MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 91b81e4f011d1d8e8ec8d50b7fed343ca5a92029ed96a5e4e4a77c7d27340d8d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 91b81e4f011d1d8e8ec8d50b7fed343ca5a92029ed96a5e4e4a77c7d27340d8d
SHA3-384 hash: 128e01916a77547cfc9dee22da833fd39affaa3b748fe8b3809dda8946daeb9ee362352b417ff57999fecb47ac3ae20c
SHA1 hash: 19000f8a024c0d1c8e600508b3c89703861a4535
MD5 hash: 5bcbc390b18ab8bef290bd444f784502
humanhash: winter-alanine-enemy-speaker
File name:SecuriteInfo.com.Variant.Fragtor.132154.3477.32360
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:110'080 bytes
First seen:2022-08-21 22:28:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1e30af043142429ccc5d7bc35b017d9f (13 x RedLineStealer, 10 x RecordBreaker, 1 x Smoke Loader)
ssdeep 3072:geHymFJjCcDFu++bIZ8pDCdsvupyTpzDlnXJo07ur6UVgrbH:gejK++JmyTZDlnXKxarbH
Threatray 7'017 similar samples on MalwareBazaar
TLSH T1A4B39D03B9C19471E87A09B35974D9E19A3FFC201B60EE67378D163A0F306D19E25E7A
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter SecuriteInfoCom
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
401
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Variant.Fragtor.132154.3477.32360
Verdict:
No threats detected
Analysis date:
2022-08-21 22:30:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/15b7f187-90cd-407b-a036-59abfaf9782e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/300071/
Detection(s):
SecuriteInfo.com.Variant.Fragtor.132154.3477.32360.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/29585/overview
Behaviour
MalwareBazaar
CheckNumberOfProcessor
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm greyware keylogger packed
Link:
https://www.filescan.io/uploads/6302b1d33cbb13868a6cafa4/reports/cfb69fbd-450c-4811-ad21-75ca871d0368/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/32feb266-0b15-4bda-92dd-6d2bf9fb1431
Result
Threat name:
Raccoon Stealer v2, RedLine, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1055171
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
DLL side loading technique detected
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Raccoon Stealer v2
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 687684 Sample: SecuriteInfo.com.Variant.Fr... Startdate: 22/08/2022 Architecture: WINDOWS Score: 100 74 coinsurf.com 2->74 76 in.appcenter.ms 2->76 88 Snort IDS alert for network traffic 2->88 90 Multi AV Scanner detection for domain / URL 2->90 92 Malicious sample detected (through community Yara rule) 2->92 94 9 other signatures 2->94 10 SecuriteInfo.com.Variant.Fragtor.132154.3477.exe 1 2->10         started        13 fugjcfd 2 2->13         started        signatures3 process4 signatures5 102 Contains functionality to inject code into remote processes 10->102 104 Writes to foreign memory regions 10->104 106 Allocates memory in foreign processes 10->106 108 2 other signatures 10->108 15 MSBuild.exe 10->15         started        18 conhost.exe 10->18         started        20 MSBuild.exe 10->20         started        22 conhost.exe 13->22         started        process6 signatures7 128 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 15->128 130 Maps a DLL or memory area into another process 15->130 132 Checks if the current machine is a virtual machine (disk enumeration) 15->132 134 Creates a thread in another existing process (thread injection) 15->134 24 explorer.exe 8 15->24 injected process8 dnsIp9 82 185.215.113.58, 49754, 49761, 80 WHOLESALECONNECTIONSNL Portugal 24->82 84 45.138.74.104, 49755, 80 HOSTGLOBALPLUS-ASRU Russian Federation 24->84 86 2 other IPs or domains 24->86 66 C:\Users\user\AppData\Roaming\fugjcfd, PE32 24->66 dropped 68 C:\Users\user\AppData\Local\Temp\FDA8.exe, PE32 24->68 dropped 70 C:\Users\user\AppData\Local\Temp4FF.exe, PE32 24->70 dropped 72 C:\Users\user\AppData\Local\Temp\389F.exe, PE32 24->72 dropped 110 System process connects to network (likely due to code injection or exploit) 24->110 112 Benign windows process drops PE files 24->112 114 Injects code into the Windows Explorer (explorer.exe) 24->114 116 2 other signatures 24->116 29 E4FF.exe 1 24->29         started        32 389F.exe 1 24->32         started        34 FDA8.exe 4 24->34         started        37 9 other processes 24->37 file10 signatures11 process12 file13 118 Machine Learning detection for dropped file 29->118 120 Writes to foreign memory regions 29->120 122 Allocates memory in foreign processes 29->122 39 MSBuild.exe 25 29->39         started        44 conhost.exe 29->44         started        124 Injects a PE file into a foreign processes 32->124 46 MSBuild.exe 2 32->46         started        48 conhost.exe 32->48         started        50 WerFault.exe 32->50         started        54 C:\Users\user\AppData\Local\...\Update.exe, PE32 34->54 dropped 126 Multi AV Scanner detection for dropped file 34->126 52 Update.exe 8 34->52         started        signatures14 process15 dnsIp16 78 89.208.104.46, 49759, 80 PSKSET-ASRU Russian Federation 39->78 56 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 39->56 dropped 58 C:\Users\user\AppData\LocalLow\nss3.dll, PE32 39->58 dropped 60 C:\Users\user\AppData\LocalLow\mozglue.dll, PE32 39->60 dropped 64 4 other files (none is malicious) 39->64 dropped 96 Tries to harvest and steal browser information (history, passwords, etc) 39->96 98 DLL side loading technique detected 39->98 100 Tries to steal Crypto Currency Wallets 39->100 80 178.32.215.163, 17189, 49780 OVHFR France 46->80 62 C:\Users\user\AppData\Local\...\Update.exe, PE32 52->62 dropped file17 signatures18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/91b81e4f011d1d8e8ec8d50b7fed343ca5a92029ed96a5e4e4a77c7d27340d8d/
Threat name:
Win32.Trojan.Lazy
Create hunting rule
Status:
Malicious
First seen:
2022-08-21 22:29:10 UTC
File Type:
PE (Exe)
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=sg4b4tybduoy5dwi2ufx73juhss2sibj5wlklzheu56h2jzubwgq._file
Verdict:
malicious
Similar samples:
01d7f7de616e35195a27d7354b78745e7dedcb4af64db9f53db1597bb42b1c21
RedLineStealer
049ae382c00f3cbd42e9108966c445234ed5bccce0913dae44c313295879a6c2
RedLineStealer
30f5564e58d11d68bb6f8f01c745a9e60f2dd5362534c7c959868d9d554e86e5
RedLineStealer
572ceb288c34f070937cada71821e3f7aae5b3158cba6f1c0f82cb72a0ef0e72
RedLineStealer
5786b1e1dc5abbeb0c60e1b7b652c49af8152c2e923894feb56aee8ad4c0f629
RedLineStealer
5cd575c5fa62c375ac8f979a0231f39b1779122a277ce4a5c2faa9f5e69e1d11
RedLineStealer
7ed50d6cf6c9904f2392e39ac88e5e024c21746d794b9dca4b51cbbbd444df4a
RedLineStealer
9f811e7bbc6d4799de5647e11e35d4e681485840ff65dc8ced5f956729ac3058
RedLineStealer
b99300d00050e4a8b2b0873723a9783b172776ba8cb7500d65e6d93bc3d37147
RedLineStealer
c7946da08940de7da39c9bcd1417e1926616d7953974ef5f24aacc6de9b362c9
RedLineStealer
+ 7'007 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220821-2d749saae7/
Unpacked files
SH256 hash:
3289ee2ba42c852e8fc31aa67035f05b1be9d622204afab44a0f46815be03496
MD5 hash:
81baf163fb4b3f6654b20d2f33791e3d
SHA1 hash:
1b54d58662a4d5630e9e95d147f1119d0eb876ed
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/4562836e-6b9b-41e9-8419-6b8e9aec61b4/
Parent samples :
16c32131c745115942dd6fedd809c8464bd7af2b90f331484c2b8841acc2d441
f226cc04ef1f4e94eb45916c6a5255bbdb228ec2d91ce76f205c864134ed9776
91b81e4f011d1d8e8ec8d50b7fed343ca5a92029ed96a5e4e4a77c7d27340d8d
7c907a02202f8d0769f00837717b0e59c4c3199e4dc00ae904ff109f26d24301
5ccc9b9ecf6654aa6fae02500b01daa5a8684e3214060f0b7f8a65c34e7d6589
f1f2d5a58abafeb678b2478d462e1b6a821a5cfd868a9c53438141de5d8aa148
edf6e2af884cf11eee6a8639a5cd594c32537063cf4c984bbd190d51d182c59c
SH256 hash:
91b81e4f011d1d8e8ec8d50b7fed343ca5a92029ed96a5e4e4a77c7d27340d8d
MD5 hash:
5bcbc390b18ab8bef290bd444f784502
SHA1 hash:
19000f8a024c0d1c8e600508b3c89703861a4535
Link:
https://www.unpac.me/results/4562836e-6b9b-41e9-8419-6b8e9aec61b4/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/91b81e4f011d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/91b81e4f011d1d8e8ec8d50b7fed343ca5a92029ed96a5e4e4a77c7d27340d8d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAS_Malware_Hunting
Create hunting rule
Author:Michael Reinprecht
Description:DEMO CAS YARA Rules for sample2.exe
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 91b81e4f011d1d8e8ec8d50b7fed343ca5a92029ed96a5e4e4a77c7d27340d8d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2275334/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/300071/

Comments