MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1426166eb30765329bb46be071696568787fc2498174aaa45ecbedc0044b044d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1426166eb30765329bb46be071696568787fc2498174aaa45ecbedc0044b044d
SHA3-384 hash: 31537fafb6a61820e82e4039b23f4176d021f2297483c988d2872930ed29d27995e9493b600bb0cd01c250548d51abeb
SHA1 hash: 51407a2ed99ab0eadf3b081ab04da2ecaafef9ce
MD5 hash: 4848fbf65dc2c8b07f6fa5d7fd6dc6b3
humanhash: oven-pluto-lemon-sad
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'117'184 bytes
First seen:2023-08-20 00:23:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8bb0a9f526037647791bfdddebd58c7d (1 x RedLineStealer)
ssdeep 12288:ZfoVvpQL/mNwGbvgFAvHRVJNUPKW4nP0N/3E8MPIYvRL9umpkDm6exft:Z04/mNwGbvgFAvs4nPi9i1R6O
Threatray 1 similar samples on MalwareBazaar
TLSH T162358D21F8804079EFF310B643ECF625AA7DD4B4072855CF5AD816EFDB609D1AA3274A
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter andretavare5
Tags:exe RedLineStealer


Avatar
andretavare5
Sample downloaded from https://vk.com/doc647736509_665824089?hash=eHd6DldOOzlgvJiWtzMEuOln58zZ9ZZ8qkz7IOkb4g4&dl=FNavT0lbvitAQuj1XFbX7FZkwFySDl2owbWITgcW0cX&api=1&no_preview=1#1

Intelligence

File Origin
# of uploads :
1
# of downloads :
300
Origin country :
US US
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-08-20 00:24:14 UTC
Tags:
stealer redline
Link:
https://app.any.run/tasks/2031aca2-c5d8-4b77-9987-c47ef40bd27d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/443720/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.6455.19116.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Stealing user critical data
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
Labled as:
Ser.Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/1426166eb30765329bb46be071696568787fc2498174aaa45ecbedc0044b044d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2db6a495-9063-48f9-8b19-04f8de098d0e
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1293921
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Connects to many ports of the same IP (likely port scanning)
Creates an autostart registry key pointing to binary in C:\Windows
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Schedule binary from dotnet directory
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1293921 Sample: file.exe Startdate: 20/08/2023 Architecture: WINDOWS Score: 100 86 Snort IDS alert for network traffic 2->86 88 Found malware configuration 2->88 90 Malicious sample detected (through community Yara rule) 2->90 92 7 other signatures 2->92 11 file.exe 2->11         started        14 CasPol.exe 2->14         started        16 MTA1.exe 2->16         started        18 2 other processes 2->18 process3 signatures4 120 Writes to foreign memory regions 11->120 122 Allocates memory in foreign processes 11->122 124 Injects a PE file into a foreign processes 11->124 20 CasPol.exe 15 8 11->20         started        25 CasPol.exe 11->25         started        27 WerFault.exe 21 9 11->27         started        29 conhost.exe 14->29         started        31 conhost.exe 16->31         started        33 conhost.exe 18->33         started        35 conhost.exe 18->35         started        process5 dnsIp6 74 149.202.0.242, 31728, 49722 OVHFR France 20->74 76 transfer.sh 144.76.136.153, 443, 49725 HETZNER-ASDE Germany 20->76 70 C:\Users\user\AppData\Local\Temp\cli.exe, PE32 20->70 dropped 102 Tries to harvest and steal browser information (history, passwords, etc) 20->102 104 Tries to steal Crypto Currency Wallets 20->104 37 cli.exe 1 20->37         started        106 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 25->106 108 Suspicious powershell command line found 25->108 110 May check the online IP address of the machine 25->110 112 3 other signatures 25->112 file7 signatures8 process9 signatures10 94 Multi AV Scanner detection for dropped file 37->94 96 Writes to foreign memory regions 37->96 98 Allocates memory in foreign processes 37->98 100 Injects a PE file into a foreign processes 37->100 40 CasPol.exe 2 26 37->40         started        45 WerFault.exe 19 9 37->45         started        47 conhost.exe 37->47         started        process11 dnsIp12 78 46.29.235.84, 49743, 80 EUROTELECOM-ASRU Russian Federation 40->78 80 ip-api.com 208.95.112.1, 49733, 80 TUT-ASUS United States 40->80 82 5 other IPs or domains 40->82 72 C:\ProgramData\...\MTA1.exe, PE32 40->72 dropped 114 Suspicious powershell command line found 40->114 116 Creates an autostart registry key pointing to binary in C:\Windows 40->116 118 Adds a directory exclusion to Windows Defender 40->118 49 powershell.exe 12 40->49         started        52 powershell.exe 40->52         started        54 schtasks.exe 1 40->54         started        56 schtasks.exe 40->56         started        file13 signatures14 process15 signatures16 84 Adds a directory exclusion to Windows Defender 49->84 58 powershell.exe 49->58         started        60 conhost.exe 49->60         started        62 conhost.exe 52->62         started        64 conhost.exe 54->64         started        66 conhost.exe 56->66         started        process17 process18 68 conhost.exe 58->68         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1426166eb30765329bb46be071696568787fc2498174aaa45ecbedc0044b044d/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-08-20 00:24:05 UTC
File Type:
PE (Exe)
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cqtbm3vta5stfg5unpqhc2lfnb4h7qsjqf2kvjc6zpw4abclargq._file
Verdict:
malicious
Similar samples:
2450a79857b2d97653db25698bc2a902d58087d4bd25b1ebd743fc13b84f8a5f
RedLineStealer
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:logsdiller cloud (telegram: @logsdillabot) infostealer persistence spyware stealer themida
Link:
https://tria.ge/reports/230820-ap2m3sed2v/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
RedLine
Malware Config
C2 Extraction:
149.202.0.242:31728
Unpacked files
SH256 hash:
d893362b22f69429e75061c60d225c1339c10ed0dfd41a190da4a43844b1485f
MD5 hash:
f60da95bea69efd2b1a5827c2fe29ab7
SHA1 hash:
07fe27895145940619e7843880561835d63d665e
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/903ea021-f4c6-45df-b32e-db78edb6ab6f/
Parent samples :
2450a79857b2d97653db25698bc2a902d58087d4bd25b1ebd743fc13b84f8a5f
1426166eb30765329bb46be071696568787fc2498174aaa45ecbedc0044b044d
b154c3d8a7d71c3fd64fb2a3c41e72ad9289dc9b7c905512dc928893a31086b2
SH256 hash:
1426166eb30765329bb46be071696568787fc2498174aaa45ecbedc0044b044d
MD5 hash:
4848fbf65dc2c8b07f6fa5d7fd6dc6b3
SHA1 hash:
51407a2ed99ab0eadf3b081ab04da2ecaafef9ce
Link:
https://www.unpac.me/results/903ea021-f4c6-45df-b32e-db78edb6ab6f/
Malware family:
RedLine.E
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1426166eb307/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1426166eb30765329bb46be071696568787fc2498174aaa45ecbedc0044b044d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/443720/

Comments