MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5bba34d947a4f9c559601f4fee0c1538804eab1b4b4cdf49d26a93eefb68702c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs 2 YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5bba34d947a4f9c559601f4fee0c1538804eab1b4b4cdf49d26a93eefb68702c
SHA3-384 hash: 8697862bb753244e6ec35f85c19947a0f652799ec7617b4cca0d4cf229835bfc2d3b003af7a1fd89ce812d16387fd8c0
SHA1 hash: 21a4d5beae522e30e548194e98c0fd80d27710dd
MD5 hash: e8ff0c71d5824846836541dab93f9275
humanhash: stairway-oranges-violet-artist
File name:e8ff0c71d5824846836541dab93f9275
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'106'432 bytes
First seen:2022-01-10 12:37:49 UTC
Last seen:2022-01-10 14:52:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:T7G+sphYzDQqIYkKjasVIImleT2/GIxRunSvb6hJ0:2jpgIYbaysGy2hJ0
Threatray 301 similar samples on MalwareBazaar
TLSH T193352DCD51C15849CFEF03F00DFBE62E857296CA13475BEA731E95F0AB2208EA56D4A1
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
46.3.197.253:15761 https://threatfox.abuse.ch/ioc/292070/
2.58.149.186:40448 https://threatfox.abuse.ch/ioc/292256/

Intelligence

File Origin
# of uploads :
2
# of downloads :
255
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e8ff0c71d5824846836541dab93f9275
Verdict:
Malicious activity
Analysis date:
2022-01-10 12:39:56 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/a97e8a5f-db8d-4a32-ac83-a4f5ac41892e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/217995/
Detection(s):
SecuriteInfo.com.AgentTesla-FDCVE8FF0C71D582.28782.25611.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending an HTTP GET request
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Searching for the window
Creating a window
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Sending a custom TCP request
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/61dc28b31c0d769df9de7792/reports/b071f300-433c-42cf-bc31-2340100be6ba/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/48b56e51-42b6-426e-a297-acb2c94424ac
Result
Threat name:
Clipboard Hijacker Phoenix Miner RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/917641
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Contains functionality to compare user and computer (likely to detect sandboxes)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking mutex)
Hides threads from debuggers
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Clipboard Hijacker
Yara detected Phoenix Miner
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 550119 Sample: 2iaox5QZVF Startdate: 10/01/2022 Architecture: WINDOWS Score: 100 127 Multi AV Scanner detection for submitted file 2->127 129 Yara detected Clipboard Hijacker 2->129 131 Yara detected Phoenix Miner 2->131 133 4 other signatures 2->133 10 2iaox5QZVF.exe 3 2->10         started        13 RegHost.exe 2->13         started        16 oobeldr.exe 2->16         started        process3 file4 83 C:\Users\user\AppData\...\2iaox5QZVF.exe.log, ASCII 10->83 dropped 18 RegAsm.exe 15 8 10->18         started        145 Antivirus detection for dropped file 13->145 147 Multi AV Scanner detection for dropped file 13->147 149 Detected unpacking (changes PE section rights) 13->149 155 8 other signatures 13->155 23 explorer.exe 13->23         started        25 bfsvc.exe 13->25         started        27 conhost.exe 13->27         started        151 Found evasive API chain (may stop execution after checking mutex) 16->151 153 Contains functionality to compare user and computer (likely to detect sandboxes) 16->153 29 schtasks.exe 16->29         started        signatures5 process6 dnsIp7 89 c9d0e790b353537889bd47a364f5acff43c11f246.xyz 185.112.83.97, 49749, 80 SUPERSERVERSDATACENTERRU Russian Federation 18->89 91 2.58.149.186, 40448, 49762 GBTCLOUDUS Netherlands 18->91 93 2 other IPs or domains 18->93 75 C:\Users\user\AppData\Roaming\whw.exe, PE32 18->75 dropped 77 C:\Users\user\AppData\Roaming\safas2f.exe, PE32+ 18->77 dropped 79 C:\Users\user\AppData\Roaming\e3dwefw.exe, PE32 18->79 dropped 135 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 18->135 137 Performs DNS queries to domains with low reputation 18->137 139 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 18->139 141 Tries to steal Crypto Currency Wallets 18->141 31 safas2f.exe 1 2 18->31         started        35 whw.exe 3 18->35         started        38 e3dwefw.exe 1 18->38         started        40 RegHost.exe 23->40         started        81 \Device\ConDrv, ASCII 25->81 dropped 143 Hides threads from debuggers 25->143 42 conhost.exe 25->42         started        44 conhost.exe 29->44         started        file8 signatures9 process10 dnsIp11 85 C:\Users\user\AppData\Roaming\...\RegHost.exe, PE32+ 31->85 dropped 99 Antivirus detection for dropped file 31->99 101 Multi AV Scanner detection for dropped file 31->101 103 Detected unpacking (changes PE section rights) 31->103 121 5 other signatures 31->121 46 explorer.exe 31->46         started        48 bfsvc.exe 1 31->48         started        51 curl.exe 1 31->51         started        54 conhost.exe 31->54         started        95 46.3.197.253, 15761, 49782 ALEXHOST_SRLMD Russian Federation 35->95 105 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 35->105 107 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 35->107 109 Tries to harvest and steal browser information (history, passwords, etc) 35->109 111 Tries to steal Crypto Currency Wallets 35->111 87 C:\Users\user\AppData\Roaming\...\oobeldr.exe, PE32 38->87 dropped 113 Found evasive API chain (may stop execution after checking mutex) 38->113 115 Uses schtasks.exe or at.exe to add and modify task schedules 38->115 117 Contains functionality to compare user and computer (likely to detect sandboxes) 38->117 56 schtasks.exe 38->56         started        119 Writes to foreign memory regions 40->119 123 2 other signatures 40->123 58 conhost.exe 40->58         started        60 bfsvc.exe 40->60         started        file12 signatures13 process14 dnsIp15 62 RegHost.exe 46->62         started        125 Hides threads from debuggers 48->125 65 conhost.exe 48->65         started        97 api.telegram.org 149.154.167.220, 443, 49768 TELEGRAMRU United Kingdom 51->97 67 conhost.exe 51->67         started        69 conhost.exe 56->69         started        signatures16 process17 signatures18 157 Writes to foreign memory regions 62->157 159 Allocates memory in foreign processes 62->159 161 Hides threads from debuggers 62->161 163 Injects a PE file into a foreign processes 62->163 71 conhost.exe 62->71         started        73 bfsvc.exe 62->73         started        process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5bba34d947a4f9c559601f4fee0c1538804eab1b4b4cdf49d26a93eefb68702c/
Threat name:
ByteCode-MSIL.Trojan.RedLineStealer
Create hunting rule
Status:
Malicious
First seen:
2022-01-10 12:38:17 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lo5djwkhut44kwlad5h64davhcae5ky3jngn6sosnkj6563ioawa._file
Verdict:
malicious
Similar samples:
016c36da3c46c38f9bc18970acf60b437503e15139fd1047f4b73cdad4d6342a
RedLineStealer
1bbee1727c791557b1119c32a93c58964414a1cce3dcc0601f92bb628e033a59
RedLineStealer
63680cb50ca4c6ec5837dbc45a9a58f9b27fd33fb47e37e4e848225d0d0a1f2f
RedLineStealer
92ccbbead3ca1c2a221c3dd06da16bb15fe6aef02859087c09c7d248017d955d
RedLineStealer
932fda59abbce6378d0637c359b61b0747c9602e2e87d3105bb49ad745ed382e
RedLineStealer
9c183568a371d5bfd048cb80caed15756b50d8cb7f5e3e8ec6bce045c35216ed
RedLineStealer
+ 291 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/220110-pt27qseeer/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks installed software on the system
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
33ec404cc2738e6465bc59199d6f0f47afcfee77263367ae125511aef095349e
MD5 hash:
4fed8f04282c3404d116b150823594a9
SHA1 hash:
1fdb61087947b04ce361afff9225de8b57c7010a
Link:
https://www.unpac.me/results/6ed4eb8f-85c4-4c9d-a38e-ace4496d8a73/
SH256 hash:
5bba34d947a4f9c559601f4fee0c1538804eab1b4b4cdf49d26a93eefb68702c
MD5 hash:
e8ff0c71d5824846836541dab93f9275
SHA1 hash:
21a4d5beae522e30e548194e98c0fd80d27710dd
Link:
https://www.unpac.me/results/6ed4eb8f-85c4-4c9d-a38e-ace4496d8a73/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/5bba34d947a4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.78
Link:
https://yomi.yoroi.company/submissions/5bba34d947a4f9c559601f4fee0c1538804eab1b4b4cdf49d26a93eefb68702c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
Create hunting rule
Author:ditekSHen
Description:Detects executables containing bas64 encoded gzip files
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 5bba34d947a4f9c559601f4fee0c1538804eab1b4b4cdf49d26a93eefb68702c

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1962366/
Cape
Cape
https://www.capesandbox.com/analysis/217995/

Comments


Avatar
zbet commented on 2022-01-10 12:37:49 UTC

url : hxxps://botmaybe11.mcdir.me/newb.exe