MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 367fe3f35e2c9c0e04a821cbc35ef8bcd174aaca7bd9650af414bd00dcf83138. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 367fe3f35e2c9c0e04a821cbc35ef8bcd174aaca7bd9650af414bd00dcf83138
SHA3-384 hash: 4a77ab9754f7beb9acf94996e646686e4f65d7662560c8c7c17350b15da4757a9046f13832bc9d6443e0c2b8607435d2
SHA1 hash: 5654e3452ae4d0363f593f8a22d3b386bc3afcc5
MD5 hash: a0446cf95a58e55c98d3e00fb169c736
humanhash: river-november-arizona-kentucky
File name:a0446cf95a58e55c98d3e00fb169c736.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:4'337'615 bytes
First seen:2021-12-23 14:54:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cfda23baf1e2e983ddfeca47a5c755a (33 x RedLineStealer, 6 x Dridex, 5 x NetSupport)
ssdeep 98304:lFz9/1THsUs3unFH6iKd2X40O7K/i2HH4eR3nZg5xQz8XkE3N6X:r9GDYF60O7K9nnZg5xQoXrNW
Threatray 2'769 similar samples on MalwareBazaar
TLSH T137163311B582F871C68A45344AF4EDA4D368B914E4E47AC73BC193AB2B61EB3D1B53C3
File icon (PE):PE icon
dhash icon e0f4c4d4f0d4c47c (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
178
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a0446cf95a58e55c98d3e00fb169c736.exe
Verdict:
Malicious activity
Analysis date:
2021-12-23 15:01:15 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/936cd236-7292-4a7a-9dcb-cb8810797577

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/215983/
Detection(s):
SecuriteInfo.com.Trojan.MulDrop7.53194.14125.546.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a process
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
DNS request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Unauthorized injection to a recently created process
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/3022/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
CPUID_Instruction
EvasionQueryPerformanceCounter
CheckCmdLine
EvasionGetTickCount
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/61c48dcaec6c6c14a9ecb97f/reports/60fbb13d-45f8-48f5-b3d4-a8c390aa58f4/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b6c95066-89c9-4a8a-b46e-8ff569c89236
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/912056
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Detected VMProtect packer
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
PE file has nameless sections
Performs DNS queries to domains with low reputation
Potential dropper URLs found in powershell memory
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Tries to steal Crypto Currency Wallets
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 544534 Sample: KBvpTp8GyA.exe Startdate: 23/12/2021 Architecture: WINDOWS Score: 100 59 Multi AV Scanner detection for submitted file 2->59 61 Yara detected RedLine Stealer 2->61 63 Detected VMProtect packer 2->63 65 5 other signatures 2->65 10 KBvpTp8GyA.exe 9 2->10         started        process3 file4 41 C:\Users\user\AppData\...\InstallDriver.exe, PE32+ 10->41 dropped 43 C:\Users\user\AppData\...\@sellfortya.exe, PE32 10->43 dropped 13 @sellfortya.exe 10->13         started        16 InstallDriver.exe 11 4 10->16         started        process5 dnsIp6 83 Multi AV Scanner detection for dropped file 13->83 85 Machine Learning detection for dropped file 13->85 87 Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION 13->87 95 3 other signatures 13->95 19 AppLaunch.exe 15 7 13->19         started        24 WerFault.exe 13->24         started        45 api.telegram.org 149.154.167.220, 443, 49781 TELEGRAMRU United Kingdom 16->45 47 www.google.com 172.217.168.36, 49768, 80 GOOGLEUS United States 16->47 49 icanhazip.com 104.18.114.97, 443, 49780 CLOUDFLARENETUS United States 16->49 89 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 16->89 91 May check the online IP address of the machine 16->91 93 Tries to delay execution (extensive OutputDebugStringW loop) 16->93 signatures7 process8 dnsIp9 53 vataeagene.xyz 45.130.151.74, 49750, 81 MARKTELRU Russian Federation 19->53 55 github.com 140.82.121.3, 443, 49761 GITHUBUS United States 19->55 57 2 other IPs or domains 19->57 39 C:\Users\user\AppData\Local\Temp\build.exe, PE32+ 19->39 dropped 67 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 19->67 69 Performs DNS queries to domains with low reputation 19->69 71 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 19->71 73 2 other signatures 19->73 26 build.exe 19->26         started        file10 signatures11 process12 signatures13 75 Antivirus detection for dropped file 26->75 77 Multi AV Scanner detection for dropped file 26->77 79 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 26->79 81 Tries to detect virtualization through RDTSC time measurements 26->81 29 cmd.exe 26->29         started        process14 signatures15 97 Encrypted powershell cmdline option found 29->97 32 powershell.exe 29->32         started        35 conhost.exe 29->35         started        37 powershell.exe 29->37         started        process16 dnsIp17 51 192.168.2.1 unknown unknown 32->51
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/367fe3f35e2c9c0e04a821cbc35ef8bcd174aaca7bd9650af414bd00dcf83138/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-12-23 14:55:20 UTC
File Type:
PE (Exe)
Extracted files:
39
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gz76h426fsoa4bfiehf4gxxyxtixjkwkppmwkcxucs6qbxhyge4a._file
Verdict:
malicious
Similar samples:
07de0324fd15b8dab3b0c9e4345a2ecc0d2bc0c806f6702cda99e480e9d6506c
RedLineStealer
44d3715b74d4162d3407fc4dcff4dbd67eb390452700cd2628a63399cd39979d
RedLineStealer
7148bb41fee90f24843a31006add5c84e658ccc3583149c0b2b01d6b69aaeaca
RedLineStealer
9c55d8b1e171b21b41833dcbab1b07157f3bd3a12a06578c9063a211bb0bc61e
RedLineStealer
f3de4ce2a7e7d27e8dcfc9b38b0e55631181393e673a37a57bd97e218a797cfe
RedLineStealer
ff96c1b6af7f067e0ffe1d90c7d91dd39ac01f22ebb7868eb54f2d414951a728
RedLineStealer
+ 2'759 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/211223-sagcpsaghr/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
e10fe0feab8dfcce3ef279a06cde3c6e47ea973e21c21ebe8b1c0a5d2465c928
MD5 hash:
ed35d395cbd7586a10db12e73996b2ed
SHA1 hash:
51751d535d24f9c30cc882b5a6a52fca8b8be5a8
Link:
https://www.unpac.me/results/1e4a37ae-f562-401d-8f46-d48eae38e775/
SH256 hash:
e86ea2243ff56f6d1cb163535535e45616793e506b9f528253983b4caecf0655
MD5 hash:
d70a2e80bbe36d2d8e9e9670a995ee66
SHA1 hash:
843124e7b4d01dc7981ca6b11a3a4a2854a55584
Link:
https://www.unpac.me/results/1e4a37ae-f562-401d-8f46-d48eae38e775/
SH256 hash:
f22d5443b543ff6696077c3c01e196faa98aceee1ef48ee3aa37ede629d39e8f
MD5 hash:
a78027fc2a2709982b6e9f52e9207766
SHA1 hash:
3098915781b7350a22f8bfad493a6a0c21433da9
Link:
https://www.unpac.me/results/1e4a37ae-f562-401d-8f46-d48eae38e775/
SH256 hash:
367fe3f35e2c9c0e04a821cbc35ef8bcd174aaca7bd9650af414bd00dcf83138
MD5 hash:
a0446cf95a58e55c98d3e00fb169c736
SHA1 hash:
5654e3452ae4d0363f593f8a22d3b386bc3afcc5
Link:
https://www.unpac.me/results/1e4a37ae-f562-401d-8f46-d48eae38e775/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/367fe3f35e2c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/367fe3f35e2c9c0e04a821cbc35ef8bcd174aaca7bd9650af414bd00dcf83138

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 367fe3f35e2c9c0e04a821cbc35ef8bcd174aaca7bd9650af414bd00dcf83138

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/215983/
  
URLhaus
https://urlhaus.abuse.ch/url/1914427/
  
Delivery method
Distributed via web download

Comments