MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 14754f307601049ba389cf7b9536db2049193b31f05330c7b6d4cb5cd8fa081f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 14754f307601049ba389cf7b9536db2049193b31f05330c7b6d4cb5cd8fa081f
SHA3-384 hash: d1b609483b046b4191410a47d94f46f2f649b6f49d335adcda056f7da4febeed78d7c0d6a0b918e42cc3eafc138b9b3d
SHA1 hash: f374b9f2e2109c721f61bdbd62b6580803a7fd2e
MD5 hash: 57f367e007e1d4ac008b2cb2b9acf69d
humanhash: winner-single-autumn-saturn
File name:Setup.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:4'098'989 bytes
First seen:2021-07-14 10:49:14 UTC
Last seen:2021-07-14 11:57:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4328f7206db519cd4e82283211d98e83 (533 x RedLineStealer, 18 x Arechclient2, 15 x DCRat)
ssdeep 98304:HPQ9jxNqxUIj9nULSI0nQkn1u2HeEE3pGiWcGsySDfyw6YHCcFPwSvdiLY:HW3mSyQMM2+EE3pGgkS2gZ4gMLY
Threatray 473 similar samples on MalwareBazaar
TLSH T1B6163319419E8EABE1D8DC3DA0A1D73FB9886F55037D4154E3E63327CAFE6640927B20
Reporter Anonymous
Tags:exe Redline RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
171
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Setup.exe
Verdict:
Malicious activity
Analysis date:
2021-07-14 10:52:48 UTC
Tags:
trojan rat redline evasion stealer loader
Link:
https://app.any.run/tasks/73d3073b-3927-419d-96e6-61efa14a93e0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/171631/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.22792.12893.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3b852900-2e02-4fe6-a213-52d5b38da58f
Result
Threat name:
RedLine Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/816157
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Defender Exclusion
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 448568 Sample: Setup.exe Startdate: 14/07/2021 Architecture: WINDOWS Score: 100 85 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->85 87 Found malware configuration 2->87 89 Antivirus / Scanner detection for submitted sample 2->89 91 10 other signatures 2->91 9 Setup.exe 15 35 2->9         started        14 MicrosoftApi.exe 2->14         started        process3 dnsIp4 63 api.ip.sb 9->63 65 185.252.144.65, 4545, 49744, 49749 FIRST-SERVER-EU-ASRU Russian Federation 9->65 67 oligarph.club 104.21.54.29, 49751, 80 CLOUDFLARENETUS United States 9->67 55 C:\Users\user\AppData\Roaming\DriverApi.exe, PE32+ 9->55 dropped 57 C:\Users\user\AppData\Local\...\Setup.exe.log, ASCII 9->57 dropped 93 Detected unpacking (changes PE section rights) 9->93 95 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 9->95 97 Query firmware table information (likely to detect VMs) 9->97 103 3 other signatures 9->103 16 DriverApi.exe 2 5 9->16         started        69 45.12.214.40, 49761, 49762, 49763 ON-LINE-DATAServerlocation-NetherlandsDrontenNL Ukraine 14->69 71 192.168.2.1 unknown unknown 14->71 59 C:\Users\user\AppData\...\ScreanDriver.exe, PE32+ 14->59 dropped 99 Hides threads from debuggers 14->99 101 Tries to detect sandboxes / dynamic malware analysis system (registry check) 14->101 20 ScreanDriver.exe 14->20         started        22 ScreanDriver.exe 14->22         started        24 ScreanDriver.exe 14->24         started        26 ScreanDriver.exe 14->26         started        file5 signatures6 process7 file8 49 C:\Users\user\AppData\...\MicrosoftApi.exe, PE32+ 16->49 dropped 51 C:\Users\user\...\ICSharpCode.SharpZipLib.dll, PE32 16->51 dropped 77 Multi AV Scanner detection for dropped file 16->77 79 Detected unpacking (changes PE section rights) 16->79 81 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 16->81 83 3 other signatures 16->83 28 MicrosoftApi.exe 1 5 16->28         started        53 C:\Users\user\...\ScreanDriver.exe.log, ASCII 20->53 dropped signatures9 process10 file11 61 C:\Users\user\AppData\...\tmpC75.tmp.cmd, DOS 28->61 dropped 105 Multi AV Scanner detection for dropped file 28->105 107 Detected unpacking (changes PE section rights) 28->107 109 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 28->109 111 4 other signatures 28->111 32 cmd.exe 1 28->32         started        35 cmd.exe 1 28->35         started        signatures12 process13 signatures14 73 Uses schtasks.exe or at.exe to add and modify task schedules 32->73 75 Adds a directory exclusion to Windows Defender 32->75 37 powershell.exe 24 32->37         started        39 conhost.exe 32->39         started        41 timeout.exe 1 32->41         started        43 conhost.exe 35->43         started        45 timeout.exe 1 35->45         started        47 schtasks.exe 35->47         started        process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/14754f307601049ba389cf7b9536db2049193b31f05330c7b6d4cb5cd8fa081f/
Threat name:
Win32.Packed.Themida
Create hunting rule
Status:
Malicious
First seen:
2021-07-14 10:50:09 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  1/5
Verdict:
malicious
Similar samples:
3ec8d6d1645881d59332953e0da03a3207d34f985dd88e975ca8bf65fb7cc3c1
RedLineStealer
55d33f116ca5cbd1e8bbf9151c2f457f7f045c8b00b7980cada01d20e9bd29c6
RedLineStealer
6ba57cb21a12212bb988ccfc64bfadb07bc25b332905f3db1b84665c3a5ca5ce
RedLineStealer
757e7c2569cc52c9e1639fbca06e957cb40f775d5cb1a8aafa670131b62b0824
RedLineStealer
7c7cff0a48bcfe565fb02e3a39087ce2ad56d5b1c57b229f2d0142f41b7ab191
RedLineStealer
8aa1689d6acacf9f2eb2603db52dc5908e1ec5d80000deec13e2e038c2883413
RedLineStealer
9fefa41ed2d1032a787fbe2c1d8f1f4d3d93c717b4ab7aef6de94d50012b113c
RedLineStealer
a034705c6ed17fa615435d02d6419e18ffe9a7f16f1f1c712a657aa1a0d90193
RedLineStealer
c4702d094a59e34bc751b502a0e6f72c8689016e102b06b146306460e78e54a5
RedLineStealer
+ 463 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery evasion infostealer spyware stealer themida trojan
Link:
https://tria.ge/reports/210714-4xmrkpz77n/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RedLine
Unpacked files
SH256 hash:
dcb842f5e0da9d486cad34d4b809dcaadf9ec4d6991fdb22bdc9aea66489ad1a
MD5 hash:
c02a029c978f13b753c6b578b1588c75
SHA1 hash:
e125d59451e7f467bfd329a00a506decbcd91d83
Link:
https://www.unpac.me/results/1a7a4b5a-9dd1-473d-88a6-723e1073a932/
SH256 hash:
14754f307601049ba389cf7b9536db2049193b31f05330c7b6d4cb5cd8fa081f
MD5 hash:
57f367e007e1d4ac008b2cb2b9acf69d
SHA1 hash:
f374b9f2e2109c721f61bdbd62b6580803a7fd2e
Link:
https://www.unpac.me/results/1a7a4b5a-9dd1-473d-88a6-723e1073a932/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.84
Link:
https://yomi.yoroi.company/submissions/14754f307601049ba389cf7b9536db2049193b31f05330c7b6d4cb5cd8fa081f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:RedLine
Create hunting rule
Author:@bartblaze
Description:Identifies RedLine stealer.
Rule name:redline_new_bin
Create hunting rule
Author:James_inthe_box
Description:Redline stealer
Reference:https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/171631/

Comments