub
Create hunting rule
Author:@bartblaze
Description:Identifies Enigma packer stub.
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe e9f1d411e9f40b3050fd6bec3caf316b0986bce3f8185b6529efc6586800fd4a

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1908491/
Cape
Cape
https://www.capesandbox.com/analysis/215714/

Comments


Avatar
zbet commented on 2021-12-21 22:53:48 UTC

url : hxxp://data-file-data-7.com/files/3256_1640017333_1110.exe