MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 390b39cdaafcbe4f315a8a157fc2a7be6bdc11e2598657fd3e26ac8ba8421baf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 390b39cdaafcbe4f315a8a157fc2a7be6bdc11e2598657fd3e26ac8ba8421baf
SHA3-384 hash: 64f1aa557e281148e0646e4ef153cca4191e9a9c1570d5ec00d353fea48420a7c5bd39ada7befe5d24555609b31598df
SHA1 hash: 41e3f94834eab4a8f2e8027d8d345c7ecacb8c3c
MD5 hash: 9e3a16edd9a6d9e24c253067ee217ccf
humanhash: idaho-friend-delaware-idaho
File name:9e3a16edd9a6d9e24c253067ee217ccf.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'063'185 bytes
First seen:2021-07-29 13:25:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cfda23baf1e2e983ddfeca47a5c755a (33 x RedLineStealer, 6 x Dridex, 5 x NetSupport)
ssdeep 24576:720gPgFKNpkQxAVBbIcXn0hDEB0k5QNe68CL:yKMxAjIEn0NEBb5mFt
Threatray 93 similar samples on MalwareBazaar
TLSH T173358DD2E384C4AAD4170276CC7AD971A517BEAA4570860F256E3D2B76F7383106BE0F
dhash icon f8dc988898a894b8 (3 x AveMariaRAT, 2 x RedLineStealer, 1 x QuasarRAT)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
212.224.105.82:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
212.224.105.82:80 https://threatfox.abuse.ch/ioc/163784/

Intelligence

File Origin
# of uploads :
1
# of downloads :
123
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9e3a16edd9a6d9e24c253067ee217ccf.exe
Verdict:
Malicious activity
Analysis date:
2021-07-29 13:29:14 UTC
Tags:
trojan rat redline stealer
Link:
https://app.any.run/tasks/138b2921-f1fa-4b91-86d0-3526cbbebcd4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/175033/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.24943.1502.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/cc8b5ec7-cfc0-462a-b83d-05ba0506cea4
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/823842
Signature
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops batch files with force delete cmd (self deletion)
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Multi AV Scanner detection for domain / URL
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 456254 Sample: jAW75LpXJL.exe Startdate: 29/07/2021 Architecture: WINDOWS Score: 100 61 Multi AV Scanner detection for domain / URL 2->61 63 Found malware configuration 2->63 65 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->65 67 2 other signatures 2->67 12 jAW75LpXJL.exe 3 8 2->12         started        process3 file4 51 C:\install\mastercool\bat.bat, ASCII 12->51 dropped 53 C:\install\mastercool\winl.exe, PE32 12->53 dropped 83 Drops batch files with force delete cmd (self deletion) 12->83 16 wscript.exe 1 12->16         started        signatures5 process6 process7 18 cmd.exe 2 16->18         started        signatures8 69 Uses cmd line tools excessively to alter registry or file data 18->69 21 wscript.exe 1 18->21         started        23 winl.exe 5 18->23         started        26 conhost.exe 18->26         started        28 3 other processes 18->28 process9 file10 30 cmd.exe 1 21->30         started        49 C:\install\mastercool\blopp.exe, PE32 23->49 dropped process11 dnsIp12 59 192.168.2.1 unknown unknown 30->59 85 Uses cmd line tools excessively to alter registry or file data 30->85 34 blopp.exe 30->34         started        37 conhost.exe 30->37         started        39 timeout.exe 1 30->39         started        41 5 other processes 30->41 signatures13 process14 signatures15 71 Detected unpacking (changes PE section rights) 34->71 73 Detected unpacking (overwrites its own PE header) 34->73 75 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 34->75 77 5 other signatures 34->77 43 blopp.exe 15 32 34->43         started        process16 dnsIp17 55 stanntinab.xyz 212.224.105.82, 49715, 49721, 80 DE-FIRSTCOLOwwwfirst-colonetDE Germany 43->55 57 api.ip.sb 43->57 79 Tries to harvest and steal browser information (history, passwords, etc) 43->79 81 Tries to steal Crypto Currency Wallets 43->81 47 conhost.exe 43->47         started        signatures18 process19
Gathering data
Threat name:
ByteCode-MSIL.Infostealer.Reline
Create hunting rule
Status:
Malicious
First seen:
2021-07-29 13:26:08 UTC
AV detection:
14 of 27 (51.85%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=heftttnk7s7e6mk2rikx7qvhxzv5yepclgdfp7j6e2wixkccdoxq._file
Verdict:
malicious
Similar samples:
03e3837f16d46a1a0a13904fae467c105b1aae66b382e8313b20b90269e53ed6
RedLineStealer
2c6110a76dda8da49195052fa561ab8b8278c02df400124e46d26d2df228b70b
RedLineStealer
44c7ef261a066790a4ce332afc634fb5f89f3273c0c908ec02ab666088b27757
RedLineStealer
82902f13b895c92b0995e65d4de03ff0cd50d89bbc027dc5e7ec338d9bede821
RedLineStealer
a6d3f74228ee18a19579010cd5fe3cc98f2c53dc43452325ba57a69f1253d7a5
RedLineStealer
df2ed991a6ab65f2bc05805376dcf34de7febc5c5d4b37d400546e4e01d90fc0
RedLineStealer
ee492eda053d19e082cd88acef8825e8dfd4616d51689e2e9667f5ed9035b1df
RedLineStealer
fad001d463e892e7844040cabdcfa8f8431c07e7ef1ffd76ffbd190f49d7693d
RedLineStealer
fd869766f1f735b4c1479ec1300fd63f4a203142e4ed0e6ac18f05d1cdba3ac8
RedLineStealer
+ 83 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:satan discovery evasion infostealer spyware stealer
Link:
https://tria.ge/reports/210729-ek7td1yltj/
Behaviour
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Sets file to hidden
RedLine
RedLine Payload
Malware Config
C2 Extraction:
stanntinab.xyz:80
Unpacked files
SH256 hash:
4c94906b3dfc48658ce71aa661fd086bc6c51a6151f11c30b4d364ecb6e5ddf9
MD5 hash:
902b223b019cbea538fa0470151fef5b
SHA1 hash:
ec45bcd22ad89b010491fa64934fde334b7d3547
Link:
https://www.unpac.me/results/2b7d79e6-339e-4b2f-8556-928ce5755758/
SH256 hash:
980b68d7601339e4a39d9cec24c0c13756bde548577ee08a8a09b7b1cc30e17e
MD5 hash:
6b016fa97ff24a8433a62d3f616f278b
SHA1 hash:
cb16f67fec67e4dccf898d46f28b683363a6e006
Link:
https://www.unpac.me/results/2b7d79e6-339e-4b2f-8556-928ce5755758/
SH256 hash:
178177189e7297a02a43061db6ae44566981d4f56eeff4eb359bf7cd3168de03
MD5 hash:
af4a9d1ab99822b718b31897df57d037
SHA1 hash:
551d7a2e493ab19288b7710f9e0c5748c6c6c429
Link:
https://www.unpac.me/results/2b7d79e6-339e-4b2f-8556-928ce5755758/
SH256 hash:
507c8850f581e0af9b5140fba7b33f7492d45ed62dd0409a65529ecc361c06af
MD5 hash:
4b9a6348b90473688d550eda485fb66b
SHA1 hash:
ab724b28cd0f16f1ba82967f911890b01ea1146c
Link:
https://www.unpac.me/results/2b7d79e6-339e-4b2f-8556-928ce5755758/
SH256 hash:
358ce01877f88f40f084a773a8f21158f0e44bbce6b13c3451a19bd5d3edda03
MD5 hash:
45c1bc9e9083278f9d733edbee301190
SHA1 hash:
d2fc4b29ed4caa967b0c68f0cd37197c9309c5c4
Link:
https://www.unpac.me/results/2b7d79e6-339e-4b2f-8556-928ce5755758/
SH256 hash:
390b39cdaafcbe4f315a8a157fc2a7be6bdc11e2598657fd3e26ac8ba8421baf
MD5 hash:
9e3a16edd9a6d9e24c253067ee217ccf
SHA1 hash:
41e3f94834eab4a8f2e8027d8d345c7ecacb8c3c
Link:
https://www.unpac.me/results/2b7d79e6-339e-4b2f-8556-928ce5755758/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/390b39cdaafcbe4f315a8a157fc2a7be6bdc11e2598657fd3e26ac8ba8421baf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 390b39cdaafcbe4f315a8a157fc2a7be6bdc11e2598657fd3e26ac8ba8421baf

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1481367/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/175033/

Comments