MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3194e2fb68c007cf2f6deaa1fb07b2cc68292ee87f37dff70ba142377e2ca1fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 8



SHA256 hash: 3194e2fb68c007cf2f6deaa1fb07b2cc68292ee87f37dff70ba142377e2ca1fa
SHA3-384 hash: 97e52bd7cc8d4bbcb2610d9b2da0e1daa84447caf23e67e6d0c39cc305c0f17a66a8a144af7a955a1cca281f3514caf4
SHA1 hash: 75c8cffac87a1a14ff3d372e070e5afa7cc47980
MD5 hash: a6301e3117c7a82c941bf8b96ca2b998
humanhash: tennis-minnesota-uniform-summer
File name: 3194e2fb68c007cf2f6deaa1fb07b2cc68292ee87f37dff70ba142377e2ca1fa
Signature: RedLineStealer
File size: 360'840 bytes
First seen: 2021-06-30 06:00:11 UTC
Last seen: 2021-06-30 06:48:24 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5877688b4859ffd051f6be3b8e0cd533 (119 x Babadeda, 2 x DCRat, 2 x RedLineStealer)
ssdeep: 6144:4ldk1cWQRNTBUrGmHQFdEh82D4azVihe8fMevAVY8S5uInvGQ4SkTlhHsrhMTaR:4cv0NTSqq6VczViffMNK18IvsSkZhMq+
Threatray: 64 similar samples on MalwareBazaar
TLSH: BF740246F3E142F7E9E50A3110A5B62FEB756A248B10ECD7C71C3C426942BD55A783F8
Reporter: JAMESWT_WT
Tags: Amcert LLC exe RedLineStealer signed

Code Signing Certificate

Organisation: Amcert LLC
Issuer: Sectigo Public Code Signing CA R36
Algorithm: sha384WithRSAEncryption
Valid from: 2021-06-14T00:00:00Z
Valid to: 2022-06-14T23:59:59Z
Serial number: a758504e7971869d0aec2775fffa03d5
Intelligence: 10 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist: This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm: SHA256
Thumbprint: b7d258f776cdd12498fe9c4418b8b9c346b52e50c2e4292fa3e09bf2e228fb6e
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
Number of uploads: 2
Number of downloads: 109
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 3194e2fb68c007cf2f6deaa1fb07b2cc68292ee87f37dff70ba142377e2ca1fa
Verdict: Malicious activity
Analysis date: 2021-06-30 06:02:15 UTC
Tags: trojan rat redline evasion stealer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family: RedLine infostealer
Verdict: Malicious

Result
Threat name: DCRat RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the user root directory
Drops PE files with benign system names
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Schedule system process
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected BatToExe compiled binary
Yara detected DCRat
Yara detected RedLine Stealer
Behaviour
Behavior Graph: (graph image not reproduced) Behavior Graph ID: 442182, Sample: Kn6mR6I7Jm, Start date: 30/06/2021, Architecture: WINDOWS, Score: 100
Threat name: Win32.Spyware.Stelega
Status: Malicious
First seen: 2021-06-27 00:59:36 UTC
File Type: PE (Exe)
Extracted files: 2
AV detection: 25 of 46 (54.35%)
Threat level: 2/5

Result
Malware family: redline
Score: 10/10
Tags: family:dcrat family:redline botnet:chipdale discovery infostealer rat spyware stealer upx
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
DCRat Payload
DcRat
RedLine
RedLine Payload
Malware Config
C2 Extraction: 198.98.49.129:23948

Unpacked files
SHA256 hash: aa150533f4afc18975ca7f0f719edbb405877b0e8aff0e380c699221ee9b70fa
MD5 hash: ec82cd791eaef24a02abd2b40a161f21
SHA1 hash: d8307d56584d8a3f80c5ba8c78ddf1789f484033

SHA256 hash: 3194e2fb68c007cf2f6deaa1fb07b2cc68292ee87f37dff70ba142377e2ca1fa
MD5 hash: a6301e3117c7a82c941bf8b96ca2b998
SHA1 hash: 75c8cffac87a1a14ff3d372e070e5afa7cc47980
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments