MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 456322f2294df3b13e243170fcd360068d42ebcebf13a481f9e837f031067b3f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 456322f2294df3b13e243170fcd360068d42ebcebf13a481f9e837f031067b3f
SHA3-384 hash: 2fd41b693cc1c4ccb3247531dd68fc6a696e7bc5a7402bc16abf3e9c13bd6c7b12a5bf20cb0f7b0d312c983fc4a55e82
SHA1 hash: ac9753238607950e3c180b9952bc7f5b468721ec
MD5 hash: 2c4fa583724925a71a42b2fa0df7fe9c
humanhash: spaghetti-batman-india-orange
File name:2c4fa583724925a71a42b2fa0df7fe9c.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:70'144 bytes
First seen:2021-10-04 16:03:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 1536:fgvoTA6Hp1VOcW1IVpV5I8e8PWTo0W2qc:fFTASS440WTL9
Threatray 396 similar samples on MalwareBazaar
TLSH T1E763A477006591A6C5491734F4B50F4B3A7CD6391A80B698F04FB2EAEC1D69D8EF83B8
File icon (PE):PE icon
dhash icon e5da5e5a6bc966ce (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
373
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2c4fa583724925a71a42b2fa0df7fe9c.exe
Verdict:
Malicious activity
Analysis date:
2021-10-04 16:34:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/da210cba-6e0d-43a4-8160-e53cd1038190

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/194733/
Detection(s):
SecuriteInfo.com.Suspicious.Win32.Save.a.4751.1393.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Launching a service
Creating a window
Connection attempt to an infection source
Sending a TCP request to an infection source
Query of malicious DNS domain
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/615c1066e3d213d202b76fcf/reports/1d7530b3-e930-43d0-a703-412e9ea2865f/overview
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b1148734-4658-4a98-84aa-bb393200fb29
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/864132
Signature
Detected unpacking (changes PE section rights)
Drops PE files with a suspicious file extension
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 496562 Sample: WpA1JleZ55.exe Startdate: 04/10/2021 Architecture: WINDOWS Score: 100 60 clientconfig.passport.net 2->60 84 Multi AV Scanner detection for submitted file 2->84 86 Yara detected RedLine Stealer 2->86 88 Found many strings related to Crypto-Wallets (likely being stolen) 2->88 90 2 other signatures 2->90 8 WpA1JleZ55.exe 15 8 2->8         started        13 WinHoster.exe 2->13         started        15 WinHoster.exe 2->15         started        signatures3 process4 dnsIp5 62 iplogger.org 88.99.66.31, 443, 49751, 49752 HETZNER-ASDE Germany 8->62 64 onepremiumstore.bar 104.21.42.252, 443, 49714, 49720 CLOUDFLARENETUS United States 8->64 66 2 other IPs or domains 8->66 38 C:\Users\user\AppData\Roaming\8326504.scr, PE32 8->38 dropped 40 C:\Users\user\AppData\Roaming\7408768.scr, PE32 8->40 dropped 42 C:\Users\user\AppData\Roaming\7165205.scr, PE32 8->42 dropped 44 2 other malicious files 8->44 dropped 92 May check the online IP address of the machine 8->92 94 Drops PE files with a suspicious file extension 8->94 17 2655292.scr 8->17         started        21 7165205.scr 3 8->21         started        23 8326504.scr 8->23         started        25 2 other processes 8->25 file6 signatures7 process8 dnsIp9 48 178.63.26.132, 29795 HETZNER-ASDE Germany 17->48 68 Detected unpacking (changes PE section rights) 17->68 70 Query firmware table information (likely to detect VMs) 17->70 72 Tries to detect sandboxes and other dynamic analysis tools (window names) 17->72 28 conhost.exe 17->28         started        50 94.140.112.88, 49765, 49767, 49770 TELEMACHBroadbandAccessCarrierServicesSI Latvia 21->50 52 45.129.99.59, 49769, 49772, 49776 GMHOSTUA Estonia 21->52 54 45.129.99.60, 49768, 49771, 49775 GMHOSTUA Estonia 21->54 74 Hides threads from debuggers 21->74 76 Tries to detect sandboxes / dynamic malware analysis system (registry check) 21->76 30 conhost.exe 21->30         started        56 newbestpewpewcompany.com 172.67.130.64, 443, 49763 CLOUDFLARENETUS United States 23->56 78 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 23->78 80 Tries to harvest and steal browser information (history, passwords, etc) 23->80 82 Tries to steal Crypto Currency Wallets 23->82 32 conhost.exe 23->32         started        58 the-lead-bitter.com 104.21.66.135, 443, 49746 CLOUDFLARENETUS United States 25->58 46 C:\Users\user\AppData\...\WinHoster.exe, PE32 25->46 dropped 34 WinHoster.exe 2 25->34         started        36 conhost.exe 25->36         started        file10 signatures11 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/456322f2294df3b13e243170fcd360068d42ebcebf13a481f9e837f031067b3f/
Threat name:
ByteCode-MSIL.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-10-04 10:31:40 UTC
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
48f9b4bc2bf75c03449857ff0d6b47c35ab97ed8ba444890ccdd4128d9ae1027
RedLineStealer
523047b46cbcb7ea5a0cba6b5e91d915bfc864a6dd3772e36f6c637e6f0fff97
RedLineStealer
a7dfdd77617ff0d9ab80e43a147683d595b231369ddf9c18d2c4bf68d5133d3a
RedLineStealer
b94115f5638021ccf653c3de4c947632560d95d967d64b7b84860e813a8f692a
RedLineStealer
c0aef5e5917abe6276cc6ee7225cc9f47115d1f95e1a5ec861fb0f42a8d4af18
RedLineStealer
c7df63bd3d9dbd3cbd11e02d0ca6f8988251bf5bea12d6d76c40ba2d33b5468d
RedLineStealer
d72dd5663947fc7e1bd8903030b3e2fd551d8d938fdc6417d8513a1c4cc49702
RedLineStealer
de1f0fd799400e19b3861700ccbf709ca7f4868571a211ddaae754420ce8a128
RedLineStealer
e371f0c9caa5fcc9a9698f9de2a40d815e22db19b37454781450633249b84dc4
RedLineStealer
ee3a537e93bb22332bf7e3f8d9286870208f7fd75ce60ce91ae23f87901b22eb
RedLineStealer
+ 386 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
discovery evasion persistence spyware stealer themida trojan
Link:
https://tria.ge/reports/211004-thxv4agfb4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Reads user/profile data of web browsers
Themida packer
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
d3dc6d4491c174db2cb4a32ccf322bf8777b578df2121ba94ad94134717b9f34
MD5 hash:
4156d4f516d27665648e7234bae1c387
SHA1 hash:
34c1c2710122b3bdaa523d5950358b264b159056
Link:
https://www.unpac.me/results/4dbf6b36-8936-4f7f-98dd-2acae4f3b70e/
SH256 hash:
456322f2294df3b13e243170fcd360068d42ebcebf13a481f9e837f031067b3f
MD5 hash:
2c4fa583724925a71a42b2fa0df7fe9c
SHA1 hash:
ac9753238607950e3c180b9952bc7f5b468721ec
Link:
https://www.unpac.me/results/4dbf6b36-8936-4f7f-98dd-2acae4f3b70e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/456322f2294d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/456322f2294df3b13e243170fcd360068d42ebcebf13a481f9e837f031067b3f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 456322f2294df3b13e243170fcd360068d42ebcebf13a481f9e837f031067b3f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1639256/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/194733/

Comments