MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2738373f0b008beb61553747e56cb623befa5e44a43b322cc4b74e7508ec24cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2738373f0b008beb61553747e56cb623befa5e44a43b322cc4b74e7508ec24cb
SHA3-384 hash: 87882113143e60d471a87dcc9fa5ad240bfbf44f39e35c039ae90ede2a8cffa646c5732b193dff46cdf249f610aed331
SHA1 hash: b729577d98a5f41218639e5f2406f6f54a09a083
MD5 hash: 1b831d6762d505bdb1d3588965767e5e
humanhash: london-hamper-three-fifteen
File name:1B831D6762D505BDB1D3588965767E5E.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:2'398'241 bytes
First seen:2021-06-10 20:25:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a1a66d588dcf1394354ebf6ec400c223 (49 x RedLineStealer, 7 x CryptBot, 4 x AZORult)
ssdeep 49152:T5+hFcMtmeBse0i0+wMHohjENLfayUmOH0K7893u2ecWraUE7ndI/fM1:T5aFc1eBsI0QIhi2UF9+GOaV7q/01
Threatray 207 similar samples on MalwareBazaar
TLSH 21B533016AC1437FD6973F7152D96C43B4F2FB290B070ACBA3D5070B686ABD0E53A669
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
77.246.145.4:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
77.246.145.4:80 https://threatfox.abuse.ch/ioc/85644/

Intelligence

File Origin
# of uploads :
1
# of downloads :
226
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1B831D6762D505BDB1D3588965767E5E.exe
Verdict:
No threats detected
Analysis date:
2021-06-10 20:26:16 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/48cb2f88-5b23-4df1-ad90-f058a60a3e42

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/165964/
Detection(s):
Win.Trojan.Coinminer-9835184-0
Create hunting rule

PUA.Win.Downloader.Driverpack-6998194-0
Create hunting rule

PUA.Win.Adware.Generic-7505646-0
Create hunting rule

PUA.Win.File.Generic-7557964-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching a process
Moving a file to the %temp% subdirectory
Creating a process from a recently created file
Replacing files
Enabling the 'hidden' option for files in the %temp% directory
Sending a UDP request
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a file
Deleting a recently created file
Reading critical registry keys
Unauthorized injection to a recently created process
Connection attempt to an infection source
Stealing user critical data
Sending an HTTP POST request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/800505
Signature
Antivirus detection for dropped file
Contains functionality to register a low level keyboard hook
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 432901 Sample: mABjln5TWY.exe Startdate: 10/06/2021 Architecture: WINDOWS Score: 100 48 Found malware configuration 2->48 50 Antivirus detection for dropped file 2->50 52 Multi AV Scanner detection for dropped file 2->52 54 3 other signatures 2->54 9 mABjln5TWY.exe 7 2->9         started        process3 file4 32 C:\Users\user\AppData\Local\Temp\...\7z.exe, PE32+ 9->32 dropped 34 C:\Users\user\AppData\Local\Temp\...\7z.dll, PE32+ 9->34 dropped 56 Contains functionality to register a low level keyboard hook 9->56 13 cmd.exe 2 9->13         started        signatures5 process6 process7 15 @verhsa.exe 15 25 13->15         started        19 7z.exe 2 13->19         started        22 7z.exe 2 13->22         started        24 5 other processes 13->24 dnsIp8 36 xiplisineld.xyz 77.246.145.4, 49730, 49737, 49738 THEFIRST-ASRU Russian Federation 15->36 38 api.ip.sb 15->38 40 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 15->40 42 Performs DNS queries to domains with low reputation 15->42 44 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 15->44 46 2 other signatures 15->46 30 C:\Users\user\AppData\Local\...\@verhsa.exe, PE32 19->30 dropped 26 MpCmdRun.exe 1 22->26         started        file9 signatures10 process11 process12 28 conhost.exe 26->28         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2738373f0b008beb61553747e56cb623befa5e44a43b322cc4b74e7508ec24cb/
Threat name:
Win32.PUA.Wacapew
Create hunting rule
Status:
Malicious
First seen:
2021-06-08 01:10:00 UTC
AV detection:
8 of 29 (27.59%)
Threat level:
  1/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=e44dopylacf6wykvg5d6k3fweo7puxseuq5telgew5hhkchmetfq._file
Verdict:
malicious
Similar samples:
06607b04da0cd27e4a7abff3df7ee0be86df8226e81a5706351526a3101d2aa2
RedLineStealer
22f8d1582e34c1754955d616542d3bf5e784d357ed58dd45e6bc3a5df9c82446
RedLineStealer
3688975dcd3f7829cfe55f7dd46166e0d6bd46c842c169c9fb4adb317f1d571f
RedLineStealer
41bd1c7a896dade70b5e81588a20f0737f30c8ec164990f4da3f788dc843d7d1
RedLineStealer
5d5c572bd9c5a93783e2fbd7c551b54570ab531df2b7d1b93758453c4124db03
RedLineStealer
948fb39f8d7058b029ea1b36937c544ccaefab83d03fe6e7f609289c1f46dba8
RedLineStealer
980e27f0cf3ceda9a21d8651765a6eeedb513b7a169e31a4108ca6ce209de34f
RedLineStealer
c059548509d5ca453810776ad5bdea3440fb122b361211616d7300cc3b25fac0
RedLineStealer
c3b699aaaf2a476cf84ca13efd09ac86e66b501e3baaa5b0ef7cdabc47ee9ec1
RedLineStealer
e784ba83c1139d2d9880a2cd5546d1d7716694452ea84367fa9c238f97d5e5ad
RedLineStealer
+ 197 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:@verhsa discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210610-pg8gel4hba/
Behaviour
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
RedLine
RedLine Payload
Malware Config
C2 Extraction:
xiplisineld.xyz:80
Unpacked files
SH256 hash:
f75624b9f913934cd97b05b1bc3d6f7c39c42f9912ff0ccea7bbf4e1be0a19d8
MD5 hash:
de8b67e8048bff9ee2d313ff9d0fb3d2
SHA1 hash:
6851013656250a8860bcae4a6b6cecfeeb3ba580
Link:
https://www.unpac.me/results/62ff8a79-9f34-44d3-a3c1-a8bd44efe17e/
SH256 hash:
2738373f0b008beb61553747e56cb623befa5e44a43b322cc4b74e7508ec24cb
MD5 hash:
1b831d6762d505bdb1d3588965767e5e
SHA1 hash:
b729577d98a5f41218639e5f2406f6f54a09a083
Link:
https://www.unpac.me/results/62ff8a79-9f34-44d3-a3c1-a8bd44efe17e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2738373f0b008beb61553747e56cb623befa5e44a43b322cc4b74e7508ec24cb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/165964/

Comments