MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 14782d7a1d24ea4bfd979515a5514ec4efc57dc86099c6d9269650393c124cad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 18


Intelligence 18 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 14782d7a1d24ea4bfd979515a5514ec4efc57dc86099c6d9269650393c124cad
SHA3-384 hash: bd4229a378777136a878746cb1f36cfd2a707d03061831784b7b765324b17354a850d78ba3958af14ed550818dd4fddd
SHA1 hash: 3815baf35f8020fda410ac3cf7ed3d2bc531f676
MD5 hash: be65fda215b4ae51930028a743042998
humanhash: oklahoma-mountain-lima-black
File name:be65fda215b4ae51930028a743042998.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:588'800 bytes
First seen:2023-06-20 18:35:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2fe73b1edf18bd6736d0f71d5f78f29c (1 x LaplasClipper, 1 x RedLineStealer)
ssdeep 6144:ibov37S4OHn8MDEYeCpf/bgIvect0t9cNeC7KTI:iUv37SybCpfdJ0t99iKT
Threatray 26 similar samples on MalwareBazaar
TLSH T1F1C417553480806BE976DBB324507BF7494AE4616B4D0AB73E44C7F189E0DAFFA9083B
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
http://185.209.161.189/bot/regex

Intelligence

File Origin
# of uploads :
1
# of downloads :
311
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
be65fda215b4ae51930028a743042998.exe
Verdict:
Malicious activity
Analysis date:
2023-06-20 18:37:40 UTC
Tags:
rat redline
Link:
https://app.any.run/tasks/eac14bd2-c790-4212-a362-172fff944371

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/401170/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.67575263.26130.26410.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Creating a window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file in the %temp% directory
Creating a process from a recently created file
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/91949/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/6491f19273cb23e4dbf7ef37/reports/5f019721-a5dc-45bc-adf9-58954773137c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/14782d7a1d24ea4bfd979515a5514ec4efc57dc86099c6d9269650393c124cad
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/de15e3c1-9539-4379-aa50-1c76fc003c52
Result
Threat name:
MinerDownloader, Laplas Clipper, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1258566
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to inject code into remote processes
DNS related to crypt mining pools
Drops PE files with benign system names
Encrypted powershell cmdline option found
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Schedule system process
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic MinerDownloader
Yara detected Laplas Clipper
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 891588 Sample: x5GIQUF5hi.exe Startdate: 20/06/2023 Architecture: WINDOWS Score: 100 102 xmr-eu1.nanopool.org 2->102 120 Snort IDS alert for network traffic 2->120 122 Found malware configuration 2->122 124 Malicious sample detected (through community Yara rule) 2->124 126 15 other signatures 2->126 13 x5GIQUF5hi.exe 1 2->13         started        16 cmd.exe 2->16         started        18 cmd.exe 2->18         started        20 2 other processes 2->20 signatures3 process4 signatures5 144 Contains functionality to inject code into remote processes 13->144 146 Writes to foreign memory regions 13->146 148 Allocates memory in foreign processes 13->148 150 Injects a PE file into a foreign processes 13->150 22 AppLaunch.exe 15 7 13->22         started        27 WerFault.exe 20 9 13->27         started        29 conhost.exe 13->29         started        31 conhost.exe 16->31         started        33 chcp.com 16->33         started        35 conhost.exe 18->35         started        process6 dnsIp7 104 94.142.138.4, 49688, 80 IHOR-ASRU Russian Federation 22->104 106 217.196.96.158, 49690, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 22->106 108 2 other IPs or domains 22->108 96 C:\Users\user\AppData\Local\...\svchost.exe, PE32+ 22->96 dropped 98 C:\Users\user\AppData\Local\...\conhost.exe, PE32 22->98 dropped 132 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 22->132 134 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 22->134 136 Tries to harvest and steal browser information (history, passwords, etc) 22->136 138 2 other signatures 22->138 37 conhost.exe 8 22->37         started        41 svchost.exe 1 2 22->41         started        100 C:\ProgramData\Microsoft\...\Report.wer, Unicode 27->100 dropped file8 signatures9 process10 file11 90 C:\Users\user\AppData\Local\Temp\...\7z.exe, PE32+ 37->90 dropped 92 C:\Users\user\AppData\Local\Temp\...\7z.dll, PE32+ 37->92 dropped 128 Multi AV Scanner detection for dropped file 37->128 43 cmd.exe 2 37->43         started        94 C:\Users\user\AppData\Roaming\...\ntlhost.exe, PE32+ 41->94 dropped 130 Machine Learning detection for dropped file 41->130 45 ntlhost.exe 41->45         started        signatures12 process13 process14 47 BuildMiner.exe 43->47         started        52 7z.exe 2 43->52         started        54 7z.exe 3 43->54         started        56 5 other processes 43->56 dnsIp15 110 github.com 140.82.121.3, 443, 49692, 49693 GITHUBUS United States 47->110 112 raw.githubusercontent.com 185.199.111.133, 443, 49695, 49696 FASTLYUS Netherlands 47->112 114 pastebin.com 104.20.67.143, 443, 49691 CLOUDFLARENETUS United States 47->114 80 C:\ProgramData\Dllhost\winlogson.exe, PE32+ 47->80 dropped 82 C:\ProgramData\Dllhost\dllhost.exe, PE32 47->82 dropped 84 C:\ProgramData\Dllhost\WinRing0x64.sys, PE32+ 47->84 dropped 86 C:\ProgramData\HostData\logs.uce, ASCII 47->86 dropped 116 Sample is not signed and drops a device driver 47->116 58 cmd.exe 47->58         started        61 cmd.exe 47->61         started        63 cmd.exe 47->63         started        88 C:\Users\user\AppData\...\BuildMiner.exe, PE32 52->88 dropped file16 signatures17 process18 signatures19 140 Encrypted powershell cmdline option found 58->140 142 Uses schtasks.exe or at.exe to add and modify task schedules 58->142 65 powershell.exe 58->65         started        68 conhost.exe 58->68         started        70 conhost.exe 61->70         started        72 schtasks.exe 61->72         started        74 conhost.exe 63->74         started        76 schtasks.exe 63->76         started        process20 signatures21 118 Query firmware table information (likely to detect VMs) 65->118 78 wermgr.exe 65->78         started        process22
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/14782d7a1d24ea4bfd979515a5514ec4efc57dc86099c6d9269650393c124cad/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-06-17 06:31:00 UTC
File Type:
PE (Exe)
AV detection:
25 of 37 (67.57%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cr4c26q5etvex7mxsuk2kukoytx4k7oimcm4nwjgszidspasjswq._file
Verdict:
malicious
Similar samples:
14529dca41abfea65abb51c84ec34ba0a951581586f98cef60213ae949a78320
RedLineStealer
1d38b7669f2dcddcf429fef7dc3e37f613caffb8794f1b923b753ac6a38e4094
RedLineStealer
2767d4128fc88d587b6681fcff44a8694833e95da510eca60750540e42f2e418
RedLineStealer
2c63c61e0adaaf669c9c674edfc9081d415c05b834611944a682f120ab9559d8
RedLineStealer
338447d40e099471b745ab89c003011a8e3443fd687845a199b76ed67f462516
RedLineStealer
40aac7a5a709361db31b5189b42650d420548ace3f0da200e42a64fef2d3b923
RedLineStealer
4894fe2f0b87652614e926f8ed796d6f7655108011a8579b7efe3f6f0f886a7d
RedLineStealer
f2cde4100fdbb5841b0f68e1c5dbba912b38478e64698c0238edb62415d1ad70
RedLineStealer
f65152edceb657dc8745194f2b3f0c02ec64b82e4131fe6859afadaf4e39a87f
RedLineStealer
+ 16 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:@mamont0w infostealer spyware
Link:
https://tria.ge/reports/230620-w8wf3aeh6z/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
RedLine
Malware Config
C2 Extraction:
94.142.138.4:80
Unpacked files
SH256 hash:
ef84d4a14f5d127b0437d009f3206471b99622249c18cbf719698337d6df8195
MD5 hash:
6213f16c3b5be7cd93bae7dbdabc906e
SHA1 hash:
661f5c6e52372043fb704288fc01862c354e5581
Link:
https://www.unpac.me/results/d6d74be4-82b6-4b54-98da-d5628c1581f3/
SH256 hash:
703b8737c13a8ec2614fcbc0c524a7bb38addf55445ae1eb2f06f68cf95b184d
MD5 hash:
8908d110f883816911f7effae61f6d38
SHA1 hash:
fd9ba2b1126f8fdc6a152192fb38103e34419776
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/d6d74be4-82b6-4b54-98da-d5628c1581f3/
SH256 hash:
14782d7a1d24ea4bfd979515a5514ec4efc57dc86099c6d9269650393c124cad
MD5 hash:
be65fda215b4ae51930028a743042998
SHA1 hash:
3815baf35f8020fda410ac3cf7ed3d2bc531f676
Link:
https://www.unpac.me/results/d6d74be4-82b6-4b54-98da-d5628c1581f3/
Malware family:
RedLine.E
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/14782d7a1d24/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/14782d7a1d24ea4bfd979515a5514ec4efc57dc86099c6d9269650393c124cad

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer_1
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/401170/

Comments