MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f63561d5a1e218408d76c24a79ea9053cb0f5a1dddf386c795c587c2c8acd6cf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f63561d5a1e218408d76c24a79ea9053cb0f5a1dddf386c795c587c2c8acd6cf
SHA3-384 hash: 1007bff320a398c5fd62724a97d6aa746cf131d5fbf6e9430c8eb488c2306bf5942d66f000df51a2324364317ff8c891
SHA1 hash: 72024a36c41aa287dcf56e2ae727a7b93d4a3fe2
MD5 hash: c65f201e2ad99d37e1d87d78c9664059
humanhash: juliet-cat-vermont-item
File name:c65f201e2ad99d37e1d87d78c9664059.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:49'152 bytes
First seen:2021-12-27 11:46:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 768:iWmfbILUWQw+jiVtelDSN+iV08Ybyge9SHwArYqJvEgK/JDeVc6KN:iWmV4VtKDs4zb1rH1rYWnkJDeVclN
Threatray 3'523 similar samples on MalwareBazaar
TLSH T181236C403BD88136F1BD4BB4ADF2A24187B9D6672903D65E6CC814EA1F13BC596036FE
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
193.161.193.99:64703

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
193.161.193.99:64703 https://threatfox.abuse.ch/ioc/287974/

Intelligence

File Origin
# of uploads :
1
# of downloads :
195
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
CrackingIsland.exe
Verdict:
Malicious activity
Analysis date:
2021-12-21 22:55:32 UTC
Tags:
trojan rat redline asyncrat
Link:
https://app.any.run/tasks/8db3a625-7b93-4ee9-ac14-9163388e025b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/216537/
Detection(s):
Win.Malware.Generickdz-9865912-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Creating a file in the %temp% directory
Creating a file
Launching a process
DNS request
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Changing a file
Unauthorized injection to a recently created process
Query of malicious DNS domain
Sending a TCP request to an infection source
Blocking the User Account Control
Blocking the Windows Defender launch
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug anti-vm asyncrat coinminer dcrat evasive hacktool njrat obfuscated packed rat
Link:
https://www.filescan.io/uploads/61c9a7b98991ba72b39ada45/reports/8ac329e9-8f27-4baf-bd54-a1c5f0a88c9e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4d880a8f-1c17-4fd5-9572-013a7e098a81
Result
Threat name:
AsyncRAT RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/913108
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (overwrites its own PE header)
Drops PE files with benign system names
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Schedule system process
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Svchost Process
Sigma detected: Suspicius Add Task From User AppData Temp
Sigma detected: System File Execution Location Anomaly
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AsyncRAT
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 545586 Sample: JnBNepHH7K.exe Startdate: 27/12/2021 Architecture: WINDOWS Score: 100 81 Found malware configuration 2->81 83 Antivirus / Scanner detection for submitted sample 2->83 85 Multi AV Scanner detection for submitted file 2->85 87 15 other signatures 2->87 9 svchost.exe 3 4 2->9         started        14 JnBNepHH7K.exe 7 2->14         started        process3 dnsIp4 61 MaxTodor-27383.portmap.host 193.161.193.99, 27383, 49740, 49769 BITREE-ASRU Russian Federation 9->61 53 C:\Users\user\AppData\Local\Temp\build.exe, PE32 9->53 dropped 89 Antivirus detection for dropped file 9->89 91 System process connects to network (likely due to code injection or exploit) 9->91 93 Multi AV Scanner detection for dropped file 9->93 95 Machine Learning detection for dropped file 9->95 16 cmd.exe 9->16         started        19 powershell.exe 19 9->19         started        21 powershell.exe 9->21         started        27 13 other processes 9->27 55 C:\Users\user\AppData\Local\...\svchost.exe, PE32 14->55 dropped 57 C:\Users\user\AppData\...\tmpC180.tmp.bat, DOS 14->57 dropped 59 C:\Users\user\AppData\...\JnBNepHH7K.exe.log, ASCII 14->59 dropped 97 Detected unpacking (overwrites its own PE header) 14->97 99 Drops PE files with benign system names 14->99 23 cmd.exe 1 14->23         started        25 cmd.exe 1 14->25         started        file5 signatures6 process7 signatures8 67 Suspicious powershell command line found 16->67 29 powershell.exe 16->29         started        31 conhost.exe 16->31         started        33 conhost.exe 19->33         started        35 conhost.exe 21->35         started        69 Bypasses PowerShell execution policy 23->69 71 Uses schtasks.exe or at.exe to add and modify task schedules 23->71 37 conhost.exe 23->37         started        39 schtasks.exe 1 23->39         started        41 svchost.exe 3 25->41         started        43 2 other processes 25->43 45 13 other processes 27->45 process9 process10 47 build.exe 29->47         started        dnsIp11 63 exara32-64703.portmap.host 47->63 65 api.ip.sb 47->65 73 Antivirus detection for dropped file 47->73 75 Multi AV Scanner detection for dropped file 47->75 77 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 47->77 79 3 other signatures 47->79 51 conhost.exe 47->51         started        signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f63561d5a1e218408d76c24a79ea9053cb0f5a1dddf386c795c587c2c8acd6cf/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-12-20 06:51:19 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
33 of 43 (76.74%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6y2wdvnb4imebdlwyjfht2uqkpfq6wq53xzynr4vywd4fsfm23hq._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
25e21f55b7fbffe0d90e6845044e3e907964a5c278f29fcd1cf0fff9916a2ac3
RedLineStealer
4d5367bf571dfd7837563c0b9d58f5557cc251ba6fafdd26dd07bb3646b3bd1b
RedLineStealer
51e4dce11e58aa2be5d3c73056bf45652de5032dcb29636b28f2c1659df135db
RedLineStealer
7da096df4561ecc9169365841e2f024e40165377384e25e82922b2d1f16b8aa0
RedLineStealer
97f116891027a9cb8a2c59d5a0de5bd169ae05829b9b4e034bdb9326a54c8dd6
RedLineStealer
ca84e70120b5fb479ca54211645ac24d562849107ef0e04df6741c0b88d6d168
RedLineStealer
e19812727031bef0368880c6734ea4309368302e8fb5c6c3dea1dfa4821b26f7
RedLineStealer
ec1773386924814a953850ec438551a133c27541b156e6d685d9eda1477a65b4
RedLineStealer
fe154355036477bd31cfddcfe4f12d1d8a8baad12f088a6abf5836071509c50e
RedLineStealer
+ 3'513 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:redline botnet:cheat botnet:default discovery evasion infostealer rat spyware stealer trojan
Link:
https://tria.ge/reports/211227-nxv26abber/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Reads user/profile data of web browsers
Windows security modification
Executes dropped EXE
Async RAT payload
AsyncRat
Contains code to disable Windows Defender
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine Payload
UAC bypass
Malware Config
C2 Extraction:
MaxTodor-27383.portmap.host:27383
exara32-64703.portmap.host:64703
Unpacked files
SH256 hash:
f63561d5a1e218408d76c24a79ea9053cb0f5a1dddf386c795c587c2c8acd6cf
MD5 hash:
c65f201e2ad99d37e1d87d78c9664059
SHA1 hash:
72024a36c41aa287dcf56e2ae727a7b93d4a3fe2
Link:
https://www.unpac.me/results/7580de3e-7f45-4e36-9845-19155be01e25/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f63561d5a1e218408d76c24a79ea9053cb0f5a1dddf386c795c587c2c8acd6cf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_B64_Artifacts
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Rule name:INDICATOR_SUSPICIOUS_EXE_DcRatBy
Create hunting rule
Author:ditekSHen
Description:Detects executables containing the string DcRatBy
Rule name:INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
Create hunting rule
Author:ditekSHen
Description:Detects executables attemping to enumerate video devices using WMI
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/216537/

Comments