MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 398cb27e45b7edad5322cbf38a9c39510bb9d8b3267b6d88d9cb1c53c575a6bb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 398cb27e45b7edad5322cbf38a9c39510bb9d8b3267b6d88d9cb1c53c575a6bb
SHA3-384 hash: 90a9684fbbef7309959fe94e2749ed2e060d820c8efb726e4b044a1a5a9a624d11de876ae4fe0c020a06c390f82da830
SHA1 hash: 33d641120036b21411060c42cd980096c549aa1e
MD5 hash: 42b5836dd513ca93cd60835c1e8cbdd8
humanhash: snake-earth-idaho-virginia
File name:42b5836dd513ca93cd60835c1e8cbdd8.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'545'728 bytes
First seen:2022-02-13 20:15:45 UTC
Last seen:2022-02-13 21:51:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d7dd6fa75115d9909f747434e40fff68 (173 x RedLineStealer, 10 x DCRat, 1 x CoinMiner.XMRig)
ssdeep 24576:uYgeikYvwQwSiNEWcif7nfDzFz/5m8y/5rkFNNNdrfNBkOpR5Un6J2UkEaHNYK3S:u3F1wSiOWf7rzpc3rkFN/RfMOOuNaBtg
Threatray 10'729 similar samples on MalwareBazaar
TLSH T1D16533F942C46DACC94ACB78AE62602F4124F620EDEE1356313F678D694ACCE7F78154
File icon (PE):PE icon
dhash icon 78187864b8e266e4 (1 x RedLineStealer, 1 x Socks5Systemz)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
194.38.20.145:6260

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
194.38.20.145:6260 https://threatfox.abuse.ch/ioc/387379/

Intelligence

File Origin
# of uploads :
2
# of downloads :
252
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
42b5836dd513ca93cd60835c1e8cbdd8.exe
Verdict:
Malicious activity
Analysis date:
2022-02-13 20:47:30 UTC
Tags:
trojan rat redline loader
Link:
https://app.any.run/tasks/04941098-072c-480a-95d1-38bacc0f4cfc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/241201/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Сreating synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Searching for the window
Creating a file
Launching a process
Creating a window
Creating a file in the Windows subdirectories
Using the Windows Management Instrumentation requests
Sending an HTTP POST request
Sending a custom TCP request
Replacing system executable files
Moving a file to the Windows subdirectory
Enabling the 'hidden' option for recently created files
Moving a recently created file
Reading critical registry keys
Running batch commands
Creating a process with a hidden window
Searching for synchronization primitives
Query of malicious DNS domain
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Sending an HTTP GET request to an infection source
Unauthorized injection to a system process
Enabling autorun by creating a file
Infecting executable files
Gathering data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b4290e95-72c9-484e-9f6d-69278c60eab4
Result
Threat name:
DCRat RedLine TVrat
Create hunting rule
Detection:
malicious
Classification:
spre.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/939006
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the startup folder
Found many strings related to Crypto-Wallets (likely being stolen)
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: File Created with System Process Name
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected DCRat
Yara detected RedLine Stealer
Yara detected TVrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 571484 Sample: TbDXlssS18.exe Startdate: 13/02/2022 Architecture: WINDOWS Score: 100 87 prda.aadg.msidentity.com 2->87 89 id.xn--80akicokc0aablc.xn--p1ai 2->89 107 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->107 109 Malicious sample detected (through community Yara rule) 2->109 111 Antivirus detection for URL or domain 2->111 113 14 other signatures 2->113 9 TbDXlssS18.exe 15 8 2->9         started        14 clip.exe 2->14         started        16 schtasks.exe 2->16         started        18 12 other processes 2->18 signatures3 process4 dnsIp5 97 shopistar.com 185.112.83.46, 49748, 80 SUPERSERVERSDATACENTERRU Russian Federation 9->97 65 C:\Users\user\AppData\Local\Temp\rem.exe, PE32 9->65 dropped 67 C:\Users\user\AppData\Local\Temp\redik.exe, PE32 9->67 dropped 69 C:\Users\user\AppData\Local\Temp\n.exe, PE32 9->69 dropped 71 2 other malicious files 9->71 dropped 133 Detected unpacking (changes PE section rights) 9->133 135 Detected unpacking (overwrites its own PE header) 9->135 137 Query firmware table information (likely to detect VMs) 9->137 139 Tries to detect sandboxes / dynamic malware analysis system (registry check) 9->139 20 rem.exe 1 9->20         started        23 redik.exe 1 9->23         started        25 n.exe 52 9->25         started        28 clip.exe 1 9->28         started        file6 signatures7 process8 file9 115 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 20->115 117 Drops executables to the windows directory (C:\Windows) and starts them 20->117 119 Writes to foreign memory regions 20->119 30 AppLaunch.exe 20->30         started        34 conhost.exe 20->34         started        121 Allocates memory in foreign processes 23->121 123 Tries to detect virtualization through RDTSC time measurements 23->123 125 Injects a PE file into a foreign processes 23->125 36 AppLaunch.exe 14 27 23->36         started        39 conhost.exe 23->39         started        55 C:\Users\user\AppData\Local\Temp\...\ast.exe, PE32 25->55 dropped 57 C:\Users\user\AppData\Local\...\quartz.dll, PE32 25->57 dropped 59 C:\Users\user\AppData\Local\Temp\...\opus.dll, PE32 25->59 dropped 63 16 other files (none is malicious) 25->63 dropped 127 Machine Learning detection for dropped file 25->127 41 cmd.exe 25->41         started        61 C:\Users\user\AppData\Roaming\...\clip.exe, PE32 28->61 dropped 129 Antivirus detection for dropped file 28->129 131 Drops PE files to the startup folder 28->131 43 clip.exe 28->43         started        signatures10 process11 dnsIp12 73 C:\Windows\...\AppLaunch.exe (copy), PE32 30->73 dropped 75 C:\Users\user\AppData\Roaming\...\clip.exe, PE32 30->75 dropped 77 C:\Users\user\AppData\Roaming\...\RCX73D9.tmp, PE32 30->77 dropped 79 26 other files (2 malicious) 30->79 dropped 141 Infects executable files (exe, dll, sys, html) 30->141 45 clip.exe 30->45         started        91 194.38.20.145, 49759, 6260 PRAID-ASRU Ukraine 36->91 93 192.168.2.1 unknown unknown 36->93 95 api.ip.sb 36->95 143 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 36->143 145 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 36->145 147 Drops PE files to the startup folder 36->147 149 3 other signatures 36->149 47 conhost.exe 36->47         started        49 ast.exe 41->49         started        53 conhost.exe 41->53         started        file13 signatures14 process15 dnsIp16 81 id.xn--80akicokc0aablc.xn--p1ai 212.193.169.74, 443, 49771, 49774 SAFIB-ASRU Russian Federation 49->81 83 193.228.110.105 ROSTELECOM-ASRU Russian Federation 49->83 85 2 other IPs or domains 49->85 99 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 49->99 101 Tries to delay execution (extensive OutputDebugStringW loop) 49->101 103 Tries to evade analysis by execution special instruction which cause usermode exception 49->103 105 2 other signatures 49->105 signatures17
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/398cb27e45b7edad5322cbf38a9c39510bb9d8b3267b6d88d9cb1c53c575a6bb/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-02-09 08:49:25 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
26 of 43 (60.47%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hggle7sfw7w22uzczpzyvhbzkef3twftez5w3cgzzmofhrlvu25q._file
Verdict:
malicious
Similar samples:
0ea0d467809f6db13fbbc3949ca3a4a0f90f60c80cb5cdc03aecdc6e060f0869
RedLineStealer
1fab157d0875965581784c280d4b74c0adef81be4c002563732dd004207ff8ae
RedLineStealer
29a5461cca77683d6a47c83eb774235bd0ae092adc58c987e571eeecb3e1cd03
RedLineStealer
324a89be242f69318c7aebe527f99698e39124572567ab3978c5278be373eeb0
RedLineStealer
38cfb802b835e2f9129680bbcbe93248ad21659931b8230e9c2109b3b496a873
RedLineStealer
8a1728feda85d1dfb53208fbe57c94085016d9865417c7cdcbbf16bdbd454775
RedLineStealer
9d2c9620d231cab41fd8a87797cb8f67ed96b79231473e728b72e17b055653db
RedLineStealer
cfa1ef201a4dec456d4d6ffddc96267fcbf212f45616223fc8b3c675639f055b
RedLineStealer
+ 10'719 additional samples on MalwareBazaar
Gathering data
Unpacked files
SH256 hash:
6851e02d3f4b8179b975f00bbc86602a2f2f84524f548876eb656db7ea5eaa9c
MD5 hash:
c5124caf4aea3a83b63a9108fe0dcef8
SHA1 hash:
a43a5a59038fca5a63fa526277f241f855177ce6
Link:
https://www.unpac.me/results/b072bde9-21a4-4ab2-90f5-d4c38d568703/
SH256 hash:
398cb27e45b7edad5322cbf38a9c39510bb9d8b3267b6d88d9cb1c53c575a6bb
MD5 hash:
42b5836dd513ca93cd60835c1e8cbdd8
SHA1 hash:
33d641120036b21411060c42cd980096c549aa1e
Link:
https://www.unpac.me/results/b072bde9-21a4-4ab2-90f5-d4c38d568703/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ArechClient
Create hunting rule
Author:@bartblaze
Description:Identifies ArechClient, infostealer.
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:RedLine_a
Create hunting rule
Author:@bartblaze
Description:Identifies RedLine stealer.
Rule name:redline_new_bin
Create hunting rule
Author:James_inthe_box
Description:Redline stealer
Reference:https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/241201/

Comments