MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2767d4128fc88d587b6681fcff44a8694833e95da510eca60750540e42f2e418. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2767d4128fc88d587b6681fcff44a8694833e95da510eca60750540e42f2e418
SHA3-384 hash: 95d57212228ef98d07736fe904b508f053cfb01992e07c768e89af9536f77f8d98c0ed575faa01208748dcf6e9fc1342
SHA1 hash: c6381d564909b24e6d44906c87542476c89cbb91
MD5 hash: a9f7d6b41ef9398f5b8fa1ca03d02b04
humanhash: berlin-bravo-december-failed
File name:a9f7d6b41ef9398f5b8fa1ca03d02b04.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:261'240 bytes
First seen:2023-06-20 10:30:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d7603d1b17202cdd1d003c27d46c04c1 (4 x RedLineStealer, 1 x LaplasClipper)
ssdeep 6144:WfIZHZETEmZuxEuE6ClwwSxZ7p4RhRyTUVeRl:VYTEmZulEgY2
Threatray 24 similar samples on MalwareBazaar
TLSH T1C9446C1339B08FA8FCD792701D5C9AAF5E79F5A11940A14EA2939DEF87D41A0C53232F
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
http://185.209.161.189/bot/regex

Intelligence

File Origin
# of uploads :
1
# of downloads :
278
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
a9f7d6b41ef9398f5b8fa1ca03d02b04.exe
Verdict:
Malicious activity
Analysis date:
2023-06-20 10:33:30 UTC
Tags:
rat redline
Link:
https://app.any.run/tasks/896add79-0ed6-43b1-96a3-73984354ea3d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/400956/
Detection(s):
Win.Malware.Pwsx-10004514-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
DNS request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file in the %temp% directory
Sending a TCP request to an infection source
Stealing user critical data
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/91874/overview
Behaviour
MalwareBazaar
MeasuringTime
CPUID_Instruction
SystemUptime
EvasionGetTickCount
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed redline zusy
Link:
https://www.filescan.io/uploads/64917fe70f5b3414b1c80dca/reports/c59544d9-9217-4d08-ae54-21d69d82e098/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/2767d4128fc88d587b6681fcff44a8694833e95da510eca60750540e42f2e418
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/56507994-339c-4de0-b8e7-38093d498f48
Result
Threat name:
MinerDownloader, Laplas Clipper, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1258123
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to register a low level keyboard hook
Drops PE files with benign system names
Encrypted powershell cmdline option found
Found malware configuration
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample is not signed and drops a device driver
Sigma detected: Schedule system process
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic MinerDownloader
Yara detected Laplas Clipper
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 891139 Sample: KYfx5g4XQs.exe Startdate: 20/06/2023 Architecture: WINDOWS Score: 100 98 Snort IDS alert for network traffic 2->98 100 Found malware configuration 2->100 102 Malicious sample detected (through community Yara rule) 2->102 104 14 other signatures 2->104 10 KYfx5g4XQs.exe 15 8 2->10         started        process3 dnsIp4 80 94.142.138.4, 49695, 80 IHOR-ASRU Russian Federation 10->80 82 api.ip.sb 10->82 84 217.196.96.158, 49697, 49698, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 10->84 58 C:\Users\user\AppData\Local\...\svchost.exe, PE32+ 10->58 dropped 60 C:\Users\user\AppData\Local\...\conhost.exe, PE32 10->60 dropped 110 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 10->110 112 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 10->112 114 Tries to harvest and steal browser information (history, passwords, etc) 10->114 116 2 other signatures 10->116 15 conhost.exe 8 10->15         started        19 svchost.exe 1 2 10->19         started        21 conhost.exe 10->21         started        file5 signatures6 process7 file8 72 C:\Users\user\AppData\Local\Temp\...\7z.exe, PE32+ 15->72 dropped 74 C:\Users\user\AppData\Local\Temp\...\7z.dll, PE32+ 15->74 dropped 92 Multi AV Scanner detection for dropped file 15->92 94 Contains functionality to register a low level keyboard hook 15->94 23 cmd.exe 2 15->23         started        76 C:\Users\user\AppData\Roaming\...\ntlhost.exe, PE32+ 19->76 dropped 96 Machine Learning detection for dropped file 19->96 25 ntlhost.exe 19->25         started        signatures9 process10 dnsIp11 28 BuildMiner.exe 14 31 23->28         started        33 7z.exe 2 23->33         started        35 7z.exe 3 23->35         started        37 5 other processes 23->37 78 185.209.161.189, 49710, 49711, 49712 HOSTING-SOLUTIONSUS Netherlands 25->78 process12 dnsIp13 86 github.com 140.82.121.4, 443, 49703, 49704 GITHUBUS United States 28->86 88 raw.githubusercontent.com 185.199.108.133, 443, 49705, 49707 FASTLYUS Netherlands 28->88 90 pastebin.com 172.67.34.170, 443, 49702 CLOUDFLARENETUS United States 28->90 62 C:\ProgramData\Dllhost\winlogson.exe, PE32+ 28->62 dropped 64 C:\ProgramData\Dllhost\dllhost.exe, PE32 28->64 dropped 66 C:\ProgramData\Dllhost\WinRing0x64.sys, PE32+ 28->66 dropped 68 C:\ProgramData\HostData\logs.uce, ASCII 28->68 dropped 118 Sample is not signed and drops a device driver 28->118 39 cmd.exe 28->39         started        42 cmd.exe 28->42         started        44 cmd.exe 28->44         started        70 C:\Users\user\AppData\...\BuildMiner.exe, PE32 33->70 dropped file14 signatures15 process16 signatures17 106 Encrypted powershell cmdline option found 39->106 108 Uses schtasks.exe or at.exe to add and modify task schedules 39->108 46 conhost.exe 39->46         started        48 powershell.exe 39->48         started        50 conhost.exe 42->50         started        52 schtasks.exe 42->52         started        54 conhost.exe 44->54         started        56 schtasks.exe 44->56         started        process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2767d4128fc88d587b6681fcff44a8694833e95da510eca60750540e42f2e418/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-06-16 14:26:36 UTC
File Type:
PE (Exe)
AV detection:
26 of 37 (70.27%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=e5t5ieupzcgvq63gqh6p6rfinfedh2k5uuiozjqhkbka4qxs4qma._file
Verdict:
malicious
Similar samples:
13fa525f766a6e919d19d0d501e062a41ab227690d1ec3c566ad0f3b52a0bb56
RedLineStealer
14529dca41abfea65abb51c84ec34ba0a951581586f98cef60213ae949a78320
RedLineStealer
1d38b7669f2dcddcf429fef7dc3e37f613caffb8794f1b923b753ac6a38e4094
RedLineStealer
2c63c61e0adaaf669c9c674edfc9081d415c05b834611944a682f120ab9559d8
RedLineStealer
338447d40e099471b745ab89c003011a8e3443fd687845a199b76ed67f462516
RedLineStealer
40aac7a5a709361db31b5189b42650d420548ace3f0da200e42a64fef2d3b923
RedLineStealer
4894fe2f0b87652614e926f8ed796d6f7655108011a8579b7efe3f6f0f886a7d
RedLineStealer
f2cde4100fdbb5841b0f68e1c5dbba912b38478e64698c0238edb62415d1ad70
RedLineStealer
f65152edceb657dc8745194f2b3f0c02ec64b82e4131fe6859afadaf4e39a87f
RedLineStealer
+ 14 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:laplas family:redline botnet:@bloodyrain12 clipper discovery infostealer persistence spyware stealer
Link:
https://tria.ge/reports/230620-mkc55sbd73/
Behaviour
GoLang User-Agent
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Laplas Clipper
RedLine
Malware Config
C2 Extraction:
94.142.138.4:80
http://185.209.161.189
Unpacked files
SH256 hash:
7301ad921fde26977d8c0e4e46be9c4ad35e0c1236bfcf0c63e48a77f7d4fd9a
MD5 hash:
1fa7c9694f04ea49da9ed38b8c0bf958
SHA1 hash:
de460b5901a9df5a5de0fae13e1c6dd85b9efa6f
Link:
https://www.unpac.me/results/3325e58b-1e86-4bad-b582-c0c3023a0305/
SH256 hash:
8da2e6c0858ea48c207d8a9689e768215406585202cead4000c69e5c8bef2c3c
MD5 hash:
2de2b962dc04675aab0c6a025ff39955
SHA1 hash:
ad2afc5549368620c068a0f9a0ee73c19e6b9337
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/3325e58b-1e86-4bad-b582-c0c3023a0305/
SH256 hash:
2767d4128fc88d587b6681fcff44a8694833e95da510eca60750540e42f2e418
MD5 hash:
a9f7d6b41ef9398f5b8fa1ca03d02b04
SHA1 hash:
c6381d564909b24e6d44906c87542476c89cbb91
Link:
https://www.unpac.me/results/3325e58b-1e86-4bad-b582-c0c3023a0305/
Malware family:
RedLine.E
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2767d4128fc8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2767d4128fc88d587b6681fcff44a8694833e95da510eca60750540e42f2e418

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:redline_stealer_1
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/400956/

Comments