MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f980ad74c0102e182c42c66aa59dbd23879f6cfa5ee2fa40541613503b5a272a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f980ad74c0102e182c42c66aa59dbd23879f6cfa5ee2fa40541613503b5a272a
SHA3-384 hash: 2a9d8652a8fc1f345406182f65d76a5875ad6a7abf5adc5b54bdffc91c86b0a82c73f6b14bbcdeadde2c39d17f2c99bd
SHA1 hash: 41ecc8201e7b8dcd2b1d6a671a22599c9b9c85f6
MD5 hash: 3adc931e595d9c6924efd2f0562d0187
humanhash: fish-indigo-mexico-july
File name:DualHackFull.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:4'406'784 bytes
First seen:2021-11-17 17:46:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e48cc266501c282987b27f2c1f654e2d (52 x RedLineStealer, 3 x RaccoonStealer)
ssdeep 98304:hOy11xuFK6FEzQElAJwX78CFS4yxF5AynqZyTYhZ:hVAcCJ4AWX7pFByxF+0qZykhZ
Threatray 127 similar samples on MalwareBazaar
TLSH T1BB1633E32B98C72BE1CEBBF1418DE38D9918A8C364B9171445B6334DD473B50E9EC5A8
Reporter JaffaCakes118
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DualHackFull.exe
Verdict:
Malicious activity
Analysis date:
2021-11-17 17:14:21 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/dd55e728-37cc-4d6c-a68e-d939e6f67008

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/206952/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Trojan.Generic-9907417-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Launching the default Windows debugger (dwwin.exe)
DNS request
Searching for the window
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Creating a window
Reading critical registry keys
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed powershell yakes
Link:
https://www.filescan.io/uploads/619540184912a8c920a1a7d9/reports/d2c8cc8b-ae26-4d6d-8778-d281a6ae1c61/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/95577d96-e2cf-4f33-a2c6-118c595bec0e
Result
Threat name:
BitCoin Miner RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/891402
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Detected VMProtect packer
Drops PE files to the user root directory
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 523876 Sample: DualHackFull.exe Startdate: 17/11/2021 Architecture: WINDOWS Score: 100 75 Found malware configuration 2->75 77 Multi AV Scanner detection for submitted file 2->77 79 Yara detected BitCoin Miner 2->79 81 5 other signatures 2->81 13 DualHackFull.exe 2->13         started        16 services32.exe 2->16         started        process3 signatures4 119 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 13->119 121 Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION 13->121 123 Writes to foreign memory regions 13->123 131 2 other signatures 13->131 18 AppLaunch.exe 15 7 13->18         started        23 WerFault.exe 23 9 13->23         started        125 Multi AV Scanner detection for dropped file 16->125 127 Allocates memory in foreign processes 16->127 129 Creates a thread in another existing process (thread injection) 16->129 25 conhost.exe 5 16->25         started        process5 dnsIp6 67 185.215.113.83, 49761, 60722 WHOLESALECONNECTIONSNL Portugal 18->67 69 cdn.discordapp.com 162.159.133.233, 443, 49771 CLOUDFLARENETUS United States 18->69 61 C:\Users\user\AppData\Local\Temp\build.exe, PE32+ 18->61 dropped 83 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 18->83 85 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 18->85 87 Tries to harvest and steal browser information (history, passwords, etc) 18->87 89 Tries to steal Crypto Currency Wallets 18->89 27 build.exe 18->27         started        63 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 23->63 dropped 71 192.168.2.1 unknown unknown 25->71 65 C:\Users\user\AppData\...\sihost32.exe, PE32+ 25->65 dropped 30 sihost32.exe 25->30         started        file7 signatures8 process9 signatures10 101 Multi AV Scanner detection for dropped file 27->101 103 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 27->103 105 Writes to foreign memory regions 27->105 32 conhost.exe 4 27->32         started        107 Allocates memory in foreign processes 30->107 109 Creates a thread in another existing process (thread injection) 30->109 36 conhost.exe 2 30->36         started        process11 file12 59 C:\Users\user\services32.exe, PE32+ 32->59 dropped 73 Drops PE files to the user root directory 32->73 38 cmd.exe 1 32->38         started        40 cmd.exe 1 32->40         started        signatures13 process14 signatures15 43 services32.exe 38->43         started        46 conhost.exe 38->46         started        99 Uses schtasks.exe or at.exe to add and modify task schedules 40->99 48 conhost.exe 40->48         started        50 schtasks.exe 1 40->50         started        process16 signatures17 111 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 43->111 113 Writes to foreign memory regions 43->113 115 Allocates memory in foreign processes 43->115 117 Creates a thread in another existing process (thread injection) 43->117 52 conhost.exe 3 43->52         started        process18 process19 54 sihost32.exe 52->54         started        signatures20 91 Multi AV Scanner detection for dropped file 54->91 93 Writes to foreign memory regions 54->93 95 Allocates memory in foreign processes 54->95 97 Creates a thread in another existing process (thread injection) 54->97 57 conhost.exe 2 54->57         started        process21
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f980ad74c0102e182c42c66aa59dbd23879f6cfa5ee2fa40541613503b5a272a/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2021-11-17 03:20:18 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7gak25gacaxbqlccyzvklhn5eodz63h2l3rpuqcucyjvao22e4va._file
Verdict:
malicious
Similar samples:
5241bfe2b10e10c08c3ed731298b27dfd708be81460ad281dab3e6987e41712b
RedLineStealer
67af043c52562a130a97ccd9391ea99c9aed49eef5383767c366d45f3dcf9740
RedLineStealer
6b096fad1b452e6ad6a07a1ab6d713fda4e4e5f14f6ba4c9a40f232b8f88c12a
RedLineStealer
777fe8a5d9fee21eb0ad8490b29ad99d321afce48739d306b420ea4e92697975
RedLineStealer
86f4809b73e73c837784b2a9a449d1d56f34ea22bd30b99a555962683113cde7
RedLineStealer
914644da1b2f5c041a3199411b353f3c8e5b7e965399ac015bbc6c5286da7a7e
RedLineStealer
d1b138a211d4b9ce4d825f82669ba211e585a87eec0e877a2b8ef87a9e43ccb6
RedLineStealer
+ 117 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/211117-wcvvnadec2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Unpacked files
SH256 hash:
cf6db815d109dbb1db3d47ced99f5ad87605f7d4fa98ba386da2fea48ef33033
MD5 hash:
2eb8ffbe225aba1857e5cb5c92aacaaf
SHA1 hash:
3dd8054be0c84b3e83f92a65e7b4b0ac8f1a819a
Link:
https://www.unpac.me/results/c0cdef16-12bd-4c7e-abcf-988fa45a6424/
SH256 hash:
f980ad74c0102e182c42c66aa59dbd23879f6cfa5ee2fa40541613503b5a272a
MD5 hash:
3adc931e595d9c6924efd2f0562d0187
SHA1 hash:
41ecc8201e7b8dcd2b1d6a671a22599c9b9c85f6
Link:
https://www.unpac.me/results/c0cdef16-12bd-4c7e-abcf-988fa45a6424/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/f980ad74c010/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f980ad74c0102e182c42c66aa59dbd23879f6cfa5ee2fa40541613503b5a272a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe f980ad74c0102e182c42c66aa59dbd23879f6cfa5ee2fa40541613503b5a272a

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/206952/

Comments