MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 05271d858a38fedd7b6bab5badedbe292010dfc1802aa09fb80b4cf301615bb8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 6



SHA256 hash: 05271d858a38fedd7b6bab5badedbe292010dfc1802aa09fb80b4cf301615bb8
SHA3-384 hash: 5ae86767e52e2b873ebe789c0e72f789eb81a7a8494b7f79298bbad14ed123f7882c0c2b554f7e72b3b01b62d808a7f1
SHA1 hash: 79d2f34c3ba793b708ad6e7e53a487fcf47cc36b
MD5 hash: b304a31244e99cc5ef05b19ee446e5c1
humanhash: comet-earth-robin-mobile
File name: b304a312_by_Libranalysis
Signature: RedLineStealer
File size: 2'030'225 bytes
First seen: 2021-04-28 16:11:19 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c9adc83b45e363b21cd6b11b5da0501f (82 x ArkeiStealer, 60 x RecordBreaker, 46 x RedLineStealer)
ssdeep: 49152:pAI+ktQowyQ+0HAIHbjStAl+wZ1Bpg1pljq+ahfs16pZWLt5Qly6O:pAI+kby9JjStAl+wZ1B0ljNI063WLt5/
Threatray: 770 similar samples on MalwareBazaar
TLSH: 1E952336A1C10176D4622E71495A8636F47BBA400A7891DFFEDD0E1CDF333185B3A3AA
Reporter: Libranalysis
Tags: RedLineStealer


Libranalysis
Uploaded as part of the sample sharing project

Intelligence


File Origin
# of uploads: 1
# of downloads: 63
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Delayed reading of the file
Creating a file in the %temp% subdirectories
Creating a file in the Program Files subdirectories
Deleting a recently created file
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file
Creating a file in the Program Files directory
DNS request
Sending an HTTP GET request
Launching a process
Reading critical registry keys
Sending a custom TCP request
Sending a UDP request
Creating a file in the Windows subdirectories
Using the Windows Management Instrumentation requests
Replacing files
Creating a file in the %AppData% subdirectories
Connection attempt
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Forced shutdown of a system process
Sending an HTTP GET request to an infection source
Unauthorized injection to a system process
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Creates a thread in another existing process (thread injection)
Drops PE files to the document folder of the user
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sets debug register (to hijack the execution of another thread)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph: [graph image not reproduced in text] Behavior Graph ID: 399384, Sample: b304a312_by_Libranalysis, Startdate: 28/04/2021, Architecture: WINDOWS, Score: 100
Threat name: Win32.Downloader.FakeWave
Status: Malicious
First seen: 2021-04-27 09:14:26 UTC
AV detection: 22 of 29 (75.86%)
Threat level: 3/5
Result
Malware family: n/a
Score: 10/10
Tags: discovery evasion persistence spyware stealer trojan upx
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
UPX packed file
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: SUSP_XORed_MSDOS_Stub_Message
Author: Florian Roth
Description: Detects suspicious XORed MSDOS stub message
Reference: https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments