MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d322ad6c295b0ee8a552e96ac231c4d9259141c9ed22f7319c7f169eaecee71. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1d322ad6c295b0ee8a552e96ac231c4d9259141c9ed22f7319c7f169eaecee71
SHA3-384 hash: 30a2b894b20e313ff9aa7f97c916fa4263a9672a21b8cc137fd56fa633087a04ea13bc2e1849db6aaa6ab522e78280d0
SHA1 hash: 22ab9cc3bdce1e177f5fac0e745229dacde1d07a
MD5 hash: cf31bb1b26f00448ed2f1359d403fa59
humanhash: ten-river-stairway-three
File name:Install.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:324'608 bytes
First seen:2021-08-11 12:04:37 UTC
Last seen:2021-08-11 12:55:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d3a683e5c9bc8c05c0c2f946c056969b (2 x RaccoonStealer, 1 x Smoke Loader, 1 x ArkeiStealer)
ssdeep 6144:QJ5m8CQqj8bx5yoZQPg7nju+dEd7DhTd+IJN00nm7knGyHM:QJ5s8VkoZmg7fdEd7VhxZmI
Threatray 256 similar samples on MalwareBazaar
TLSH T1AF64E012BEB8D9B2D49705314826C7E41A7FBD11BE24514B77AA3FAFFE703D1162120A
dhash icon 4839b2b0e8c38890 (105 x RaccoonStealer, 38 x Smoke Loader, 33 x RedLineStealer)
Reporter Anonymous
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
3
# of downloads :
124
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/178233/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.23230.2208.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
Sending an HTTP POST request
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Creating a window
Using the Windows Management Instrumentation requests
Sending an HTTP GET request
Creating a process from a recently created file
Searching for analyzing tools
Searching for the window
Creating a file
Launching the default Windows debugger (dwwin.exe)
Launching a process
Creating a process with a hidden window
Stealing user critical data
Unauthorized injection to a recently created process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
SpyEye
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/658fca8b-2126-4cea-bdd4-bab91a78d685
Result
Threat name:
Clipboard Hijacker RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/830963
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (overwrites its own PE header)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Clipboard Hijacker
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 463398 Sample: Install.exe Startdate: 11/08/2021 Architecture: WINDOWS Score: 100 53 Antivirus detection for URL or domain 2->53 55 Multi AV Scanner detection for dropped file 2->55 57 Multi AV Scanner detection for submitted file 2->57 59 11 other signatures 2->59 8 Install.exe 15 41 2->8         started        process3 dnsIp4 47 45.14.49.109, 49727, 49732, 49733 ITGLOBAL-NL Netherlands 8->47 49 45.137.190.197, 49734, 49735, 80 BITWEB-ASRU Russian Federation 8->49 51 api.ip.sb 8->51 35 C:\Users\user\AppData\Local\Temp\mine.exe, PE32+ 8->35 dropped 37 C:\Users\user\AppData\Local\Temp\clip.exe, PE32 8->37 dropped 39 C:\Users\user\AppData\...\Install.exe.log, ASCII 8->39 dropped 61 Detected unpacking (overwrites its own PE header) 8->61 63 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->63 65 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 8->65 67 2 other signatures 8->67 13 mine.exe 2 2 8->13         started        17 clip.exe 6 8->17         started        19 conhost.exe 8->19         started        file5 signatures6 process7 file8 41 C:\Users\user\AppData\...\MicrosoftApi.exe, PE32+ 13->41 dropped 69 Multi AV Scanner detection for dropped file 13->69 71 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 13->71 73 Query firmware table information (likely to detect VMs) 13->73 79 3 other signatures 13->79 21 WerFault.exe 20 9 13->21         started        43 C:\Users\user\AppData\Roaming\bogftd.exe, PE32 17->43 dropped 45 C:\Users\user\AppData\Local\...\tmp6762.tmp, XML 17->45 dropped 75 Uses schtasks.exe or at.exe to add and modify task schedules 17->75 77 Injects a PE file into a foreign processes 17->77 23 clip.exe 1 17->23         started        25 schtasks.exe 1 17->25         started        27 clip.exe 17->27         started        signatures9 process10 process11 29 clip.exe 23->29         started        31 conhost.exe 23->31         started        33 conhost.exe 25->33         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1d322ad6c295b0ee8a552e96ac231c4d9259141c9ed22f7319c7f169eaecee71/
Threat name:
Win32.Trojan.Zenpak
Create hunting rule
Status:
Malicious
First seen:
2021-08-11 12:05:09 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=duzcvvwcswyo5csvf2lkyiy4jwjfsfa4t3jc64yzy7ywt2xm5zyq._file
Verdict:
malicious
Similar samples:
0284735896363aeae81486be25751824f82b385dd4b6150358ff9b68c36c71e2
RedLineStealer
0389ffef740d3bd365f2b699ac006b478a5346a1dc2383e10fd5152771641c0b
RedLineStealer
3a6c6ec5b5e168e0452009714a8d37581459b8d386c26ef69c98a6802d5e65d6
RedLineStealer
6da210965cd769856bbcb8bb501abf25c832f0f6a70e73240436629ce6362fa9
RedLineStealer
9169cc1093e14262e9d08db10152ee815f88ed87d12bc7b934c3645d23f347ea
RedLineStealer
97c558bcbdaf21258e91098900d19e1ba944379a779a6a7c57aec46ea3de5438
RedLineStealer
c1f1b8f358e98ae14b424dd8d57e022b8dc68c7c5f14a8d3dea8f1e66601f351
RedLineStealer
d7854719c33f72a1afa0c562bdf44a8941b4017fbe90a215636aad91d1bf4f10
RedLineStealer
+ 246 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:asap discovery evasion infostealer spyware stealer suricata themida trojan upx
Link:
https://tria.ge/reports/210811-cnmm3wtj32/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RedLine
RedLine Payload
suricata: ET MALWARE Generic gate[.].php GET with minimal headers
suricata: ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad
Malware Config
C2 Extraction:
45.14.49.109:54819
Unpacked files
SH256 hash:
6f505247c40b604cbde466f5cb3a1a0961ea583b217c96011a62c53a710c92cc
MD5 hash:
4345f0dae74cce4e8846284e2e5e6254
SHA1 hash:
4f2e862897cf090b70f62d13dd6d26a87178c27e
Link:
https://www.unpac.me/results/399ba331-00a5-4ba1-ad01-9dba95f61b55/
SH256 hash:
d1c56ed6b7f30377c8eb5ad217e4c3f4812c745931196d90808f9e80e9065e64
MD5 hash:
557c2f517e03eb60488c7e996cf9b50e
SHA1 hash:
1b8c0839b880cda6b371786df4f0b840a7b0aad0
Link:
https://www.unpac.me/results/399ba331-00a5-4ba1-ad01-9dba95f61b55/
SH256 hash:
69e3c879660ecfa8a5a705a052d8296b6f9f0e592c91e0fa41dcb8fc4deb42f9
MD5 hash:
c435fefb477e238dcd16e6118b07c47d
SHA1 hash:
182689fbdebe3a70681f6793c3d58b944c87ebf2
Link:
https://www.unpac.me/results/399ba331-00a5-4ba1-ad01-9dba95f61b55/
SH256 hash:
1d322ad6c295b0ee8a552e96ac231c4d9259141c9ed22f7319c7f169eaecee71
MD5 hash:
cf31bb1b26f00448ed2f1359d403fa59
SHA1 hash:
22ab9cc3bdce1e177f5fac0e745229dacde1d07a
Link:
https://www.unpac.me/results/399ba331-00a5-4ba1-ad01-9dba95f61b55/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/1d322ad6c295/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1d322ad6c295b0ee8a552e96ac231c4d9259141c9ed22f7319c7f169eaecee71

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/178233/

Comments