MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2e8a28941c9837d1709600bf43c418d42ce78510e4a2b85f1f57819b1f419967. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2e8a28941c9837d1709600bf43c418d42ce78510e4a2b85f1f57819b1f419967
SHA3-384 hash: b77b71af33fa6de0a67acc8c87b19d1cfdec62cc5020dfd04090ef57adef63b97097883133d998e910381814b43c16a5
SHA1 hash: d65bd6e22399408f6f5939a4485aac413822f995
MD5 hash: 63dd05218fede88ea18fe090124804d4
humanhash: lion-batman-zulu-west
File name:2E8A28941C9837D1709600BF43C418D42CE78510E4A2B.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:2'539'215 bytes
First seen:2022-10-24 19:45:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1e33718404ffbe0d91b536c10bf053f8 (80 x RedLineStealer, 7 x RecordBreaker, 4 x N-W0rm)
ssdeep 24576:FCUsW6GdyvYBY19MXIjeMBnxlZJAYf5fUMsqDDDaCuImcIUZLoNewbTRSQl3RuQC:FXBdXwZAXCuIm/UZGHbVSQl3i
TLSH T10BC509136A8B0E75DDC23BB461CB633AA734ED30CA3A9B7BF609C53559532C46C1A742
TrID 33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
21.3% (.EXE) Win64 Executable (generic) (10523/12/4)
13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
http://78.47.204.168/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://78.47.204.168/ https://threatfox.abuse.ch/ioc/891320/

Intelligence

File Origin
# of uploads :
1
# of downloads :
241
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
2E8A28941C9837D1709600BF43C418D42CE78510E4A2B.exe
Verdict:
Malicious activity
Analysis date:
2022-10-24 19:51:49 UTC
Tags:
trojan rat redline loader stealer vidar
Link:
https://app.any.run/tasks/2c1e7a0c-1962-42c7-8dbd-a813761dce43

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/323629/
Detection(s):
Win.Spyware.Redlinestealer-9965193-0
Create hunting rule

Win.Packed.Fragtor-9965244-0
Create hunting rule

Win.Packed.Fragtor-9965245-0
Create hunting rule

Win.Spyware.Redlinestealer-9965259-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/45132/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
EvasionGetTickCount
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Certishell
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/71cb5397-1605-413c-9df6-34ab472c92d4
Result
Threat name:
RedLine, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1096946
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies power options to not sleep / hibernate
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: Stop multiple services
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses netsh to modify the Windows network and firewall settings
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 729586 Sample: 2E8A28941C9837D1709600BF43C... Startdate: 24/10/2022 Architecture: WINDOWS Score: 100 102 goback.delivery 2->102 124 Snort IDS alert for network traffic 2->124 126 Multi AV Scanner detection for domain / URL 2->126 128 Malicious sample detected (through community Yara rule) 2->128 130 12 other signatures 2->130 11 2E8A28941C9837D1709600BF43C418D42CE78510E4A2B.exe 1 2->11         started        14 svcupdater.exe 2->14         started        17 chrome.exe 2->17         started        19 chrome.exe 2->19         started        signatures3 process4 dnsIp5 158 Contains functionality to inject code into remote processes 11->158 160 Writes to foreign memory regions 11->160 162 Allocates memory in foreign processes 11->162 164 Injects a PE file into a foreign processes 11->164 21 AppLaunch.exe 15 12 11->21         started        26 conhost.exe 11->26         started        122 clipper.guru 14->122 166 Multi AV Scanner detection for dropped file 14->166 168 Machine Learning detection for dropped file 14->168 signatures6 process7 dnsIp8 106 62.204.41.141, 24758, 49712 TNNET-ASTNNetOyMainnetworkFI United Kingdom 21->106 108 dl.uploadgram.me 176.9.247.226, 443, 49718, 49719 HETZNER-ASDE Germany 21->108 110 3 other IPs or domains 21->110 84 C:\Users\user\AppData\Local\Temp\start.exe, PE32+ 21->84 dropped 86 C:\Users\user\AppData\Local\Temp\777.exe, PE32 21->86 dropped 88 C:\Users\user\AppData\Local\...\test.exe, PE32 21->88 dropped 90 3 other malicious files 21->90 dropped 132 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 21->132 134 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 21->134 136 Tries to harvest and steal browser information (history, passwords, etc) 21->136 138 Tries to steal Crypto Currency Wallets 21->138 28 chrome.exe 21->28         started        32 test.exe 1 21->32         started        34 ofg.exe 5 21->34         started        36 3 other processes 21->36 file9 signatures10 process11 dnsIp12 92 C:\WindowsbehaviorgraphoogleUpdate.exe, PE32 28->92 dropped 170 Multi AV Scanner detection for dropped file 28->170 172 Detected unpacking (changes PE section rights) 28->172 174 Machine Learning detection for dropped file 28->174 186 2 other signatures 28->186 39 GoogleUpdate.exe 28->39         started        42 GoogleUpdate.exe 28->42         started        54 3 other processes 28->54 176 Writes to foreign memory regions 32->176 178 Allocates memory in foreign processes 32->178 180 Injects a PE file into a foreign processes 32->180 45 vbc.exe 32->45         started        56 3 other processes 32->56 94 C:\Users\user\AppData\...\svcupdater.exe, PE32 34->94 dropped 48 cmd.exe 1 34->48         started        104 www.google.com 142.250.185.228, 443, 49720 GOOGLEUS United States 36->104 96 C:\Users\user\AppData\Local\Temp\17FA.tmp, PE32+ 36->96 dropped 98 C:\Program Filesbehaviorgraphoogle\Chrome\updater.exe, PE32+ 36->98 dropped 182 Antivirus detection for dropped file 36->182 184 Adds a directory exclusion to Windows Defender 36->184 50 cmd.exe 36->50         started        52 cmd.exe 36->52         started        58 2 other processes 36->58 file13 signatures14 process15 dnsIp16 140 Uses netsh to modify the Windows network and firewall settings 39->140 142 Modifies the windows firewall 39->142 112 141.95.93.178, 443, 49723, 49724 DFNVereinzurFoerderungeinesDeutschenForschungsnetzese Germany 42->112 114 api.peer2profit.com 172.66.40.196, 443, 49721, 49725 CLOUDFLARENETUS United States 42->114 116 192.168.2.1 unknown unknown 42->116 60 netsh.exe 42->60         started        62 netsh.exe 42->62         started        64 netsh.exe 42->64         started        118 t.me 149.154.167.99, 443, 49722 TELEGRAMRU United Kingdom 45->118 120 78.47.204.168, 49727, 80 HETZNER-ASDE Germany 45->120 100 C:\ProgramData\sqlite3.dll, PE32 45->100 dropped 144 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 45->144 146 Tries to harvest and steal browser information (history, passwords, etc) 45->146 148 DLL side loading technique detected 45->148 150 Tries to steal Crypto Currency Wallets 45->150 152 Uses schtasks.exe or at.exe to add and modify task schedules 48->152 154 Uses powercfg.exe to modify the power settings 48->154 156 Modifies power options to not sleep / hibernate 48->156 66 conhost.exe 48->66         started        68 schtasks.exe 1 48->68         started        70 5 other processes 50->70 72 4 other processes 52->72 74 3 other processes 54->74 76 2 other processes 58->76 file17 signatures18 process19 process20 78 conhost.exe 60->78         started        80 conhost.exe 62->80         started        82 conhost.exe 64->82         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2e8a28941c9837d1709600bf43c418d42ce78510e4a2b85f1f57819b1f419967/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-09-02 00:42:05 UTC
File Type:
PE (Exe)
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=f2fcrfa4ta35c4ewac7uhray2qwopbiq4srlqxy7k6azwh2btftq._file
Verdict:
malicious
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:redline family:vidar botnet:1707 evasion infostealer persistence spyware stealer upx
Link:
https://tria.ge/reports/221024-ygzeraachp/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Uses the VBS compiler for execution
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Sets service image path in registry
Stops running service(s)
UPX packed file
Modifies security service
RedLine
RedLine payload
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
62.204.41.141:24758
https://t.me/slivetalks
https://c.im/@xinibin420
Unpacked files
SH256 hash:
19f7ad00b4bd873245d812dccb7b2c3e63c4f5e30abc456de081ccdb84347059
MD5 hash:
aaf2e1ab5d581c6dfaf709c831973dea
SHA1 hash:
f45087af3ecf5524c7d32742eb9bfc7b0309227c
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/72c28dbd-22e6-4837-81d1-0897e36e1e00/
SH256 hash:
2e8a28941c9837d1709600bf43c418d42ce78510e4a2b85f1f57819b1f419967
MD5 hash:
63dd05218fede88ea18fe090124804d4
SHA1 hash:
d65bd6e22399408f6f5939a4485aac413822f995
Link:
https://www.unpac.me/results/72c28dbd-22e6-4837-81d1-0897e36e1e00/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2e8a28941c9837d1709600bf43c418d42ce78510e4a2b85f1f57819b1f419967

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/323629/

Comments