MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 589e3d0fa9a36fd20b921f49347b072cab0a92174ff5f4418d11f52b745066ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 12



SHA256 hash: 589e3d0fa9a36fd20b921f49347b072cab0a92174ff5f4418d11f52b745066ce
SHA3-384 hash: b8a229598420769b71f563fecc3e9b7684b3ee3a863a15b2af2312173ca2707361cf4c7146ee154680422d92118d110f
SHA1 hash: 7776bfba2049c7835cebc66f24b1ab9e58724fc5
MD5 hash: 00acc533459788270736da0ac3665564
humanhash: fifteen-papa-comet-solar
File name: file
Signature: RedLineStealer
File size: 364'544 bytes
First seen: 2022-10-13 11:47:15 UTC
Last seen: 2022-10-14 20:42:27 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 4ad15fdb24faeb03249108181ff92c49 (3 x RedLineStealer)
ssdeep: 6144:3lOxgwltNKxATWbrUR1SeoECg1AOZpOSt6rpsOm5MWOJfBXb:3lggwltNKxBAgg1fpnsraj5AXb
Threatray: 390 similar samples on MalwareBazaar
TLSH: T1E974AF0037938035E97F1EF609E88768792D79524B634DFF538807FE4F21AD2A632566
TrID: 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
      13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
      6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter: andretavare5
Tags: exe RedLineStealer


andretavare5
Sample downloaded from https://vk.com/doc120747115_650450815?hash=qLRtegW54Pzf89ZVFfERHnUvzQZ857b9bZls8L0jZfc&dl=GEZDANZUG4YTCNI:1665660980:ZSniTAX3YgQZhapjBbTZeaGwCnqFE7zqcEvgfZkA5hD&api=1&no_preview=1#1

Intelligence

File Origin
# of uploads: 615
# of downloads: 205
Origin country: n/a

Vendor Threat Intelligence
Malware family: redline
ID: 1
File name: 589e3d0fa9a36fd20b921f49347b072cab0a92174ff5f4418d11f52b745066ce.exe
Verdict: Malicious activity
Analysis date: 2022-10-13 16:06:11 UTC
Tags: trojan rat redline

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a file in the system32 subdirectories
Creating a file
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: RedLine stealer
Verdict: Malicious
Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph: ID 722425 (sample: file.exe, start date: 13/10/2022, architecture: WINDOWS, score: 100); the interactive process graph is not reproduced here.
Threat name: Win32.Trojan.Privateloader
Status: Malicious
First seen: 2022-10-13 11:48:08 UTC
File Type: PE (Exe)
AV detection: 22 of 26 (84.62%)
Threat level: 5/5
Result
Malware family: n/a
Score: 1/10
Tags: n/a
Unpacked files
SHA256 hash: 589e3d0fa9a36fd20b921f49347b072cab0a92174ff5f4418d11f52b745066ce
MD5 hash: 00acc533459788270736da0ac3665564
SHA1 hash: 7776bfba2049c7835cebc66f24b1ab9e58724fc5
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com
Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: PrivateLoader
Delivery method: Distributed via drive-by

Comments