MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2beba1a84ca6a357ff2e8fb49b014523c855b73195e04829db7ee94afe87ecd8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2beba1a84ca6a357ff2e8fb49b014523c855b73195e04829db7ee94afe87ecd8
SHA3-384 hash: 3961d8d4921e743de56beeee89eee57ea0623168413cc5d0df64750f9e92fff2cfae679ebbf89bc8c5a85bb99923a113
SHA1 hash: b1e7b1a232e971c70a168c918cf6fe506663f707
MD5 hash: 585368207fab5116640f854d6e6f742a
humanhash: sweet-black-avocado-football
File name:585368207fab5116640f854d6e6f742a
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:165'888 bytes
First seen:2021-06-25 08:30:16 UTC
Last seen:2021-06-25 10:45:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 3072:aK5znbrYKj+sGyxUOnPGxG7MJU3gch+YL:aKFbr0uehU3gcd
Threatray 333 similar samples on MalwareBazaar
TLSH 95F3906623A3D476C1C42230D462CB3B2668CD2707707357B0CAAE67BD6B19D8DBC6E4
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
123
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
585368207fab5116640f854d6e6f742a
Verdict:
Malicious activity
Analysis date:
2021-06-25 08:33:13 UTC
Tags:
evasion trojan rat redline
Link:
https://app.any.run/tasks/be316d3c-9436-4ef7-9b9b-a3b574ac260d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/168278/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.15718.1471.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine infostealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/07980667-13bd-412c-bfba-a0f784252ceb
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/808002
Signature
.NET source code contains very large strings
Antivirus detection for dropped file
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Performs DNS queries to domains with low reputation
Tries to evade analysis by execution special instruction which cause usermode exception
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 440413 Sample: nKxGiM5OIQ Startdate: 25/06/2021 Architecture: WINDOWS Score: 100 58 qitoshalan.xyz 2->58 76 Found malware configuration 2->76 78 Multi AV Scanner detection for submitted file 2->78 80 Yara detected RedLine Stealer 2->80 82 5 other signatures 2->82 8 nKxGiM5OIQ.exe 15 8 2->8         started        13 WinHoster.exe 2->13         started        15 WinHoster.exe 2->15         started        signatures3 process4 dnsIp5 64 videoconvert-download38.xyz 172.67.201.250, 443, 49730 CLOUDFLARENETUS United States 8->64 66 iplogger.org 88.99.66.31, 443, 49732, 49733 HETZNER-ASDE Germany 8->66 48 C:\Users\user\AppData\Roaming\4554481.exe, PE32 8->48 dropped 50 C:\Users\user\AppData\Roaming\3551492.exe, PE32 8->50 dropped 52 C:\Users\user\AppData\Roaming\3298350.exe, PE32 8->52 dropped 54 2 other malicious files 8->54 dropped 84 May check the online IP address of the machine 8->84 86 Performs DNS queries to domains with low reputation 8->86 17 3298350.exe 1 4 8->17         started        21 3045209.exe 15 11 8->21         started        24 3551492.exe 4 8->24         started        26 4554481.exe 14 2 8->26         started        file6 signatures7 process8 dnsIp9 38 C:\Users\user\AppData\...\WinHoster.exe, PE32 17->38 dropped 68 Antivirus detection for dropped file 17->68 70 Multi AV Scanner detection for dropped file 17->70 72 Machine Learning detection for dropped file 17->72 28 WinHoster.exe 17->28         started        60 videoconvert-download12.xyz 104.21.76.97, 443, 49734 CLOUDFLARENETUS United States 21->60 40 C:\ProgramData\76\vcruntime140.dll, PE32 21->40 dropped 42 C:\ProgramData\76\sqlite3.dll, PE32 21->42 dropped 44 C:\ProgramData\76\softokn3.dll, PE32 21->44 dropped 46 4 other files (none is malicious) 21->46 dropped 74 Performs DNS queries to domains with low reputation 21->74 31 WerFault.exe 21->31         started        33 3551492.exe 14 2 24->33         started        36 conhost.exe 24->36         started        62 kanagannne.xyz 85.192.56.35, 49748, 80 DINET-ASRU Russian Federation 26->62 file10 signatures11 process12 dnsIp13 88 Antivirus detection for dropped file 28->88 90 Machine Learning detection for dropped file 28->90 92 Tries to evade analysis by execution special instruction which cause usermode exception 31->92 56 qitoshalan.xyz 33->56 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2beba1a84ca6a357ff2e8fb49b014523c855b73195e04829db7ee94afe87ecd8/
Threat name:
ByteCode-MSIL.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-06-25 08:30:25 UTC
AV detection:
12 of 46 (26.09%)
Threat level:
  1/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fpv2dkcmu2rvp7zor62jwakfepeflnzrsxqeqko3p3uuv7uh5tma._file
Verdict:
malicious
Similar samples:
3c167530a131f9dc899b73b9eac971b38e44d41cf291893fde8e575602c2b846
RedLineStealer
48643d9ccc694960fb84f505524d0f148a0331a7e2569171ff3999dd60bc7154
RedLineStealer
5677b9d1528c45370a17cd4b68fc443862d4304ef1bca005c369c8c1d9158a62
RedLineStealer
8b7e447356ade4824db0565f713751a6c0b37cc560269ced9cc6176e1d1fdd24
RedLineStealer
a7b172d3fb0092b616e486d62a628e6fa09608d9e9a54773bc34fd37f2227a3e
RedLineStealer
cdbbb152fd25c5729e4fb1c07bbfed10561f6d1df6e86576bbc299c1dd622200
RedLineStealer
d8a3df5d5ed44873fc091b44a64f98c6c54dae8356d747cddee51b88df9f1d2e
RedLineStealer
da19103e927e19daedc51212deb60ceca403e3e9876c52a9dec41d7e6215929b
RedLineStealer
e55e95de03dff2a35cb8304d855c944a5309c56ff8d369af0a542e600faa6808
RedLineStealer
efea5e4af45434b028bbb6f0f45e57d74cc37a0d46ba85921f456806d48bc97c
RedLineStealer
+ 323 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:18_6_bl_84s7 discovery infostealer persistence spyware stealer
Link:
https://tria.ge/reports/210625-rnv2evz26a/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
RedLine
RedLine Payload
Malware Config
C2 Extraction:
qitoshalan.xyz:80
Unpacked files
SH256 hash:
08bd311189ca9d1be286847ad13d92edd22c8ff4b706d51a63b1942d415198b3
MD5 hash:
f2f898bd5e765467815b172ca440eea3
SHA1 hash:
109d5a30fdb96850abdb94ab9a72c7636a2a8a9c
Link:
https://www.unpac.me/results/207e417a-3ef5-4045-83d5-d949f6e1c45d/
SH256 hash:
2beba1a84ca6a357ff2e8fb49b014523c855b73195e04829db7ee94afe87ecd8
MD5 hash:
585368207fab5116640f854d6e6f742a
SHA1 hash:
b1e7b1a232e971c70a168c918cf6fe506663f707
Link:
https://www.unpac.me/results/207e417a-3ef5-4045-83d5-d949f6e1c45d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2beba1a84ca6a357ff2e8fb49b014523c855b73195e04829db7ee94afe87ecd8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Glasses
Create hunting rule
Author:Seth Hardy
Description:Glasses family
Rule name:GlassesCode
Create hunting rule
Author:Seth Hardy
Description:Glasses code features
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:Telegram_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Telegram in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 2beba1a84ca6a357ff2e8fb49b014523c855b73195e04829db7ee94afe87ecd8

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/168278/
  
URLhaus
https://urlhaus.abuse.ch/url/1396958/

Comments