MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 22f6150a22017768dc6c1dca6e473aefc6a1d4fa70f7fac51421017d4fcdb9f6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 11



SHA256 hash: 22f6150a22017768dc6c1dca6e473aefc6a1d4fa70f7fac51421017d4fcdb9f6
SHA3-384 hash: 3b31314794a9f9a0f651058d8b77eeb3c60659d4373296b10a48fd48ab7a5367d82ff256a63e27d17ca061f7f6aa04bd
SHA1 hash: c476b18a3d629d9e812ad48c159b6dee0bfdc498
MD5 hash: 23f12f24d622a174b2c02ba70b07a1a9
humanhash: winter-nine-washington-mars
File name: 22f6150a22017768dc6c1dca6e473aefc6a1d4fa70f7f.exe
Signature: RedLineStealer
File size: 773'512 bytes
First seen: 2021-12-19 14:15:13 UTC
Last seen: 2021-12-19 15:27:14 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep: 6144:UfpjLFYtuMX/gj+V6rQg7LqqgmBSlA3U0P0TZalE2ymZzguDEW+pjng1HJRZgokK:UYXEyEQWLJ+HfmNQ3jngMokmtXg
Threatray: 3'375 similar samples on MalwareBazaar
TLSH: T103F4C91FFDC28E54E942477746E3AB384BA556DB332703CF93A4A5E24AC806DDB0096D
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
45.147.196.146:6213

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 45.147.196.146:6213
ThreatFox reference: https://threatfox.abuse.ch/ioc/277406/

Intelligence


File Origin
# of uploads: 2
# of downloads: 285
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
DNS request
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Creating synchronization primitives
Query of malicious DNS domain
Unauthorized injection to a system process
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: obfuscated overlay packed packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: RedLine stealer
Verdict: Malicious
Result
Threat name: Phoenix Miner RedLine
Detection: malicious
Classification: troj.spyw.evad.mine
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Phoenix Miner
Yara detected RedLine Stealer
Behaviour
Behavior Graph: Behavior Graph ID 542291, sample 22f6150a22017768dc6c1dca6e4..., start date 19/12/2021, architecture WINDOWS, score 100 (graph image not reproduced).
Threat name: ByteCode-MSIL.Trojan.StealerPacker
Status: Malicious
First seen: 2021-12-19 12:26:27 UTC
File Type: PE (.Net Exe)
Extracted files: 3
AV detection: 23 of 27 (85.19%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:cheat discovery evasion infostealer persistence spyware stealer trojan
Behaviour
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
185.215.113.57:50723
45.147.196.146:6213
Unpacked files
SHA256 hash: 46c627489fb8fe96e3b024f249026853909bb5859e0103bc710ce078617d34ef
MD5 hash: 2b787d89cd032d3d8e36999c6440f3e9
SHA1 hash: f8c8950663cf754bb99247701a8b85d00ee4ee92
SHA256 hash: 22f6150a22017768dc6c1dca6e473aefc6a1d4fa70f7fac51421017d4fcdb9f6
MD5 hash: 23f12f24d622a174b2c02ba70b07a1a9
SHA1 hash: c476b18a3d629d9e812ad48c159b6dee0bfdc498
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: EnigmaStub
Author: @bartblaze
Description: Identifies Enigma packer stub.
Rule name: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Author: ditekSHen
Description: Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
Rule name: INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Author: ditekSHen
Description: Detects executables using Telegram Chat Bot
Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer
Rule name: pe_imphash
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.
