MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 38298f1d758713254e21b9c6a6f3d3c81522a5a45c5adf01db5b8053b204d266. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 38298f1d758713254e21b9c6a6f3d3c81522a5a45c5adf01db5b8053b204d266
SHA3-384 hash: 99723261803f9196847217f43452990b6a10b9e67f0eaeefd9a1c5ef053440675565d2a463ed578dd17dbc22e4859bb2
SHA1 hash: 7dc75fd3785ee1fd4510b40b41a4e479e1cd8124
MD5 hash: fa2df76c3c4e4f06db7895e7e55ad5a8
humanhash: five-hot-video-fruit
File name:fa2df76c3c4e4f06db7895e7e55ad5a8
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:21'504 bytes
First seen:2022-01-12 21:19:03 UTC
Last seen:2022-01-12 22:58:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 192:svGBdWHcIcAcJUVcvqhkWfevG+q9mQpEbnGPlQjlLJ1Yx6:svGBdW4UCMsvG+K1kDln
Threatray 156 similar samples on MalwareBazaar
TLSH T11BA240018BD09CEFC5654F3C7BA145868AE16C62BB35B29B3CA131FD2C753008769AEC
File icon (PE):PE icon
dhash icon ecd3d14d4d7434c8 (1 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
267
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
fa2df76c3c4e4f06db7895e7e55ad5a8
Verdict:
Malicious activity
Analysis date:
2022-01-12 21:20:35 UTC
Tags:
trojan rat redline loader
Link:
https://app.any.run/tasks/d5234d1a-3722-4694-95a2-7e0adc1b0114

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/218843/
Detection(s):
SecuriteInfo.com.IL.Trojan.MSILZilla.5329.18284.16760.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a process
Creating a file
Creating a window
Searching for the window
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Creating a file in the Windows subdirectories
Creating a file in the Program Files subdirectories
Reading critical registry keys
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Sending an HTTP GET request to an infection source
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
dcrat obfuscated packed replace.exe shelma
Link:
https://www.filescan.io/uploads/61df45ca1883c5ba4ec54011/reports/a65c6efd-68b1-4bf6-ad15-a634a8679a8a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/42dccb8e-b2b8-41bf-ad2a-977eab5a993a
Result
Threat name:
DCRat RedLine TVrat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/919648
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to prevent local Windows debugging
Creates processes via WMI
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the user root directory
Drops PE files with benign system names
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Execution from Suspicious Folder
Sigma detected: System File Execution Location Anomaly
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected DCRat
Yara detected RedLine Stealer
Yara detected TVrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 552126 Sample: rTxXMIDYVm Startdate: 12/01/2022 Architecture: WINDOWS Score: 100 92 Antivirus detection for URL or domain 2->92 94 Antivirus / Scanner detection for submitted sample 2->94 96 Multi AV Scanner detection for submitted file 2->96 98 11 other signatures 2->98 10 rTxXMIDYVm.exe 14 7 2->10         started        14 AppLaunch.exe 2->14         started        17 schtasks.exe 2->17         started        19 6 other processes 2->19 process3 dnsIp4 84 dogelab.net 104.21.59.127, 49718, 80 CLOUDFLARENETUS United States 10->84 70 C:\Users\user\AppData\Local\Temp\red.exe, PE32 10->70 dropped 72 C:\Users\user\AppData\Local\Temp\dc.exe, PE32 10->72 dropped 74 C:\Users\user\AppData\Local\Temp\build.exe, PE32 10->74 dropped 76 C:\Users\user\AppData\...\rTxXMIDYVm.exe.log, ASCII 10->76 dropped 21 red.exe 10->21         started        24 build.exe 1 56 10->24         started        27 dc.exe 10->27         started        118 Contains functionality to prevent local Windows debugging 14->118 file5 signatures6 process7 file8 100 Machine Learning detection for dropped file 21->100 102 Writes to foreign memory regions 21->102 104 Allocates memory in foreign processes 21->104 29 AppLaunch.exe 15 5 21->29         started        62 C:\Users\user\AppData\Local\...\quartz.dll, PE32 24->62 dropped 64 C:\Users\user\AppData\...\vcruntime140.dll, PE32 24->64 dropped 66 C:\Users\user\AppData\Local\...\vcomp140.dll, PE32 24->66 dropped 68 21 other files (none is malicious) 24->68 dropped 106 Multi AV Scanner detection for dropped file 24->106 33 cmd.exe 24->33         started        108 Injects a PE file into a foreign processes 27->108 35 AppLaunch.exe 8 16 27->35         started        signatures9 process10 dnsIp11 86 172.67.177.130, 443, 49754 CLOUDFLARENETUS United States 29->86 88 178.20.44.131, 49738, 8842 ASN-FRWInternetServiceProviderIT Russian Federation 29->88 90 dogelab.net 29->90 120 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 29->120 122 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 29->122 124 Drops PE files to the user root directory 29->124 126 4 other signatures 29->126 38 ast.exe 33->38         started        42 conhost.exe 33->42         started        54 C:\Windows\Microsoft.NET\...\AppLaunch.exe, PE32 35->54 dropped 56 C:\Users\Default\smss.exe, PE32 35->56 dropped 58 C:\Users\user\AppData\...\VPJKw3QTlo.bat, DOS 35->58 dropped 60 2 other files (none is malicious) 35->60 dropped 44 cmd.exe 35->44         started        file12 signatures13 process14 dnsIp15 78 id.xn--80akicokc0aablc.xn--p1ai 212.193.169.74, 443, 49785, 49788 SAFIB-ASRU Russian Federation 38->78 80 127.0.0.1 unknown unknown 38->80 82 192.168.2.1 unknown unknown 38->82 110 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 38->110 112 Tries to delay execution (extensive OutputDebugStringW loop) 38->112 114 Tries to evade analysis by execution special instruction which cause usermode exception 38->114 116 2 other signatures 38->116 46 w32tm.exe 44->46         started        48 conhost.exe 44->48         started        50 smss.exe 44->50         started        signatures16 process17 process18 52 w32tm.exe 46->52         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/38298f1d758713254e21b9c6a6f3d3c81522a5a45c5adf01db5b8053b204d266/
Threat name:
ByteCode-MSIL.Backdoor.LightStone
Create hunting rule
Status:
Malicious
First seen:
2022-01-12 21:20:18 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hauy6hlvq4jsktrbxhdkn46tzaksfjnelrnn6ao3loafhmqe2jta._file
Verdict:
malicious
Label(s):
ryuk
Create hunting rule
Similar samples:
30a4539d1a49783943ad6917b42a30788ba09ddf9eb73c504134393c2ca63da5
RedLineStealer
51b1472cdc8034acd1518ac9ef068ea546f318088957a52f14e6112dd0f33f73
RedLineStealer
7860832a25f403c43865c00bd072fa58b2da66bc81152eec30582ad0a72932e6
RedLineStealer
7a4c304b810703f0eb30ae166efb16ff9c1cfb0ebc9db5948e959614a3e49d5d
RedLineStealer
b4373e36a5aa7a4ed214da50dc54d3f89503f2cff576d5523b51f1dab202b048
RedLineStealer
cfa1ef201a4dec456d4d6ffddc96267fcbf212f45616223fc8b3c675639f055b
RedLineStealer
f0b3267fa660090a9f3008f4fe70f4191d51ec5d087692a0e218a137f10dbaae
RedLineStealer
+ 146 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/220112-z57xgaeab7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Adds Run key to start application
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Unpacked files
SH256 hash:
38298f1d758713254e21b9c6a6f3d3c81522a5a45c5adf01db5b8053b204d266
MD5 hash:
fa2df76c3c4e4f06db7895e7e55ad5a8
SHA1 hash:
7dc75fd3785ee1fd4510b40b41a4e479e1cd8124
Link:
https://www.unpac.me/results/4a258b09-9752-4fdf-bae2-8b5276f5b845/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/38298f1d758713254e21b9c6a6f3d3c81522a5a45c5adf01db5b8053b204d266

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 38298f1d758713254e21b9c6a6f3d3c81522a5a45c5adf01db5b8053b204d266

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/218843/
  
URLhaus
https://urlhaus.abuse.ch/url/1971836/

Comments


Avatar
zbet commented on 2022-01-12 21:19:04 UTC

url : hxxp://data-host-coin-8.com/files/3369_1641995271_8399.exe