MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 274dfd3f3ff0da31cb2163147a83b9fa22bc73b271f15f13e0d8c40ed6ab7ed6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 15

SHA256 hash: 274dfd3f3ff0da31cb2163147a83b9fa22bc73b271f15f13e0d8c40ed6ab7ed6
SHA3-384 hash: db263719017351487a1dbf4e8dd7aa0e4e707bd06410d0bd199ee84922930ad708a2684ba70ff103e3e48a19df3fd799
SHA1 hash: ef9e9b7942cb5f3e1cf5e71fb5ee1901119baa8b
MD5 hash: 2b92b8f8a30cc8e1c1f89f84720aecbf
humanhash: mirror-coffee-moon-coffee
File name: file.exe
Signature: RedLineStealer
File size: 1'140'251 bytes
First seen: 2023-04-08 08:05:17 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 12e12319f1029ec4f8fcbed7e82df162 (389 x DCRat, 52 x RedLineStealer, 51 x Formbook)
ssdeep: 24576:2TbBv5rUyXVM8K14meUWEq+HcReK4FVdsl+By5JPltkJBW8/Qu:IBJ/9Z+eedOw0JQJoS
Threatray: 11 similar samples on MalwareBazaar
TLSH: T149351203BEC298B2D46219361A796B10653DBD205F79CEDFA3D42A5DDE315C0CB31BA2
TrID:
  89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
  3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
  2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter: abuse_ch
Tags: exe RedLineStealer

Intelligence

File Origin
# of uploads: 1
# of downloads: 257
Origin country: NL

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: file.exe
Verdict: Malicious activity
Analysis date: 2023-04-08 08:08:07 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Sending a custom TCP request
Creating a process from a recently created file
Launching a process
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a system process
Result
Malware family: n/a
Score: 6/10
Tags: n/a

Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-vm bobik greyware overlay packed packed setupapi.dll shdocvw.dll shell32.dll zusy
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: MinerDownloader, RedLine, Xmrig
Detection: malicious
Classification: troj.spyw.evad.mine
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to inject code into remote processes
DNS related to crypt mining pools
Encrypted powershell cmdline option found
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample is not signed and drops a device driver
Sample uses process hollowing technique
Sigma detected: Schedule system process
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic MinerDownloader
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph (ID: 843432; Sample: file.exe; Startdate: 08/04/2023; Architecture: WINDOWS; Score: 100)

Top-level network contacts: xmr-eu1.nanopool.org; pastebin.com
Top-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 14 other signatures

Process tree, with dropped files, network contacts and signatures listed under the process they were attributed to:

file.exe
  dropped: C:\Users\user\AppData\...\rlpe0ih34rsq.exe (PE32); C:\Users\user\AppData\Local\...\akfuan2.exe (PE32)
  rlpe0ih34rsq.exe
    signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Writes to foreign memory regions; Sample uses process hollowing technique
    RegSvcs.exe
      signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
      AppLaunch.exe
        network: github.com (140.82.121.4, ports 443, 49702, 49703, GITHUBUS, United States); raw.githubusercontent.com (185.199.111.133, ports 443, 49705, 49708, FASTLYUS, Netherlands); 2 other IPs or domains
        dropped: C:\ProgramData\Dllhost\winlogson.exe (PE32+); C:\ProgramData\Dllhost\dllhost.exe (PE32); C:\ProgramData\Dllhost\WinRing0x64.sys (PE32+); C:\ProgramData\HostData\logs.uce (ASCII)
        signatures: Sample is not signed and drops a device driver
        cmd.exe
          signatures: Encrypted powershell cmdline option found; Uses schtasks.exe or at.exe to add and modify task schedules
          powershell.exe
          conhost.exe
        cmd.exe
          conhost.exe
          schtasks.exe
        cmd.exe
          conhost.exe
          schtasks.exe
      conhost.exe
    RegSvcs.exe
      signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Contains functionality to inject code into remote processes
    WerFault.exe
    RegSvcs.exe
  akfuan2.exe
    signatures: Allocates memory in foreign processes; Injects a PE file into a foreign processes
    RegSvcs.exe
      network: 77.91.85.137 (ports 49712, 81, METREX-ASRU, Russian Federation); api.ip.sb
      signatures: Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
    WerFault.exe
cmd.exe
  winlogson.exe
    signatures: Antivirus detection for dropped file
  conhost.exe
  chcp.com
cmd.exe
  conhost.exe
  chcp.com
2 other processes
  conhost.exe
  conhost.exe
Threat name: Win32.Spyware.RedLine
Status: Suspicious
First seen: 2023-04-08 07:57:01 UTC
File Type: PE (Exe)
Extracted files: 19
AV detection: 18 of 37 (48.65%)
Threat level: 2/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:test infostealer spyware
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
RedLine
Malware Config
C2 Extraction: 77.91.85.137:81
Unpacked files
SHA256 hash: f250446739250770dc65f2bd607cf16b50761fb24084e38e24c878cd3d5c4d7b
MD5 hash: d3fd584dd71724f59bd965952f82057a
SHA1 hash: 283a647e6ac6def93aeb13c6b6c11caeaa3a53aa

SHA256 hash: 586a0e4e3ea0770a2ab417de243f9254be6b07f18a6547cbce93d75e7d0436cb
MD5 hash: 360185dfe3bf6292f72542f120d61a97
SHA1 hash: 5aed187f349784adcb84531e1b7b65290c6db253

SHA256 hash: f220fde91c8a4ae34a1e3e9c65bd2b9744af206ae123b6ba86621b7fe6e90063
MD5 hash: 322c83c085d114c3999ddf36e5adb8b6
SHA1 hash: 54ae6228a118ba2e5a66833f2af75c53e4e51d36

SHA256 hash: 4c8783b51f524af525fee210f96c12b13ad427d541cd0c3aa61498b6d060ea5f
MD5 hash: f92bdbd2d4cc054dc179daad9629a4e4
SHA1 hash: b67f99504e356af0d96bdfc17962eda775bca295

SHA256 hash: 274dfd3f3ff0da31cb2163147a83b9fa22bc73b271f15f13e0d8c40ed6ab7ed6
MD5 hash: 2b92b8f8a30cc8e1c1f89f84720aecbf
SHA1 hash: ef9e9b7942cb5f3e1cf5e71fb5ee1901119baa8b
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: AppLaunch
Author: iam-py-test
Description: Detect files referencing .Net AppLaunch.exe

Rule name: INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
Author: ditekSHen
Description: Detects executables (downloaders) containing URLs to raw contents of a paste

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

Rule name: pe_imphash

Rule name: sfx_pdb
Author: @razvialex
Description: Detect interesting files containing sfx with pdb paths.

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: XWorm_Hunter
Author: Potato

File information

The table below shows additional information about this malware sample such as delivery method and external references.