MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5eef6041b328470091e9275c49ea24dd2c267c89f8938c52386fb056cca53030. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5eef6041b328470091e9275c49ea24dd2c267c89f8938c52386fb056cca53030
SHA3-384 hash: 2c48c86be8d58d8a4a4c1c587112b45b0ae1a80c1e725f0277bb964335bb429789c6986fca4a269168beb842e37c7b3c
SHA1 hash: f95085eefed703a78bb4923a8b5f4679f75d878b
MD5 hash: 513fa9c1cda05671928e6a85667ec61d
humanhash: four-happy-florida-table
File name:Installer.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:355'840 bytes
First seen:2022-11-07 19:12:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e2a07bb4b81e6c6d0f72670722ee7e56 (20 x RedLineStealer)
ssdeep 6144:ww10AFFI27IUoDGu9wATm45BWRUAOtJYJ8vLzXFKQ2Qzklr/VSwKruZU5VBM6MJX:ww102FI27IUoD/ffnX8Q2Qz6UDruZgVq
Threatray 16'755 similar samples on MalwareBazaar
TLSH T1E774CF40B5D3D972D9B2543A09E0DA35C97DB8200F345AFF67E4177B4E202C3A972A7A
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter tcains1
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
198
Origin country :
US US
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
Installer.exe
Verdict:
Malicious activity
Analysis date:
2022-11-07 19:04:11 UTC
Tags:
redline trojan rat
Link:
https://app.any.run/tasks/3b05fa87-d824-48e1-907a-52a367cfa75a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/330178/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.21688.4099.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/636958bd5a33779d69ce80b7/reports/52138669-1187-43e4-8c91-6cf8a83cbe3b/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/04999d5e-8773-493b-a738-46dc319252e0
Result
Threat name:
Laplas Clipper, MicroClip, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1107608
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Encrypted powershell cmdline option found
Found hidden mapped module (file has been removed from disk)
Found many strings related to Crypto-Wallets (likely being stolen)
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Stop multiple services
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Laplas Clipper
Yara detected MicroClip
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 740270 Sample: Installer.exe Startdate: 07/11/2022 Architecture: WINDOWS Score: 100 105 Snort IDS alert for network traffic 2->105 107 Multi AV Scanner detection for domain / URL 2->107 109 Malicious sample detected (through community Yara rule) 2->109 111 16 other signatures 2->111 9 Installer.exe 1 2->9         started        12 svcupdater.exe 2->12         started        15 svcupdater.exe 2->15         started        17 2 other processes 2->17 process3 dnsIp4 131 Contains functionality to inject code into remote processes 9->131 133 Writes to foreign memory regions 9->133 135 Allocates memory in foreign processes 9->135 137 Injects a PE file into a foreign processes 9->137 19 AppLaunch.exe 15 10 9->19         started        24 WerFault.exe 23 9 9->24         started        26 conhost.exe 9->26         started        28 WerFault.exe 9->28         started        103 clipper.guru 45.159.189.115, 49718, 49721, 80 HOSTING-SOLUTIONSUS Netherlands 12->103 139 Multi AV Scanner detection for dropped file 12->139 30 conhost.exe 17->30         started        32 conhost.exe 17->32         started        signatures5 process6 dnsIp7 97 79.137.204.112, 49706, 80 PSKSET-ASRU Russian Federation 19->97 99 api.ip.sb 19->99 101 2 other IPs or domains 19->101 87 C:\Users\user\AppData\Local\...\conhost.exe, PE32+ 19->87 dropped 89 C:\Users\user\AppData\Local\...\setup.exe, PE32 19->89 dropped 91 C:\Users\user\AppData\Local\...\ofg.exe, PE32+ 19->91 dropped 93 C:\Users\user\AppData\Local\...\brave.exe, PE32+ 19->93 dropped 123 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 19->123 125 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 19->125 127 Tries to harvest and steal browser information (history, passwords, etc) 19->127 129 Tries to steal Crypto Currency Wallets 19->129 34 brave.exe 19->34         started        38 ofg.exe 19->38         started        40 setup.exe 19->40         started        42 conhost.exe 19->42         started        95 C:\ProgramData\Microsoft\...\Report.wer, Unicode 24->95 dropped file8 signatures9 process10 file11 77 C:\Users\user\AppData\Local\Temp\6257.tmp, PE32+ 34->77 dropped 79 C:\Program Filesbehaviorgraphoogle\Chrome\updater.exe, PE32+ 34->79 dropped 113 Multi AV Scanner detection for dropped file 34->113 115 Writes to foreign memory regions 34->115 117 Modifies the context of a thread in another process (thread injection) 34->117 121 3 other signatures 34->121 44 cmd.exe 34->44         started        47 cmd.exe 34->47         started        49 powershell.exe 34->49         started        57 3 other processes 34->57 81 C:\Users\user\AppData\...\svcupdater.exe, PE32+ 38->81 dropped 51 cmd.exe 38->51         started        83 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 40->83 dropped 119 Encrypted powershell cmdline option found 40->119 53 powershell.exe 40->53         started        85 C:\Users\user\AppData\...\svcupdater.exe, PE32+ 42->85 dropped 55 cmd.exe 42->55         started        signatures12 process13 signatures14 59 conhost.exe 44->59         started        69 10 other processes 44->69 141 Modifies power options to not sleep / hibernate 47->141 71 5 other processes 47->71 61 conhost.exe 49->61         started        143 Uses cmd line tools excessively to alter registry or file data 51->143 145 Uses schtasks.exe or at.exe to add and modify task schedules 51->145 147 Uses powercfg.exe to modify the power settings 51->147 63 conhost.exe 51->63         started        65 schtasks.exe 51->65         started        67 conhost.exe 53->67         started        73 2 other processes 55->73 75 2 other processes 57->75 process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5eef6041b328470091e9275c49ea24dd2c267c89f8938c52386fb056cca53030/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-11-07 19:13:07 UTC
File Type:
PE (Exe)
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=l3xwaqntfbdqbepje5oet2re3uwcm7ej7cjyyuryn6yfntffgaya._file
Verdict:
malicious
Similar samples:
054174b77c43d2b1a97a1238282818dc2792535ec0e3b94102c58d9d9ffeba15
RedLineStealer
059b97d2db52813056ebdb7d6ea2ca90f9a7b10d4813b919b2ea78408a6e1508
RedLineStealer
0fddeb14acea742a808d10f5c6da7f411ea92e44f5e85b39cb8e9cf5e104a0ae
RedLineStealer
2027e263e2872242faf65b3e6bf249223cb09b8e9b335f44bf3e89b9951be9f9
RedLineStealer
26f426fd4ff119e8830681f0692ff3b627f6c5a0d8905c2ca07b6b4298e07f95
RedLineStealer
888497ac8f3cb030dc34d198ef8e307fab6b129f31f4fc9c41ea78f94d831529
RedLineStealer
ab15105c31b25984d7a7838bc7f95c65002c1657d8cd25c69fa8a7dd3e624077
RedLineStealer
c500fecde8b41e100ed5bcfdaf6b6047e4e1958e69c693869772147316bea289
RedLineStealer
c832fe9f9a39541e3e1ba09c0b2c143d639c235f3634db05b487cb9518779506
RedLineStealer
+ 16'745 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:@chykhas evasion infostealer persistence spyware upx
Link:
https://tria.ge/reports/221107-xw2yradeg4/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
GoLang User-Agent
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Sets service image path in registry
Stops running service(s)
UPX packed file
ACProtect 1.3x - 1.4x DLL software
Modifies security service
RedLine
RedLine payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
79.137.204.112:80
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/83f46ba1-d429-481f-80d5-097f0fe03d9f
Unpacked files
SH256 hash:
394bfd981dcf506f067322c90091dc055e0af598df034cd81bb52505b3d5642c
MD5 hash:
d8beb9c1837b0cd22707dd73d97d1187
SHA1 hash:
a805ffde3c42d051b7fd982c0d94e976f1fb8e91
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/7292b4fe-78e6-49d7-a262-265fbc8017c3/
Parent samples :
5eef6041b328470091e9275c49ea24dd2c267c89f8938c52386fb056cca53030
90d6ab9d8c74e5724137f1137335ddfba5ce53f1e277c453c984c51b7ee53b46
SH256 hash:
5eef6041b328470091e9275c49ea24dd2c267c89f8938c52386fb056cca53030
MD5 hash:
513fa9c1cda05671928e6a85667ec61d
SHA1 hash:
f95085eefed703a78bb4923a8b5f4679f75d878b
Link:
https://www.unpac.me/results/7292b4fe-78e6-49d7-a262-265fbc8017c3/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5eef6041b328/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5eef6041b328470091e9275c49ea24dd2c267c89f8938c52386fb056cca53030

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 5eef6041b328470091e9275c49ea24dd2c267c89f8938c52386fb056cca53030

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/330178/

Comments