MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 33358691144fd04943b0de774643ba673448b6d7e616d482beb5200d09f9beeb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 33358691144fd04943b0de774643ba673448b6d7e616d482beb5200d09f9beeb
SHA3-384 hash: c2f14c76187335c95740d06ab17f13294b70518662635bac32ac7f5eb936bbaadf687c55a123dbb2125216d199d940a8
SHA1 hash: 6a1a5d06a351a23571d436c5f480fc6c0bf2267b
MD5 hash: 17cdde0e896e4a1bf5d8b376346c4d40
humanhash: stairway-mango-robin-march
File name:injector.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:475'544 bytes
First seen:2021-07-15 12:06:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7182b1ea6f92adbf459a2c65d8d4dd9e (5 x CoinMiner, 4 x RedLineStealer, 4 x DCRat)
ssdeep 12288:htzww69TgETDUMnw4vcldVtYlcddsnx7eEbOr:/wNTgE09TFtYlc7snxTe
Threatray 75 similar samples on MalwareBazaar
TLSH T14BA4E067B2E04195EBF281F6E4910306EB3070761B21A3EF977466B71B1A9C58F7C3A4
Reporter Anonymous
Tags:DCRat exe Redline RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
184
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
injector.exe
Verdict:
No threats detected
Analysis date:
2021-07-15 12:09:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c4eb781b-1003-4853-bc31-42cfbfc69e9d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/171971/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.34588367.15193.4194.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cc607563-464e-4fc4-85b9-859e6bc2ed28
Result
Threat name:
DCRat RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/816876
Signature
Antivirus detection for dropped file
Connects to many ports of the same IP (likely port scanning)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Schedule system process
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected BatToExe compiled binary
Yara detected DCRat
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 449287 Sample: injector.exe Startdate: 15/07/2021 Architecture: WINDOWS Score: 100 94 Found malware configuration 2->94 96 Multi AV Scanner detection for dropped file 2->96 98 Multi AV Scanner detection for submitted file 2->98 100 10 other signatures 2->100 10 injector.exe 9 2->10         started        13 spoolsv.exe 2->13         started        17 System.exe 2->17         started        process3 dnsIp4 76 C:\Users\user\AppData\Local\Temp\...\extd.exe, PE32+ 10->76 dropped 19 cmd.exe 3 10->19         started        92 62.109.6.34, 80 THEFIRST-ASRU Russian Federation 13->92 126 Multi AV Scanner detection for dropped file 13->126 128 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 13->128 file5 signatures6 process7 signatures8 102 Uses ping.exe to sleep 19->102 104 Uses ping.exe to check the status of other devices and networks 19->104 22 cmd.exe 3 6 19->22         started        26 design_stalkar.exe 15 29 19->26         started        29 conhost.exe 19->29         started        31 4 other processes 19->31 process9 dnsIp10 68 C:\...\SavesRefruntimemonitordllsavesnet.exe, PE32 22->68 dropped 110 Multi AV Scanner detection for dropped file 22->110 112 Machine Learning detection for dropped file 22->112 33 wscript.exe 1 22->33         started        86 185.186.142.83, 29867, 49727, 49734 ASKONTELRU Russian Federation 26->86 88 api.ip.sb 26->88 70 C:\Users\user\...\design_stalkar.exe.log, ASCII 26->70 dropped 114 Antivirus detection for dropped file 26->114 116 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 26->116 118 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 26->118 124 2 other signatures 26->124 120 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 29->120 122 Uses schtasks.exe or at.exe to add and modify task schedules 29->122 35 cmd.exe 29->35         started        38 schtasks.exe 29->38         started        40 schtasks.exe 29->40         started        42 2 other processes 29->42 90 cdn.discordapp.com 162.159.134.233, 443, 49710, 49715 CLOUDFLARENETUS United States 31->90 72 C:\Users\user\AppData\...\design_stalkar.exe, PE32 31->72 dropped 74 C:\Users\user\AppData\Local\Temp\...\cmd.exe, PE32 31->74 dropped file11 signatures12 process13 signatures14 44 cmd.exe 33->44         started        106 Uses ping.exe to sleep 35->106 108 Drops executables to the windows directory (C:\Windows) and starts them 35->108 46 conhost.exe 35->46         started        48 chcp.com 35->48         started        50 PING.EXE 35->50         started        52 spoolsv.exe 35->52         started        54 conhost.exe 38->54         started        56 conhost.exe 40->56         started        58 conhost.exe 42->58         started        60 conhost.exe 42->60         started        process15 process16 62 SavesRefruntimemonitordllsavesnet.exe 44->62         started        66 conhost.exe 44->66         started        file17 78 C:\Windows\System32\dpapimig\spoolsv.exe, PE32 62->78 dropped 80 C:\ProgramData\Microsoft Help\smss.exe, PE32 62->80 dropped 82 C:\Program Files\MSBuild\System.exe, PE32 62->82 dropped 84 C:\PerfLogs\RuntimeBroker.exe, PE32 62->84 dropped 130 Multi AV Scanner detection for dropped file 62->130 132 Machine Learning detection for dropped file 62->132 134 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 62->134 136 2 other signatures 62->136 signatures18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/33358691144fd04943b0de774643ba673448b6d7e616d482beb5200d09f9beeb/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-07-15 12:07:06 UTC
AV detection:
15 of 46 (32.61%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gm2yneiuj7iesq5q3z3umq52m42ernwx4ylnjav6wuqa2cpzx3vq._file
Verdict:
malicious
Similar samples:
2131b75617c740ddba1b808e0decc1e7054e34e6ce51c91bc4b848a52050e728
RedLineStealer
3194e2fb68c007cf2f6deaa1fb07b2cc68292ee87f37dff70ba142377e2ca1fa
RedLineStealer
37b3a1d0c99b42d11596890640c076a18929f5087f924d22e9b751b3afd4f94c
RedLineStealer
4b734afbb65c47d96c53ddc24250cacf96e62bbc56e0c64eca978d3255bbc745
RedLineStealer
4cba3cb0188c4a064f6dd99ead74f76156d73019e15eec1a3653b28c8ac7a112
RedLineStealer
748f35be261019103aae31d43b1fa88fda9cbc99043122e76b5c0a0d94cb808f
RedLineStealer
b7700c66e40ddd73a718794c1f295d1a56251aa0cdb89b215120a09bb5e61e9e
RedLineStealer
bb55fcf1625411295d87059f3116db4109ef0783504fbce9c5eca05ef72d45e0
RedLineStealer
ff1cf221e44187ccf5382ba91b26991722b97d2dd0ef25ae0b5fda12425a4a93
RedLineStealer
+ 65 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:dcrat family:redline botnet:@design_stalkar discovery infostealer rat spyware stealer upx
Link:
https://tria.ge/reports/210715-djssmpfpxs/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
DCRat Payload
DcRat
RedLine
RedLine Payload
Malware Config
C2 Extraction:
185.186.142.83:29867
Unpacked files
SH256 hash:
33358691144fd04943b0de774643ba673448b6d7e616d482beb5200d09f9beeb
MD5 hash:
17cdde0e896e4a1bf5d8b376346c4d40
SHA1 hash:
6a1a5d06a351a23571d436c5f480fc6c0bf2267b
Link:
https://www.unpac.me/results/bc6e4333-e92b-4b29-b0e0-1565599a743a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/33358691144fd04943b0de774643ba673448b6d7e616d482beb5200d09f9beeb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_62e745e92165213c971f5c490aea12a5
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/171971/

Comments