MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 36318442bbfa58a7dfa39620245f9e0fa3c672c0c9e63c267150c03fed4bb550. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 36318442bbfa58a7dfa39620245f9e0fa3c672c0c9e63c267150c03fed4bb550
SHA3-384 hash: 1a5835365f023445e9901313b0fc8712e9a632f9886798ce2dd67b61ccd19dc03525ab49f2010d1cac39cd026bec5391
SHA1 hash: 018991065f32529ed158047dffc75ea9779c7d8b
MD5 hash: 8f92c3e6d8ac8def613b09c2c293aadd
humanhash: magazine-cardinal-twelve-nitrogen
File name:8f92c3e6d8ac8def613b09c2c293aadd.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:593'834 bytes
First seen:2021-11-28 17:41:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 12288:8zxzTDWikLSb4NS7ET+tG1XD+KOpoZoDZU4xGxFQBcb9n9T:6DWHSb4NhxdOv9se09
Threatray 321 similar samples on MalwareBazaar
TLSH T1A3C4F102F9D199B2C5210D36165AAB61243CBD301F258FEBE3D46E6DE9341D0BB34BA7
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
46.3.199.41:53924

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
46.3.199.41:53924 https://threatfox.abuse.ch/ioc/255859/

Intelligence

File Origin
# of uploads :
1
# of downloads :
171
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8f92c3e6d8ac8def613b09c2c293aadd.exe
Verdict:
Malicious activity
Analysis date:
2021-11-28 17:42:49 UTC
Tags:
trojan rat redline stealer
Link:
https://app.any.run/tasks/feef6409-a516-46c4-8a02-a601160a358a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Gen.Variant.Razy.582340.18684.14597.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
DNS request
Sending an HTTP POST request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/61a3bf6dbbfd2af97cb7e151/reports/3860e057-ba37-4be4-9f30-3e8098f9a3c9/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/50d52d3a-10da-443a-992c-5d12f3dddf85
Result
Threat name:
BitCoin Miner RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/897469
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for dropped file
Connects to many ports of the same IP (likely port scanning)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates a thread in another existing process (thread injection)
Detected VMProtect packer
Drops PE files to the user root directory
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect debuggers (CloseHandle check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 529947 Sample: kJ29WfDhWX.exe Startdate: 28/11/2021 Architecture: WINDOWS Score: 100 80 Multi AV Scanner detection for submitted file 2->80 82 Yara detected BitCoin Miner 2->82 84 Yara detected RedLine Stealer 2->84 86 7 other signatures 2->86 13 kJ29WfDhWX.exe 8 2->13         started        16 services32.exe 2->16         started        process3 file4 62 C:\Users\user\AppData\Local\Temp\cs.exe, PE32 13->62 dropped 19 cs.exe 15 32 13->19         started        72 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 16->72 74 Writes to foreign memory regions 16->74 76 Tries to evade analysis by execution special instruction which cause usermode exception 16->76 78 4 other signatures 16->78 24 conhost.exe 3 16->24         started        signatures5 process6 dnsIp7 66 46.3.199.41, 49742, 49746, 49747 ALEXHOST_SRLMD Russian Federation 19->66 68 api.ip.sb 19->68 70 cdn.discordapp.com 162.159.135.233, 443, 49748 CLOUDFLARENETUS United States 19->70 58 C:\Users\user\AppData\Local\Temp\123.exe, PE32+ 19->58 dropped 60 C:\Users\user\AppData\Local\...\cs.exe.log, ASCII 19->60 dropped 96 Antivirus detection for dropped file 19->96 98 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 19->98 100 Machine Learning detection for dropped file 19->100 102 4 other signatures 19->102 26 123.exe 19->26         started        29 conhost.exe 19->29         started        file8 signatures9 process10 signatures11 112 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 26->112 114 Writes to foreign memory regions 26->114 116 Tries to evade analysis by execution special instruction which cause usermode exception 26->116 120 4 other signatures 26->120 31 conhost.exe 4 26->31         started        118 Drops PE files to the user root directory 29->118 process12 file13 64 C:\Users\user\services32.exe, PE32+ 31->64 dropped 34 cmd.exe 1 31->34         started        36 cmd.exe 1 31->36         started        process14 signatures15 39 services32.exe 34->39         started        42 conhost.exe 34->42         started        94 Uses schtasks.exe or at.exe to add and modify task schedules 36->94 44 conhost.exe 36->44         started        46 schtasks.exe 1 36->46         started        process16 signatures17 104 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 39->104 106 Writes to foreign memory regions 39->106 108 Tries to detect debuggers (CloseHandle check) 39->108 110 2 other signatures 39->110 48 conhost.exe 4 39->48         started        process18 file19 56 C:\Users\user\AppData\...\sihost32.exe, PE32+ 48->56 dropped 51 sihost32.exe 48->51         started        process20 signatures21 88 Writes to foreign memory regions 51->88 90 Allocates memory in foreign processes 51->90 92 Creates a thread in another existing process (thread injection) 51->92 54 conhost.exe 2 51->54         started        process22
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/36318442bbfa58a7dfa39620245f9e0fa3c672c0c9e63c267150c03fed4bb550/
Threat name:
ByteCode-MSIL.Trojan.Reline
Create hunting rule
Status:
Malicious
First seen:
2021-11-28 17:42:14 UTC
File Type:
PE (Exe)
Extracted files:
19
AV detection:
23 of 27 (85.19%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gyyyiqv37jmkpx5dsyqcix46b6r4m4wazhtdyjtrkdad73klwvia._file
Verdict:
malicious
Similar samples:
1505d3b595d18d1b255253b080bed85334916ff81174a5685a6f3f3433cbe746
RedLineStealer
40387bebfe97eea9c90425caf5519019dfc0e7425bb238246ec9f7bb5d621293
RedLineStealer
67ad7348d5bfbb13a98697962b46a7a833137b636b49c6eac2829c2d425e9dfa
RedLineStealer
773b40c8007545afd1b563bdf17dab8225acd4bd6def35e4db95f70fca16371c
RedLineStealer
888b7c0da59de4fb96352a4db14b1674881eea78028100bd8ffd8757f21fffdc
RedLineStealer
96ad89ff084cb88f1bd0bf8f104b744d9bf26157aa9f117851fdbfc2b20585c5
RedLineStealer
c4e9742a6a418ee7366c594a4f1206d468f6147792407fcd9ac6b452369d88bb
RedLineStealer
d3cfc436366c9d127c7a6233f6531cf6e5863153b41ba4ab6f8fe87f473c8c9d
RedLineStealer
fbf130705ed4de523fd2e38a6c64848af5d6e1ce6a268251e7b6d6e3f8089957
RedLineStealer
fd6996eab709c3ed21ef140958d9a9147902336b85b47bc896372a18e469a6fc
RedLineStealer
+ 311 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer vmprotect
Link:
https://tria.ge/reports/211128-v91lqsdbf4/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
RedLine
RedLine Payload
Unpacked files
SH256 hash:
e2a2b63948fc300ded450cb19907261f3b29ef2866099f38dc2c8c58e869e32d
MD5 hash:
ee2103f4e7d103856a6912427c92d200
SHA1 hash:
fcf29934cf50c5747f868bc9d24f2d9e80c23f20
Link:
https://www.unpac.me/results/0468b4d2-f2a7-4c5a-9ce9-529a7a41dc6a/
SH256 hash:
36318442bbfa58a7dfa39620245f9e0fa3c672c0c9e63c267150c03fed4bb550
MD5 hash:
8f92c3e6d8ac8def613b09c2c293aadd
SHA1 hash:
018991065f32529ed158047dffc75ea9779c7d8b
Link:
https://www.unpac.me/results/0468b4d2-f2a7-4c5a-9ce9-529a7a41dc6a/
Malware family:
RedLine
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/36318442bbfa/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/36318442bbfa58a7dfa39620245f9e0fa3c672c0c9e63c267150c03fed4bb550

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 36318442bbfa58a7dfa39620245f9e0fa3c672c0c9e63c267150c03fed4bb550

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1827980/
  
Delivery method
Distributed via web download

Comments