MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 487435d01fc04eba8555aab50d83ef39195f810786da6df4eebb4b88623aba2d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 9

Intelligence 9 IOCs YARA 1 File information Comments

SHA256 hash:	487435d01fc04eba8555aab50d83ef39195f810786da6df4eebb4b88623aba2d
SHA3-384 hash:	c4d764a56d48c67e06e90f0bf6557aac76d1ad4041f9e8b074203a68fef966cc49a0a5e27a42f8ce0e7ddb46d0963b81
SHA1 hash:	2b56472eaf4eab93fc1ac5e854211cee553435c4
MD5 hash:	6eadf501dea6c35522a38b61467cbc34
humanhash:	west-nebraska-angel-happy
File name:	INSTALLER_Robot_V_7.8.9.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'932'144 bytes
First seen:	2021-11-10 08:53:39 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	15aeac4aa1d11f9ad3fc4c4ac7bb9468 (58 x RedLineStealer, 5 x RaccoonStealer, 3 x CoinMiner)
ssdeep	49152:mmRWUpnO5mgkLlX1sfki1SOsXcBPJ8bqrNa6U6NV:mmRWUl+gl+si1SfcGqZN
Threatray	154 similar samples on MalwareBazaar
TLSH	T1069533597395B5B3D843B2B0433B174C97491A7DA3EDFF876E2816F6480924CCB09AAC
Reporter	JAMESWT_WT
Tags:	45.67.231.218 alutecfundicao exe pw2021 RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

109

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

INSTALLER_Robot_V_7.8.9.exe

Verdict:

Suspicious activity

Analysis date:

2021-11-10 08:54:53 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/6ec1626c-fbc8-4c61-83f8-78b3ea9e0b76

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/204651/

Detection(s):

PUA.Win.Packer.Asprotect-3

Win.Dropper.Nanocore-9905694-0

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/618b88b0dec3347825a112a5/reports/8ba1e640-501b-43d7-b675-5e9d3b54f0bc/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d4e3889f-f03a-481c-b957-bf1ebb6dd2d2

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/886561

Signature

.NET source code contains potential unpacker

Allocates memory in foreign processes

Found malware configuration

Injects a PE file into a foreign processes

Multi AV Scanner detection for submitted file

PE file has nameless sections

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/487435d01fc04eba8555aab50d83ef39195f810786da6df4eebb4b88623aba2d/

Threat name:

ByteCode-MSIL.Trojan.Reline

Status:

Malicious

First seen:

2021-11-09 18:39:12 UTC

AV detection:

13 of 45 (28.89%)

Threat level:

5/5

Verdict:

malicious

RedLineStealer

191018b2c61b46c04fba2acfd7138621ad327b5e918bee60e551c466aa9aca33

RedLineStealer

1b40867dde275738e50b3d41dc494c9839f6854324238b64b292db34ef35f454

RedLineStealer

2ad43643048779d8e1dd32d57685a10629526ded6c862b8abfc0c292a0784bf0

RedLineStealer

433cf9125a44e304eca2c5cf3bfe2af0b1deafd1c5e8d13d559e1bac9de711b3

RedLineStealer

57fb9f191f910890da8143e222ed68a876620f84444a5679fbbed4eecec1cc7e

RedLineStealer

5abd9d487390c078b40484c584723743f62e263d75a49f318dc0e350b3acb0bd

RedLineStealer

7d61f984aeed2f5bc08d55a88a18f7002049bafc046e3154831f728f961c4921

RedLineStealer

c9de02209482359466292be7bc0464fc65037698b38c1566cd331720e65f8ea0

RedLineStealer

+ 144 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline evasion infostealer spyware trojan

Link:

https://tria.ge/reports/211110-ktw89sdggj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks whether UAC is enabled

Checks BIOS information in registry

Identifies VirtualBox via ACPI registry values (likely anti-VM)

RedLine

RedLine Payload

Suspicious use of NtCreateProcessExOtherParentProcess

Unpacked files

SH256 hash:

9b9b5ba221467a409cd4cba6fb6824d9cabb806b544203a86304b836194e513c

MD5 hash:

8dd1a2d499506e3d750081dad131cc75

SHA1 hash:

cb8a6a92e0b099c061f3fe03631e38bafb77c7f4

Link:

https://www.unpac.me/results/797edf2b-a335-42c8-a73a-53c912a5cb27/

SH256 hash:

a40bc71657c2c27916e1f694e389baba0da664cdc928a4e88df65ea3669cf99f

MD5 hash:

e58f6714d499a497364da83c9c0787e4

SHA1 hash:

22f30a88f7eda55578205e51057eb1f43fdb43f2

Link:

https://www.unpac.me/results/797edf2b-a335-42c8-a73a-53c912a5cb27/

SH256 hash:

487435d01fc04eba8555aab50d83ef39195f810786da6df4eebb4b88623aba2d

MD5 hash:

6eadf501dea6c35522a38b61467cbc34

SHA1 hash:

2b56472eaf4eab93fc1ac5e854211cee553435c4

Link:

https://www.unpac.me/results/797edf2b-a335-42c8-a73a-53c912a5cb27/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/487435d01fc0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/487435d01fc04eba8555aab50d83ef39195f810786da6df4eebb4b88623aba2d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_KB_CERT_62e745e92165213c971f5c490aea12a5 Create hunting rule
Author:	ditekSHen
Description:	Detects executables signed with stolen, revoked or invalid certificates

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/204651/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample