MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 221bcfad93520868aec7972924ea2cc5827dbf3da3965e2599b9668033ac7ec8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 221bcfad93520868aec7972924ea2cc5827dbf3da3965e2599b9668033ac7ec8
SHA3-384 hash: 696b8dda2b2fd8dff752a17c67b214f068831bb5bdd26c4c0f1020994cdc22801d596aa6a6778ab1f0d57d92c7967fa7
SHA1 hash: 849ffc490e0366c9e12bae162e0de0fa677003bf
MD5 hash: 805d5aabe2eda8c63adbe040adb92b44
humanhash: wyoming-virginia-diet-violet
File name:softwareinstaller.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:225'458 bytes
First seen:2022-12-05 05:42:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5d1347f36e9b27f5470825188b98453f (1 x DCRat, 1 x RedLineStealer)
ssdeep 6144:mLxc5JmQi0XhkXwhhgOi/0kbpKnDJw/oQ:mLm5JmaxVhOsapKnlax
TLSH T1B424AE6BDF7488C0C864937C9F9BD261ABFCF1C18BCA2B4A746D68B065622C574DC087
TrID 32.2% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
20.5% (.EXE) Win64 Executable (generic) (10523/12/4)
12.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
9.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter tcains1
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
198
Origin country :
US US
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
softwareinstaller.exe
Verdict:
Malicious activity
Analysis date:
2022-12-05 05:36:24 UTC
Tags:
redline trojan rat
Link:
https://app.any.run/tasks/0d7de6ea-090f-4469-88d1-81c296611ee9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/342725/
Detection(s):
Win.Packed.Generic-9980243-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Sending a custom TCP request
Creating a window
Connecting to a non-recommended domain
Сreating synchronization primitives
DNS request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Sending an HTTP GET request
Creating a file
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug anti-vm overlay packed redline spyeye
Link:
https://www.filescan.io/uploads/638d84e7e2c1ea9defe98166/reports/d3bd9241-46ce-4546-99dc-515ac91b2048/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4d31c908-02ae-4f52-a9c2-68c05907c8a0
Result
Threat name:
Laplas Clipper, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1127722
Signature
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Encrypted powershell cmdline option found
Found hidden mapped module (file has been removed from disk)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: Stop multiple services
Snort IDS alert for network traffic
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Laplas Clipper
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 760446 Sample: softwareinstaller.exe Startdate: 05/12/2022 Architecture: WINDOWS Score: 100 114 Snort IDS alert for network traffic 2->114 116 Malicious sample detected (through community Yara rule) 2->116 118 Antivirus detection for URL or domain 2->118 120 10 other signatures 2->120 10 softwareinstaller.exe 1 2->10         started        13 conchsvt.exe 1 2->13         started        15 ofg.exe 2->15         started        17 chrome.exe 2->17         started        process3 signatures4 130 Contains functionality to inject code into remote processes 10->130 132 Writes to foreign memory regions 10->132 134 Allocates memory in foreign processes 10->134 136 Injects a PE file into a foreign processes 10->136 19 vbc.exe 15 12 10->19         started        24 conhost.exe 10->24         started        26 cmd.exe 1 13->26         started        28 schtasks.exe 15->28         started        process5 dnsIp6 104 45.15.156.155, 49694, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 19->104 106 www.idpminic.org 19->106 108 3 other IPs or domains 19->108 90 C:\Users\user\AppData\Local\...\svchost.exe, PE32 19->90 dropped 92 C:\Users\user\AppData\Local\...\conhost.exe, PE32 19->92 dropped 94 C:\Users\user\AppData\Local\...\conchsvt.exe, PE32 19->94 dropped 96 3 other malicious files 19->96 dropped 122 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 19->122 124 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 19->124 126 Tries to harvest and steal browser information (history, passwords, etc) 19->126 128 3 other signatures 19->128 30 chrome.exe 19->30         started        34 brave.exe 2 19->34         started        36 conchsvt.exe 2 19->36         started        44 2 other processes 19->44 38 conhost.exe 26->38         started        40 schtasks.exe 26->40         started        42 conhost.exe 28->42         started        file7 signatures8 process9 file10 98 C:\WindowsbehaviorgraphoogleUpdate.exe, PE32 30->98 dropped 138 Antivirus detection for dropped file 30->138 140 Multi AV Scanner detection for dropped file 30->140 142 Machine Learning detection for dropped file 30->142 152 5 other signatures 30->152 46 GoogleUpdate.exe 30->46         started        50 powershell.exe 30->50         started        64 3 other processes 30->64 100 C:\Users\user\AppData\Local\Temp\66BC.tmp, PE32+ 34->100 dropped 102 C:\Program Filesbehaviorgraphoogle\Chrome\updater.exe, PE32+ 34->102 dropped 144 Writes to foreign memory regions 34->144 146 Modifies the context of a thread in another process (thread injection) 34->146 148 Found hidden mapped module (file has been removed from disk) 34->148 154 2 other signatures 34->154 52 cmd.exe 34->52         started        54 cmd.exe 34->54         started        56 powershell.exe 17 34->56         started        58 powershell.exe 34->58         started        60 cmd.exe 1 36->60         started        150 Tries to detect virtualization through RDTSC time measurements 44->150 62 schtasks.exe 44->62         started        signatures11 process12 dnsIp13 110 api.peer2profit.com 172.66.43.60 CLOUDFLARENETUS United States 46->110 112 51.195.77.248 OVHFR France 46->112 156 Detected unpacking (changes PE section rights) 46->156 158 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 46->158 160 Uses netsh to modify the Windows network and firewall settings 46->160 170 2 other signatures 46->170 74 3 other processes 46->74 66 conhost.exe 50->66         started        76 10 other processes 52->76 162 Modifies power options to not sleep / hibernate 54->162 78 5 other processes 54->78 68 conhost.exe 56->68         started        70 conhost.exe 58->70         started        164 Uses cmd line tools excessively to alter registry or file data 60->164 166 Uses schtasks.exe or at.exe to add and modify task schedules 60->166 168 Uses powercfg.exe to modify the power settings 60->168 80 2 other processes 60->80 72 conhost.exe 62->72         started        82 3 other processes 64->82 signatures14 process15 process16 84 conhost.exe 74->84         started        86 conhost.exe 74->86         started        88 conhost.exe 74->88         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/221bcfad93520868aec7972924ea2cc5827dbf3da3965e2599b9668033ac7ec8/
Threat name:
Win32.Backdoor.Convagent
Create hunting rule
Status:
Malicious
First seen:
2022-12-05 05:43:07 UTC
File Type:
PE (Exe)
AV detection:
13 of 41 (31.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ein47lmtkiegrlwhs4usj2rmywbh3pz5uolf4jmzxftiam5mp3ea._file
Verdict:
malicious
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:@werige evasion infostealer persistence spyware
Link:
https://tria.ge/reports/221205-gekp5sah44/
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Uses the VBS compiler for execution
Downloads MZ/PE file
Executes dropped EXE
Sets service image path in registry
Stops running service(s)
Modifies security service
RedLine
RedLine payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
45.15.156.155:80
Unpacked files
SH256 hash:
e0a0b5c82b6f3a5dad1687f36e838c025b8e4ee764721ff403536a4bf5692fbe
MD5 hash:
02063ad78c095d12dfc0b969ca4355cc
SHA1 hash:
7d766dc6f2fd5f1dd37a17e2856e2445e04c2067
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/0e67fbb9-5e00-4b5a-84d9-e4bb2c81c518/
SH256 hash:
221bcfad93520868aec7972924ea2cc5827dbf3da3965e2599b9668033ac7ec8
MD5 hash:
805d5aabe2eda8c63adbe040adb92b44
SHA1 hash:
849ffc490e0366c9e12bae162e0de0fa677003bf
Link:
https://www.unpac.me/results/0e67fbb9-5e00-4b5a-84d9-e4bb2c81c518/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/221bcfad9352/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/221bcfad93520868aec7972924ea2cc5827dbf3da3965e2599b9668033ac7ec8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AsyncRat_Detection_Dec_2022
Create hunting rule
Author:Potatech
Description:AsyncRat
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Win32_Trojan_RedLineStealer
Create hunting rule
Author:Netskope Threat Labs
Description:Identifies RedLine Stealer samples
Reference:deb95cae4ba26dfba536402318154405

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 221bcfad93520868aec7972924ea2cc5827dbf3da3965e2599b9668033ac7ec8

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/342725/

Comments