MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7148bb41fee90f24843a31006add5c84e658ccc3583149c0b2b01d6b69aaeaca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7148bb41fee90f24843a31006add5c84e658ccc3583149c0b2b01d6b69aaeaca
SHA3-384 hash: 2949937a60f6fa2d2733bb05f3b2c22ba62009748f7affbea2a49d02a5d5b94876253146703517ce8332553180fc8a9a
SHA1 hash: 4db33fdeb96cf1d70da21a7d2175cc70e6b08aa8
MD5 hash: bcdc78b5b9ce0f67548d947f4a345e4d
humanhash: zulu-timing-fruit-nebraska
File name:bcdc78b5b9ce0f67548d947f4a345e4d
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:8'803'823 bytes
First seen:2021-11-23 01:35:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cfda23baf1e2e983ddfeca47a5c755a (33 x RedLineStealer, 6 x Dridex, 5 x NetSupport)
ssdeep 196608:DaMi0BAE+OquiehuMk9Y9adBhoQbghumu02T7URLPAIH6JMMV:W/0YkhpQsumLRjZ6/
Threatray 1'736 similar samples on MalwareBazaar
TLSH T19E96232367C7D1ECD09639FD00236E995824D82CC5B34EA977894A0BE7B06F776936C2
File icon (PE):PE icon
dhash icon e0c4a02469e2e4e0 (1 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
65.108.20.184:13650 https://threatfox.abuse.ch/ioc/246265/

Intelligence

File Origin
# of uploads :
1
# of downloads :
127
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
bcdc78b5b9ce0f67548d947f4a345e4d
Verdict:
Malicious activity
Analysis date:
2021-11-23 01:38:23 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/737aba71-e620-4022-810c-0c06fc0e6392

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

SecuriteInfo.com.Trojan.MulDrop7.53194.14125.546.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
DNS request
Launching a process
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed packed wacatac
Link:
https://www.filescan.io/uploads/619c4585f36138de3f35e884/reports/66fb1f54-f5ab-49b4-b7d1-2025ae76f3b0/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/06f173b9-5d96-43b9-8fe8-ac50570c4f2f
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/894362
Signature
Allocates memory in foreign processes
Connects to many ports of the same IP (likely port scanning)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Tries to steal Crypto Currency Wallets
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 526838 Sample: wz7FRFwqp8 Startdate: 23/11/2021 Architecture: WINDOWS Score: 100 51 Found malware configuration 2->51 53 Multi AV Scanner detection for submitted file 2->53 55 Yara detected RedLine Stealer 2->55 57 6 other signatures 2->57 8 wz7FRFwqp8.exe 9 2->8         started        process3 file4 35 C:\Users\user\AppData\Local\Temp\ver2.exe, PE32 8->35 dropped 37 C:\Users\user\AppData\Local\...\runrunrun.exe, PE32+ 8->37 dropped 11 ver2.exe 8->11         started        14 runrunrun.exe 25 4 8->14         started        process5 dnsIp6 67 Multi AV Scanner detection for dropped file 11->67 69 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 11->69 71 Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION 11->71 79 2 other signatures 11->79 17 AppLaunch.exe 15 7 11->17         started        22 WerFault.exe 11->22         started        45 api.telegram.org 149.154.167.220, 443, 49786 TELEGRAMRU United Kingdom 14->45 47 www.google.com 172.217.168.68, 49765, 80 GOOGLEUS United States 14->47 49 icanhazip.com 104.18.115.97, 443, 49785 CLOUDFLARENETUS United States 14->49 73 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 14->73 75 May check the online IP address of the machine 14->75 77 Writes to foreign memory regions 14->77 81 2 other signatures 14->81 24 MSBuild.exe 14->24         started        26 WerFault.exe 14->26         started        signatures7 process8 dnsIp9 39 65.108.20.184, 13650, 49750 ALABANZA-BALTUS United States 17->39 41 cdn.discordapp.com 162.159.135.233, 443, 49766 CLOUDFLARENETUS United States 17->41 33 C:\Users\user\AppData\Local\Temp\fl.exe, PE32+ 17->33 dropped 59 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 17->59 61 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 17->61 63 Tries to harvest and steal browser information (history, passwords, etc) 17->63 65 Tries to steal Crypto Currency Wallets 17->65 28 fl.exe 17->28         started        43 192.168.2.1 unknown unknown 22->43 31 WerFault.exe 24->31         started        file10 signatures11 process12 signatures13 83 Multi AV Scanner detection for dropped file 28->83
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7148bb41fee90f24843a31006add5c84e658ccc3583149c0b2b01d6b69aaeaca/
Threat name:
Win32.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-11-22 15:20:41 UTC
File Type:
PE (Exe)
Extracted files:
40
AV detection:
21 of 28 (75.00%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ofelwqp65ehsjbb2geagvxk4qttfrtgdlayutqfswaoww2nk5lfa._file
Verdict:
malicious
Similar samples:
162ab00c0e943f9548b04f3437867508656480585369cb705613dd3accfd54c2
RedLineStealer
16361779af23f2bf8e9061bbf7ab4b702bbec1ceafec1eb4e97dc23a7373ac31
RedLineStealer
33465a3c5546d6863c136167f666d58513bab040dcabf3c9af8b8e807a25f1d8
RedLineStealer
61a70fdae6040d08c4f66f5d5ba95aba1987cda5e4715903696c3139a33d8e05
RedLineStealer
84becd454a058c325e514ac677c33b1493833b35d8b566a2275a9542bea4ca03
RedLineStealer
a5cff8be9bcf62d52112968e176e33103c2589f7fad004023543a041adfa9578
RedLineStealer
aaa0f060df90b346b6ee2befdebaaa9df8ee085f4f4879adcf38c54a0cdee0b8
RedLineStealer
bc06c918fab5afbb61d15611dedadbc9012cf9e4979e9d3f261a9046c306bb87
RedLineStealer
be79e9e636884e314d9f302c161d615348cf81d5e6020c988c37e0a541b85236
RedLineStealer
c43f3217c1cb4f9b4c30ab1d7e5c58994a7f7ad3c639c6641f3e1602295313a6
RedLineStealer
+ 1'726 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/211123-bz9l4shbcn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
6ec51e19321447d72cccf2b9d383a828cc73027d22535339e99cf874e8ebbe3e
MD5 hash:
18011b6c084834961ed63f8b2edd5afa
SHA1 hash:
0146735f4e101cea6590cccd9df596587353702a
Link:
https://www.unpac.me/results/e2d36045-bc48-486c-9ca7-2cb3b3d786fb/
SH256 hash:
0ca0553d22e46a5624712cf0990b18ca972427ef080f98d11de12995277aa31b
MD5 hash:
3071b63fbeab276d9b0dcce9e9de28eb
SHA1 hash:
bcffe70881fbc9d498c7ac1361875857db174efb
Link:
https://www.unpac.me/results/e2d36045-bc48-486c-9ca7-2cb3b3d786fb/
SH256 hash:
7148bb41fee90f24843a31006add5c84e658ccc3583149c0b2b01d6b69aaeaca
MD5 hash:
bcdc78b5b9ce0f67548d947f4a345e4d
SHA1 hash:
4db33fdeb96cf1d70da21a7d2175cc70e6b08aa8
Link:
https://www.unpac.me/results/e2d36045-bc48-486c-9ca7-2cb3b3d786fb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7148bb41fee90f24843a31006add5c84e658ccc3583149c0b2b01d6b69aaeaca

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 7148bb41fee90f24843a31006add5c84e658ccc3583149c0b2b01d6b69aaeaca

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/208488/
  
URLhaus
https://urlhaus.abuse.ch/url/1807596/

Comments


Avatar
zbet commented on 2021-11-23 01:35:19 UTC

url : hxxp://host-file-host9.com/files/1451_1637540313_1932.exe