MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 137d32de86757d5183f6f69e4bfee65fbc895aae6d04de199de4ffdf6bd1a339. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 137d32de86757d5183f6f69e4bfee65fbc895aae6d04de199de4ffdf6bd1a339
SHA3-384 hash: 5e6664c6754d7a559bd150e7cdd26f199d21027fc303915ed87774510aad7a6f7a7e69b509d5cb51ac5b2c26c84d627a
SHA1 hash: 67c2a6b4ad8b549cf9fe4a8903897199b68718d5
MD5 hash: e9d525216bcce5f1a59981311f8f2419
humanhash: high-bakerloo-kansas-lima
File name:Setup.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:2'278'343 bytes
First seen:2022-05-30 01:38:47 UTC
Last seen:2022-05-30 01:38:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 0629c55152d38b4029f7de8a08e08d5c (7 x RedLineStealer)
ssdeep 24576:/j7gC9oFwDk3YdvM8C3iBx4kV4/2yv+p6Ns4uQ5p3h3cz:fR9ogTul/2H
Threatray 3'161 similar samples on MalwareBazaar
TLSH T148B50A039A8B4E75DDC23BB461CB633A9734FE30CA269F7FE609C53599532C4681A742
TrID 33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
21.3% (.EXE) Win64 Executable (generic) (10523/12/4)
13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter milannshrestga
Tags:crypto exe Redline RedLineStealer spyware


Avatar
milannshrestga
Youtube Link: https://www.youtube.com/channel/UCJL9Uhuhf6fQufwZGR75MRQ
Bio:
Experience the future of reality at Star Atlas: https://bit [.] ly/3avmTJJ
Archive Password: 7591

Intelligence

File Origin
# of uploads :
2
# of downloads :
459
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
Setup.exe
Verdict:
Malicious activity
Analysis date:
2022-05-30 01:36:43 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/b87c5a64-6278-4d61-8967-c8b8d8d7e6dc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/275281/
Detection(s):
Win.Packed.Crypterx-9940465-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/20455/overview
Behaviour
MalwareBazaar
CPUID_Instruction
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug overlay packed spyeye vidar wacatac
Link:
https://www.filescan.io/uploads/6294205465e33815993d88b6/reports/054294ca-99bf-4e97-849f-96a0c84dbd41/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4f024b24-0958-488c-849a-b622fcf94c3c
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1003336
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Contains functionality to inject code into remote processes
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 635832 Sample: Setup.exe Startdate: 30/05/2022 Architecture: WINDOWS Score: 100 32 Snort IDS alert for network traffic 2->32 34 Found malware configuration 2->34 36 Malicious sample detected (through community Yara rule) 2->36 38 3 other signatures 2->38 7 Setup.exe 1 2->7         started        process3 signatures4 46 Contains functionality to inject code into remote processes 7->46 48 Writes to foreign memory regions 7->48 50 Allocates memory in foreign processes 7->50 52 Injects a PE file into a foreign processes 7->52 10 AppLaunch.exe 15 7 7->10         started        15 WerFault.exe 23 9 7->15         started        17 conhost.exe 7->17         started        process5 dnsIp6 26 185.215.113.25, 27757, 49742 WHOLESALECONNECTIONSNL Portugal 10->26 28 ftl.deekshith.eu.org 188.114.97.3, 443, 49747 CLOUDFLARENETUS European Union 10->28 30 fsblink4.herokuapp.com 54.243.129.215, 443, 49748 AMAZON-AESUS United States 10->30 22 C:\Users\user\AppData\Local\Temp\System.exe, PE32 10->22 dropped 54 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 10->54 56 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 10->56 58 Tries to harvest and steal browser information (history, passwords, etc) 10->58 60 Tries to steal Crypto Currency Wallets 10->60 19 System.exe 2 10->19         started        24 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 15->24 dropped file7 signatures8 process9 signatures10 40 Antivirus detection for dropped file 19->40 42 Multi AV Scanner detection for dropped file 19->42 44 Machine Learning detection for dropped file 19->44
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/137d32de86757d5183f6f69e4bfee65fbc895aae6d04de199de4ffdf6bd1a339/
Threat name:
Win32.Trojan.SpyStealer
Create hunting rule
Status:
Malicious
First seen:
2022-05-30 01:39:10 UTC
File Type:
PE (Exe)
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cn6tfxugov6vda7w62pex7xgl66iswvonucn4gm54t75626rum4q._file
Verdict:
malicious
Similar samples:
20579be1049258522233c39acfae3076c8af1c64aadcd2ec2f68e00c683fe229
RedLineStealer
2dde8c2841248eedeec0a51cde97d147760c02e2d60d6f4d4f48758c0f3b6ea7
RedLineStealer
4b51bfdfb096e034e057e4cf48abcdb2f8f3301d3493f286053bf66f9b74f175
RedLineStealer
9f97fdeaa2c81fac2afb2a94616144c0773b5bec316ebc114c8d134eccd84cdc
RedLineStealer
f8458174c4abdd56f7fb6e07a3c16d95d908fa5461ebd5a8425c60480b8c3b57
RedLineStealer
fb63e82f9803b9cab3f7e4bda5a570baff699393565d5f0e4ca13bd2bec8a925
RedLineStealer
+ 3'151 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline infostealer spyware
Link:
https://tria.ge/reports/220530-b2ymmadddr/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
RedLine
RedLine Payload
Malware Config
C2 Extraction:
185.215.113.25:27757
Unpacked files
SH256 hash:
7682577dce5c9ed94595bed41e6a3a7ee7f0bf471fc7324f8401eebfc98b0310
MD5 hash:
0e6c2422d17fc4299cec3e83faa9f854
SHA1 hash:
efaead52b8a1f2d7fe3f4d161114a2781702b9eb
Link:
https://www.unpac.me/results/e0618871-72c3-424a-9727-43663a7b80e2/
SH256 hash:
137d32de86757d5183f6f69e4bfee65fbc895aae6d04de199de4ffdf6bd1a339
MD5 hash:
e9d525216bcce5f1a59981311f8f2419
SHA1 hash:
67c2a6b4ad8b549cf9fe4a8903897199b68718d5
Link:
https://www.unpac.me/results/e0618871-72c3-424a-9727-43663a7b80e2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/137d32de86757d5183f6f69e4bfee65fbc895aae6d04de199de4ffdf6bd1a339

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Redline_Stealer_Monitor
Create hunting rule
Description:Detects RedLine Stealer Variants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

anyrun
any.run
https://app.any.run/tasks/b87c5a64-6278-4d61-8967-c8b8d8d7e6dc
  
Delivery method
Multiple
Cape
Cape
https://www.capesandbox.com/analysis/275281/

Comments