MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4328f39a7aa063cec4f191652436df9c9f88432b61c09333a57d0957371e53a4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 9

Intelligence 9 IOCs 1 YARA 1 File information Comments

SHA256 hash:	4328f39a7aa063cec4f191652436df9c9f88432b61c09333a57d0957371e53a4
SHA3-384 hash:	56d2d671c3bcb303e8da0235f732bdd50c1943ddab6d11d3871e5f9c84518f95e637b38c49a72d695e69fb50b8f2b05e
SHA1 hash:	1bdf19b5ce25e6b71011e75ac6cdae0434c51eee
MD5 hash:	b2c930642ff14027e660c185dd216f4c
humanhash:	lake-mockingbird-low-hamper
File name:	b2c930642ff14027e660c185dd216f4c.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	7'814'448 bytes
First seen:	2021-11-22 02:15:43 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	172750858dcc0719eed08c952858023c (117 x RedLineStealer, 3 x N-W0rm, 1 x AsyncRAT)
ssdeep	196608:yMAUUQiKDIykLkMQxozZ9MxYffP25yh5rlD:p5hcyFvxCMxYffdjF
Threatray	5 similar samples on MalwareBazaar
TLSH	T1C57623B356340089E0E0CC3A8A3BFEE1B2F10F979B417C7955DB76C52235690E266E97
File icon (PE):
dhash icon	046270e4f4b07004 (6 x RedLineStealer, 2 x CoinMiner, 1 x Formbook)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
45.153.230.94:52980

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
45.153.230.94:52980	https://threatfox.abuse.ch/ioc/229075/

Intelligence

File Origin

# of uploads :

# of downloads :

123

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

b2c930642ff14027e660c185dd216f4c.exe

Verdict:

No threats detected

Analysis date:

2021-11-22 02:18:55 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/36cbd36d-d040-495d-94ca-2c7674c2220f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Gathering data

Detection(s):

SecuriteInfo.com.Variant.Bulz.925285.602.824.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

DNS request

Creating a window

Gathering data

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

njRAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3f4ae42e-89ca-4436-9246-0e26c03a3f9e

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/893520

Signature

Connects to many ports of the same IP (likely port scanning)

Detected VMProtect packer

Hides threads from debuggers

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to evade analysis by execution special instruction which cause usermode exception

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4328f39a7aa063cec4f191652436df9c9f88432b61c09333a57d0957371e53a4/

Threat name:

Win32.Trojan.Bulz

Status:

Malicious

First seen:

2021-11-15 23:34:59 UTC

AV detection:

20 of 28 (71.43%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=imuphgt2ubr45rhrsfssinw7tspyqqzlmhajgm5fpuevony6kosa._file

Verdict:

malicious

RedLineStealer

5940fd97a28d3ee232155231fe70af70be462aa144d0b625470fe46a01a3bd1b

RedLineStealer

84783081ade87f5a4a1902a275eb66c7fe8ebef9e43cdd2d4527bdb1a5a51f04

RedLineStealer

e9d3473f5093679f5cfd91de7bec0b7388fb7986ba0c3d7cdd5e8bca14236516

RedLineStealer

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline discovery infostealer spyware stealer vmprotect

Link:

https://tria.ge/reports/211122-cp52lshfd9/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks installed software on the system

Reads user/profile data of web browsers

VMProtect packed file

RedLine

RedLine Payload

Unpacked files

SH256 hash:

93cc356c81e69a8c624f40a0c778a0f320bb5673faf578824d9b51a73b5d84aa

MD5 hash:

4c413eb0dd5a558ade69049f77ae6165

SHA1 hash:

b31afa4bdfe4f539d38362a7e68e68e81ce64542

Link:

https://www.unpac.me/results/15e68a3a-9fbb-4d75-b8cb-471803fd6811/

SH256 hash:

f62cf1916d43f20e1806c1fec7c78a7a25ed99d6a37e29c5d2acc32159140c9a

MD5 hash:

30adc54aabb5bca3a8d08d5269b43943

SHA1 hash:

a520c02d4e795703c99ba7de55e9f1fd9cdc1abc

Link:

https://www.unpac.me/results/15e68a3a-9fbb-4d75-b8cb-471803fd6811/

SH256 hash:

7d6b44bea3372d41cd2c1f7fc566626eb84da909636f321bdacbc1bd2758cd48

MD5 hash:

294603f65990d531bc8fe1dac97dd807

SHA1 hash:

d086e9abf6f368273d6d641b61dd143ede282f41

Link:

https://www.unpac.me/results/15e68a3a-9fbb-4d75-b8cb-471803fd6811/

SH256 hash:

93cc356c81e69a8c624f40a0c778a0f320bb5673faf578824d9b51a73b5d84aa

MD5 hash:

4c413eb0dd5a558ade69049f77ae6165

SHA1 hash:

b31afa4bdfe4f539d38362a7e68e68e81ce64542

Link:

https://www.unpac.me/results/15e68a3a-9fbb-4d75-b8cb-471803fd6811/

SH256 hash:

f62cf1916d43f20e1806c1fec7c78a7a25ed99d6a37e29c5d2acc32159140c9a

MD5 hash:

30adc54aabb5bca3a8d08d5269b43943

SHA1 hash:

a520c02d4e795703c99ba7de55e9f1fd9cdc1abc

Link:

https://www.unpac.me/results/15e68a3a-9fbb-4d75-b8cb-471803fd6811/

SH256 hash:

3ee260195c111a73cdfd0a81ca9d3e84187b81d9a7cf1cdc0e9d73eb7179dfd5

MD5 hash:

12d1f7ae4071621013b41ab1457749c2

SHA1 hash:

c192a51a38261e70f273c7a31a4bf704e6b7c1f7

Link:

https://www.unpac.me/results/15e68a3a-9fbb-4d75-b8cb-471803fd6811/

SH256 hash:

e6d9daaf7e15c0bb82e2c7e623153632494ebbd23bf976ef6166540f2f30d739

MD5 hash:

b3472f6ae0fc2cbe26ebc42e0d24a40c

SHA1 hash:

a22bcb11a6dfb7e6623c4174a58324c75ea9277d

Link:

https://www.unpac.me/results/15e68a3a-9fbb-4d75-b8cb-471803fd6811/

SH256 hash:

4328f39a7aa063cec4f191652436df9c9f88432b61c09333a57d0957371e53a4

MD5 hash:

b2c930642ff14027e660c185dd216f4c

SHA1 hash:

1bdf19b5ce25e6b71011e75ac6cdae0434c51eee

Link:

https://www.unpac.me/results/15e68a3a-9fbb-4d75-b8cb-471803fd6811/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/4328f39a7aa0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4328f39a7aa063cec4f191652436df9c9f88432b61c09333a57d0957371e53a4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_VMProtect Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with VMProtect.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/207985/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample