MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4035294bf7f0ff54530e66db45dfe19ec280d03d14ea5e0bab72ab6f8690a8b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 7 File information Comments

SHA256 hash:	4035294bf7f0ff54530e66db45dfe19ec280d03d14ea5e0bab72ab6f8690a8b8
SHA3-384 hash:	81c93ad8ad0a5921162839ac3ddc668fb38b51b0f38160576338552517cb7795f552d4400a98ca016a3c1373414a6c21
SHA1 hash:	69877d470faaecd1f88c69578ef028dce37b8eaf
MD5 hash:	054673314559aa5a96bec52a63e401bf
humanhash:	robin-angel-alpha-bulldog
File name:	Setup.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'157'808 bytes
First seen:	2022-05-03 11:37:04 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	1260128ced57c3c803c7e904fe44ebcb (1 x RedLineStealer)
ssdeep	24576:9tWd+ztjZhFq/4hQP6RmdZhy8CMqHk/m1bNTPtcVyY/X0fm0CTFUoxd:3Wd+ztjZhFq/4hQP6RmdvorHku1XcVdn
Threatray	1'564 similar samples on MalwareBazaar
TLSH	T10E35BE52B740C9E3C81C0135A85BA3572FB0B45B3F42ABA73349575E9EF23C57B026A9
File icon (PE):
dhash icon	f0f0a0a0a0a1c4c4 (1 x RedLineStealer)
Reporter	tech_skeech
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

929

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

Setup.exe

Verdict:

Malicious activity

Analysis date:

2022-05-03 11:30:24 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/6ee9c629-12d5-4ff4-b33b-a04290ef92f5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/268358/

Detection(s):

SecuriteInfo.com.Variant.Lazy.177021.32448.11543.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Using the Windows Management Instrumentation requests

Creating a window

Reading critical registry keys

Creating a file

Sending a TCP request to an infection source

Stealing user critical data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/6271141b0d3e2bd52d248e84/reports/5bb8648b-b921-4040-90f0-a6e4f2e94f0b/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/51cb689f-9286-4405-a5cc-8b4e316ad053

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/987028

Signature

.NET source code contains method to dynamically call methods (often used by packers)

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (changes PE section rights)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4035294bf7f0ff54530e66db45dfe19ec280d03d14ea5e0bab72ab6f8690a8b8/

Threat name:

Win32.Spyware.RedLine

Status:

Malicious

First seen:

2022-05-02 01:10:01 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 42 (50.00%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ia2sss7x6d7viuyom3nulx7bt3bibub5ctvf4c5lokvw7buqvc4a._file

Verdict:

malicious

RedLineStealer

3d93d1e45579a47c3a3425fd16319c5a004396a2d98b7cf170ed009dad29c247

RedLineStealer

5cae80a1904f6c451d33efb081dbbb179f2ccc4ec600bcc2158023ffcb3ebfa9

RedLineStealer

67b1a7835687bf5851cf29539b2d0ce90ab30d373edfcf9ee54237026c67df33

RedLineStealer

71f1ecc7fcd998c22c671c04cecc13b3f5bfcc33b11fb8ac9674c717301db3f2

RedLineStealer

923e1d37bb37118bd66462b153d9fa0d4518898ed56f0252690a6d9eb111a0d7

RedLineStealer

a1325e79e1ac9114bdd898cbf9bd735d1ecf9475d72aca44b5a52d7b99952640

RedLineStealer

b7f4f03a2bc3785a10f958b20228291164c9c014b203ced1c39cf5348c04f356

RedLineStealer

d256af9cf801950977e5c289587c7c9664d75d0d36e8b19c55e5e9b0ec0312a5

RedLineStealer

e5c5ed9b49632298fb4d1927636e7a97fae95bdb5b13e1a5942a5b93dd21d2f5

RedLineStealer

+ 1'554 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220503-nrpyysfgak/

Behaviour

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Unpacked files

SH256 hash:

36e50ad8260eb38a321a8846f42afa9d53543a22985dbffb5b36cfcdffda8ddb

MD5 hash:

16c9016563d6c12199b08abb7a03bb97

SHA1 hash:

ed799dcfc0ee7b49690326345b566190aa66f714

Link:

https://www.unpac.me/results/00f86832-ee49-456b-8a47-40f692365c04/

SH256 hash:

4035294bf7f0ff54530e66db45dfe19ec280d03d14ea5e0bab72ab6f8690a8b8

MD5 hash:

054673314559aa5a96bec52a63e401bf

SHA1 hash:

69877d470faaecd1f88c69578ef028dce37b8eaf

Link:

https://www.unpac.me/results/00f86832-ee49-456b-8a47-40f692365c04/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/4035294bf7f0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/4035294bf7f0ff54530e66db45dfe19ec280d03d14ea5e0bab72ab6f8690a8b8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	adonunix2 Create hunting rule
Author:	Tim Brown @timb_machine
Description:	AD on UNIX

Rule name:	BAZT_B5_NOCEXInvalidStream Create hunting rule

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	malware_shellcode_hash Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect shellcode api hash value

Rule name:	NETDIC208_NOCEX Create hunting rule

Rule name:	NETDIC208_NOCEX_NOREACTOR Create hunting rule

Rule name:	NETDIC_208 Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

exe 4035294bf7f0ff54530e66db45dfe19ec280d03d14ea5e0bab72ab6f8690a8b8

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/268358/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample