MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 200b64a2d1d30811d3feae4a361bd652104ecc7ac98c7c4804f0bbf2bb47028e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 200b64a2d1d30811d3feae4a361bd652104ecc7ac98c7c4804f0bbf2bb47028e
SHA3-384 hash: 14b807737b88da15e1551c4f6b0793bdae9f7345b7c12cbd763e380669fa6b12fd43cbe771a969a6dda0e7da06f8252e
SHA1 hash: 3a394b794188405145b5dc9fb429d21fb825cf96
MD5 hash: 1da626c5f74615504f81a634de8cfa23
humanhash: winner-hydrogen-network-sodium
File name:3a394b794188405145b5dc9fb429d21fb825cf96.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:27'160 bytes
First seen:2021-06-23 20:16:23 UTC
Last seen:2021-06-23 20:34:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'737 x AgentTesla, 19'596 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 384:I0Us8sa2fBFLciBNt1MT5qLaEXNdm+v5R/L0GftpBjBTRFtAHRN7el1YbOA:I0UsK2f/DukLaEaniq84OA
Threatray 15 similar samples on MalwareBazaar
TLSH 1BC26BA18BAC9943DDA349B0A3A8D5C33E3CB7DB1D10E66A19D6E1D51DC37C05B04A3D
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
45.93.201.110:60104

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
45.93.201.110:60104 https://threatfox.abuse.ch/ioc/152905/

Intelligence

File Origin
# of uploads :
2
# of downloads :
107
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3a394b794188405145b5dc9fb429d21fb825cf96.exe
Verdict:
Malicious activity
Analysis date:
2021-06-23 20:21:35 UTC
Tags:
trojan rat redline stealer loader
Link:
https://app.any.run/tasks/79071995-4067-4d0d-8ef2-28affaae02ad

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.30624.13270.11905.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine infostealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cde043ba-61e8-4f20-82ec-ee4eb68a232d
Result
Threat name:
Ficker Stealer RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/806867
Signature
Contains functionality to hide a thread from the debugger
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected Ficker Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 439278 Sample: 8Nrl1bUmnu.exe Startdate: 23/06/2021 Architecture: WINDOWS Score: 100 39 Multi AV Scanner detection for domain / URL 2->39 41 Found malware configuration 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 4 other signatures 2->45 7 8Nrl1bUmnu.exe 15 8 2->7         started        process3 dnsIp4 31 apdocroto.gq 104.21.14.60, 49714, 80 CLOUDFLARENETUS United States 7->31 29 C:\Users\user\AppData\...\npdu5q4v.newcfg, XML 7->29 dropped 47 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 7->47 49 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 7->49 51 Hides threads from debuggers 7->51 53 2 other signatures 7->53 12 8Nrl1bUmnu.exe 30 7->12         started        16 WerFault.exe 23 9 7->16         started        19 cmd.exe 1 7->19         started        21 WerFault.exe 7->21         started        file5 signatures6 process7 dnsIp8 33 45.93.201.110, 49726, 49733, 60104 ASBAXETNRU Russian Federation 12->33 35 api.ip.sb 12->35 37 192.168.2.1 unknown unknown 12->37 55 Tries to harvest and steal browser information (history, passwords, etc) 12->55 57 Tries to steal Crypto Currency Wallets 12->57 27 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 16->27 dropped 59 Tries to evade analysis by execution special instruction which cause usermode exception 16->59 23 conhost.exe 19->23         started        25 timeout.exe 1 19->25         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/200b64a2d1d30811d3feae4a361bd652104ecc7ac98c7c4804f0bbf2bb47028e/
Threat name:
ByteCode-MSIL.Trojan.Tenga
Create hunting rule
Status:
Malicious
First seen:
2021-06-22 08:14:27 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eafwjiwr2mebdu76vzfdmg6wkiie5td2zgghysae6c57fo2hakha._file
Verdict:
malicious
Similar samples:
1c0eb090ad769cdd943476e9300d57e553ad24f099408334b8c0370ee9bb7648
RedLineStealer
47f55d901f3a0fcc649afa6e44bd4307fffd877ac92a33fde21992a93e54b27d
RedLineStealer
70d86fc8d1247dcd26ed0927411614973d45216d676978f768e14cb16d362536
RedLineStealer
79afc9b39ba7fe7dd6ed282d39eb915bb47271d552177f62c6606b99901f9cd2
RedLineStealer
916df1aaac228a40f1981b539742aee6d0009fdce746f14eb646a7c70fa2cc4d
RedLineStealer
9a693191c99ec28e49e610cd89af5137fb077ad8b4d7452828dbabd055e65384
RedLineStealer
9dd91a17703dba0d4582e24431c17eac4fdca602ea8d14f4f43afcc2657b3bbc
RedLineStealer
ceb9cf440fc521f09a503e90889acb7f51b4c39ce8a8c4d37dd8304fca2db4ce
RedLineStealer
d1fa4207d7c46c5f84b1c45e7b5d09aa9c99c896b0e25664bee3b13fcaabcfad
RedLineStealer
f2e2cb71a06ac2a95a02168fc3d91f160e6e07ca19c5e6d3d708a9a486dd3f92
RedLineStealer
+ 5 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210623-ar6yb9akp6/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
RedLine
RedLine Payload
Unpacked files
SH256 hash:
200b64a2d1d30811d3feae4a361bd652104ecc7ac98c7c4804f0bbf2bb47028e
MD5 hash:
1da626c5f74615504f81a634de8cfa23
SHA1 hash:
3a394b794188405145b5dc9fb429d21fb825cf96
Link:
https://www.unpac.me/results/a48ebec9-9c2f-42bf-a0a3-2d5898b8455a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.11
Link:
https://yomi.yoroi.company/submissions/200b64a2d1d30811d3feae4a361bd652104ecc7ac98c7c4804f0bbf2bb47028e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:Telegram_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Telegram in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments