MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2f5adcd21b56b7a72adadb73a7d29ea9158a1b10cf02be624f60f41a3b1fce0d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2f5adcd21b56b7a72adadb73a7d29ea9158a1b10cf02be624f60f41a3b1fce0d
SHA3-384 hash: 86ce45a1c5099364da4bcb329d91e218e934ee460ea899f2ef743b302d097ddc5574e694da1e0672309e95c51acfddbb
SHA1 hash: 2b6c8da71f8df5aa3e318891e61c7b51f334b35c
MD5 hash: 7200ac3e60f2e71087da34356bb65e4d
humanhash: chicken-bravo-maryland-chicken
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'176'152 bytes
First seen:2022-12-21 02:46:45 UTC
Last seen:2022-12-21 13:44:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 8556c522621bf551eddbfefc45061d4e (2 x ArkeiStealer, 1 x Amadey, 1 x RedLineStealer)
ssdeep 24576:rBKHoLLMY7LDKXs9dZBK3/udxkRCNChfyl:rioLV7KEY3/FCchKl
Threatray 246 similar samples on MalwareBazaar
TLSH T1C045CF91C0AE0F86D44215B4C1565DD0F04F2A31F2277906A7622EBE7FD35A2DCB1AAF
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 5345296763707036 (1 x RedLineStealer)
Reporter andretavare5
Tags:exe RedLineStealer signed

Code Signing Certificate

Organisation:*.logical.net
Issuer:Sectigo RSA Domain Validation Secure Server CA
Algorithm:sha256WithRSAEncryption
Valid from:2022-03-22T00:00:00Z
Valid to:2023-04-21T23:59:59Z
Serial number: 77f770b563773846be8ca9bebcf35c29
Intelligence: 4 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 16487a2e076d08e4141161fce4b368f40f389d314be821746c0496e649ad77a5
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
andretavare5
Sample downloaded from https://vk.com/doc16081047_653428514?hash=SPUCE5XhWRcKvnwWUzCE3fbZBedlnmSpMmgmPDhsemz&dl=GE3DAOBRGA2DO:1671565331:aMiJK4CHsYLnbX8XWxuSe6ESelLDeuJJ58PPTTVnlXL&api=1&no_preview=1#2u300

Intelligence

File Origin
# of uploads :
32
# of downloads :
174
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
No threats detected
Analysis date:
2022-12-21 02:47:21 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/53b1be99-1683-4335-9005-fc86ba48b52e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/348590/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.64366564.21042.21900.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Launching a process
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Reading critical registry keys
Detecting VM
Stealing user critical data
Forced shutdown of a system process
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a system process
Verdict:
No Threat
Threat level:
  2/10
Confidence:
40%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/63a273a6d6459c0de11edddc/reports/ab8fd747-f14b-47e2-b568-fac1445bafef/overview
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0c58748e-b391-4482-8cb8-f121b0314cbb
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1138373
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks if the current machine is a virtual machine (disk enumeration)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 771103 Sample: file.exe Startdate: 21/12/2022 Architecture: WINDOWS Score: 100 46 Snort IDS alert for network traffic 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 Antivirus detection for URL or domain 2->50 52 9 other signatures 2->52 8 file.exe 19 2->8         started        process3 dnsIp4 34 bitbucket.org 104.192.141.1, 443, 49699, 49701 AMAZON-02US United States 8->34 36 s3-w.us-east-1.amazonaws.com 52.217.107.100, 443, 49700, 49702 AMAZON-02US United States 8->36 38 3 other IPs or domains 8->38 30 C:\Users\user\AppData\Local\...\advapi32.dll, PE32 8->30 dropped 62 Writes to foreign memory regions 8->62 64 Allocates memory in foreign processes 8->64 66 Injects a PE file into a foreign processes 8->66 13 fontview.exe 1 8->13         started        18 ngentask.exe 4 8->18         started        20 ngentask.exe 8->20         started        22 ngentask.exe 8->22         started        file5 signatures6 process7 dnsIp8 42 44software.org 80.76.51.101, 49705, 49706, 80 CLOUDCOMPUTINGDE Bulgaria 13->42 32 C:\Users\user\AppData\...\nsis_uns189627b.dll, PE32+ 13->32 dropped 68 Query firmware table information (likely to detect VMs) 13->68 70 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 13->70 72 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 13->72 82 3 other signatures 13->82 24 rundll32.exe 13->24         started        44 167.235.53.255, 4917, 49704 ALBERTSONSUS United States 18->44 74 Tries to harvest and steal browser information (history, passwords, etc) 18->74 76 Tries to steal Crypto Currency Wallets 18->76 78 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 20->78 80 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 20->80 file9 signatures10 process11 dnsIp12 40 44software.org 24->40 54 System process connects to network (likely due to code injection or exploit) 24->54 56 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 24->56 58 Tries to steal Mail credentials (via file / registry access) 24->58 60 2 other signatures 24->60 28 WerFault.exe 24->28         started        signatures13 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2f5adcd21b56b7a72adadb73a7d29ea9158a1b10cf02be624f60f41a3b1fce0d/
Threat name:
Win32.Infostealer.Reline
Create hunting rule
Status:
Malicious
First seen:
2022-12-18 16:37:14 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=f5nnzuq3k232okw23nz2puu6vekyugyqz4bl4yspmd2buoy7zygq._file
Verdict:
malicious
Similar samples:
154ca9b65ed10747abd833a0ea2a7b5135742ea3fdad1f53f006216fc7950ebf
RedLineStealer
590420a09891c0a91ecdc29942328e707cc3f0243f5c9907c96150eb15fe1052
RedLineStealer
616812fc478db8cb2f4be4aae6094fb9e93ca2449c9b0841beeb9f7960914437
RedLineStealer
6b955c6b75fd243f374ffffc38466f94889e3a5ccb3947babf4e79e8358db6fe
RedLineStealer
9decea735b00c1885b133ce7b7350ae65ec33a1c9663ec22d34216e425b18168
RedLineStealer
9f29109994932960f368925877a9beed7cd6e687686cc8131937e7bbe58384f4
RedLineStealer
c0178dc0e1f125da7b6bab419edc783fdff63a376019140e086e6bc10ec588bd
RedLineStealer
ca23870a45d3be35420a930a5eece560dbc792734fe32df17430a3f8820abd68
RedLineStealer
e3ac933f39d5fa387a5f844d1d29379d88c4421aa72ac4e9b50d8bc1d5b40fa4
RedLineStealer
e9d2fc84653ded9e3b6a95d30ac8c86cd7dae65319238c9810277bee34c4d5d6
RedLineStealer
+ 236 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/221221-c9v25sbe54/
Behaviour
Suspicious behavior: EnumeratesProcesses
Program crash
Unpacked files
SH256 hash:
4291e938c856c3ece1205752f614d2bf7d615b43cbe267c36fe3d2dd7d52e3f7
MD5 hash:
6c96f6827548ae1953633042e751e3b1
SHA1 hash:
3094368b3221a3ce548ab5340daabb3be94db15a
Link:
https://www.unpac.me/results/791c5160-70a9-4b0a-83a3-20068f78673e/
SH256 hash:
2f5adcd21b56b7a72adadb73a7d29ea9158a1b10cf02be624f60f41a3b1fce0d
MD5 hash:
7200ac3e60f2e71087da34356bb65e4d
SHA1 hash:
2b6c8da71f8df5aa3e318891e61c7b51f334b35c
Link:
https://www.unpac.me/results/791c5160-70a9-4b0a-83a3-20068f78673e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2f5adcd21b56/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.71
Link:
https://yomi.yoroi.company/submissions/2f5adcd21b56b7a72adadb73a7d29ea9158a1b10cf02be624f60f41a3b1fce0d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Win32_Trojan_RedLineStealer
Create hunting rule
Author:Netskope Threat Labs
Description:Identifies RedLine Stealer samples
Reference:deb95cae4ba26dfba536402318154405

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/348590/

Comments