MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 187b5a3489b7f7467b659ee9c980080ac2badcd8ebb8d78f5b49779d6f701c25. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 187b5a3489b7f7467b659ee9c980080ac2badcd8ebb8d78f5b49779d6f701c25
SHA3-384 hash: ef2070a86d7bab1c4ee269a57dc5622cbfaf8d138c80e42dee194cc6670a863cc2cfc37972766fa218b1b92f5f4347fb
SHA1 hash: 81cdff424f607d6ecbbb17221c4fd4bd8f9c5d58
MD5 hash: af160e77d8ff8c7a2474ae120f79fb40
humanhash: mango-carpet-lemon-thirteen
File name:af160e77d8ff8c7a2474ae120f79fb40.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:595'968 bytes
First seen:2022-10-20 16:24:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 62fa6140919ca43688c707cc0e676ecc (3 x RedLineStealer)
ssdeep 12288:n5V3XZwqZn0CXWzqyE84K4SOd3WqVXXtMu1Lw9rE0IqLTGkERlre4:nxnZmSGeHGCUrdQkERlr
Threatray 561 similar samples on MalwareBazaar
TLSH T19EC4BE6C738288B5DBB315328DEC42B786293DEF03591BE723E4172D6B246D19B3058E
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
233
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
af160e77d8ff8c7a2474ae120f79fb40.exe
Verdict:
Malicious activity
Analysis date:
2022-10-20 16:29:49 UTC
Tags:
trojan rat redline stealer
Link:
https://app.any.run/tasks/a10d8be4-c956-45a4-a23d-065f6624d9ba

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/322081/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader45.24993.2889.30609.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/63517660a67b0a5ed57a880f/reports/782cd21c-1aa1-4f52-acc0-b67b71bcd3c8/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1193c7d3-cbad-47b9-83db-9db3779ee20c
Result
Threat name:
RedLine, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1094333
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found hidden mapped module (file has been removed from disk)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample is not signed and drops a device driver
Sigma detected: Stop multiple services
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 726974 Sample: jM4M5ZINEZ.exe Startdate: 20/10/2022 Architecture: WINDOWS Score: 100 121 Snort IDS alert for network traffic 2->121 123 Malicious sample detected (through community Yara rule) 2->123 125 Antivirus detection for URL or domain 2->125 127 10 other signatures 2->127 11 jM4M5ZINEZ.exe 2->11         started        14 updater.exe 2->14         started        17 punpun.exe 2 2->17         started        19 4 other processes 2->19 process3 file4 143 Writes to foreign memory regions 11->143 145 Allocates memory in foreign processes 11->145 147 Injects a PE file into a foreign processes 11->147 21 RegSvcs.exe 1 17 11->21         started        101 C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+ 14->101 dropped 103 C:\Users\user\AppData\Local\Temp\627E.tmp, PE32+ 14->103 dropped 105 C:\Users\user\AppData\Local\Temp\5280.tmp, PE32+ 14->105 dropped 149 Multi AV Scanner detection for dropped file 14->149 151 Protects its processes via BreakOnTermination flag 14->151 153 Modifies the context of a thread in another process (thread injection) 14->153 155 4 other signatures 14->155 25 cmd.exe 14->25         started        28 powershell.exe 14->28         started        30 powershell.exe 14->30         started        32 conhost.exe 17->32         started        34 conhost.exe 19->34         started        signatures5 process6 dnsIp7 113 79.137.196.121, 1488, 49709 PSKSET-ASRU Russian Federation 21->113 115 nanoplow.space 31.31.196.159, 443, 49710 AS-REGRU Russian Federation 21->115 91 C:\Users\user\AppData\Roaming\...\punpun.exe, PE32 21->91 dropped 93 C:\Users\user\AppData\...\InfoPacPac.exe, PE32 21->93 dropped 95 C:\Users\user\AppData\Local\...\zxc[1].exe, PE32 21->95 dropped 36 InfoPacPac.exe 1 21->36         started        141 Uses cmd line tools excessively to alter registry or file data 25->141 39 conhost.exe 25->39         started        41 sc.exe 25->41         started        43 sc.exe 25->43         started        49 6 other processes 25->49 45 conhost.exe 28->45         started        47 conhost.exe 30->47         started        file8 signatures9 process10 signatures11 129 Writes to foreign memory regions 36->129 131 Injects a PE file into a foreign processes 36->131 51 vbc.exe 15 40 36->51         started        56 conhost.exe 36->56         started        process12 dnsIp13 107 79.137.192.6, 49711, 49713, 49715 PSKSET-ASRU Russian Federation 51->107 109 api.ip.sb 51->109 111 mamamiya137.ru 79.137.192.10, 443, 49714 PSKSET-ASRU Russian Federation 51->111 89 C:\Users\user\AppData\Local\...89ETSvc12.exe, PE32+ 51->89 dropped 133 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 51->133 135 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 51->135 137 Tries to harvest and steal browser information (history, passwords, etc) 51->137 139 Tries to steal Crypto Currency Wallets 51->139 58 NETSvc12.exe 51->58         started        62 conhost.exe 51->62         started        file14 signatures15 process16 file17 97 C:\Users\user\AppData\Roaming\...\updater.exe, PE32+ 58->97 dropped 99 C:\Windows\System32\drivers\etc\hosts, Non-ISO 58->99 dropped 157 Multi AV Scanner detection for dropped file 58->157 159 Modifies the hosts file 58->159 161 Adds a directory exclusion to Windows Defender 58->161 64 cmd.exe 58->64         started        67 powershell.exe 58->67         started        69 powershell.exe 58->69         started        71 powershell.exe 58->71         started        signatures18 process19 signatures20 117 Uses cmd line tools excessively to alter registry or file data 64->117 73 conhost.exe 64->73         started        75 sc.exe 64->75         started        77 sc.exe 64->77         started        87 8 other processes 64->87 119 Uses schtasks.exe or at.exe to add and modify task schedules 67->119 79 conhost.exe 67->79         started        81 conhost.exe 69->81         started        83 schtasks.exe 69->83         started        85 conhost.exe 71->85         started        process21
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/187b5a3489b7f7467b659ee9c980080ac2badcd8ebb8d78f5b49779d6f701c25/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-10-19 20:33:17 UTC
File Type:
PE (Exe)
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=db5vunejw73um63ft3u4taaiblblvxgy5o4npd23jf3z233qdqsq._file
Verdict:
malicious
Similar samples:
3519c802164ad7fbb26b86834083ecc83039f05fdd2915a8e54091461629b08a
RedLineStealer
a6071a55f52e33afc85e2a6c018f32c34d9462d6952692c3abbbb1419da714c4
RedLineStealer
bfb370ec7c9814fef28e29192840d156e47df10483a5f8f6fa12d2d9b31aee82
RedLineStealer
d1020d62fc78a0788873d31b905fbfd037f58a1f9b538999c7212fe34c7019f2
RedLineStealer
f414b58167438e77909afa13c1e137874fb7aad4983d30cd9b769f205ace0078
RedLineStealer
f6e0ba510c7aa4cea2f2cbd444993d6158fd0a948f2b8ef94042b96529089586
RedLineStealer
+ 551 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/221020-twx31sddf7/
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/83debdff-c467-4fa9-9fbf-02f4137ac289
Unpacked files
SH256 hash:
187b5a3489b7f7467b659ee9c980080ac2badcd8ebb8d78f5b49779d6f701c25
MD5 hash:
af160e77d8ff8c7a2474ae120f79fb40
SHA1 hash:
81cdff424f607d6ecbbb17221c4fd4bd8f9c5d58
Link:
https://www.unpac.me/results/d0dc5d98-9578-48c6-bfb0-deb6945cae41/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/187b5a3489b7f7467b659ee9c980080ac2badcd8ebb8d78f5b49779d6f701c25

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 187b5a3489b7f7467b659ee9c980080ac2badcd8ebb8d78f5b49779d6f701c25

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/322081/
  
URLhaus
https://urlhaus.abuse.ch/url/2375666/
  
Delivery method
Distributed via web download

Comments