MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f98183a2ad674f8aae6ad47e7da8b48c80175148ba333f0f57b3e6eca64bfaa6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f98183a2ad674f8aae6ad47e7da8b48c80175148ba333f0f57b3e6eca64bfaa6
SHA3-384 hash: 527759b7ed42d48cc2d583ed519fd15c18e329111e8c985e9b3ce1bcdd5db0de2869ce86ce6c4361f44ae660f6b548b7
SHA1 hash: dd4883dd089ef1490dc018eaaa6ed72b9b26f79b
MD5 hash: ad9d32f656a53feb70f09fa54040b9c0
humanhash: green-march-earth-hotel
File name:ad9d32f656a53feb70f09fa54040b9c0.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:459'776 bytes
First seen:2021-08-24 11:46:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f326f88ca83c9aacaa44acfb8884f1d4 (8 x RedLineStealer, 4 x DCRat, 2 x CoinMiner)
ssdeep 6144:K5oaqJhJMHW69B9VjMdxPedN9ug0/9TBahLglY0OVhDrSDHskLyb5ILSijq8FZ66:K5oaqjp/9TchAkIVokSij5j6gGsP
Threatray 130 similar samples on MalwareBazaar
TLSH T19CA4F0AAB1E02088DBB581B7D5525742EB3174710B21A3DB677853B71B2B8C69F3D3A0
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
106
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
wannacry.exe
Verdict:
Malicious activity
Analysis date:
2021-08-24 10:22:36 UTC
Tags:
ransomware wannacry wannacryptor evasion trojan rat azorult stealer fareit pony raccoon loader redline opendir
Link:
https://app.any.run/tasks/f8f6b8c7-2cf9-400c-b254-9b6d4e0b0ac7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/181872/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.33822938.14445.490.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process from a recently created file
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Sending a UDP request
Creating a file
Deleting a recently created file
Reading critical registry keys
Unauthorized injection to a recently created process
Stealing user critical data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c90292a3-5711-4f89-94b1-2e0a09e8cf93
Result
Threat name:
DCRat RedLine Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/838256
Signature
Changes security center settings (notifications, updates, antivirus, firewall)
Creates an autostart registry key pointing to binary in C:\Windows
Creates multiple autostart registry keys
Creates processes via WMI
Disables security and backup related services
Drops executables to the windows directory (C:\Windows) and starts them
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected BatToExe compiled binary
Yara detected DCRat
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 470685 Sample: l3DR3wZJlL.exe Startdate: 24/08/2021 Architecture: WINDOWS Score: 100 108 Multi AV Scanner detection for dropped file 2->108 110 Multi AV Scanner detection for submitted file 2->110 112 Yara detected DCRat 2->112 114 6 other signatures 2->114 10 l3DR3wZJlL.exe 9 2->10         started        13 svchost.exe 2->13         started        16 svchost.exe 9 1 2->16         started        19 6 other processes 2->19 process3 dnsIp4 80 C:\Users\user\AppData\Local\Temp\...\extd.exe, PE32+ 10->80 dropped 21 cmd.exe 3 10->21         started        23 conhost.exe 10->23         started        122 Changes security center settings (notifications, updates, antivirus, firewall) 13->122 96 127.0.0.1 unknown unknown 16->96 98 192.168.2.1 unknown unknown 16->98 file5 signatures6 process7 process8 25 extd.exe 2 21->25         started        29 DES6_6_6.exe 15 35 21->29         started        32 setup.exe 21->32         started        34 7 other processes 21->34 dnsIp9 82 C:\Users\user\AppData\Local\...\build.exe, PE32 25->82 dropped 36 cmd.exe 25->36         started        100 45.87.3.183, 2705, 49705 ON-LINE-DATAServerlocation-NetherlandsDrontenNL Netherlands 29->100 102 81.16.141.193, 80 BITWEB-ASRU Russian Federation 29->102 104 api.ip.sb 29->104 124 Multi AV Scanner detection for dropped file 29->124 126 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 29->126 128 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 29->128 134 2 other signatures 29->134 38 conhost.exe 29->38         started        84 C:\Windows\Client.exe, PE32 32->84 dropped 86 C:\Users\user\AppData\Local\...\nsProcess.dll, PE32 32->86 dropped 88 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 32->88 dropped 130 Machine Learning detection for dropped file 32->130 132 Disables security and backup related services 32->132 40 cmd.exe 32->40         started        42 cmd.exe 32->42         started        44 cmd.exe 32->44         started        46 cmd.exe 32->46         started        106 cdn.discordapp.com 162.159.129.233, 443, 49698, 49700 CLOUDFLARENETUS United States 34->106 90 C:\...\runtimeperfdhcpsessioncrtcommon.exe, PE32 34->90 dropped 92 C:\Users\user\AppData\Local\...\setup.exe, PE32 34->92 dropped 94 C:\Users\user\AppData\Local\...\DES6_6_6.exe, PE32 34->94 dropped 48 wscript.exe 34->48         started        50 conhost.exe 34->50         started        52 sc.exe 34->52         started        file10 signatures11 process12 process13 54 runtimeperfdhcpsessioncrtcommon.exe 36->54         started        58 conhost.exe 36->58         started        60 net.exe 40->60         started        62 conhost.exe 40->62         started        64 conhost.exe 42->64         started        66 sc.exe 42->66         started        68 conhost.exe 44->68         started        file14 72 C:\Windows\System32\perfi009\conhost.exe, PE32 54->72 dropped 74 C:\Windows\System32\fdProxy\dllhost.exe, PE32 54->74 dropped 76 C:\Recovery\csrss.exe, PE32 54->76 dropped 78 2 other files (1 malicious) 54->78 dropped 116 Creates multiple autostart registry keys 54->116 118 Creates an autostart registry key pointing to binary in C:\Windows 54->118 120 Creates processes via WMI 54->120 70 net1.exe 60->70         started        signatures15 process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f98183a2ad674f8aae6ad47e7da8b48c80175148ba333f0f57b3e6eca64bfaa6/
Threat name:
ByteCode-MSIL.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-08-24 09:40:10 UTC
AV detection:
19 of 46 (41.30%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7gayhivnm5hyvltk2r7h3kfursaboukixizt6d2xwptozjsl7kta._file
Verdict:
malicious
Similar samples:
0284735896363aeae81486be25751824f82b385dd4b6150358ff9b68c36c71e2
RedLineStealer
0389ffef740d3bd365f2b699ac006b478a5346a1dc2383e10fd5152771641c0b
RedLineStealer
19f71da28ebab8fe7256a657c603698ad607a7273e85d0e8b107269643cfa5dd
RedLineStealer
6da210965cd769856bbcb8bb501abf25c832f0f6a70e73240436629ce6362fa9
RedLineStealer
88c642b1fa43b77487f3916dd95ac236189971475c3289c745dc45a739e6453f
RedLineStealer
b88350726e9a1dc492b8fde7c03fdd0f5c7669b6919e1c25ddbcb8a69125c330
RedLineStealer
c1f1b8f358e98ae14b424dd8d57e022b8dc68c7c5f14a8d3dea8f1e66601f351
RedLineStealer
ea07ac0be9b5d757b3d6eab704606fb022770451be04c729af03f3a0941d3fc8
RedLineStealer
+ 120 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:@des6_6_6 discovery infostealer spyware stealer upx
Link:
https://tria.ge/reports/210824-jgpx9qyn7j/
Behaviour
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
RedLine
RedLine Payload
Malware Config
C2 Extraction:
45.87.3.183:2705
Unpacked files
SH256 hash:
f98183a2ad674f8aae6ad47e7da8b48c80175148ba333f0f57b3e6eca64bfaa6
MD5 hash:
ad9d32f656a53feb70f09fa54040b9c0
SHA1 hash:
dd4883dd089ef1490dc018eaaa6ed72b9b26f79b
Link:
https://www.unpac.me/results/7dd91246-be69-43fc-bc6d-7fb6eae6859a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.88
Link:
https://yomi.yoroi.company/submissions/f98183a2ad674f8aae6ad47e7da8b48c80175148ba333f0f57b3e6eca64bfaa6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe f98183a2ad674f8aae6ad47e7da8b48c80175148ba333f0f57b3e6eca64bfaa6

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1550754/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/181872/

Comments