MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 422d172383682bb5d0d3118e5caf590bbf90e32a60657b478f28076f7d840535. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 422d172383682bb5d0d3118e5caf590bbf90e32a60657b478f28076f7d840535
SHA3-384 hash: a025280a33ee8ec5a7116e32f8f76dbbe7115a12e1a2fe4de9f1faecb7658d931bc1526ba3f01a33fa82a40800f87989
SHA1 hash: 585e1d1d2fa16787793c81f345c6e99918f24851
MD5 hash: 3f0ca7aeed4c60b1301e0e0b49fe8faa
humanhash: cup-eleven-three-apart
File name:Cleaner.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:3'568'552 bytes
First seen:2022-01-09 06:32:58 UTC
Last seen:2022-01-09 08:34:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c284fa365c4442728ac859c0f9ed4dc5 (94 x RedLineStealer, 10 x RaccoonStealer, 8 x CoinMiner)
ssdeep 98304:gBHAVp4QADb0iF5IYrVzN86gGff95Tpn0EA:gBA3q0iFaGB1ffBn0J
Threatray 531 similar samples on MalwareBazaar
TLSH T1C4F533E54F15896CCB8DB03870A6BA5B342B06F0579314EA7914F9E9DB2C651ECCE3B0
Reporter tech_skeech
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
327
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Cleaner.exe
Verdict:
Malicious activity
Analysis date:
2022-01-09 06:37:12 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/88f291b6-313c-4c8a-80f1-90acf545a15c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/217866/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
DNS request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/61da81a002e388f9fdb9403f/reports/dac86302-5552-4749-a82a-0ce8900caa9e/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a13d0a36-02f0-4bc3-b465-76b8433f003e
Result
Threat name:
BitCoin Miner RedLine Redline Clipper Si
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/917244
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected VMProtect packer
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected Redline Clipper
Yara detected RedLine Stealer
Yara detected SilentXMRMiner
Yara detected Telegram Recon
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 549722 Sample: Cleaner.exe Startdate: 09/01/2022 Architecture: WINDOWS Score: 100 102 Antivirus detection for URL or domain 2->102 104 Multi AV Scanner detection for submitted file 2->104 106 Yara detected SilentXMRMiner 2->106 108 9 other signatures 2->108 14 Cleaner.exe 2->14         started        process3 signatures4 154 Writes to foreign memory regions 14->154 156 Allocates memory in foreign processes 14->156 158 Injects a PE file into a foreign processes 14->158 17 AppLaunch.exe 15 8 14->17         started        22 WerFault.exe 23 9 14->22         started        process5 dnsIp6 82 cdn.discordapp.com 162.159.133.233, 443, 49772 CLOUDFLARENETUS United States 17->82 84 162.159.134.233, 443, 49775 CLOUDFLARENETUS United States 17->84 86 3 other IPs or domains 17->86 68 C:\Users\user\AppData\Local\Temp\svhost.exe, PE32 17->68 dropped 70 C:\Users\user\AppData\Local\Temp\debug.exe, PE32 17->70 dropped 112 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 17->112 114 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 17->114 116 Tries to harvest and steal browser information (history, passwords, etc) 17->116 118 Tries to steal Crypto Currency Wallets 17->118 24 svhost.exe 17->24         started        27 debug.exe 17->27         started        72 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 22->72 dropped file7 signatures8 process9 signatures10 140 Antivirus detection for dropped file 24->140 142 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 24->142 144 Machine Learning detection for dropped file 24->144 152 4 other signatures 24->152 29 AppLaunch.exe 6 24->29         started        146 Multi AV Scanner detection for dropped file 27->146 148 Writes to foreign memory regions 27->148 150 Allocates memory in foreign processes 27->150 33 AppLaunch.exe 2 27->33         started        process11 dnsIp12 92 data-host-coin-8.com 47.251.44.201, 49776, 49777, 80 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC United States 29->92 76 C:\ProgramData\8885_1641406066_6042.exe, PE32 29->76 dropped 78 C:\ProgramData\6986_1641405981_8863.exe, PE32+ 29->78 dropped 35 6986_1641405981_8863.exe 29->35         started        38 8885_1641406066_6042.exe 29->38         started        41 WerFault.exe 29->41         started        file13 process14 dnsIp15 120 Antivirus detection for dropped file 35->120 122 Multi AV Scanner detection for dropped file 35->122 124 Detected unpacking (changes PE section rights) 35->124 130 5 other signatures 35->130 43 conhost.exe 35->43         started        88 ip-api.com 208.95.112.1, 49778, 80 TUT-ASUS United States 38->88 90 api.telegram.org 149.154.167.220, 443, 49779 TELEGRAMRU United Kingdom 38->90 126 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 38->126 128 May check the online IP address of the machine 38->128 46 conhost.exe 38->46         started        signatures16 process17 file18 74 C:\Users\user\AppData\...\services32.exe, PE32+ 43->74 dropped 48 cmd.exe 43->48         started        50 cmd.exe 43->50         started        process19 signatures20 53 services32.exe 48->53         started        56 conhost.exe 48->56         started        110 Uses schtasks.exe or at.exe to add and modify task schedules 50->110 58 conhost.exe 50->58         started        60 schtasks.exe 50->60         started        process21 signatures22 132 Antivirus detection for dropped file 53->132 134 Multi AV Scanner detection for dropped file 53->134 136 Detected unpacking (changes PE section rights) 53->136 138 5 other signatures 53->138 62 conhost.exe 53->62         started        process23 file24 80 C:\Users\user\AppData\...\sihost32.exe, PE32+ 62->80 dropped 65 sihost32.exe 62->65         started        process25 signatures26 94 Multi AV Scanner detection for dropped file 65->94 96 Writes to foreign memory regions 65->96 98 Allocates memory in foreign processes 65->98 100 Creates a thread in another existing process (thread injection) 65->100
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/422d172383682bb5d0d3118e5caf590bbf90e32a60657b478f28076f7d840535/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-01-09 06:33:21 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
17 of 27 (62.96%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=iiwroi4dnav3lugtcghfzl2zbo7zbyzkmbsxwr4pfadw67meau2q._file
Verdict:
malicious
Similar samples:
0e49a7e27c826b6afb92d25bd287493693af46e42838270cf96ee2f27c2c0521
RedLineStealer
1701171f89917e432739335ca3db9960f49bf7616a3832b4951df3215ceb0334
RedLineStealer
48eee6e4eedb7291e09cd68d3ff4f1608df7fb538be806d785a4e99cb77a9da2
RedLineStealer
5eac63fc61a6c010a8be021bf6d86d377f03c10fcd447c1342d0aba35ae6b68a
RedLineStealer
5f5650987c9810c4cc59a467650844179c1349ded7b2fa0f1b00edbbf648612c
RedLineStealer
92561a2126c31ee34edef41557d2c312a3e1f4b9909c99d8ca23d3cae19ee173
RedLineStealer
a1d0727470709c53a1eacbfbf47eb4c9e83aff4c7ebf2161f8d925dd62c9cdaf
RedLineStealer
aa8b65b91dabd75e184fef4367d05df97aae8da466c1896b2ca60f601a8b9681
RedLineStealer
b4a3cafc8553c06b17131e6b3afb38971312a4d91ae3349d2d118bdfc3d8de94
RedLineStealer
f3b7556c1a960019ed0c01cdff84412b5c58beed377181573bb34a92f00ddb76
RedLineStealer
+ 521 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/220109-ha7jsadgel/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Unpacked files
SH256 hash:
11933ff107d000b9d7237c41168f99193a63f740e978633c77633314eb9a9d5f
MD5 hash:
d75df14cfc76daaf16e0595552302039
SHA1 hash:
3b48bd9f0edbca7e0ce6bd58e882fde57e626bc8
Link:
https://www.unpac.me/results/649f0b76-c563-475a-95fc-3dd79d570db1/
SH256 hash:
422d172383682bb5d0d3118e5caf590bbf90e32a60657b478f28076f7d840535
MD5 hash:
3f0ca7aeed4c60b1301e0e0b49fe8faa
SHA1 hash:
585e1d1d2fa16787793c81f345c6e99918f24851
Link:
https://www.unpac.me/results/649f0b76-c563-475a-95fc-3dd79d570db1/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/422d17238368/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/422d172383682bb5d0d3118e5caf590bbf90e32a60657b478f28076f7d840535

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 422d172383682bb5d0d3118e5caf590bbf90e32a60657b478f28076f7d840535

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/217866/

Comments