MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2d4b90a306bea6c000b93106d5d831999a39ff693f608504ad4197c1b720aadd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer
Vendor detections: 14

SHA256 hash: 2d4b90a306bea6c000b93106d5d831999a39ff693f608504ad4197c1b720aadd
SHA3-384 hash: 768232edcb52dd290bd9fd25d767e99b0d191f73b149b8caa8ab65eb597b08990d2d057d328cb490047eecf5d3ca4247
SHA1 hash: 8ea560a29d689bbe4c9a25a14ef14c09eeb25e68
MD5 hash: 44455c6a40f63cfcb7f855f15bdfbd91
humanhash: minnesota-comet-venus-harry
File name: 44455c6a40f63cfcb7f855f15bdfbd91.exe
Signature: RedLineStealer
File size: 13'481'041 bytes
First seen: 2023-02-20 02:25:16 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: e569e6f445d32ba23766ad67d1e3787f (259 x Adware.Generic, 41 x RecordBreaker, 24 x RedLineStealer)
ssdeep: 196608:wRsq5pwrR+j3J3p7CfaohovcWTNOPpSOU4FlK3rjofNx3edZi06H8yQ7D2pe6NHT:mvi4V3p7waoVgO17Ej03gZJH7KpNsS
Threatray: 74 similar samples on MalwareBazaar
TLSH: T128D6233FF1146B2EC63A8A7709B786202C7B6AA6ED474E0B13F4180EDF615512D3B527
TrID: 48.3% (.EXE) Inno Setup installer (109740/4/30)
      18.9% (.EXE) InstallShield setup (43053/19/16)
      18.3% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
      4.6% (.EXE) Win64 Executable (generic) (10523/12/4)
      2.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
dhash icon: e88e0f0b0727f8f8 (2 x RedLineStealer)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
77.91.122.106:7146

Intelligence


File Origin
# of uploads: 1
# of downloads: 263
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 44455c6a40f63cfcb7f855f15bdfbd91.exe
Verdict: Malicious activity
Analysis date: 2023-02-20 02:29:59 UTC
Tags: installer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Sending a custom TCP request
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Creating a file
Moving a recently created file
Launching a process
Creating a process with a hidden window
Unauthorized injection to a recently created process
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
CheckNumberOfProcessor
CheckCmdLine
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: installer overlay packed setupapi.dll shell32.dll
Result
Verdict: MALICIOUS
Result
Threat name: RedLine
Detection: malicious
Classification: troj.evad.spyw
Score: 70 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Encrypted powershell cmdline option found
Found evasive API chain (may stop execution after checking mutex)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file has a writeable .text section
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample is not signed and drops a device driver
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Costura Assembly Loader
Yara detected RedLine Stealer
Behaviour
Behavior Graph: ID 811735, sample odnZiQfM6Y.exe, start date 20/02/2023, architecture WINDOWS, score 70. Process chain recovered from the graph text (the graph image itself is not shown):
Top-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 7 other signatures.
odnZiQfM6Y.exe drops C:\Users\user\AppData\...\odnZiQfM6Y.tmp (PE32), is flagged "Obfuscated command line found", and starts odnZiQfM6Y.tmp.
odnZiQfM6Y.tmp drops C:\StrLocalGate\Setup_win64_86.exe (copy, PE32), C:\...\idman641build6.exe (copy, PE32), C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+) and 2 other files (none malicious); it starts Setup_win64_86.exe and idman641build6.exe.
Setup_win64_86.exe is flagged for: queries sensitive video device information (via WMI, Win32_VideoController) and sensitive disk information (via WMI, Win32_DiskDrive), often done to detect virtual machines; encrypted powershell cmdline option found; injects a PE file into a foreign process. It starts a second Setup_win64_86.exe and powershell.exe (which starts conhost.exe).
The second Setup_win64_86.exe connects from port 49686 to 77.91.122.106 port 7146 (TELEDOM-ASLKTelecomRU, Russian Federation), tries to harvest and steal browser information (history, passwords, etc) and tries to steal Crypto Currency Wallets.
idman641build6.exe starts IDM1.tmp, which is flagged "Sample is not signed and drops a device driver".
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2023-02-16 18:43:50 UTC
File Type: PE (Exe)
Extracted files: 34
AV detection: 15 of 38 (39.47%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:08feb++ discovery infostealer spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
RedLine
Malware Config
C2 Extraction: 77.91.122.106:7146
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns
