MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f92b81ca5eebd6f7fb97f0c94d92874c97d738db54887421b82cade3a4be90cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f92b81ca5eebd6f7fb97f0c94d92874c97d738db54887421b82cade3a4be90cd
SHA3-384 hash: cbe836dd7cc337688c398fcb964ed126949d67550a2832af5120c5b58377b1e795bf64768cf26da78434060a079d9d5b
SHA1 hash: 469e08aca116b63ae250eae2e3111e755ffd2204
MD5 hash: 1f1a207b2d7d87e9d27a9119787bb8cd
humanhash: august-failed-colorado-nitrogen
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'480'792 bytes
First seen:2023-01-20 21:36:28 UTC
Last seen:2023-01-21 14:43:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 145a02be0a61fd719025956c6adee49f (2 x Rhadamanthys, 1 x RedLineStealer)
ssdeep 24576:iEbheD43H+slwOqHqM868tqO1BPfqt/6oN+6pL:7zqHSBw/I6pL
Threatray 323 similar samples on MalwareBazaar
TLSH T1B865DFD350699031DEACD2B66A4E5AD1F23C6F26256486D34784263CECA0B73ED736CC
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f0d0f07092f2e0cc (1 x Socelars, 1 x RedLineStealer)
Reporter andretavare5
Tags:exe RedLineStealer signed

Code Signing Certificate

Organisation:arxiv.org
Issuer:InCommon RSA Server CA
Algorithm:sha256WithRSAEncryption
Valid from:2022-07-11T00:00:00Z
Valid to:2023-07-11T23:59:59Z
Serial number: 10506974ed0d4838b1a23952bab80ef8
Thumbprint Algorithm:SHA256
Thumbprint: 0184c723c7e5d59b883f463b4146fc95e01902b77da2f6466d910ac6afeb3e62
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
andretavare5
Sample downloaded from https://vk.com/doc139074685_654644394?hash=1vZtDPopTbgOdaaGBgFVItCn79crWAW0CXO4hLZk3Tz&dl=GEZTSMBXGQ3DQNI:1674205614:7WezI2K6oMPoH2zX9BS82zRSU4xF6kkbshQaW3aI0cg&api=1&no_preview=1#ck300us

Intelligence

File Origin
# of uploads :
34
# of downloads :
193
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-01-20 21:37:35 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/55a13148-1e37-4f71-8568-1a9fb2ac11fc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/355160/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Launching a process
Creating a file in the %temp% directory
Sending a custom TCP request
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Detecting VM
Reading critical registry keys
Creating a window
Sending an HTTP GET request
Creating a file in the %AppData% directory
Changing a file
Deleting a recently created file
Possible injection to a system process
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/61883/overview
Behaviour
MalwareBazaar
AntidebugCommonApi
SystemUptime
MeasuringTime
EvasionGetTickCount
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
greyware overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63cb097f89bd67c10fd8e55b/reports/d49bc018-0026-4132-94bf-ecdeed2ffe17/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/502a0a89-999a-4b5d-8f34-d9afd2d71222
Result
Threat name:
RHADAMANTHYS, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1155896
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks if the current machine is a virtual machine (disk enumeration)
Creates an undocumented autostart registry key
Detected unpacking (creates a PE file in dynamic memory)
Encrypted powershell cmdline option found
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected RedLine Stealer
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 788626 Sample: file.exe Startdate: 20/01/2023 Architecture: WINDOWS Score: 100 74 Snort IDS alert for network traffic 2->74 76 Malicious sample detected (through community Yara rule) 2->76 78 Antivirus detection for URL or domain 2->78 80 9 other signatures 2->80 11 file.exe 9 2->11         started        process3 dnsIp4 64 toif2ecrw3hidctd58wfbufux.sxfaqihfuogupwd 11->64 56 C:\Users\user\AppData\Local\...\4077703.dll, PE32 11->56 dropped 114 Detected unpacking (creates a PE file in dynamic memory) 11->114 116 Writes to foreign memory regions 11->116 118 Allocates memory in foreign processes 11->118 120 Injects a PE file into a foreign processes 11->120 16 fontview.exe 1 11->16         started        21 ngentask.exe 5 11->21         started        23 ngentask.exe 11->23         started        25 2 other processes 11->25 file5 signatures6 process7 dnsIp8 60 109.206.243.168, 49698, 49699, 49709 AWMLTNL Germany 16->60 48 C:\Users\user\AppData\...\nsis_uns3ed524.dll, PE32+ 16->48 dropped 82 Query firmware table information (likely to detect VMs) 16->82 84 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 16->84 86 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 16->86 96 3 other signatures 16->96 27 rundll32.exe 16->27         started        62 5.75.172.247, 11969, 49697 HETZNER-ASDE Germany 21->62 88 Tries to harvest and steal browser information (history, passwords, etc) 21->88 90 Tries to steal Crypto Currency Wallets 21->90 92 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 23->92 94 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 23->94 50 C:\ProgramData\Microsoft\...\Report.wer, Unicode 25->50 dropped 52 C:\ProgramData\Microsoft\...\Report.wer, Unicode 25->52 dropped file9 signatures10 process11 signatures12 106 System process connects to network (likely due to code injection or exploit) 27->106 108 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 27->108 110 Tries to steal Mail credentials (via file / registry access) 27->110 112 4 other signatures 27->112 30 dllhost.exe 5 27->30         started        35 WerFault.exe 27->35         started        process13 dnsIp14 68 transfer.sh 144.76.136.153, 443, 49710 HETZNER-ASDE Germany 30->68 70 192.168.2.1 unknown unknown 30->70 58 C:\Users\user\AppData\Local\...\Library.exe, PE32+ 30->58 dropped 72 System process connects to network (likely due to code injection or exploit) 30->72 37 Library.exe 30->37         started        file15 signatures16 process17 file18 54 C:\Users\user\AppData\Roaming\...\IGCPU.exe, PE32+ 37->54 dropped 98 Creates an undocumented autostart registry key 37->98 100 Machine Learning detection for dropped file 37->100 102 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 37->102 104 5 other signatures 37->104 41 powershell.exe 37->41         started        43 MSBuild.exe 37->43         started        signatures19 process20 dnsIp21 46 conhost.exe 41->46         started        66 45.159.189.105, 49713, 80 HOSTING-SOLUTIONSUS Netherlands 43->66 process22
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f92b81ca5eebd6f7fb97f0c94d92874c97d738db54887421b82cade3a4be90cd/
Threat name:
Win32.Infostealer.Reline
Create hunting rule
Status:
Malicious
First seen:
2023-01-20 21:37:08 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
10 of 26 (38.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7evydss65plpp64x6deu3euhjsl5oog3ksehiinyfsw6hjf6sdgq._file
Verdict:
malicious
Similar samples:
2be47a55c0d9a863fb620ba88c0c276c2f97fa775eaa435c20d8065af267784e
RedLineStealer
2f5adcd21b56b7a72adadb73a7d29ea9158a1b10cf02be624f60f41a3b1fce0d
RedLineStealer
590420a09891c0a91ecdc29942328e707cc3f0243f5c9907c96150eb15fe1052
RedLineStealer
6b955c6b75fd243f374ffffc38466f94889e3a5ccb3947babf4e79e8358db6fe
RedLineStealer
9146cee3d387cb3d665885b95d885734541f281cbb2a4726b6a59df922a83ee7
RedLineStealer
b0a22e9a9850fa4356f5603905f45645489ae04d60d630772b3b8227a21b1956
RedLineStealer
dabdfc50cc2a6bc20b098b7feee83bedf463d58e0a9f824831290acefddc703c
RedLineStealer
ee8ea5570b0a2c9f6aef8e551cc0d3fbd0be45dc5c11c50ca7056eef2d85d77d
RedLineStealer
fee1d36af03a162f70a627c7cd3efa55b0557530d7eefbe8c72026f48b904595
RedLineStealer
+ 313 additional samples on MalwareBazaar
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:redline family:rhadamanthys botnet:jancoy infostealer spyware stealer
Link:
https://tria.ge/reports/230120-1ggaaabg6w/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Detect rhadamanthys stealer shellcode
RedLine
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
5.75.172.247:11969
Unpacked files
SH256 hash:
32391b126336331b56bcbcbabd1db0c8076a2aae682b1dde2444b8f56be42a84
MD5 hash:
88e1228a8712f02681b11cbc81d03f19
SHA1 hash:
23279a4d759acf6757fc48a1b36028ad6803d505
Link:
https://www.unpac.me/results/1c93dc89-ed20-4920-b8ca-e5cdcfaeec25/
SH256 hash:
f92b81ca5eebd6f7fb97f0c94d92874c97d738db54887421b82cade3a4be90cd
MD5 hash:
1f1a207b2d7d87e9d27a9119787bb8cd
SHA1 hash:
469e08aca116b63ae250eae2e3111e755ffd2204
Link:
https://www.unpac.me/results/1c93dc89-ed20-4920-b8ca-e5cdcfaeec25/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f92b81ca5eeb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f92b81ca5eebd6f7fb97f0c94d92874c97d738db54887421b82cade3a4be90cd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Win32_Trojan_RedLineStealer
Create hunting rule
Author:Netskope Threat Labs
Description:Identifies RedLine Stealer samples
Reference:deb95cae4ba26dfba536402318154405

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/355160/

Comments