MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f9a34a14c69e1c21529800bbdf4b9d7f357d3105e41acfb0aaca1b9d22122893. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 15



SHA256 hash: f9a34a14c69e1c21529800bbdf4b9d7f357d3105e41acfb0aaca1b9d22122893
SHA3-384 hash: 0c2ca9e1166fedae4d21adf2d818e66a4b7c8a2158035e8900526275b4345a0d75914ebbbe59b8e0560144c93594c9ef
SHA1 hash: 02c677386d03c4eeb4cfa0d93eef58952f197876
MD5 hash: 4a6039bfdda3a74030d78acb4ff14829
humanhash: idaho-april-yellow-july
File name: 4a6039bfdda3a74030d78acb4ff14829
Signature RedLineStealer
File size: 1'759'904 bytes
First seen: 2023-04-03 08:57:30 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 12e12319f1029ec4f8fcbed7e82df162 (390 x DCRat, 52 x RedLineStealer, 51 x Formbook)
ssdeep 49152:IBJhlk9ZODpsUr4cmoq2OwqcY1DkPipZRr14h1D:y2fU2pcmoMr+2Zne1D
Threatray 4 similar samples on MalwareBazaar
TLSH T1C3852302B9C5C9B2D1A30832567A5B11A93D7D202FA6CDEB73943E5EDA71AC1C3317B1
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter abuse_ch
Tags: exe RedLineStealer

Intelligence


File Origin
# of uploads :
1
# of downloads :
234
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4a6039bfdda3a74030d78acb4ff14829
Verdict:
Malicious activity
Analysis date:
2023-04-03 08:59:52 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Launching a process
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
6/10
Tags:
n/a
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
anti-vm greyware overlay packed packed setupapi.dll shdocvw.dll shell32.dll
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
MinerDownloader, RedLine, Xmrig
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to inject code into remote processes
DNS related to crypt mining pools
Encrypted powershell cmdline option found
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample is not signed and drops a device driver
Sample uses process hollowing technique
Sigma detected: Schedule system process
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic MinerDownloader
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Behavior Graph ID: 839816
Sample: SS9jGqNjgE.exe
Start date: 03/04/2023
Architecture: WINDOWS
Score: 100

Graph-level network indicators: xmr-eu1.nanopool.org; pastebin.com
Graph-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 14 other signatures

Process tree (the graph's process nodes, with the dropped files, network contacts and signatures the graph attaches to each process):

SS9jGqNjgE.exe
  dropped: C:\Users\user\AppData\...\Mahatga523.exe (PE32)
  dropped: C:\Users\user\AppData\...\Mahatga124.exe (PE32)
  Mahatga124.exe
    signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Writes to foreign memory regions; Sample uses process hollowing technique
    AppLaunch.exe
      signature: Injects a PE file into a foreign processes
      AppLaunch.exe
        network: github.com 140.82.121.3 port 443 (local ports 49705, 49706; GITHUBUS, United States); raw.githubusercontent.com 185.199.108.133 port 443 (local ports 49708, 49709; FASTLYUS, Netherlands); pastebin.com 104.20.67.143 port 443 (local port 49703; CLOUDFLARENETUS, United States)
        dropped: C:\ProgramData\Dllhost\winlogson.exe (PE32+); C:\ProgramData\Dllhost\dllhost.exe (PE32); C:\ProgramData\Dllhost\WinRing0x64.sys (PE32+); C:\ProgramData\HostData\logs.uce (ASCII)
        signature: Sample is not signed and drops a device driver
        cmd.exe
          signatures: Encrypted powershell cmdline option found; Uses schtasks.exe or at.exe to add and modify task schedules
          conhost.exe
          powershell.exe
        cmd.exe
          conhost.exe
          schtasks.exe
        cmd.exe
          conhost.exe
          schtasks.exe
      conhost.exe
    AppLaunch.exe
      signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Contains functionality to inject code into remote processes
    WerFault.exe
    conhost.exe
  Mahatga523.exe
    signatures: Allocates memory in foreign processes; Injects a PE file into a foreign processes
    AppLaunch.exe
      network: 91.193.43.63 port 81 (local port 49712; ITFPL, Belgium); api.ip.sb
      signatures: Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
    conhost.exe
    WerFault.exe
cmd.exe
  conhost.exe
  chcp.com
cmd.exe
  conhost.exe
  chcp.com
5 other processes
  conhost.exe
  conhost.exe
  5 other processes
Threat name:
Win32.Trojan.RedLine
Status:
Malicious
First seen:
2023-04-03 01:24:27 UTC
File Type:
PE (Exe)
Extracted files:
19
AV detection:
15 of 24 (62.50%)
Threat level:
5/5
Result
Malware family:
redline
Score:
10/10
Tags:
family:redline botnet:fff infostealer spyware
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
RedLine
Malware Config
C2 Extraction:
91.193.43.63:81
Unpacked files
SHA256 hash:
955c6f970cc69f2c52436d163a5f78045d9ad351e33ea37bb7fc66246b3edaa8
MD5 hash:
058707214e525ba1b4a8e200b935e283
SHA1 hash:
9484bbb6933e2e46e237f72252a094a2d095cf80
Detections:
redline
SHA256 hash:
f1677faf7b74eaa2a1623de8ae41acba12a2c036e3b759fc80251a47bfe3f004
MD5 hash:
a2c255df11846bf7978d7e21e21d20ea
SHA1 hash:
d71b5cad6cf24384ece7b1d992bfb3b8e19a4998
SHA256 hash:
600a38e8586f9017ec2b90ccb28c22e75a1d717dc60d4eea2091c52936561fb7
MD5 hash:
6cf2c4f33664516c2bf54ee48a7bf704
SHA1 hash:
30a9592bc10ef66e36be28694303f9685a2ca0da
SHA256 hash:
f9a34a14c69e1c21529800bbdf4b9d7f357d3105e41acfb0aaca1b9d22122893
MD5 hash:
4a6039bfdda3a74030d78acb4ff14829
SHA1 hash:
02c677386d03c4eeb4cfa0d93eef58952f197876
Malware family:
RedLine.E
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
Author: ditekSHen
Description: Detects executables (downloaders) containing URLs to raw contents of a paste
Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB
Rule name: pe_imphash
Rule name: sfx_pdb
Author: @razvialex
Description: Detect interesting files containing sfx with pdb paths.
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: Suspicious_Macro_Presence
Author: Mehmet Ali Kerimoglu (CYB3RMX)
Description: This rule detects common malicious/suspicious implementations.
Rule name: XWorm_Hunter
Author: Potato

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments