MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f1fa0ec8d26f664f15e5a070657d29b1b656a54a4c08b102e791790fec3a41f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f1fa0ec8d26f664f15e5a070657d29b1b656a54a4c08b102e791790fec3a41f9
SHA3-384 hash: 78bea915998db321ba42bfac7725bd9eb2751a46a0b2e034027fd05876f9988367dd10c7b2ecfc55ff22ad1c00f53db9
SHA1 hash: 088e377852a3e173e26f192dbe666ccdc537814c
MD5 hash: c7afd7c213ee18415f4b98a88298a3a6
humanhash: happy-nuts-wisconsin-jupiter
File name:AutoSetup.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:3'739'136 bytes
First seen:2022-02-01 14:14:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 41304e4befbbd8a63ad6ec59f252160b (56 x RedLineStealer, 4 x RaccoonStealer, 2 x CoinMiner)
ssdeep 49152:YgTzWlZtS+rmPPBXcdnwnfGRsRjLFXxFh0kDE5TE5Sy7q8QvzTK9ZSWbANa4U6Nw:mZtqXlynwfGMjnke7qZvSHMjw
Threatray 32 similar samples on MalwareBazaar
TLSH T1D0063354B5847258EC0D96F20C64EE0B8FD2B8586BD1EF3774DC1FB64E2B8938125A8D
Reporter Anonymous
Tags:exe RedLineStealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.112.83.135:15482 https://threatfox.abuse.ch/ioc/373925/

Intelligence

File Origin
# of uploads :
1
# of downloads :
171
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
AutoSetup.exe
Verdict:
Malicious activity
Analysis date:
2022-02-01 14:12:50 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/d071ac6f-c29c-4784-8ade-9b2d1ddc35aa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/229181/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Launching the default Windows debugger (dwwin.exe)
DNS request
Creating a window
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Reading critical registry keys
Сreating synchronization primitives
Creating a file
Creating a process from a recently created file
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed raccoon
Link:
https://www.filescan.io/uploads/61f9406e6d25ac9e79f5fba7/reports/e8e0c861-00ea-442b-aaa2-24b33e46fd06/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c053a970-117f-47bf-891f-bc86f75787a0
Result
Threat name:
RedLine TON Miner
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/931718
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Connects to many ports of the same IP (likely port scanning)
Downloads files with wrong headers with respect to MIME Content-Type
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: File Created with System Process Name
Sigma detected: System File Execution Location Anomaly
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected TON Miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 564201 Sample: AutoSetup.exe Startdate: 01/02/2022 Architecture: WINDOWS Score: 100 106 Malicious sample detected (through community Yara rule) 2->106 108 Antivirus detection for URL or domain 2->108 110 Multi AV Scanner detection for submitted file 2->110 112 8 other signatures 2->112 12 AutoSetup.exe 2->12         started        process3 signatures4 122 Writes to foreign memory regions 12->122 124 Allocates memory in foreign processes 12->124 126 Injects a PE file into a foreign processes 12->126 15 AppLaunch.exe 15 7 12->15         started        20 WerFault.exe 23 9 12->20         started        process5 dnsIp6 88 185.112.83.135, 15482, 49787, 49797 SUPERSERVERSDATACENTERRU Russian Federation 15->88 80 C:\Users\user\Desktop\rundll32.exe, PE32+ 15->80 dropped 98 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 15->98 100 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 15->100 102 Tries to harvest and steal browser information (history, passwords, etc) 15->102 104 Tries to steal Crypto Currency Wallets 15->104 22 rundll32.exe 1 2 15->22         started        82 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 20->82 dropped file7 signatures8 process9 file10 84 C:\Users\user\AppData\Roaming\...\RegHost.exe, PE32+ 22->84 dropped 114 Machine Learning detection for dropped file 22->114 116 Injects code into the Windows Explorer (explorer.exe) 22->116 118 Writes to foreign memory regions 22->118 120 4 other signatures 22->120 26 explorer.exe 2 22->26         started        28 bfsvc.exe 1 22->28         started        30 conhost.exe 22->30         started        signatures11 process12 process13 32 RegHost.exe 26->32         started        35 curl.exe 1 26->35         started        38 curl.exe 1 26->38         started        42 10 other processes 26->42 40 conhost.exe 28->40         started        dnsIp14 90 Machine Learning detection for dropped file 32->90 92 Injects code into the Windows Explorer (explorer.exe) 32->92 94 Writes to foreign memory regions 32->94 96 4 other signatures 32->96 44 explorer.exe 32->44         started        46 bfsvc.exe 32->46         started        48 conhost.exe 32->48         started        86 185.137.234.33, 49807, 49813, 49818 SELECTELRU Russian Federation 35->86 50 conhost.exe 35->50         started        52 conhost.exe 38->52         started        54 conhost.exe 42->54         started        56 conhost.exe 42->56         started        58 conhost.exe 42->58         started        60 6 other processes 42->60 signatures15 process16 process17 62 curl.exe 44->62         started        64 curl.exe 44->64         started        66 curl.exe 44->66         started        70 2 other processes 44->70 68 conhost.exe 46->68         started        process18 72 conhost.exe 62->72         started        74 conhost.exe 64->74         started        76 conhost.exe 66->76         started        78 conhost.exe 70->78         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f1fa0ec8d26f664f15e5a070657d29b1b656a54a4c08b102e791790fec3a41f9/
Threat name:
ByteCode-MSIL.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2022-02-01 14:15:17 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6h5a5sgsn5te6fpfubygk7jjwg3fnjkkjqelcaxhsf4q73b2ih4q._file
Verdict:
malicious
Similar samples:
4b53dc815775a5f6d377218f9bee6b102d49f5dfc678f5a939ec2e0be0890e4b
RedLineStealer
5ed9c8e4709af1af34ea8d1e6d5177c3d164c62c7dece9adcdd3d9c1b402484f
RedLineStealer
8143c63631df50b95ccfc47822f808fbff228f1da4eb5e521c6352fbc678d118
RedLineStealer
8a76fd10a479dbf5bb5d60f6ef949641d2ef4f1262a6d9dd273cf93b7be934b3
RedLineStealer
9fcaa9da6fe7fa15f35c891d33764bd8d47e7e87702aae69c1d48612f97b3956
RedLineStealer
c4e9742a6a418ee7366c594a4f1206d468f6147792407fcd9ac6b452369d88bb
RedLineStealer
+ 22 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220201-sd1whsgfc5/
Unpacked files
SH256 hash:
227ed9180e101e833ade679bfbe9c9eba12f1d1577274403406f794c46ac9941
MD5 hash:
7537187d1183399a52bb6a6967b9fc57
SHA1 hash:
45b0b5c72646894f0b850353d3a1794982f182de
Link:
https://www.unpac.me/results/ba7af6e9-3b6c-43b0-8b71-55fcdc49dd90/
SH256 hash:
f1fa0ec8d26f664f15e5a070657d29b1b656a54a4c08b102e791790fec3a41f9
MD5 hash:
c7afd7c213ee18415f4b98a88298a3a6
SHA1 hash:
088e377852a3e173e26f192dbe666ccdc537814c
Link:
https://www.unpac.me/results/ba7af6e9-3b6c-43b0-8b71-55fcdc49dd90/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/f1fa0ec8d26f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/f1fa0ec8d26f664f15e5a070657d29b1b656a54a4c08b102e791790fec3a41f9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/229181/

Comments