MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 141c5270d552e9485db2d1dc1d5f85269c8e0600330ef2221605fdfae08709f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 141c5270d552e9485db2d1dc1d5f85269c8e0600330ef2221605fdfae08709f9
SHA3-384 hash: 2fc2ff05e97edf3a84e6d4325bdb71fe7568e50a1261697dcc314113015e8155a2f4d407c41122f8d18e11e6a9ed5770
SHA1 hash: 79a6445d628194e3f9fd44b9a3a6a288fcfa04a1
MD5 hash: 42a3788bd65adb15621779142372404f
humanhash: aspen-alaska-wolfram-march
File name:menu.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:223'232 bytes
First seen:2022-11-14 06:11:52 UTC
Last seen:2022-11-14 07:47:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 0c737368c9c218d6e64e05306282bcfe (3 x RedLineStealer, 1 x ErbiumStealer)
ssdeep 3072:WoerDTSjYSIL7sRy7AtVDuR/818V9EpEdMKGfDVq34soeAMBmQ8NWpe6+xDU:WoeXT5SdeAtVabWpffxsVAMBmLP1U
Threatray 1'470 similar samples on MalwareBazaar
TLSH T17024AE1B31609031DCD0C5F919F1C67BCC6EA6659FD9C0CB22AC055F1A3B2A7496A2BB
TrID 40.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
17.0% (.SCR) Windows screen saver (13097/50/3)
13.6% (.EXE) Win64 Executable (generic) (10523/12/4)
8.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter tcains1
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
201
Origin country :
US US
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
menu.exe
Verdict:
Malicious activity
Analysis date:
2022-11-14 05:43:25 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/16d676ef-6aac-4305-85c9-47c34d30657c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/333575/
Detection(s):
Can't access file ERROR
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a window
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/6371dc3207c3f5e84a01012d/reports/5e333028-68df-4979-afdd-137536e0aa6a/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/41036d69-2dc2-4dd3-8827-f445fd4dc209
Result
Threat name:
RedLine, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1112618
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies power options to not sleep / hibernate
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Potential dropper URLs found in powershell memory
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample is not signed and drops a device driver
Sigma detected: Schedule system process
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 745314 Sample: menu.exe Startdate: 14/11/2022 Architecture: WINDOWS Score: 100 77 Snort IDS alert for network traffic 2->77 79 Multi AV Scanner detection for domain / URL 2->79 81 Malicious sample detected (through community Yara rule) 2->81 83 15 other signatures 2->83 10 menu.exe 1 2->10         started        process3 signatures4 89 Contains functionality to inject code into remote processes 10->89 91 Writes to foreign memory regions 10->91 93 Allocates memory in foreign processes 10->93 95 Injects a PE file into a foreign processes 10->95 13 vbc.exe 15 7 10->13         started        18 conhost.exe 10->18         started        process5 dnsIp6 71 79.137.195.171, 29444, 49695 PSKSET-ASRU Russian Federation 13->71 73 filebin.net 185.47.40.36, 443, 49696 REDPILL-LINPRORedpillLinproNO Norway 13->73 75 situla.bitbit.net 87.238.33.8, 443, 49697 REDPILL-LINPRORedpillLinproNO Norway 13->75 63 C:\Users\user\AppData\Local\Temp\autt.exe, PE32 13->63 dropped 107 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 13->107 109 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 13->109 111 Tries to harvest and steal browser information (history, passwords, etc) 13->111 113 Tries to steal Crypto Currency Wallets 13->113 20 autt.exe 1 13->20         started        23 conhost.exe 18->23         started        file7 signatures8 process9 signatures10 85 Machine Learning detection for dropped file 20->85 87 Injects a PE file into a foreign processes 20->87 25 autt.exe 14 31 20->25         started        process11 dnsIp12 65 github.com 140.82.121.4, 443, 49698, 49699 GITHUBUS United States 25->65 67 raw.githubusercontent.com 185.199.108.133, 443, 49700, 49701 FASTLYUS Netherlands 25->67 69 192.168.2.1 unknown unknown 25->69 57 C:\ProgramData\Dllhost\svhost.exe, PE32+ 25->57 dropped 59 C:\ProgramData\Dllhost\dllhost.exe, PE32 25->59 dropped 61 C:\ProgramData\Dllhost\WinRing0x64.sys, PE32+ 25->61 dropped 97 Sample is not signed and drops a device driver 25->97 30 cmd.exe 1 25->30         started        33 cmd.exe 25->33         started        35 cmd.exe 1 25->35         started        37 12 other processes 25->37 file13 signatures14 process15 signatures16 99 Encrypted powershell cmdline option found 30->99 101 Uses schtasks.exe or at.exe to add and modify task schedules 30->101 103 Uses powercfg.exe to modify the power settings 30->103 39 powershell.exe 3 30->39         started        41 conhost.exe 30->41         started        105 Modifies power options to not sleep / hibernate 33->105 53 7 other processes 33->53 43 conhost.exe 35->43         started        45 schtasks.exe 35->45         started        47 conhost.exe 37->47         started        49 schtasks.exe 37->49         started        51 conhost.exe 37->51         started        55 21 other processes 37->55 process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/141c5270d552e9485db2d1dc1d5f85269c8e0600330ef2221605fdfae08709f9/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-11-14 06:12:07 UTC
File Type:
PE (Exe)
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cqofe4gvkluuqxns2hob2x4fe2oi4bqagmhpeiqwax67vyehbh4q._file
Verdict:
malicious
Similar samples:
4b9e47e07dd69c2b5033476f0a833b9a54a181a0eaae4504bb1e99468d092a9d
RedLineStealer
5e00e19994b85f957662417bc8006dc11849f941e2c46e0d2bb806d098e1861c
RedLineStealer
8f4ccb41b24de4d077f55f9f33455424bafa4f7546bc4f55efb77c94f9877170
RedLineStealer
94365d9e2381d5800339362f6bc43fce1136615dc0ac49dae00e094b51e9ff38
RedLineStealer
c1778205c7cfa7157946134f09157cbf1cbef27afa8ded92921fc2ad3be54ab1
RedLineStealer
efc498b7f6def864d578812cfc847e4b2f6d07cf80396bfec29e6cbb179eeb92
RedLineStealer
+ 1'460 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline infostealer spyware
Link:
https://tria.ge/reports/221114-gx614afc35/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Uses the VBS compiler for execution
RedLine
RedLine payload
Malware Config
C2 Extraction:
79.137.195.171:29444
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4c985611-b1e5-42be-937a-e392af04b2fc
Unpacked files
SH256 hash:
a272c307473c4e5f7ff8588f33eebf0f8863975e119468e73b527d5b134d2633
MD5 hash:
8465c1a41dd665eb4876faa5088e7920
SHA1 hash:
04e8e4c7c2d7168d8d0548d2832a7da96697f1ea
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/0b33c20a-d309-4973-a5b2-0511cd194d96/
SH256 hash:
141c5270d552e9485db2d1dc1d5f85269c8e0600330ef2221605fdfae08709f9
MD5 hash:
42a3788bd65adb15621779142372404f
SHA1 hash:
79a6445d628194e3f9fd44b9a3a6a288fcfa04a1
Link:
https://www.unpac.me/results/0b33c20a-d309-4973-a5b2-0511cd194d96/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/141c5270d552/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/141c5270d552e9485db2d1dc1d5f85269c8e0600330ef2221605fdfae08709f9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 141c5270d552e9485db2d1dc1d5f85269c8e0600330ef2221605fdfae08709f9

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/333575/

Comments