MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7791d1d43d552dc3a51864f9ec670d073bbfc0c7eed0415b902674fc24c4fca1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7791d1d43d552dc3a51864f9ec670d073bbfc0c7eed0415b902674fc24c4fca1
SHA3-384 hash: ce9ea31f82231c9296d978b5fabe820d276ae278e0b56886b424654ec532f6acd4fd22c44711017bee5fd1403c2a4f67
SHA1 hash: 99c06fdbbd8f8ba7fb4f08d80e38a2c8084b672c
MD5 hash: 61751b9b8ec2ec12b307e079c5d14a8d
humanhash: ink-october-oregon-march
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'341'440 bytes
First seen:2023-12-08 12:43:31 UTC
Last seen:2023-12-09 05:24:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 739c3d1d58b1191eaf8e71018311bbd7 (1 x RedLineStealer)
ssdeep 24576:zwdOkvJwHMnzdsel8y5V0rQG4hqHDngqkrM6AQdR6H1l1:zwdOHHCsZvpNjngNKkR6F
TLSH T1F155E175F2D14437E173297D9C5B97A4AC3AFE90392898462FE82C4C5F35782342A3A7
TrID 68.7% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
27.1% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
1.4% (.EXE) Win32 Executable Delphi generic (14182/79/4)
1.3% (.SCR) Windows screen saver (13097/50/3)
0.4% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon d4d0ecdcc4c4d4c4 (1 x RedLineStealer)
Reporter andretavare5
Tags:exe RedLineStealer


Avatar
andretavare5
Sample downloaded from https://vk.com/doc418490229_669333413?hash=3pJPTJtbaIKfsl69ff2o3yLpKfQZ2YgXhuOxABvTJv0&dl=kzPuILVGGOaTaM4ZG436HRDo3EKIzqQFgfSdh7fqcdD&api=1&no_preview=1#loch

Intelligence

File Origin
# of uploads :
45
# of downloads :
314
Origin country :
US US
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/463589/
Detection(s):
SecuriteInfo.com.Win32.Malware-gen.5274.24717.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for the window
Creating a window
Sending a custom TCP request
Creating a file in the %temp% subdirectories
Launching cmd.exe command interpreter
Creating a process with a hidden window
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Running batch commands
Creating a process from a recently created file
DNS request
Gathering data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control greyware hook keylogger lolbin
Link:
https://www.filescan.io/uploads/65730f943636548f3742f833/reports/fe8fe0cb-69f2-4f4c-87e3-d7c233eb7d81/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/7791d1d43d552dc3a51864f9ec670d073bbfc0c7eed0415b902674fc24c4fca1
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/d9c58c52-c9e2-42b4-abdf-9ef6ad88728c
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1356210
Signature
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Contains functionality to modify clipboard data
Drops PE files with a suspicious file extension
Found API chain indicative of debugger detection
Found API chain indicative of sandbox detection
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1356210 Sample: file.exe Startdate: 08/12/2023 Architecture: WINDOWS Score: 100 45 LxKEnIWzhxmEGdtgMLuGKbGuIFoQ.LxKEnIWzhxmEGdtgMLuGKbGuIFoQ 2->45 57 Snort IDS alert for network traffic 2->57 59 Multi AV Scanner detection for domain / URL 2->59 61 Found malware configuration 2->61 63 5 other signatures 2->63 10 file.exe 7 2->10         started        signatures3 process4 file5 41 C:\Users\user\AppData\Local\Temp\...\Bottle, PE32 10->41 dropped 13 cmd.exe 1 10->13         started        16 conhost.exe 10->16         started        process6 signatures7 73 Uses ping.exe to sleep 13->73 75 Drops PE files with a suspicious file extension 13->75 77 Uses ping.exe to check the status of other devices and networks 13->77 18 cmd.exe 1 13->18         started        21 conhost.exe 13->21         started        process8 signatures9 47 Uses ping.exe to sleep 18->47 23 Index.pif 1 18->23         started        27 cmd.exe 2 18->27         started        29 cmd.exe 2 18->29         started        31 6 other processes 18->31 process10 file11 37 C:\Users\user\AppData\Local\Temp\...\jsc.exe, PE32 23->37 dropped 65 Found API chain indicative of debugger detection 23->65 67 Found API chain indicative of sandbox detection 23->67 69 Writes to foreign memory regions 23->69 71 2 other signatures 23->71 33 jsc.exe 8 4 23->33         started        39 C:\Users\user\AppData\Local\...\Index.pif, PE32 27->39 dropped signatures12 process13 dnsIp14 43 89.23.96.47, 22010, 49712 MAXITEL-ASRU Russian Federation 33->43 49 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 33->49 51 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 33->51 53 Tries to harvest and steal browser information (history, passwords, etc) 33->53 55 Tries to steal Crypto Currency Wallets 33->55 signatures15
Score:
91%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7791d1d43d552dc3a51864f9ec670d073bbfc0c7eed0415b902674fc24c4fca1
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7791d1d43d552dc3a51864f9ec670d073bbfc0c7eed0415b902674fc24c4fca1/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-12-08 12:44:04 UTC
File Type:
PE (Exe)
Extracted files:
47
AV detection:
15 of 23 (65.22%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=o6i5dvb5kuw4hjiymt46yzyna4537qgh53iecw4qez2pyjge7sqq._file
Verdict:
unknown
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:build new crypt infostealer
Link:
https://tria.ge/reports/231208-pykhgsee5w/
Behaviour
Enumerates processes with tasklist
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
RedLine
RedLine payload
Malware Config
C2 Extraction:
89.23.96.47:22010
Unpacked files
SH256 hash:
abc2b19ba9855aed284b69e24da9743c66b45a9c6ffb2d320015b2aae3531172
MD5 hash:
5aec565c53894ff1ec71b89858a9aea4
SHA1 hash:
2553e2d1bbf71c848c974004f517724a5cb05270
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/2455631b-e4e8-4588-8174-e68c557caff0/
Parent samples :
7791d1d43d552dc3a51864f9ec670d073bbfc0c7eed0415b902674fc24c4fca1
412ea561f1fddaab3c4a0543031a61b63e762461e32554e2927e6fc0212ac6cb
1ed614298823aac2a94b9ed2dee72e311c4c69e385a29b13e3aaa445740cd4ee
SH256 hash:
7791d1d43d552dc3a51864f9ec670d073bbfc0c7eed0415b902674fc24c4fca1
MD5 hash:
61751b9b8ec2ec12b307e079c5d14a8d
SHA1 hash:
99c06fdbbd8f8ba7fb4f08d80e38a2c8084b672c
Link:
https://www.unpac.me/results/2455631b-e4e8-4588-8174-e68c557caff0/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7791d1d43d55/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7791d1d43d552dc3a51864f9ec670d073bbfc0c7eed0415b902674fc24c4fca1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/463589/

Comments