MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 44d3715b74d4162d3407fc4dcff4dbd67eb390452700cd2628a63399cd39979d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 44d3715b74d4162d3407fc4dcff4dbd67eb390452700cd2628a63399cd39979d
SHA3-384 hash: 8d43b5f891573b3e0267353b93e9d1c7760620a79f35add2e44b9ffea86927ccda07630312381e13a1b1ae188c2cbcfa
SHA1 hash: c13033d73efbbd1305866ce4c43791579647807d
MD5 hash: ae72d3f74514ce222a4da33f2b759fca
humanhash: chicken-purple-steak-ten
File name:ae72d3f74514ce222a4da33f2b759fca
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:10'386'442 bytes
First seen:2021-12-18 21:58:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cfda23baf1e2e983ddfeca47a5c755a (33 x RedLineStealer, 6 x Dridex, 5 x NetSupport)
ssdeep 196608:2LGcy7Y9Yq6jHn0iVh1D6ArdxJDGdkcQDf7ll4o2vigCDznVtM8WH1:Bcyk6q64iVOAr31G+cQ/rX6vUpix
Threatray 303 similar samples on MalwareBazaar
TLSH T194A6339273C4A273F817C630CADB4206E93ABF7097B4908E5BBC1B7D59759638B14B42
File icon (PE):PE icon
dhash icon 402664e0c0e06688 (1 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.215.113.104:30010 https://threatfox.abuse.ch/ioc/277656/

Intelligence

File Origin
# of uploads :
1
# of downloads :
199
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/215198/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

SecuriteInfo.com.Trojan.MulDrop7.53194.14125.546.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Sending a custom TCP request
Launching a process
Launching the default Windows debugger (dwwin.exe)
DNS request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Unauthorized injection to a recently created process
Sending a TCP request to an infection source
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/2545/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
CPUID_Instruction
CheckCmdLine
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed packed
Link:
https://www.filescan.io/uploads/61be59a9ec6c6c14a9e0e39a/reports/8b04487b-bd0f-489f-aed1-f206398bc6d5/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/78d8fbdf-de49-48ca-a743-565bbe982967
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/909667
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Detected VMProtect packer
Drops PE files with benign system names
Encrypted powershell cmdline option found
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
PE file has nameless sections
Potential dropper URLs found in powershell memory
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 542141 Sample: u6Y1GQN4DE Startdate: 18/12/2021 Architecture: WINDOWS Score: 100 73 Found malware configuration 2->73 75 Antivirus detection for dropped file 2->75 77 Multi AV Scanner detection for dropped file 2->77 79 9 other signatures 2->79 10 u6Y1GQN4DE.exe 10 2->10         started        process3 file4 51 C:\Users\user\AppData\...\WindowsDefender.exe, PE32+ 10->51 dropped 53 C:\Users\user\AppData\...\@sellfortya.exe, PE32 10->53 dropped 55 C:\Users\...\ks4.021.3.10.391en_25092.exe, PE32 10->55 dropped 13 @sellfortya.exe 10->13         started        16 WindowsDefender.exe 11 4 10->16         started        process5 dnsIp6 97 Multi AV Scanner detection for dropped file 13->97 99 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 13->99 101 Machine Learning detection for dropped file 13->101 107 5 other signatures 13->107 19 AppLaunch.exe 15 7 13->19         started        24 WerFault.exe 13->24         started        59 api.telegram.org 149.154.167.220, 443, 49751 TELEGRAMRU United Kingdom 16->59 61 www.google.com 172.217.168.36, 49748, 80 GOOGLEUS United States 16->61 63 icanhazip.com 104.18.115.97, 443, 49750 CLOUDFLARENETUS United States 16->63 103 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 16->103 105 May check the online IP address of the machine 16->105 signatures7 process8 dnsIp9 65 185.215.113.104, 30010, 49745 WHOLESALECONNECTIONSNL Portugal 19->65 67 github.com 140.82.121.3, 443, 49777 GITHUBUS United States 19->67 69 raw.githubusercontent.com 185.199.108.133, 443, 49778 FASTLYUS Netherlands 19->69 49 C:\Users\user\AppData\Local\Temp\build.exe, PE32+ 19->49 dropped 81 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 19->81 83 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 19->83 85 Tries to harvest and steal browser information (history, passwords, etc) 19->85 87 Tries to steal Crypto Currency Wallets 19->87 26 build.exe 19->26         started        71 192.168.2.1 unknown unknown 24->71 file10 signatures11 process12 file13 57 C:\Users\user\AppData\...\services.exe, PE32+ 26->57 dropped 89 Antivirus detection for dropped file 26->89 91 Multi AV Scanner detection for dropped file 26->91 93 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 26->93 95 Drops PE files with benign system names 26->95 30 cmd.exe 26->30         started        33 cmd.exe 26->33         started        35 cmd.exe 26->35         started        signatures14 process15 signatures16 109 Encrypted powershell cmdline option found 30->109 111 Uses schtasks.exe or at.exe to add and modify task schedules 30->111 37 conhost.exe 30->37         started        39 powershell.exe 30->39         started        41 powershell.exe 30->41         started        43 conhost.exe 33->43         started        45 schtasks.exe 33->45         started        47 conhost.exe 35->47         started        process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/44d3715b74d4162d3407fc4dcff4dbd67eb390452700cd2628a63399cd39979d/
Threat name:
ByteCode-MSIL.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2021-12-18 17:27:00 UTC
File Type:
PE (Exe)
Extracted files:
248
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=itjxcw3u2qlc2nah7rg475g32z7lhecfe4am2jriuyzzttjzs6oq._file
Verdict:
malicious
Label(s):
icedid
Create hunting rule
Similar samples:
057ff01b1f4ec1999bdfe0561f4dede6c6e1a115154a5754fbef9019f25599ad
RedLineStealer
1c9dfadbf7c7c45ba974f666c50694be5d3f29b76612a76ea0d95e780d40a210
RedLineStealer
5285ffebc00e0e75efcb1944329d1708d658eb5b4e5928d191323d933a3673e4
RedLineStealer
7148bb41fee90f24843a31006add5c84e658ccc3583149c0b2b01d6b69aaeaca
RedLineStealer
8a76fd10a479dbf5bb5d60f6ef949641d2ef4f1262a6d9dd273cf93b7be934b3
RedLineStealer
8e7d62f065db87ae8a824816af5447845b4f1fdd02d97f759f251f0e1254f5c3
RedLineStealer
c23b096fdd5379aeaee9a28e4561143596fe1c7d32555f915a69725c99fba470
RedLineStealer
c4e9742a6a418ee7366c594a4f1206d468f6147792407fcd9ac6b452369d88bb
RedLineStealer
d8ce2e5613b91a46eb15835e6d2aac47a715e2ab55a97163bdf2ed8ac350f7a1
RedLineStealer
e6dff8475541ebddc1f0db47a311eb2c25581b7d5e62af8066d59c283114c2d3
RedLineStealer
+ 293 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/211218-1v24xafeh2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
670a394dd0ab5cd4a475bfdfa4d51bb3fdfb2ec58e3c71214e19e72833299694
MD5 hash:
377ca0cb4c200566524f78325d4de1f1
SHA1 hash:
f4e6f2380f925d40e46fb51f061e2894c2c64254
Link:
https://www.unpac.me/results/4941d2fd-1be1-4309-bac6-0a066a46688c/
SH256 hash:
670603aa618b038c41c5f8aa20b5a2bbe402968cc02ed6d7573ff80b5ec2ad5f
MD5 hash:
75f9c6868749c0729be5e9108c5f06bd
SHA1 hash:
5d69e1c9e5fa02680e3e40d9fc404643087cf9d3
Link:
https://www.unpac.me/results/4941d2fd-1be1-4309-bac6-0a066a46688c/
SH256 hash:
070355f378f3bb4adfd4dd6d0c0c54be178fd23354a465ac4fa00d3d7ec67c6d
MD5 hash:
54ffe4a3ea2d3cd8cc7a41813ec9645b
SHA1 hash:
671d6a5a9455be37cc6cb8cb6b44bedd240d0ab8
Link:
https://www.unpac.me/results/4941d2fd-1be1-4309-bac6-0a066a46688c/
SH256 hash:
44d3715b74d4162d3407fc4dcff4dbd67eb390452700cd2628a63399cd39979d
MD5 hash:
ae72d3f74514ce222a4da33f2b759fca
SHA1 hash:
c13033d73efbbd1305866ce4c43791579647807d
Link:
https://www.unpac.me/results/4941d2fd-1be1-4309-bac6-0a066a46688c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/44d3715b74d4162d3407fc4dcff4dbd67eb390452700cd2628a63399cd39979d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 44d3715b74d4162d3407fc4dcff4dbd67eb390452700cd2628a63399cd39979d

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1896722/
Cape
Cape
https://www.capesandbox.com/analysis/215198/

Comments


Avatar
zbet commented on 2021-12-18 21:58:42 UTC

url : hxxp://coin-coin-data-6.com/files/8662_1639848816_1752.exe