MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa9e3e8282175677e1bf926361df6aa60510a6ba8d3d8857d9c9cd850d971d60. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fa9e3e8282175677e1bf926361df6aa60510a6ba8d3d8857d9c9cd850d971d60
SHA3-384 hash: 9d8ba099abfa303369670484527c86b739a7c7f7931a1b173833c0d57d8455245761660225d805da20c3653a30f35a13
SHA1 hash: d23ab137f8b5654ff1f36f7ff8959739fa8e5e01
MD5 hash: ae2331eaded52fd561b9aad229952f3e
humanhash: juliet-texas-iowa-salami
File name:AE2331EADED52FD561B9AAD229952F3E.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'241'600 bytes
First seen:2021-11-17 04:41:22 UTC
Last seen:2021-11-17 06:59:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 43801be8f5954e7259ebb6bc7f6dfe40 (3 x CoinMiner, 2 x RedLineStealer, 1 x njrat)
ssdeep 24576:tlzANdTiXTcW9iOUCqdq8h9/OqYDeSsd30EQcRw2eObp01Acojb9INauMB5aK4:bcdTiXw7dd3/M5sd315IkpXjb9rB0
Threatray 1'668 similar samples on MalwareBazaar
TLSH T13F45CF92214C4611D04F853F89C2EFF49E6CEE820F466A116AF17EC731FDAF5819726A
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
92.205.28.105:5321

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
92.205.28.105:5321 https://threatfox.abuse.ch/ioc/249985/

Intelligence

File Origin
# of uploads :
2
# of downloads :
112
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
AutoClaimer.rar
Verdict:
Malicious activity
Analysis date:
2021-11-13 18:26:02 UTC
Tags:
trojan rat asyncrat redline stealer
Link:
https://app.any.run/tasks/bfe88506-5474-491f-a28b-9de1248ddf61

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/206694/
Detection(s):
SecuriteInfo.com.BackDoor.AsyncRATNET.2.26465.14606.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a process
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Creating a file
Enabling the 'hidden' option for recently created files
Moving a recently created file
Searching for the window
Moving a file to the %temp% directory
Modifying an executable file
DNS request
Sending an HTTP GET request
Sending a UDP request
Sending a custom TCP request
Creating a process with a hidden window
Creating a file in the %AppData% directory
Using the Windows Management Instrumentation requests
Launching cmd.exe command interpreter
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Infecting executable files
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
nitol packed powershell tiny
Link:
https://www.filescan.io/uploads/6194881c2695a62af9f1d49c/reports/dc5785a8-540c-4c88-84e2-da86a2318ab7/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6263e40d-36ad-46a6-8970-338281dc92e0
Result
Threat name:
AsyncRAT RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/890943
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Connects to a pastebin service (likely for C&C)
Contains functionality to detect sleep reduction / modifications
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
Drops PE files to the document folder of the user
Encrypted powershell cmdline option found
Found malware configuration
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Defender Exclusion
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Very long command line found
Yara detected AsyncRAT
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 523412 Sample: ESorkG57EK.exe Startdate: 17/11/2021 Architecture: WINDOWS Score: 100 98 api.ip.sb 2->98 100 xred.mooo.com 2->100 102 2 other IPs or domains 2->102 118 Found malware configuration 2->118 120 Antivirus detection for dropped file 2->120 122 Antivirus / Scanner detection for submitted sample 2->122 124 15 other signatures 2->124 13 ESorkG57EK.exe 2 2->13         started        17 EXCEL.EXE 2->17         started        19 Synaptics.exe 2->19         started        signatures3 process4 file5 84 C:\Users\user\AppData\Local\...\LUFFY-F16.exe, PE32 13->84 dropped 86 C:\Users\user\AppData\Local\Temp\Client.exe, PE32 13->86 dropped 142 Antivirus detection for dropped file 13->142 144 Machine Learning detection for dropped file 13->144 146 Adds a directory exclusion to Windows Defender 13->146 21 cmd.exe 1 13->21         started        23 cmd.exe 1 13->23         started        25 cmd.exe 1 13->25         started        signatures6 process7 signatures8 28 Client.exe 1 5 21->28         started        32 conhost.exe 21->32         started        34 LUFFY-F16.exe 15 3 23->34         started        37 conhost.exe 23->37         started        128 Adds a directory exclusion to Windows Defender 25->128 39 powershell.exe 25 25->39         started        41 conhost.exe 25->41         started        43 powershell.exe 25->43         started        process9 dnsIp10 76 C:\Users\user\Desktop\._cache_Client.exe, PE32 28->76 dropped 78 C:\ProgramData\Synaptics\Synaptics.exe, PE32 28->78 dropped 80 C:\ProgramData\Synaptics\RCX6A90.tmp, PE32 28->80 dropped 130 Antivirus detection for dropped file 28->130 132 Multi AV Scanner detection for dropped file 28->132 134 Machine Learning detection for dropped file 28->134 136 Contains functionality to detect sleep reduction / modifications 28->136 45 Synaptics.exe 28->45         started        50 ._cache_Client.exe 28->50         started        104 accounts.google.com 172.217.18.109, 443, 49807 GOOGLEUS United States 34->104 106 z-p42-instagram.c10r.instagram.com 157.240.17.174, 443, 49800 FACEBOOKUS United States 34->106 108 3 other IPs or domains 34->108 file11 signatures12 process13 dnsIp14 112 freedns.afraid.org 150.238.42.13, 49750, 80 SOFTLAYERUS United States 45->112 114 docs.google.com 142.250.186.174, 443, 49747, 49748 GOOGLEUS United States 45->114 116 2 other IPs or domains 45->116 88 C:\Users\user\Documents\~$cache1, PE32 45->88 dropped 90 C:\Users\user\DesktopSorkG57EK.exe, PE32 45->90 dropped 92 C:\Users\user\AppData\Local\...\RCX77B0.tmp, PE32 45->92 dropped 96 2 other malicious files 45->96 dropped 148 Antivirus detection for dropped file 45->148 150 Multi AV Scanner detection for dropped file 45->150 152 Drops PE files to the document folder of the user 45->152 154 Contains functionality to detect sleep reduction / modifications 45->154 52 WerFault.exe 45->52         started        94 C:\Users\user\AppData\...\Java Updater.exe, PE32 50->94 dropped 156 Machine Learning detection for dropped file 50->156 54 cmd.exe 50->54         started        56 cmd.exe 50->56         started        file15 signatures16 process17 signatures18 59 Java Updater.exe 54->59         started        64 conhost.exe 54->64         started        66 timeout.exe 54->66         started        126 Uses schtasks.exe or at.exe to add and modify task schedules 56->126 68 conhost.exe 56->68         started        70 schtasks.exe 56->70         started        process19 dnsIp20 110 72.167.43.198, 49896, 50559, 50564 AS-26496-GO-DADDY-COM-LLCUS United States 59->110 82 C:\Users\user\AppData\Local\...\build.exe.exe, PE32 59->82 dropped 138 Very long command line found 59->138 140 Encrypted powershell cmdline option found 59->140 72 powershell.exe 59->72         started        file21 signatures22 process23 process24 74 conhost.exe 72->74         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fa9e3e8282175677e1bf926361df6aa60510a6ba8d3d8857d9c9cd850d971d60/
Threat name:
Win32.Trojan.APost
Create hunting rule
Status:
Malicious
First seen:
2021-11-14 01:41:14 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7kpd5aucc5lhpyn7sjrwdx3kuycrbjv2ru6yqv6zzhgykdmxdvqa._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
0fbdb66d81f97c74640af563b58b4d93872ed48a0397754b5c51a5c76d32900c
RedLineStealer
277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2
RedLineStealer
3ecb471f2c1a3d3f33dbe47bc9457adfb09206948ec16c2d3f9c9a29f5b44508
RedLineStealer
41b5691a9272ab9dcb87a5f3f106da073fc3d2c4aea1abd78ac7b3af4cbbffdd
RedLineStealer
4e5add107e83a073bd97b795409f41a1e0d1b26b8ebecae38f2e1f805a8cdde6
RedLineStealer
5fa54622d0d5f5abbeec7e634d6c2d868984e8cfb20b8502757c2df8fe94f7c7
RedLineStealer
9a9f7ea8a021b5c4e7984076bfe6f0ab42bddb7b50fa18ef0da17c12e8ef95e1
RedLineStealer
b484b76186c0e9c0d4f8719978a2235d0f580088562df853c837e296b1d837ed
RedLineStealer
bd0d884649509aece899372e0bea6f6dbe833b463e35206753dae69a0bc60632
RedLineStealer
ff97bd0b382bcd07b0e71fd6249426a1d1246c52b07edd238eaa64136db737df
RedLineStealer
+ 1'658 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:redline botnet:cheat botnet:default discovery infostealer macro persistence rat spyware stealer
Link:
https://tria.ge/reports/211117-fbn3qahce7/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs net.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Launches sc.exe
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Suspicious Office macro
Async RAT payload
AsyncRat
RedLine
RedLine Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
72.167.43.198:5321
92.205.28.105:5321
Unpacked files
SH256 hash:
b9eae90f8e942cc4586d31dc484f29079651ad64c49f90d99f86932630c66af2
MD5 hash:
c0ef4d6237d106bf51c8884d57953f92
SHA1 hash:
f1da7ecbbee32878c19e53c7528c8a7a775418eb
Link:
https://www.unpac.me/results/94caa2ba-45bc-4ce7-8b3e-eba4a5f0d9b1/
SH256 hash:
6b1dc6947c29ca0fa1a5add9f6c9de9d3a4c6a7e663b9cc9df312134872e9368
MD5 hash:
5b0d0447ed749bc518820f344f537039
SHA1 hash:
b5384fccf26ac1dbbca2ec3eda63a534b4cb304f
Link:
https://www.unpac.me/results/94caa2ba-45bc-4ce7-8b3e-eba4a5f0d9b1/
SH256 hash:
99f207ca85d6380beb9cc1749114d9551bedf0b610325b4c01a503a31c74f96e
MD5 hash:
aac5614f6ae8ea6d0563d66967030591
SHA1 hash:
4f75f7c68e8fce1f36c88bacf9c9c08e0733e69a
Link:
https://www.unpac.me/results/94caa2ba-45bc-4ce7-8b3e-eba4a5f0d9b1/
SH256 hash:
ea0fe33e02b5f95e8f4100c8de5a13ac1d8f03d4225152641c43f9228d5286be
MD5 hash:
ff27c1e7c79d585407b1b450fb1ef388
SHA1 hash:
28f0edb525dbb9907e4fc801c5230a6cc54266cd
Link:
https://www.unpac.me/results/94caa2ba-45bc-4ce7-8b3e-eba4a5f0d9b1/
SH256 hash:
fa9e3e8282175677e1bf926361df6aa60510a6ba8d3d8857d9c9cd850d971d60
MD5 hash:
ae2331eaded52fd561b9aad229952f3e
SHA1 hash:
d23ab137f8b5654ff1f36f7ff8959739fa8e5e01
Link:
https://www.unpac.me/results/94caa2ba-45bc-4ce7-8b3e-eba4a5f0d9b1/
Malware family:
RedLine.A
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/fa9e3e828217/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fa9e3e8282175677e1bf926361df6aa60510a6ba8d3d8857d9c9cd850d971d60

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe fa9e3e8282175677e1bf926361df6aa60510a6ba8d3d8857d9c9cd850d971d60

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/206694/
  
URLhaus
https://urlhaus.abuse.ch/url/1797440/
  
Delivery method
Distributed via web download

Comments