MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3215decffc40b3257ebeb9b6e5c81c45e298a020f33ef90c9418c153c6071b36. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3215decffc40b3257ebeb9b6e5c81c45e298a020f33ef90c9418c153c6071b36
SHA3-384 hash: c22ae3ea7487bf92c9c1e5d4fa7da8605a68a454f90a4497e94feb049f9b80b026ad58a7014251a76346da51ce6c8fb8
SHA1 hash: f2d41df1d55178b5f7de0512912159f2663296cd
MD5 hash: 618ea7b0e2a26f3c6db0a8664c63fc6f
humanhash: burger-robin-seven-west
File name:build.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'818'112 bytes
First seen:2021-11-22 21:40:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6ed4f5f04d62b18d96b26d6db7c18840 (267 x SalatStealer, 78 x BitRAT, 42 x RedLineStealer)
ssdeep 49152:HAThssooIzoGVgz+GymgXdAa/9uZvvij0b/U:hbTrGymgNAaIv5/U
Threatray 1 similar samples on MalwareBazaar
TLSH T1E98533DB12A90573D95BD1BC16AF14BC0708D5684B0CCEA5C799E76FA0BB10EBF92312
Reporter FirehaK
Tags:boba botnet exe RedLineStealer UPX

Intelligence

File Origin
# of uploads :
1
# of downloads :
512
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
build.exe
Verdict:
No threats detected
Analysis date:
2021-11-22 21:42:48 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/501b14c2-18dd-443e-889f-6c6cb960a52f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Result
Verdict:
Malware
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/619c0e7094a88037d2ff27ab/reports/eb8eb967-592f-47c3-b222-64d4defcb812/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/5968cf01-3840-47a7-bed3-8e4605191639
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/894219
Signature
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Multi AV Scanner detection for submitted file
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Uses cmd line tools excessively to alter registry or file data
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 526705 Sample: build.exe Startdate: 22/11/2021 Architecture: WINDOWS Score: 72 54 Multi AV Scanner detection for submitted file 2->54 56 Sigma detected: Powershell Defender Exclusion 2->56 58 Sigma detected: Copying Sensitive Files with Credential Data 2->58 60 Sigma detected: Suspicious Script Execution From Temp Folder 2->60 7 build.exe 7 2->7         started        11 Registry.exe 2->11         started        13 Registry.exe 2->13         started        process3 dnsIp4 52 95.181.152.184, 49749, 49773, 49774 MSKHOSTRU Russian Federation 7->52 62 Adds a directory exclusion to Windows Defender 7->62 64 Hides that the sample has been downloaded from the Internet (zone.identifier) 7->64 15 cmd.exe 1 7->15         started        18 cmd.exe 1 7->18         started        20 cmd.exe 1 7->20         started        28 2 other processes 7->28 22 cmd.exe 11->22         started        24 cmd.exe 11->24         started        26 cmd.exe 11->26         started        30 2 other processes 11->30 32 5 other processes 13->32 signatures5 process6 signatures7 66 Uses cmd line tools excessively to alter registry or file data 15->66 68 Adds a directory exclusion to Windows Defender 15->68 34 2 other processes 15->34 36 2 other processes 18->36 38 2 other processes 20->38 40 2 other processes 22->40 42 2 other processes 24->42 44 2 other processes 26->44 46 3 other processes 28->46 48 5 other processes 30->48 50 7 other processes 32->50 process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3215decffc40b3257ebeb9b6e5c81c45e298a020f33ef90c9418c153c6071b36/
Threat name:
Win64.Trojan.WinGGo
Create hunting rule
Status:
Malicious
First seen:
2021-11-22 21:41:15 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
17 of 27 (62.96%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
66626e96234ecf2d900ee0fb9d1e74922d80e4438437c7424df04e0eb25a9e53
RedLineStealer
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline agilenet discovery evasion infostealer persistence spyware stealer upx
Link:
https://tria.ge/reports/211122-1jrh2acad5/
Behaviour
GoLang User-Agent
Modifies system certificate store
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Sets file to hidden
RedLine
RedLine Payload
Malware Config
C2 Extraction:
135.181.245.89:24368
Unpacked files
SH256 hash:
3215decffc40b3257ebeb9b6e5c81c45e298a020f33ef90c9418c153c6071b36
MD5 hash:
618ea7b0e2a26f3c6db0a8664c63fc6f
SHA1 hash:
f2d41df1d55178b5f7de0512912159f2663296cd
Link:
https://www.unpac.me/results/4df02dfc-7bd9-4f68-9e4f-c17561105d55/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3215decffc40b3257ebeb9b6e5c81c45e298a020f33ef90c9418c153c6071b36

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Geoirb_TCP
Create hunting rule
Author:@_FirehaK
Description:Detects the message library created for the Boba botnet.
Rule name:GoBinTest
Create hunting rule
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/208445/

Comments


Avatar
Stephan (@FirehaK@infosec.exchange) commented on 2021-11-23 13:49:06 UTC

This is the Boba botnet, but so far the operator(s) have only pushed Redline stealer.