MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2f296b56bfd637fd96dd195bcd8e8d119ebaf9bbda1e7c992fcb2cf550008735. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2f296b56bfd637fd96dd195bcd8e8d119ebaf9bbda1e7c992fcb2cf550008735
SHA3-384 hash: ae8c97bf6ea463a8b96d974ef722c6606a4c08e77b5eab2104497e717d6d958ac25a31b2e811090d5e7b0c2745129543
SHA1 hash: 7735a3d7036561e47189551f9e11fcf79d3c636d
MD5 hash: dd6efc4362195d83e60e6e98eadbc964
humanhash: neptune-summer-five-three
File name:dd6efc4362195d83e60e6e98eadbc964.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'521'152 bytes
First seen:2021-12-04 06:44:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d7dd6fa75115d9909f747434e40fff68 (173 x RedLineStealer, 10 x DCRat, 1 x CoinMiner.XMRig)
ssdeep 24576:dIPYE17CPg2pp7yqKbXFOFTAQvgUysiIEFLoctjCqawo9XS+7+HYt3BgvkEaHNYo:dIPYE1cg2pRq6Tx8IEFLRtujx9XS+aHi
Threatray 11'003 similar samples on MalwareBazaar
TLSH T14C653396B5457D8CC14B0734AEEBBE590B8AE50FDF906DCEF71A1A4A30344C1ADF8684
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
161
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://shrinke.me/AdobePP2022
Verdict:
Malicious activity
Analysis date:
2021-12-04 04:21:39 UTC
Tags:
evasion trojan loader opendir rat redline stealer vidar raccoon
Link:
https://app.any.run/tasks/998e1f96-84f7-4371-a045-c6c27d4730ea

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/211208/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Сreating synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Searching for the window
Running batch commands
Launching a process
Searching for synchronization primitives
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Creating a process with a hidden window
Stealing user critical data
Blocking the Windows Defender launch
Query of malicious DNS domain
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/739/overview
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed wacatac
Link:
https://www.filescan.io/uploads/61ab0e7147ed217c0130c7d0/reports/cf70ac7e-3fb4-464b-a8cf-324de7116547/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9e9ce9af-f8fa-4660-bbaf-b67048065ea7
Result
Threat name:
Phoenix Miner RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/901328
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Hides threads from debuggers
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Phoenix Miner
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 533804 Sample: Ei6GlYwDPF.exe Startdate: 04/12/2021 Architecture: WINDOWS Score: 100 117 raw.githubusercontent.com 2->117 119 github.com 2->119 147 Antivirus detection for URL or domain 2->147 149 Antivirus detection for dropped file 2->149 151 Multi AV Scanner detection for dropped file 2->151 153 7 other signatures 2->153 11 Ei6GlYwDPF.exe 15 8 2->11         started        16 RegHost.exe 2->16         started        18 RegHost.exe 13 2->18         started        signatures3 process4 dnsIp5 133 185.223.92.157, 44160, 49746 DDOS-GUARDRU Netherlands 11->133 135 cdn.discordapp.com 162.159.129.233, 443, 49768 CLOUDFLARENETUS United States 11->135 137 162.159.134.233, 443, 49775 CLOUDFLARENETUS United States 11->137 109 C:\Users\user\AppData\Local\Temp\3.exe, PE32 11->109 dropped 111 C:\Users\user\AppData\Local\Temp\2.exe, PE32+ 11->111 dropped 113 C:\Users\user\AppData\...i6GlYwDPF.exe.log, ASCII 11->113 dropped 177 Detected unpacking (changes PE section rights) 11->177 179 Detected unpacking (overwrites its own PE header) 11->179 181 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 11->181 195 5 other signatures 11->195 20 2.exe 1 22 11->20         started        25 3.exe 15 11->25         started        145 2 other IPs or domains 16->145 183 Writes to foreign memory regions 16->183 185 Allocates memory in foreign processes 16->185 187 Modifies the context of a thread in another process (thread injection) 16->187 189 Injects a PE file into a foreign processes 16->189 27 bfsvc.exe 16->27         started        29 cmd.exe 16->29         started        31 cmd.exe 16->31         started        37 2 other processes 16->37 139 185.199.108.133, 443, 49795, 49798 FASTLYUS Netherlands 18->139 141 raw.githubusercontent.com 18->141 143 github.com 18->143 191 Multi AV Scanner detection for dropped file 18->191 193 Machine Learning detection for dropped file 18->193 33 cmd.exe 18->33         started        35 conhost.exe 18->35         started        file6 signatures7 process8 dnsIp9 121 github.com 140.82.121.3, 443, 49779, 49782 GITHUBUS United States 20->121 123 raw.githubusercontent.com 185.199.111.133, 443, 49783, 49786 FASTLYUS Netherlands 20->123 101 C:\Users\user\AppData\Roaming\...\RegHost.exe, PE32+ 20->101 dropped 103 C:\Users\user\AppData\Roaming\...\7z.exe, PE32+ 20->103 dropped 105 C:\Users\user\AppData\Roaming\...\7z.dll, PE32+ 20->105 dropped 107 2 other files (none is malicious) 20->107 dropped 155 Multi AV Scanner detection for dropped file 20->155 157 Machine Learning detection for dropped file 20->157 159 Injects code into the Windows Explorer (explorer.exe) 20->159 165 5 other signatures 20->165 39 explorer.exe 20->39         started        41 bfsvc.exe 20->41         started        44 cmd.exe 20->44         started        50 3 other processes 20->50 125 ccf9ba3695b15b4f0787e6290e0f63allcomejroo839jxi13.xyz 207.244.237.176, 49778, 80 CONTABOUS United States 25->125 161 Performs DNS queries to domains with low reputation 25->161 46 conhost.exe 25->46         started        163 Hides threads from debuggers 27->163 48 conhost.exe 27->48         started        52 2 other processes 29->52 54 2 other processes 31->54 56 2 other processes 33->56 file10 signatures11 process12 signatures13 58 RegHost.exe 39->58         started        167 Hides threads from debuggers 41->167 62 conhost.exe 41->62         started        64 7z.exe 44->64         started        67 conhost.exe 44->67         started        69 7z.exe 50->69         started        71 curl.exe 1 50->71         started        73 conhost.exe 50->73         started        75 conhost.exe 50->75         started        process14 dnsIp15 127 raw.githubusercontent.com 58->127 129 github.com 58->129 169 Injects code into the Windows Explorer (explorer.exe) 58->169 171 Writes to foreign memory regions 58->171 173 Allocates memory in foreign processes 58->173 175 2 other signatures 58->175 77 bfsvc.exe 58->77         started        81 cmd.exe 58->81         started        83 cmd.exe 58->83         started        85 2 other processes 58->85 97 C:\Users\user\AppData\...\RegHost_Temp.exe, PE32+ 64->97 dropped 99 C:\Users\user\AppData\...\RegData_Temp.exe, PE32+ 69->99 dropped 131 api.telegram.org 149.154.167.220, 443, 49777 TELEGRAMRU United Kingdom 71->131 file16 signatures17 process18 file19 115 \Device\ConDrv, ASCII 77->115 dropped 197 Hides threads from debuggers 77->197 87 conhost.exe 77->87         started        89 conhost.exe 81->89         started        91 7z.exe 81->91         started        93 conhost.exe 83->93         started        95 7z.exe 83->95         started        signatures20 process21
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2f296b56bfd637fd96dd195bcd8e8d119ebaf9bbda1e7c992fcb2cf550008735/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-12-03 18:41:44 UTC
AV detection:
22 of 44 (50.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=f4uwwvv72y373fw5dfn43duncgplv6n33iphzgjpzmwpkuaaq42q._file
Verdict:
malicious
Similar samples:
57fb9f191f910890da8143e222ed68a876620f84444a5679fbbed4eecec1cc7e
RedLineStealer
6cc037e6cfc78eecd49983911b948548c87af9c2c4525977249e78464aadba06
RedLineStealer
7ca09295652584ac4c0faa24f99df42823474f189e18a8449e6989d14d0cd8f4
RedLineStealer
8649bf155fb76f11ccb64ada34b2bef81949839df4ed543c306c3d28e655b2bf
RedLineStealer
a03f927003cc418724452aa9b8ef35101034ce5c2b0b88cc1b6f2162937573a1
RedLineStealer
bc2cce5055f9411c04edeee699d7161c257574b4c5540351b647d8a52de9540c
RedLineStealer
de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248
RedLineStealer
eb492e7ed795dad887f187c81dd2ab8f8b8d9d08a8b179e9bfd442dff436eaeb
RedLineStealer
f5cd226f5a80952c21b7f5be3ea27139f00d4e7f3f21dd2bda213fab4a66fd98
RedLineStealer
+ 10'993 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery evasion infostealer spyware stealer trojan
Link:
https://tria.ge/reports/211204-hh37bsaecp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Reads user/profile data of web browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RedLine
RedLine Payload
Unpacked files
SH256 hash:
6851e02d3f4b8179b975f00bbc86602a2f2f84524f548876eb656db7ea5eaa9c
MD5 hash:
c5124caf4aea3a83b63a9108fe0dcef8
SHA1 hash:
a43a5a59038fca5a63fa526277f241f855177ce6
Link:
https://www.unpac.me/results/ba876339-bb25-4b64-9006-8ed1eb3b82b1/
SH256 hash:
2f296b56bfd637fd96dd195bcd8e8d119ebaf9bbda1e7c992fcb2cf550008735
MD5 hash:
dd6efc4362195d83e60e6e98eadbc964
SHA1 hash:
7735a3d7036561e47189551f9e11fcf79d3c636d
Link:
https://www.unpac.me/results/ba876339-bb25-4b64-9006-8ed1eb3b82b1/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/2f296b56bfd6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2f296b56bfd637fd96dd195bcd8e8d119ebaf9bbda1e7c992fcb2cf550008735

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/211208/

Comments