MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 34667ec337d12991e243afa9c3f3a61b84042de7b429b25f2f889dc0938f69d3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 7 File information Comments

SHA256 hash:	34667ec337d12991e243afa9c3f3a61b84042de7b429b25f2f889dc0938f69d3
SHA3-384 hash:	2679fddbdece5b568c0cb5afd4c687a93efa5346eb5b8c48a020e15e7393fb6452e1c2e22a0976961b49e8e0f8c5d91d
SHA1 hash:	814714fcaa7d0d1b0c8d499973cf14e7663cbc0c
MD5 hash:	189ab8a50ad6c519aadd95f96a7233df
humanhash:	pluto-colorado-edward-helium
File name:	814714fcaa7d0d1b0c8d499973cf14e7663cbc0c.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	858'624 bytes
First seen:	2021-11-13 22:21:40 UTC
Last seen:	2021-11-14 00:17:20 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	77baa691e6143dcc53adb7b2c5e44e0e (5 x RedLineStealer)
ssdeep	12288:0o8Wh0Dh/0tc+aSGpvVK11hp3zLpoVaoCbT2x1kL0keOaSSogV8Y53F:0o8pDrLvyfpDdnqGcSSzV8Y7
TLSH	T1EA052AC6F1B3608ED7A3B0790F0155924A471C7A6B119AF9AF35E92B11F36A1CAD7303
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
45.144.31.118:31905

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
45.144.31.118:31905	https://threatfox.abuse.ch/ioc/248027/

Intelligence

File Origin

# of uploads :

# of downloads :

130

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/205557/

Detection(s):

SecuriteInfo.com.Trojan.Siggen15.38325.14456.23102.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Connection attempt

Sending an HTTP POST request

DNS request

Sending a custom TCP request

Creating a file in the %temp% directory

Reading critical registry keys

Deleting a recently created file

Using the Windows Management Instrumentation requests

Creating a window

Sending a UDP request

Sending an HTTP GET request

Creating a process from a recently created file

Launching a process

Creating a process with a hidden window

Creating a file

Stealing user critical data

Unauthorized injection to a recently created process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

67%

Tags:

anti-debug packed trickbot

Link:

https://www.filescan.io/uploads/61903a8fdec3347825a3dc3d/reports/436ff001-a6c8-4daa-af86-3a83c3ce939f/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/bb1eced6-9f39-4195-a650-d3f95a373b20

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/888681

Signature

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (creates a PE file in dynamic memory)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/34667ec337d12991e243afa9c3f3a61b84042de7b429b25f2f889dc0938f69d3/

Threat name:

Win32.Spyware.TrickBot

Status:

Malicious

First seen:

2021-11-11 01:18:36 UTC

AV detection:

22 of 28 (78.57%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=grth5qzx2euzdysdv6u4h45gdocailphwqu3exzprco4be4pnhjq._file

Verdict:

malicious

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:@qwertkbb discovery infostealer persistence spyware stealer

Link:

https://tria.ge/reports/211113-1986rscegl/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

RedLine

RedLine Payload

Malware Config

C2 Extraction:

45.144.31.118:31905

Unpacked files

SH256 hash:

111eb97b8ec00715be68939c685d730aeef17100cc8351d7b5b34a7004ca4a5d

MD5 hash:

b71f6dac6ed90da288738c460d8c2ff7

SHA1 hash:

7ceeca5518dfc6878682b145ab96586679f91bb4

Link:

https://www.unpac.me/results/33c20823-bca2-4168-a828-46738a1efedb/

SH256 hash:

734130b6cd2c2ac616b15466658158800280dfd0dd39dece626637e9451fe086

MD5 hash:

f1f5ad0f16e47b5e4b76fa714942a34d

SHA1 hash:

29b1cd97e63646516671d5daadf778c7f058fd7b

Link:

https://www.unpac.me/results/33c20823-bca2-4168-a828-46738a1efedb/

SH256 hash:

34667ec337d12991e243afa9c3f3a61b84042de7b429b25f2f889dc0938f69d3

MD5 hash:

189ab8a50ad6c519aadd95f96a7233df

SHA1 hash:

814714fcaa7d0d1b0c8d499973cf14e7663cbc0c

Link:

https://www.unpac.me/results/33c20823-bca2-4168-a828-46738a1efedb/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	RedLine_a Create hunting rule
Author:	@bartblaze
Description:	Identifies RedLine stealer.

Rule name:	redline_new_bin Create hunting rule
Author:	James_inthe_box
Description:	Redline stealer
Reference:	https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8

Rule name:	redline_stealer Create hunting rule
Author:	jeFF0Falltrades
Description:	This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/205557/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample