MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 31229d7391d34dc38efe44e330d224d5a92727f8a1b0a1b723a0365e76aa22c6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 31229d7391d34dc38efe44e330d224d5a92727f8a1b0a1b723a0365e76aa22c6
SHA3-384 hash: f670880c4e453a107ebfe274bd4e26d6cb3c4793433b73e32ccd890fb16bb9525efb3450c6ca9d48c5d266c08257f960
SHA1 hash: d7048e12581be100129bdbdc5ba303bc912f6a35
MD5 hash: 9fb8fe0ee354dc87769b1e288e389f25
humanhash: delaware-shade-green-stairway
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:817'664 bytes
First seen:2023-10-11 12:15:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 24576:UyakomH6hLkwt1+JEgGscUfP/40mipZVUxP:jAf9EvGscUfYli/
Threatray 564 similar samples on MalwareBazaar
TLSH T194052301ABDA8137E8707BB078F603930A3A3CA19A7C975B2791695F4973540AD3277F
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter andretavare5
Tags:exe RedLineStealer


Avatar
andretavare5
Sample downloaded from http://77.91.68.249/navi/kur90.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
284
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-10-11 12:17:18 UTC
Tags:
stealc stealer
Link:
https://app.any.run/tasks/dae190e5-a1b4-4189-abd3-70ff8beee7ca

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/453222/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a service
DNS request
Creating a file
Modifying a system executable file
Delayed writing of the file
Launching a process
Sending a custom TCP request
Сreating synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Unauthorized injection to a recently created process
Blocking the Windows Defender launch
Disabling the operating system update service
Forced shutdown of a system process
Infecting executable files
Unauthorized injection to a system process
Gathering data
Gathering data
Verdict:
Malicious
Labled as:
TR/ATRAPS.Generic
Link:
https://www.hybrid-analysis.com/sample/31229d7391d34dc38efe44e330d224d5a92727f8a1b0a1b723a0365e76aa22c6
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/de71a158-f8b5-47c9-8170-93c792d2e4b3
Result
Threat name:
Babadeda, Mystic Stealer, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1323683
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
Multi AV Scanner detection for dropped file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Babadeda
Yara detected Mystic Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1323683 Sample: file.exe Startdate: 11/10/2023 Architecture: WINDOWS Score: 100 66 Snort IDS alert for network traffic 2->66 68 Found malware configuration 2->68 70 Antivirus / Scanner detection for submitted sample 2->70 72 7 other signatures 2->72 9 file.exe 1 4 2->9         started        12 rundll32.exe 2->12         started        14 rundll32.exe 2->14         started        process3 file4 54 C:\Users\user\AppData\Local\...\oW6Xp47.exe, PE32 9->54 dropped 56 C:\Users\user\AppData\Local\...\5Mw8jy3.exe, PE32 9->56 dropped 16 oW6Xp47.exe 1 4 9->16         started        process5 file6 46 C:\Users\user\AppData\Local\...\Vu1Tg56.exe, PE32 16->46 dropped 48 C:\Users\user\AppData\Local\...\4IV307DV.exe, PE32 16->48 dropped 62 Antivirus detection for dropped file 16->62 64 Machine Learning detection for dropped file 16->64 20 Vu1Tg56.exe 1 4 16->20         started        24 4IV307DV.exe 1 16->24         started        signatures7 process8 file9 50 C:\Users\user\AppData\Local\...\2db5116.exe, PE32 20->50 dropped 52 C:\Users\user\AppData\Local\...\1mb38hc5.exe, PE32 20->52 dropped 74 Antivirus detection for dropped file 20->74 76 Machine Learning detection for dropped file 20->76 26 2db5116.exe 1 20->26         started        29 1mb38hc5.exe 9 1 20->29         started        78 Writes to foreign memory regions 24->78 80 Allocates memory in foreign processes 24->80 82 Injects a PE file into a foreign processes 24->82 31 AppLaunch.exe 4 24->31         started        34 WerFault.exe 21 16 24->34         started        36 conhost.exe 24->36         started        signatures10 process11 dnsIp12 88 Antivirus detection for dropped file 26->88 90 Machine Learning detection for dropped file 26->90 92 Contains functionality to inject code into remote processes 26->92 104 3 other signatures 26->104 38 AppLaunch.exe 12 26->38         started        42 WerFault.exe 22 16 26->42         started        44 conhost.exe 26->44         started        94 Multi AV Scanner detection for dropped file 29->94 96 Modifies windows update settings 29->96 98 Disable Windows Defender notifications (registry) 29->98 100 Disable Windows Defender real time protection (registry) 29->100 60 77.91.124.55, 19071, 49713 ECOTEL-ASRU Russian Federation 31->60 102 Tries to harvest and steal browser information (history, passwords, etc) 31->102 signatures13 process14 dnsIp15 58 5.42.92.211, 49708, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 38->58 84 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 38->84 86 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 38->86 signatures16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/31229d7391d34dc38efe44e330d224d5a92727f8a1b0a1b723a0365e76aa22c6/
Threat name:
Win32.Trojan.Znyonm
Create hunting rule
Status:
Malicious
First seen:
2023-10-11 13:04:28 UTC
AV detection:
17 of 23 (73.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gerj244r2ng4hdx6itrtbure2wusoj7yugykdnzdua3f45vkelda._file
Verdict:
malicious
Similar samples:
0486513745242721cdf676e334e204a890f4235b58d66402c43e2f90666b6181
RedLineStealer
04edc8669856f78c88c9fd9697fb5f8ba5250054da2f133fbf67c3ac15b806ce
RedLineStealer
09302d71c49df65ef6de4c17276033d0eeff8820b97eb7e7899f3873767f4c5e
RedLineStealer
38ca03f3e5bf9c4b45789d786b4ace3bb805df322b821f66bea8132c92fc1eea
RedLineStealer
3be66e25a5015f26365c28290d97feadd4748be5391297100617c1ad11c8f204
RedLineStealer
4fee0bca77540a7d1dc2143464f076777950baaeeba6c07f3e3a679bf3e3094e
RedLineStealer
beecfa67960928cbd5b0b6520982d13289f4ea2d703773d21aba01fe015703f6
RedLineStealer
dad8c08535425b16d5d4ad67145f09170cfb08f5b8fefff4a4769c529c33d4bd
RedLineStealer
f49343bfc25ecd817401e6c9c4773a9861f6eda31766f99a599d18b1539f5875
RedLineStealer
f510b27eb8023094855d35dec346d3b78409919bda9c7fca0157a92169d7f76e
RedLineStealer
+ 554 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:breha evasion infostealer persistence trojan
Link:
https://tria.ge/reports/231011-pffrksef8w/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Windows security modification
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine payload
Malware Config
C2 Extraction:
77.91.124.55:19071
Unpacked files
SH256 hash:
1293d50b7f652dac9c871a22edbb00592b327e8b55fc98c6bebb5c681436c469
MD5 hash:
c9b6749b108027eccfd99a5c32462428
SHA1 hash:
55be6c256e50160137962a721917ff71716d791a
Link:
https://www.unpac.me/results/2261ebd1-d8a2-4430-b9e9-c7f8d529159a/
SH256 hash:
53790d415eaa2f56e4a854d8ed82b369e17f4289470cbd1c52e2c63215c5b75f
MD5 hash:
b8a52919f6d96cc19c555d080ab7b768
SHA1 hash:
b52d14e6e3f5be1a018f7e9a5cb6b2085b891c39
Link:
https://www.unpac.me/results/2261ebd1-d8a2-4430-b9e9-c7f8d529159a/
SH256 hash:
6013cc87b2ee2e8d687c4d6456b8ec8cf82a11bdf9ed2d2437b918f63feb8000
MD5 hash:
1afc2951ef561b1a4e2d0fe79e145341
SHA1 hash:
9c891f5a3cda54759b9a808d0145a5b35e551146
Link:
https://www.unpac.me/results/2261ebd1-d8a2-4430-b9e9-c7f8d529159a/
SH256 hash:
a483a82d45ca0336fc2889184473086c42b00eb5a308790e8689958846dce89e
MD5 hash:
efa0105cab9987d37bd382d59d9d7f84
SHA1 hash:
6e68c3067d27432bd97017136f936d448247e01c
Link:
https://www.unpac.me/results/2261ebd1-d8a2-4430-b9e9-c7f8d529159a/
SH256 hash:
31229d7391d34dc38efe44e330d224d5a92727f8a1b0a1b723a0365e76aa22c6
MD5 hash:
9fb8fe0ee354dc87769b1e288e389f25
SHA1 hash:
d7048e12581be100129bdbdc5ba303bc912f6a35
Link:
https://www.unpac.me/results/2261ebd1-d8a2-4430-b9e9-c7f8d529159a/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/31229d7391d3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer_1
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2715539/
Cape
Cape
https://www.capesandbox.com/analysis/453222/

Comments