MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f7345a1a93f4c4f8f3f596be41dab44e67053b6f6bc3e57090881f07eb900ce9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f7345a1a93f4c4f8f3f596be41dab44e67053b6f6bc3e57090881f07eb900ce9
SHA3-384 hash: ff040bc96bf8073688c569453dbe015b3af7d241e8c17f301073977458b9b71c0c83816649db153d7b3aa56729b5dc97
SHA1 hash: 3a5c36b366b2e771d24aa05d2b8f51eb26b68d5b
MD5 hash: a6805cbe5fa886b0562f6456c9a0ca0b
humanhash: table-freddie-asparagus-north
File name:a6805cbe5fa886b0562f6456c9a0ca0b.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:3'710'768 bytes
First seen:2022-02-06 08:28:58 UTC
Last seen:2022-02-06 10:35:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 41304e4befbbd8a63ad6ec59f252160b (56 x RedLineStealer, 4 x RaccoonStealer, 2 x CoinMiner)
ssdeep 98304:8g30e07dIYhUDWmjo3ScfpAubRo2O/v84SdTFaEjnYi+CO6h4S:by7GwUDdOpAWRDO/v84aFaEjSohx
TLSH T17406331634D1D494D38AE8781910BD181FF12EA01B97B4F2A9EEC466485C34BFBEEB5C
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
91.243.59.131:7171

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
91.243.59.131:7171 https://threatfox.abuse.ch/ioc/374000/

Intelligence

File Origin
# of uploads :
2
# of downloads :
253
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a6805cbe5fa886b0562f6456c9a0ca0b.exe
Verdict:
Malicious activity
Analysis date:
2022-02-06 10:54:05 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/a4570792-e95c-4197-af0b-3b751a8176d8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/233736/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
DNS request
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Сreating synchronization primitives
Sending a custom TCP request
Running batch commands
Sending a TCP request to an infection source
Stealing user critical data
Launching a tool to kill processes
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/61ff86d9a72f86da69612547/reports/b081628a-7cf3-4269-85f4-9e0d04f80b97/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/207244fe-e8e9-4342-8a82-bcbe08036325
Result
Threat name:
MicroClip RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/934710
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Detected unpacking (changes PE section rights)
Drops PE files to the user root directory
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Change PowerShell Policies to a Unsecure Level
Sigma detected: File Created with System Process Name
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: System File Execution Location Anomaly
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected MicroClip
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 567187 Sample: XSBje3XPsU.exe Startdate: 06/02/2022 Architecture: WINDOWS Score: 100 111 Malicious sample detected (through community Yara rule) 2->111 113 Multi AV Scanner detection for dropped file 2->113 115 Multi AV Scanner detection for submitted file 2->115 117 10 other signatures 2->117 11 XSBje3XPsU.exe 2->11         started        14 7goIOsdxhQsdDA377Yhz8YHMvwmntW.exe 2->14         started        process3 file4 139 Writes to foreign memory regions 11->139 141 Allocates memory in foreign processes 11->141 143 Tries to detect virtualization through RDTSC time measurements 11->143 145 Injects a PE file into a foreign processes 11->145 17 AppLaunch.exe 15 7 11->17         started        22 WerFault.exe 23 9 11->22         started        24 WerFault.exe 2 9 11->24         started        26 WerFault.exe 9 11->26         started        105 C:\...\qLtEZXPKONv6y8hfP9Ltrg30jVjap8.exe, PE32+ 14->105 dropped 147 Multi AV Scanner detection for dropped file 14->147 signatures5 process6 dnsIp7 107 91.243.59.131, 49783, 7171 MATTEOGB Russian Federation 17->107 109 cdn.discordapp.com 162.159.129.233, 443, 49792 CLOUDFLARENETUS United States 17->109 81 C:\Users\user\AppData\...\WindowsDefender.exe, PE32 17->81 dropped 119 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 17->119 121 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 17->121 123 Tries to harvest and steal browser information (history, passwords, etc) 17->123 125 Tries to steal Crypto Currency Wallets 17->125 28 WindowsDefender.exe 3 17->28         started        83 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 22->83 dropped 85 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 24->85 dropped 87 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 26->87 dropped file8 signatures9 process10 file11 99 C:\Users\user\RuntimeBroker.exe, PE32+ 28->99 dropped 101 C:\Users\user\AppData\Local\Temp\paint.exe, PE32 28->101 dropped 103 C:\Users\user\AppData\Local\Temp\Java.exe, PE32+ 28->103 dropped 149 Antivirus detection for dropped file 28->149 151 Multi AV Scanner detection for dropped file 28->151 153 Drops PE files to the user root directory 28->153 155 Adds a directory exclusion to Windows Defender 28->155 32 cmd.exe 28->32         started        34 cmd.exe 28->34         started        36 cmd.exe 1 28->36         started        39 cmd.exe 28->39         started        signatures12 process13 signatures14 41 paint.exe 32->41         started        45 conhost.exe 32->45         started        47 Java.exe 34->47         started        49 conhost.exe 34->49         started        127 Bypasses PowerShell execution policy 36->127 129 Adds a directory exclusion to Windows Defender 36->129 51 powershell.exe 24 36->51         started        53 conhost.exe 36->53         started        55 powershell.exe 36->55         started        57 RuntimeBroker.exe 39->57         started        59 conhost.exe 39->59         started        process15 file16 89 C:\Users\user\AppData\Local\...\manifest.json, ASCII 41->89 dropped 91 C:\Users\user\AppData\Local\...\icon128.png, PNG 41->91 dropped 93 C:\Users\user\AppData\Local\...\background.js, ASCII 41->93 dropped 97 3 other files (2 malicious) 41->97 dropped 131 Multi AV Scanner detection for dropped file 41->131 133 Tries to harvest and steal browser information (history, passwords, etc) 41->133 61 cmd.exe 41->61         started        63 cmd.exe 41->63         started        65 cmd.exe 41->65         started        67 2 other processes 41->67 135 Detected unpacking (changes PE section rights) 47->135 137 Machine Learning detection for dropped file 47->137 95 C:\...\7goIOsdxhQsdDA377Yhz8YHMvwmntW.exe, PE32+ 57->95 dropped signatures17 process18 process19 69 conhost.exe 61->69         started        71 taskkill.exe 61->71         started        73 conhost.exe 63->73         started        75 taskkill.exe 63->75         started        77 powershell.exe 65->77         started        79 taskkill.exe 67->79         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f7345a1a93f4c4f8f3f596be41dab44e67053b6f6bc3e57090881f07eb900ce9/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-02-01 13:57:00 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
29 of 43 (67.44%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=642fugut6tcpr47vs27edwvujztqko3pnpb6k4eqrapqp24qbtuq._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220206-kdmd5agha2/
Unpacked files
SH256 hash:
cb7fae006e52799a2d53e81d10a09a37dc2ddb461f56779fd41bb02ff2cfc521
MD5 hash:
d648051cc35b241f4479b498e181800a
SHA1 hash:
92c4c6c590a5276f4c97621b7886e6b81a3bac06
Link:
https://www.unpac.me/results/e2e906b7-c5e1-4bc0-b36b-ca03c9ba5f7e/
SH256 hash:
f7345a1a93f4c4f8f3f596be41dab44e67053b6f6bc3e57090881f07eb900ce9
MD5 hash:
a6805cbe5fa886b0562f6456c9a0ca0b
SHA1 hash:
3a5c36b366b2e771d24aa05d2b8f51eb26b68d5b
Link:
https://www.unpac.me/results/e2e906b7-c5e1-4bc0-b36b-ca03c9ba5f7e/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Sectigo_Code_Signed
Create hunting rule
Description:Detects code signed by the Sectigo RSA Code Signing CA
Reference:https://bazaar.abuse.ch/export/csv/cscb/
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/233736/

Comments