MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4db2cf21ed080aa6d30503a18bccf3180ea748ae648c0b1c1e776de9b04c7156. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4db2cf21ed080aa6d30503a18bccf3180ea748ae648c0b1c1e776de9b04c7156
SHA3-384 hash: 3555c37e2a88a12f534b39a04e5190f1bd023f13dd2a304a1bcb73a9b33fd82d950d58dc5c5f88b47e196c8f65c1ee73
SHA1 hash: b57a90bf5383cd2cb3c9b4ce673f185decbe6c1b
MD5 hash: 208923115a4f639d4069ffc5499d250a
humanhash: hamper-table-pizza-early
File name:Umbrella.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:4'524'032 bytes
First seen:2021-06-21 15:57:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4328f7206db519cd4e82283211d98e83 (533 x RedLineStealer, 18 x Arechclient2, 15 x DCRat)
ssdeep 98304:aW0JBDJgchLrW8yHzYFiSecMXmvnaHwFTyCr8b:GBDJgOW84zYFpeccmvnCwACr8b
Threatray 1'964 similar samples on MalwareBazaar
TLSH 742617F13A0EBE9FC3465CB5F4029543C1281FE74658E550FA5A7C7887B2C6621CABAC
Reporter Anonymous
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
133
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Umbrella.exe
Verdict:
No threats detected
Analysis date:
2021-06-21 15:59:24 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8f06ea27-48ce-4555-af40-37370e81f3d4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/167334/
Detection(s):
SecuriteInfo.com.Dropper.Generic.VZR.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine infostealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3ca9f4e8-a4a7-4241-90d2-359170d6c4b3
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/805448
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 437859 Sample: Umbrella.exe Startdate: 21/06/2021 Architecture: WINDOWS Score: 100 80 Found malware configuration 2->80 82 Antivirus detection for URL or domain 2->82 84 Antivirus detection for dropped file 2->84 86 9 other signatures 2->86 7 Umbrella.exe 15 33 2->7         started        12 System.exe 42 2->12         started        process3 dnsIp4 58 185.252.144.65, 4545, 49736, 49749 FIRST-SERVER-EU-ASRU Russian Federation 7->58 60 api.ip.sb 7->60 62 firstick.club 172.67.219.198, 49751, 80 CLOUDFLARENETUS United States 7->62 40 C:\Users\user\AppData\Roaming\ze.exe, PE32 7->40 dropped 42 C:\Users\user\AppData\...\Umbrella.exe.log, ASCII 7->42 dropped 88 Detected unpacking (changes PE section rights) 7->88 90 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 7->90 92 Query firmware table information (likely to detect VMs) 7->92 98 3 other signatures 7->98 14 ze.exe 48 7->14         started        64 192.168.2.1 unknown unknown 12->64 66 iplogger.org 12->66 44 C:\ProgramData\Data\Database.exe, PE32+ 12->44 dropped 46 C:\ProgramData\Data\ssleay32.dll, PE32 12->46 dropped 48 C:\ProgramData\Data\msvcr110.dll, PE32+ 12->48 dropped 50 5 other files (none is malicious) 12->50 dropped 94 Hides threads from debuggers 12->94 96 Tries to detect sandboxes / dynamic malware analysis system (registry check) 12->96 19 cmd.exe 1 12->19         started        21 cmd.exe 1 12->21         started        23 conhost.exe 1 12->23         started        25 Database.exe 12->25         started        file5 signatures6 process7 dnsIp8 68 80.85.143.129, 21, 49760, 49761 INTERSTROOM-ASHengeloTheNetherlandsNL Netherlands 14->68 70 iplogger.org 88.99.66.31, 443, 49758, 49759 HETZNER-ASDE Germany 14->70 52 C:\ProgramData\Microsoft Network\System.exe, PE32 14->52 dropped 54 C:\Users\user\AppData\Local\...\7zxa[1].dll, PE32 14->54 dropped 56 C:\ProgramData\Microsoft Network\7zxa.dll, PE32 14->56 dropped 72 Query firmware table information (likely to detect VMs) 14->72 74 May check the online IP address of the machine 14->74 76 Hides threads from debuggers 14->76 78 Tries to detect sandboxes / dynamic malware analysis system (registry check) 14->78 27 WerFault.exe 20 3 14->27         started        30 Database.exe 14->30         started        32 conhost.exe 14->32         started        34 taskkill.exe 1 19->34         started        36 conhost.exe 19->36         started        38 conhost.exe 21->38         started        file9 signatures10 process11 signatures12 100 Tries to evade analysis by execution special instruction which cause usermode exception 27->100 102 Multi AV Scanner detection for dropped file 30->102
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4db2cf21ed080aa6d30503a18bccf3180ea748ae648c0b1c1e776de9b04c7156/
Threat name:
Win32.Packed.Themida
Create hunting rule
Status:
Malicious
First seen:
2021-06-21 15:57:09 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jwzm6ipnbafknuyfaoqyxthtdahkosfomsgawha6o5w6tmcmofla._file
Verdict:
malicious
Similar samples:
36ccee65e33ae4cd9c27f3396444fd35ca71ab931dd009c1da6abb0c8233e22c
RedLineStealer
50575798954fd5dff1f376d1597a3d0ff52f51789c5ae98b48957590b540bcce
RedLineStealer
554280d027e0ca9fac59307569a6352f04371cb55b35301b0a9432069ffc82c3
RedLineStealer
593f9422a79559ab792b98a272ebd5db883b8a85f34de6a6f05f1c900b221dc5
RedLineStealer
6e1831e748607edd5d4aeae00af2911061b0e9ca54a1e984807820559b793f66
RedLineStealer
8c373102d98ba3188c4361deee0bd43f89e4e8785b613a7af99bddd45329303d
RedLineStealer
a43aeebdf142d982d97157178d0b190e386b39d532c8782a7767f84f2a88e97b
RedLineStealer
b2dadf77d0f5917ce225ee0b177e4d5deb626a81ce33815f176d915ea21ba159
RedLineStealer
c8b1c11bf16a1052dffb6942d955c31cdad7f0b154e1f855882d4d95359efa54
RedLineStealer
d81e62102d9b748aaabf4f06bf0c09a66dfaaac7836374016a5f076b6f7ed418
RedLineStealer
+ 1'954 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery evasion infostealer spyware stealer themida trojan
Link:
https://tria.ge/reports/210621-cc2vnz9k4n/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RedLine
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
4db2cf21ed080aa6d30503a18bccf3180ea748ae648c0b1c1e776de9b04c7156
MD5 hash:
208923115a4f639d4069ffc5499d250a
SHA1 hash:
b57a90bf5383cd2cb3c9b4ce673f185decbe6c1b
Link:
https://www.unpac.me/results/c3bbc296-a141-4b6d-a57f-bc51e6a1bbe3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4db2cf21ed080aa6d30503a18bccf3180ea748ae648c0b1c1e776de9b04c7156

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/167334/

Comments