MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 032bcb319cbd29d5c32d8a7657578ffa823745940bd8e6152b1e5bc7efc776f2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs 1 YARA 7 File information Comments 1

SHA256 hash:	032bcb319cbd29d5c32d8a7657578ffa823745940bd8e6152b1e5bc7efc776f2
SHA3-384 hash:	a70cfa36db32434c0f0bfb2d6ec06c32ead9e5073adf3bd32298131e03efafef9f7cd5f9e6101f6e6cffcfac22186e14
SHA1 hash:	2449c6f733a2251e3817e92f034d16af81c1c33a
MD5 hash:	8dd1688ff1a34005b84825d894347a6a
humanhash:	avocado-island-fillet-angel
File name:	8dd1688ff1a34005b84825d894347a6a
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	99'328 bytes
First seen:	2022-07-19 10:09:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	1536:bCbw/UyiR/6dIbgHRG6jejoigI19hguJlZLMaNhDf73embacxvuh4XyLed1NtWQF:+ccjo6gHRYDhg8ZAabT/ZuhIyydiE
Threatray	2'572 similar samples on MalwareBazaar
TLSH	T146A34C3067AC9F19EABD167674B2012543F0E08BD081EF4E8EC5A4EA2F63B915517EF1
TrID	61.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.0% (.SCR) Windows screen saver (13101/52/3) 8.8% (.EXE) Win64 Executable (generic) (10523/12/4) 5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	zbetcheckin
Tags:	32 exe RedLineStealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
94.23.190.57:25565	https://threatfox.abuse.ch/ioc/838638/

Intelligence

File Origin

# of uploads :

# of downloads :

340

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/291832/

Detection(s):

Win.Malware.Bulz-9880537-0

Win.Packed.Bulz-9883367-0

Win.Packed.Generickdz-9885340-0

Win.Packed.Bulz-9891195-0

Win.Trojan.Redline-9938775-1

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Sending an HTTP POST request

Creating a window

Using the Windows Management Instrumentation requests

Creating a file in the %temp% directory

Reading critical registry keys

DNS request

Connecting to a non-recommended domain

Sending an HTTP GET request

Query of malicious DNS domain

Sending a TCP request to an infection source

Stealing user critical data

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-vm fingerprint hacktool packed stealer

Link:

https://www.filescan.io/uploads/62d68302f56fa6e45df6c4f2/reports/e2b2d6ff-ce1b-47bc-be11-37772ac068e3/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/58b0a6f0-56a9-4156-a6a0-a97569b320b1

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1036424

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Yara detected Generic Downloader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/032bcb319cbd29d5c32d8a7657578ffa823745940bd8e6152b1e5bc7efc776f2/

Threat name:

ByteCode-MSIL.Infostealer.RedLine

Status:

Malicious

First seen:

2022-07-18 20:15:26 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 26 (92.31%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=amv4wmm4xuu5lqznrj3fov4p7kbdormubpmomfjldzn4p36ho3za._file

Verdict:

malicious

RedLineStealer

23c30d4d176ded055abf529bf8c75bc1e0f7656072f6a2a4ac8ad7d9f889fedc

RedLineStealer

28432c6b761d9a0d6d3a80cbeda9b6f745cf55b5a2c234737afe493d1ff11158

RedLineStealer

3477350a178f4abfbebe739f97ecd499345d62abcc1702fa516a61fa060f9cd5

RedLineStealer

45a04b7f0b2daf0793cd2eb4d8664a7a824a8c353ffb57bb6d0ada7ce39b8910

RedLineStealer

4b51bfdfb096e034e057e4cf48abcdb2f8f3301d3493f286053bf66f9b74f175

RedLineStealer

5f45f47d879bf54f44ab26b4eaafbc80cd276dd72acc648220e95cac385b6ede

RedLineStealer

833cd1ac5362600d62cbd298f5924de853d798e9217da0ae18054800f74ca86b

RedLineStealer

a24c2f0775f834d56102bc71dcab3681573128c66cd33d82967a49fe9fe16b13

RedLineStealer

ee987d5d4e5f25b0f245376444d7e89d5ab5da49f26a80809271348623ea3536

RedLineStealer

+ 2'562 additional samples on MalwareBazaar

Result

Malware family:

xmrig

Score:

10/10

Tags:

family:redline family:xmrig botnet:1501412092 discovery infostealer miner spyware stealer

Link:

https://tria.ge/reports/220719-l7c8zsbdb8/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks computer location settings

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

XMRig Miner payload

RedLine

RedLine payload

xmrig

Malware Config

C2 Extraction:

94.23.190.57:25565

Unpacked files

SH256 hash:

032bcb319cbd29d5c32d8a7657578ffa823745940bd8e6152b1e5bc7efc776f2

MD5 hash:

8dd1688ff1a34005b84825d894347a6a

SHA1 hash:

2449c6f733a2251e3817e92f034d16af81c1c33a

Link:

https://www.unpac.me/results/4c6726fe-cbbe-4522-b75b-edaf1e04b80a/

Malware family:

RedLine

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/032bcb319cbd/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.47

Link:

https://yomi.yoroi.company/submissions/032bcb319cbd29d5c32d8a7657578ffa823745940bd8e6152b1e5bc7efc776f2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ArechClient Create hunting rule
Author:	@bartblaze
Description:	Identifies ArechClient, infostealer.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	RedLine_a Create hunting rule
Author:	@bartblaze
Description:	Identifies RedLine stealer.

Rule name:	redline_new_bin Create hunting rule
Author:	James_inthe_box
Description:	Redline stealer
Reference:	https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8

Rule name:	redline_stealer Create hunting rule
Author:	jeFF0Falltrades
Description:	This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)