MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 434f5aab30a4580a2e84f816dcc873482f08dcaedb7b6fe4737d958fed0182ab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 434f5aab30a4580a2e84f816dcc873482f08dcaedb7b6fe4737d958fed0182ab
SHA3-384 hash: 42b7d0d8e03380679a8a8697215b42822c1eb6dee7e08f5e36a34b12f82298b8e0bbfd48d684bd2a8ec526dabeba7dbd
SHA1 hash: facf34743ed1476960ca920113ec516251d18b41
MD5 hash: cf47055d134e02d7d33c80cc30120b70
humanhash: eight-johnny-low-speaker
File name:repair inject.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'434'112 bytes
First seen:2022-02-13 21:40:14 UTC
Last seen:2022-02-13 23:49:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:1Xbfjb38UfLBufBUaJYw4YOqMTpiw8mcGajUP5EUkCSJhMbUwWQDodgOu2Lr3hV:tw4LBufB7YcEVaS3ZgQpwr
Threatray 554 similar samples on MalwareBazaar
TLSH T1FF654CDC51C60848CE9F03F44DFBE22E817792D95B476BE9721E92F4AB6109FE46D0A0
Reporter adm1n_usa32
Tags:exe Redline RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
328
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
deathloop.rar
Verdict:
Malicious activity
Analysis date:
2022-02-13 21:35:35 UTC
Tags:
trojan rat redline evasion
Link:
https://app.any.run/tasks/1d224912-d2c9-45c5-aaf5-8343c08c732b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/241207/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.31811.20795.8408.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Query of malicious DNS domain
Unauthorized injection to a system process
Gathering data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a71af80e-6bda-4008-b6ac-4c842676bed3
Result
Threat name:
BitCoin Miner Clipboard Hijacker RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/939021
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to compare user and computer (likely to detect sandboxes)
Creates a thread in another existing process (thread injection)
Found evasive API chain (may stop execution after checking mutex)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected Clipboard Hijacker
Yara detected RedLine Stealer
Yara detected SilentXMRMiner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 571499 Sample: repair inject.exe Startdate: 13/02/2022 Architecture: WINDOWS Score: 100 96 transfer.sh 2->96 98 cdn.discordapp.com 2->98 100 c9d0e790b353537889bd47a364f5acff43c11f2411.xyz 2->100 132 Malicious sample detected (through community Yara rule) 2->132 134 Antivirus detection for URL or domain 2->134 136 Multi AV Scanner detection for submitted file 2->136 138 6 other signatures 2->138 14 repair inject.exe 3 2->14         started        17 home.exe 2->17         started        20 oobeldr.exe 2->20         started        signatures3 process4 file5 94 C:\Users\user\...\repair inject.exe.log, ASCII 14->94 dropped 22 RegAsm.exe 15 6 14->22         started        114 Antivirus detection for dropped file 17->114 116 Multi AV Scanner detection for dropped file 17->116 118 Writes to foreign memory regions 17->118 124 2 other signatures 17->124 27 conhost.exe 4 17->27         started        120 Found evasive API chain (may stop execution after checking mutex) 20->120 122 Contains functionality to compare user and computer (likely to detect sandboxes) 20->122 29 schtasks.exe 1 20->29         started        signatures6 process7 dnsIp8 108 c9d0e790b353537889bd47a364f5acff43c11f2414.xyz 185.112.83.122, 49773, 49823, 49852 SUPERSERVERSDATACENTERRU Russian Federation 22->108 110 ipwhois.app 136.243.172.101, 49772, 49819, 49850 HETZNER-ASDE Germany 22->110 112 9 other IPs or domains 22->112 84 C:\Users\user\AppData\Roaming\e3dwefw.exe, PE32 22->84 dropped 86 C:\Users\user\AppData\Roaming\asf3r3.exe, PE32 22->86 dropped 88 C:\Users\user\AppData\Roaming\asd3wwfd.exe, PE32+ 22->88 dropped 140 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 22->140 142 Performs DNS queries to domains with low reputation 22->142 144 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 22->144 31 asd3wwfd.exe 22->31         started        34 e3dwefw.exe 1 22->34         started        37 asf3r3.exe 3 22->37         started        39 sihost32.exe 27->39         started        41 cmd.exe 27->41         started        43 conhost.exe 29->43         started        file9 signatures10 process11 file12 154 Antivirus detection for dropped file 31->154 156 Multi AV Scanner detection for dropped file 31->156 158 Writes to foreign memory regions 31->158 45 conhost.exe 4 31->45         started        82 C:\Users\user\AppData\Roaming\...\oobeldr.exe, PE32 34->82 dropped 160 Found evasive API chain (may stop execution after checking mutex) 34->160 162 Uses schtasks.exe or at.exe to add and modify task schedules 34->162 164 Contains functionality to compare user and computer (likely to detect sandboxes) 34->164 48 schtasks.exe 1 34->48         started        166 Machine Learning detection for dropped file 37->166 168 Injects a PE file into a foreign processes 37->168 50 RegAsm.exe 37->50         started        170 Allocates memory in foreign processes 39->170 172 Creates a thread in another existing process (thread injection) 39->172 53 conhost.exe 39->53         started        55 conhost.exe 41->55         started        57 taskkill.exe 41->57         started        signatures13 process14 dnsIp15 92 C:\Users\user\AppData\Roaming\home.exe, PE32+ 45->92 dropped 59 cmd.exe 1 45->59         started        61 cmd.exe 1 45->61         started        63 conhost.exe 48->63         started        102 5.206.227.11, 49864, 63730 DOTSIPT Portugal 50->102 104 ipwhois.app 50->104 106 5 other IPs or domains 50->106 file16 process17 process18 65 home.exe 59->65         started        68 conhost.exe 59->68         started        70 conhost.exe 61->70         started        72 schtasks.exe 1 61->72         started        signatures19 126 Writes to foreign memory regions 65->126 128 Allocates memory in foreign processes 65->128 130 Creates a thread in another existing process (thread injection) 65->130 74 conhost.exe 4 65->74         started        process20 file21 90 C:\Users\user\AppData\...\sihost32.exe, PE32+ 74->90 dropped 77 sihost32.exe 74->77         started        process22 signatures23 146 Antivirus detection for dropped file 77->146 148 Multi AV Scanner detection for dropped file 77->148 150 Writes to foreign memory regions 77->150 152 2 other signatures 77->152 80 conhost.exe 77->80         started        process24
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/434f5aab30a4580a2e84f816dcc873482f08dcaedb7b6fe4737d958fed0182ab/
Threat name:
ByteCode-MSIL.Trojan.RedLineStealer
Create hunting rule
Status:
Malicious
First seen:
2022-01-31 05:47:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=inhvvkzqurmaulue7alnzsdtjaxqrxfo3n5w7zdtpwky73ibqkvq._file
Verdict:
malicious
Similar samples:
076be2c09b944ec56381f42405728f7f657d2597b6e27191354568fb70170b29
RedLineStealer
0ba5bc2a4412ad5a9e6c873d77ca59d2650ca6138126737e02f89a0581832ed5
RedLineStealer
0fa8590f343d914ef7231f1897289146b9a660b06586d2ffcdb5a3c1e846881e
RedLineStealer
1f3246dd99e2f38b68b94c56fc44ac8994eb924e8526d395dcdfb7a9fd34da91
RedLineStealer
479e5e3f4b38759f6a9b5f16565ce5e416ca3609f6b138b87ae2ac3740edac5c
RedLineStealer
6825716f7a72eedb249630bf9b0331a80cb09db8522f0fccbdcdbbe333c1c2c7
RedLineStealer
914cd602a58f69dd35dd207d8128807926a139f27f4d8b7b2b958041783bc10c
RedLineStealer
bc12a6b4163adef9b218e107ebf1afae1e4daac171a9f8c6692d9943a214e808
RedLineStealer
ee2d8c841bb376f17fb4a469cd2bfcdb209e5f537bd3b5791a470066ef18676e
RedLineStealer
ef3e8b5d5f06f7303cd60e8e7cf970c70bb5939f59d56a2a39ca6a87f1ca507f
RedLineStealer
+ 544 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline infostealer
Link:
https://tria.ge/reports/220213-1jr5kadebp/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
RedLine
RedLine Payload
Malware Config
C2 Extraction:
5.206.227.246:80
Unpacked files
SH256 hash:
d5536c16b86177257bb55b7a7c5bb62acb02c12b58314cdfea766734aa851d0d
MD5 hash:
fa0976ed827c52d8584a344e910b07c5
SHA1 hash:
7ab3d5a7de8457225d545fcc47f83accfa9f4397
Link:
https://www.unpac.me/results/2ef9f248-bcae-495b-aee1-ea0800d02823/
SH256 hash:
434f5aab30a4580a2e84f816dcc873482f08dcaedb7b6fe4737d958fed0182ab
MD5 hash:
cf47055d134e02d7d33c80cc30120b70
SHA1 hash:
facf34743ed1476960ca920113ec516251d18b41
Link:
https://www.unpac.me/results/2ef9f248-bcae-495b-aee1-ea0800d02823/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/434f5aab30a4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/434f5aab30a4580a2e84f816dcc873482f08dcaedb7b6fe4737d958fed0182ab

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
Create hunting rule
Author:ditekSHen
Description:Detects executables containing bas64 encoded gzip files
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 434f5aab30a4580a2e84f816dcc873482f08dcaedb7b6fe4737d958fed0182ab

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/241207/

Comments