MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 675fb06332308b4e20c18722d71d7ac4a4fa3414cf2c93720800f52deb217542. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 675fb06332308b4e20c18722d71d7ac4a4fa3414cf2c93720800f52deb217542
SHA3-384 hash: 8a759f8c4301c1504005372e459e94132cc29e2f451beec116479294d52b2869f19a7c0a46d09e1cfd7c905fef7844c3
SHA1 hash: 2bc7cb74571686c329c4ada949ebc8ac73a629eb
MD5 hash: 1ae9d274e3fb54a3f05afc49b9332fc4
humanhash: connecticut-december-london-crazy
File name:Auto_Install.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:871'936 bytes
First seen:2021-12-24 12:59:13 UTC
Last seen:2021-12-24 15:09:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f6af73011d9ad7cbccf66eb190442910 (42 x RedLineStealer, 8 x RaccoonStealer, 1 x Smoke Loader)
ssdeep 24576:eQEB4Xa1ccudJQAuBnteGMDkEaHNYK3V1ZOeQq5w:mBJmQnv5MDNa3PQx
Threatray 3'840 similar samples on MalwareBazaar
TLSH T1A105336E3E81DA6DC309657C0E77791F11CF6E6CDCE83A339665834326154A88CEBB81
Reporter tech_skeech
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
162
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Auto_Install.exe
Verdict:
Malicious activity
Analysis date:
2021-12-24 13:06:34 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/406d4245-f9cf-4715-a4aa-a74978a31017

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/216155/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Launching the default Windows debugger (dwwin.exe)
DNS request
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Сreating synchronization primitives
Creating a file
Creating a process from a recently created file
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/3095/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed redline
Link:
https://www.filescan.io/uploads/61c5c4564ab5c44cbf4f5e24/reports/be360d88-6c2f-463a-991d-45ea580cc68f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/842988fe-6f6b-4caa-9979-bb2ed45da8d0
Result
Threat name:
Oski Stealer RedLine SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/912454
Signature
Allocates memory in foreign processes
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Drops PE files with benign system names
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: System File Execution Location Anomaly
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Oski Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 544932 Sample: Auto_Install.exe Startdate: 24/12/2021 Architecture: WINDOWS Score: 100 72 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->72 74 Multi AV Scanner detection for domain / URL 2->74 76 Found malware configuration 2->76 78 10 other signatures 2->78 13 Auto_Install.exe 2->13         started        16 behjaes 2->16         started        18 lsm.exe 2->18         started        process3 signatures4 118 Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION 13->118 120 Writes to foreign memory regions 13->120 122 Allocates memory in foreign processes 13->122 20 AppLaunch.exe 15 7 13->20         started        25 WerFault.exe 23 9 13->25         started        124 Machine Learning detection for dropped file 16->124 126 Injects a PE file into a foreign processes 16->126 27 behjaes 16->27         started        128 Multi AV Scanner detection for dropped file 18->128 29 lsm.exe 18->29         started        process5 dnsIp6 70 92.255.85.131, 44159, 49746, 49751 SOVTEL-ASRU Russian Federation 20->70 60 C:\Users\user\Desktop\rundll32.exe, PE32 20->60 dropped 86 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 20->86 88 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 20->88 90 Tries to harvest and steal browser information (history, passwords, etc) 20->90 92 Tries to steal Crypto Currency Wallets 20->92 31 rundll32.exe 20->31         started        62 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 25->62 dropped 94 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 27->94 96 Maps a DLL or memory area into another process 27->96 98 Checks if the current machine is a virtual machine (disk enumeration) 27->98 100 Creates a thread in another existing process (thread injection) 27->100 file7 signatures8 process9 signatures10 130 Machine Learning detection for dropped file 31->130 132 Contains functionality to inject code into remote processes 31->132 134 Injects a PE file into a foreign processes 31->134 34 rundll32.exe 31->34         started        process11 signatures12 80 Maps a DLL or memory area into another process 34->80 82 Checks if the current machine is a virtual machine (disk enumeration) 34->82 84 Creates a thread in another existing process (thread injection) 34->84 37 explorer.exe 4 34->37 injected process13 file14 64 C:\Users\user\AppData\Roaming\behjaes, PE32 37->64 dropped 66 C:\Users\user\AppData\Local\Temp\C025.exe, PE32 37->66 dropped 102 System process connects to network (likely due to code injection or exploit) 37->102 104 Benign windows process drops PE files 37->104 106 Injects code into the Windows Explorer (explorer.exe) 37->106 108 2 other signatures 37->108 41 C025.exe 37->41         started        44 explorer.exe 37->44         started        46 explorer.exe 37->46         started        48 explorer.exe 37->48         started        signatures15 process16 signatures17 110 Multi AV Scanner detection for dropped file 41->110 112 May check the online IP address of the machine 41->112 114 Machine Learning detection for dropped file 41->114 116 2 other signatures 41->116 50 C025.exe 15 41->50         started        process18 dnsIp19 68 iplogger.org 148.251.234.83, 443, 49787, 49788 HETZNER-ASDE Germany 50->68 58 C:\ProgramData\...\lsm.exe, PE32 50->58 dropped 54 schtasks.exe 50->54         started        file20 process21 process22 56 conhost.exe 54->56         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/675fb06332308b4e20c18722d71d7ac4a4fa3414cf2c93720800f52deb217542/
Threat name:
Win32.Trojan.RedLineSteal
Create hunting rule
Status:
Malicious
First seen:
2021-12-24 13:00:15 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
21 of 27 (77.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=m5p3ayzsgcfu4igbq4rnohl2ysspunauz4wjg4qiad2s32zbovba._file
Verdict:
malicious
Similar samples:
010a62f966d9c564223913542c5acbfc3b46d5b7d0f8c44319c0231cd6d5ea5a
RedLineStealer
0d68db857ee83390dbbc73857445a2ed7276d1d1fba86a78b16b28edfbf42231
RedLineStealer
1b8dab946d42aa832cfd9df68593c311e979491f2bd7df7f6f1acb9427215b68
RedLineStealer
30a0834cb7fcd0232929e53c63e45fce83704c31fbcf1c32bb5a37db6be84931
RedLineStealer
46c5ca3a6f401ab5f7bbbb41195f7a159c49c4723eb243a14348ba78ff79809c
RedLineStealer
529984e86b3f9c641fda96119c5cce75d8f4d22f87d133b2a177bb2bb83bf6c4
RedLineStealer
65e7ba110226901fca80b18dd5aae377fa1db96f062e6566c4ac654364cae9a3
RedLineStealer
81d753e81a9ccd4d27eb749d382b0eebfdfd30d7533f8d6162bb043af1d2c4ca
RedLineStealer
d150e4f58b5e1705c4d7fb576534015a42f5ae34fd653a6dadb18088159f1c5d
RedLineStealer
+ 3'830 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/211224-p8nb5aebf4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Unpacked files
SH256 hash:
348d9f151b1ce92949c1127a69d410bfd8680f9d7cfaffde4445dc45d0ddc55d
MD5 hash:
172441be25d873ee3a90a1b04a51a165
SHA1 hash:
63bf6c74c8b50e18929e93c56a4551c4dfbef358
Link:
https://www.unpac.me/results/6b28c0c4-9194-4a46-9139-6199ad2750af/
SH256 hash:
42b0418ca7052073955b545e57782b4a4f0ade5f7fc334f330891f56f1289014
MD5 hash:
0b3b093eefbca2d89be16a5b15a9246c
SHA1 hash:
d874a70bdb550b7bb92ebce06e5ced96c53a16fc
Link:
https://www.unpac.me/results/6b28c0c4-9194-4a46-9139-6199ad2750af/
SH256 hash:
675fb06332308b4e20c18722d71d7ac4a4fa3414cf2c93720800f52deb217542
MD5 hash:
1ae9d274e3fb54a3f05afc49b9332fc4
SHA1 hash:
2bc7cb74571686c329c4ada949ebc8ac73a629eb
Link:
https://www.unpac.me/results/6b28c0c4-9194-4a46-9139-6199ad2750af/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/675fb0633230/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/675fb06332308b4e20c18722d71d7ac4a4fa3414cf2c93720800f52deb217542

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 675fb06332308b4e20c18722d71d7ac4a4fa3414cf2c93720800f52deb217542

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/216155/

Comments