MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 381d09e67a798dfc8f96b33822cf4b0616652f44275f382ee75b9b6c840e04f2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 381d09e67a798dfc8f96b33822cf4b0616652f44275f382ee75b9b6c840e04f2
SHA3-384 hash: 7e653e0d215be7d2219fd10cd89082022688a5cf6368bc5132c8e2a383af62fd34ea869f82e917aae978dcdbf3884362
SHA1 hash: 221cfaece1b2b6a736f071b367a62d4f229e940e
MD5 hash: ed05d2c233a6a37bfbffd7b27c12d2b9
humanhash: red-delta-lamp-earth
File name:SecuriteInfo.com.BehavesLike.Win32.Generic.cm.19089
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:121'856 bytes
First seen:2021-02-12 14:59:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'450 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 1536:lJi9hN08JvS9/40jYD8eX1ANBAzp0RD52bh5rSFFiZSp4sL:rahCUvSy0jYYO1CDRD6XSFg8pRL
Threatray 6 similar samples on MalwareBazaar
TLSH B4C3C097A23652F3C9392639C8714F0F2BA8CE3D450077E8B50BB76D8D3950D1EB4A69
Reporter SecuriteInfoCom
Tags:RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
100
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.BehavesLike.Win32.Generic.cm.19089
Verdict:
Malicious activity
Analysis date:
2021-02-12 15:01:45 UTC
Tags:
evasion stealer trojan rat redline phishing blocrypt bot
Link:
https://app.any.run/tasks/7465bbee-aed6-4933-ad16-a9b0df493263

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/116939/
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Generic.cm.19089.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a file
Creating a process from a recently created file
Sending a UDP request
Enabling the 'hidden' option for recently created files
Creating a window
Searching for analyzing tools
Searching for the window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Deleting a recently created file
Connecting to a non-recommended domain
Sending an HTTP POST request
Sending a custom TCP request
Creating a file in the %temp% directory
Sending a TCP request to an infection source
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Forced shutdown of a browser
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/606860
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to detect sleep reduction / modifications
Creates an autostart registry key pointing to binary in C:\Windows
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected AntiVM_3
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 352462 Sample: SecuriteInfo.com.BehavesLik... Startdate: 12/02/2021 Architecture: WINDOWS Score: 100 107 Antivirus detection for URL or domain 2->107 109 Antivirus detection for dropped file 2->109 111 Multi AV Scanner detection for submitted file 2->111 113 11 other signatures 2->113 14 SecuriteInfo.com.BehavesLike.Win32.Generic.cm.exe 14 8 2->14         started        19 Windows Host.exe 2->19         started        21 Windows Host.exe 2->21         started        process3 dnsIp4 103 cryptobstar.xyz 104.21.85.36, 443, 49720 CLOUDFLARENETUS United States 14->103 75 C:\ProgramData\6648512.73, PE32 14->75 dropped 77 C:\ProgramData\3008972.33, PE32 14->77 dropped 79 C:\ProgramData\2067397.22, PE32 14->79 dropped 81 3 other malicious files 14->81 dropped 105 Detected unpacking (changes PE section rights) 14->105 23 6648512.73 2 14->23         started        28 1292348.14 14->28         started        30 1380748.15 3 14->30         started        32 2 other processes 14->32 file5 signatures6 process7 dnsIp8 91 109.236.88.152, 443, 49768, 49769 WORLDSTREAMNL Netherlands 23->91 65 C:\...\fedfa8-cd34c1-6adc5704-4ebde0-8ff0.db, PE32+ 23->65 dropped 123 Detected unpacking (changes PE section rights) 23->123 125 Detected unpacking (overwrites its own PE header) 23->125 127 Machine Learning detection for dropped file 23->127 145 2 other signatures 23->145 34 regsvr32.exe 23->34         started        93 api.ip.sb 28->93 95 kynananti.xyz 5.34.180.229, 49742, 49764, 49765 ITLDC-NLUA Ukraine 28->95 101 2 other IPs or domains 28->101 129 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 28->129 131 Query firmware table information (likely to detect VMs) 28->131 133 Tries to detect sandboxes and other dynamic analysis tools (window names) 28->133 147 2 other signatures 28->147 135 Antivirus detection for dropped file 30->135 137 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 30->137 139 Injects a PE file into a foreign processes 30->139 36 1380748.15 30->36         started        97 iplogger.org 88.99.66.31, 443, 49727 HETZNER-ASDE Germany 32->97 99 blockfproperties.xyz 172.67.144.16, 443, 49723 CLOUDFLARENETUS United States 32->99 67 C:\ProgramData\...\Windows Host.exe, PE32 32->67 dropped 69 C:\ProgramData\54\vcruntime140.dll, PE32 32->69 dropped 71 C:\ProgramData\54\sqlite3.dll, PE32 32->71 dropped 73 5 other files (none is malicious) 32->73 dropped 141 Multi AV Scanner detection for dropped file 32->141 143 Creates multiple autostart registry keys 32->143 40 Windows Host.exe 2 32->40         started        file9 signatures10 process11 dnsIp12 42 regsvr32.exe 34->42         started        85 api.ip.sb 36->85 87 WHOIS.RIPE.NET 193.0.6.135, 43, 49739 RIPE-NCC-ASReseauxIPEuropeensNetworkCoordinationCentre Netherlands 36->87 89 3 other IPs or domains 36->89 121 Tries to harvest and steal browser information (history, passwords, etc) 36->121 signatures13 process14 process15 44 regsvr32.exe 42->44         started        process16 46 regsvr32.exe 44->46         started        process17 48 regsvr32.exe 46->48         started        process18 50 regsvr32.exe 48->50         started        dnsIp19 83 192.168.2.1 unknown unknown 50->83 63 C:\...\45c533-82f533-e48c5056-fbb2b1-01a0.db, PE32+ 50->63 dropped 115 System process connects to network (likely due to code injection or exploit) 50->115 117 Creates multiple autostart registry keys 50->117 119 Creates an autostart registry key pointing to binary in C:\Windows 50->119 55 regsvr32.exe 50->55         started        57 regsvr32.exe 50->57         started        59 regsvr32.exe 50->59         started        file20 signatures21 process22 process23 61 regsvr32.exe 55->61         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/381d09e67a798dfc8f96b33822cf4b0616652f44275f382ee75b9b6c840e04f2/
Threat name:
ByteCode-MSIL.Packed.Confuser
Create hunting rule
Status:
Malicious
First seen:
2021-02-12 14:25:02 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  1/5
Verdict:
malicious
Similar samples:
7519ecc88854cf96e369f110243fec46fbf20e8d1259ffaee06ef865f59a3aa7
RedLineStealer
942fee1452e6210f9f70c2a500bea5720100df2e118bd4765a18d66f40f1e467
RedLineStealer
9a1f36511ec56cbf0cf30080cdc11d8f261823079838cedd5ce0e6391ec815ef
RedLineStealer
b833d79953fe177a48a5832ce2606c41d00f0d5b9bd31ceb25d3055a3850c2f7
RedLineStealer
cbf41a6d78de6866a9f86a9d1b2b63720f4ea5f63c9be909764154e6bd674f66
RedLineStealer
fc0438827ee653b0804b75e30b97d4fe48180881ed25c5a3d5b9bb4fc669f2aa
RedLineStealer
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery evasion infostealer persistence spyware themida trojan
Link:
https://tria.ge/reports/210212-p9h2hpy9re/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Loads dropped DLL
Reads user/profile data of web browsers
themida
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RedLine
RedLine Payload
Unpacked files
SH256 hash:
381d09e67a798dfc8f96b33822cf4b0616652f44275f382ee75b9b6c840e04f2
MD5 hash:
ed05d2c233a6a37bfbffd7b27c12d2b9
SHA1 hash:
221cfaece1b2b6a736f071b367a62d4f229e940e
Link:
https://www.unpac.me/results/ccef395a-a36d-48fb-ba74-7061544ad724/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/381d09e67a798dfc8f96b33822cf4b0616652f44275f382ee75b9b6c840e04f2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 381d09e67a798dfc8f96b33822cf4b0616652f44275f382ee75b9b6c840e04f2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1002525/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/116939/

Comments