MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fe622c4801737dede008dfecf2bcf48316f0adebbc080d27a2664ee8b606415c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	fe622c4801737dede008dfecf2bcf48316f0adebbc080d27a2664ee8b606415c
SHA3-384 hash:	447b99bc18cc93a794f2c42ef6944d4a306f9dd1898f38a865da96714421570bbbf8ed6ed045d1f50a0b2a4725d92212
SHA1 hash:	08e9365dc59124e24c193f636b11ae8fc27c28c5
MD5 hash:	47e59166e719f7e4641e5462be5fdc80
humanhash:	bravo-twelve-emma-south
File name:	5yyNVbMOOjT1pLcNXc3B1EPt.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	403'968 bytes
First seen:	2021-10-16 02:55:14 UTC
Last seen:	2021-10-16 04:16:32 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	8d9ee1d37ce0771b137ef02c8f52b4c6 (2 x RedLineStealer, 1 x CryptBot, 1 x DanaBot)
ssdeep	12288:Lh8fQgjf5hisJp1uIScRxQbGHu9DOk+y:Lh5Ef51JjzS8HV
Threatray	29 similar samples on MalwareBazaar
TLSH	T1EA84AE10B7A0C034F1F756F44AB69378B93E7AA0AB2854CF22D526ED5A746E1EC30357
File icon (PE):
dhash icon	8cd4f8c4c4ecf0c8 (1 x RedLineStealer)
Reporter	StopMalvertisin
Tags:	ETLabsKim exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

305

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Click_here (20211016).zip

Verdict:

Malicious activity

Analysis date:

2021-10-16 00:11:00 UTC

Tags:

evasion trojan loader opendir stealer vidar rat redline

Link:

https://app.any.run/tasks/fd750afb-3a39-431c-bacb-77bcec1971b2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/197833/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware2.1437.3391.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Connection attempt to an infection source

Launching the default Windows debugger (dwwin.exe)

Query of malicious DNS domain

Sending an HTTP GET request to an infection source

Gathering data

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/449f03e9-4f4e-47ed-b9b1-1e9f31cf9c87

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/871440

Signature

Antivirus detection for URL or domain

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Behaviour

Behavior Graph:

Download SVG

Detection:

redlinestealer

Link:

https://mwdb.cert.pl/sample/fe622c4801737dede008dfecf2bcf48316f0adebbc080d27a2664ee8b606415c/

Threat name:

Win32.Trojan.Chapak

Status:

Malicious

First seen:

2021-10-16 02:40:59 UTC

AV detection:

22 of 45 (48.89%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7zrcysabon663yai37wpfphuqmlpblplxqea2j5cmzhornqgifoa._file

Verdict:

malicious

RedLineStealer

84b57d3d7fdabaebcd85cf01dbf14b9cb94e08fe081abcb60b218c1298c55995

RedLineStealer

8d53be201d501a00295678466c9fe32c1a972faa705cd6b24636f789a349bb73

RedLineStealer

8e58fc8da8ccaf2d46f5592cb0842894007b9c0cafaac82a87b140f9de8914b9

RedLineStealer

ca77cc344a3c2f6ab1cbee4e6da2ba30f3a14b824bdc00a0da73271e8c365e14

RedLineStealer

cd8076d813038ef3a2a527e4d1a126da089b11eb61da11636cb67fc110e42baf

RedLineStealer

e045b4a1c9f6640814f6e39903e1f03f2c7f1e3b3d1c6dbf07a409732655eff4

RedLineStealer

e390ebfd3537c9b4210916f4e7762e4c12b5fc8825c93e65e3f01fc9f44ac16b

RedLineStealer

+ 19 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:arkei family:cryptbot family:redline botnet:default botnet:mix16.10 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/211016-de2f4sbfe2/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Kills process with taskkill

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

Arkei Stealer Payload

Arkei

CryptBot

RedLine

RedLine Payload

Suspicious use of NtCreateProcessExOtherParentProcess

Malware Config

C2 Extraction:

http://game2030.link/ggate.php
cemvua52.top
morcih05.top
185.215.113.15:57055

Unpacked files

SH256 hash:

630a641bebd6ded36fb1c42520e4c7ddc5ace49436dede6c255d8f12ddbfbe54

MD5 hash:

cbbdd5a549a37602019203e20a21866a

SHA1 hash:

50c80b98548b24565decfa94c034b43b753a197a

Link:

https://www.unpac.me/results/b3ac7c5f-b302-4c99-b595-b863c6491b3c/

SH256 hash:

fe622c4801737dede008dfecf2bcf48316f0adebbc080d27a2664ee8b606415c

MD5 hash:

47e59166e719f7e4641e5462be5fdc80

SHA1 hash:

08e9365dc59124e24c193f636b11ae8fc27c28c5

Link:

https://www.unpac.me/results/b3ac7c5f-b302-4c99-b595-b863c6491b3c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/fe622c4801737dede008dfecf2bcf48316f0adebbc080d27a2664ee8b606415c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	SUSP_XORed_Mozilla Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed keyword - Mozilla/5.0
Reference:	Internal Research

Rule name:	SUSP_XORed_Mozilla_RID2DB4 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed keyword - Mozilla/5.0
Reference:	Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/197833/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample