MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b38fb291fd59ee1e6886120513beb35fa6aae5f5b1ac77c0f1c8746458d49d2c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b38fb291fd59ee1e6886120513beb35fa6aae5f5b1ac77c0f1c8746458d49d2c
SHA3-384 hash: 5eb12bc1374ed53026a94aa2d9e4b870e10a42db5493061010b36e1f01fa3b8a8a8a1d8a0e707d50bf50266c52eec869
SHA1 hash: e4e1eff852c77bc3cd58eededec847213df192b3
MD5 hash: dd5c236dfdf63f032d700e10ed7a5efe
humanhash: football-red-queen-berlin
File name:dd5c236dfdf63f032d700e10ed7a5efe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:567'296 bytes
First seen:2022-03-23 07:22:41 UTC
Last seen:2022-03-25 07:03:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 445554923421947cbff896012e27345a (301 x RedLineStealer, 11 x RaccoonStealer, 5 x CoinMiner)
ssdeep 12288:Y3x7PExU43DyxcNHr21QS03ULaHNqrxlKIQNovEqolY3NVzrEerA:W7PEN3D5RrQkEaHNYK3A7oy3NVzLrA
Threatray 3'102 similar samples on MalwareBazaar
TLSH T160C423FBE3C5B91CC2DA3AF41A2B9F0F125552AD36E4F15FA0585E4B046C0E1DB4C2A5
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
45.9.88.244:3821 https://threatfox.abuse.ch/ioc/441907/

Intelligence

File Origin
# of uploads :
3
# of downloads :
182
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/255396/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Sending a custom TCP request
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Сreating synchronization primitives
DNS request
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/623acaf20cd58dbd92ddc562/reports/958354ea-e8db-4dfc-b9ee-e1826bd86aa8/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b1e657db-488c-4266-ba04-ec856effc784
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/962477
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Detected VMProtect packer
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 594957 Sample: LGaHSLlBZw Startdate: 23/03/2022 Architecture: WINDOWS Score: 100 29 Found malware configuration 2->29 31 Malicious sample detected (through community Yara rule) 2->31 33 Multi AV Scanner detection for submitted file 2->33 35 4 other signatures 2->35 7 LGaHSLlBZw.exe 1 2->7         started        process3 signatures4 43 Writes to foreign memory regions 7->43 45 Allocates memory in foreign processes 7->45 47 Injects a PE file into a foreign processes 7->47 10 AppLaunch.exe 15 7 7->10         started        15 conhost.exe 7->15         started        process5 dnsIp6 25 45.9.88.244, 3821, 49771 RAINBOW-HKRainbownetworklimitedHK Russian Federation 10->25 27 dl.uploadgram.me 176.9.247.226, 443, 49772 HETZNER-ASDE Germany 10->27 21 C:\Users\user\AppData\Local\Temp\fl.exe, PE32+ 10->21 dropped 49 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 10->49 51 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 10->51 53 Tries to harvest and steal browser information (history, passwords, etc) 10->53 55 Tries to steal Crypto Currency Wallets 10->55 17 fl.exe 2 10->17         started        file7 signatures8 process9 dnsIp10 23 192.168.2.1 unknown unknown 17->23 37 Antivirus detection for dropped file 17->37 39 Multi AV Scanner detection for dropped file 17->39 41 Machine Learning detection for dropped file 17->41 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b38fb291fd59ee1e6886120513beb35fa6aae5f5b1ac77c0f1c8746458d49d2c/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-03-23 07:23:11 UTC
File Type:
PE (Exe)
AV detection:
28 of 42 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=woh3fep5lhxb42egcicrhpvtl6tkvzpvwgwhpqhrzb2giwgutuwa._file
Verdict:
malicious
Similar samples:
06af78c89fc6b79696c14326d98a5d8ff14ae51b4303c308a77d980dbd731922
RedLineStealer
0dee20eae747781c183499abc341feded87a5a6325f0a9b789067d1b6377ef89
RedLineStealer
25cd127b9d559d6754269ecc116d35be66aca027640bcd71a836567c32b946c5
RedLineStealer
716408476bc23c3e74a852ed6246dd60e8ed18533bedc13d4984279c97cd1a74
RedLineStealer
89dac706230235cd4cf9b37c009ed2a37955a888a826a5db197c91a3e6feee7f
RedLineStealer
8abaa521a014cdbda2afe77042f21947b147197d274bf801de2df55b1e01c904
RedLineStealer
d9ef2723a2d54f8774224b15ad9324598e2213597cf882292af713223b097294
RedLineStealer
+ 3'092 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:@blood_ra1n infostealer spyware vmprotect
Link:
https://tria.ge/reports/220323-h7tdeshdg8/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks computer location settings
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
RedLine
RedLine Payload
Malware Config
C2 Extraction:
45.9.88.244:3821
Unpacked files
SH256 hash:
7420a505b856a38c01f7762b49fa299cb1247dcd4b9f2fccebc6cb7c565f7295
MD5 hash:
d864eaa8853afe59c4cc7dc65bee76d4
SHA1 hash:
b4b83a6479c297ec801f6b90c711129db991b6ff
Link:
https://www.unpac.me/results/c1c84ae9-471b-4c30-aacc-ac7b89863825/
SH256 hash:
5d357a905744c9f9859bb0cb8d4fa5dd10a4e01e117c1bc902ec6978fe6e61f2
MD5 hash:
47729ac460348b28198ab5e6b6725a53
SHA1 hash:
fb9bf76b5fbeed3ba8907f39d23580172b4ba454
Link:
https://www.unpac.me/results/c1c84ae9-471b-4c30-aacc-ac7b89863825/
SH256 hash:
b38fb291fd59ee1e6886120513beb35fa6aae5f5b1ac77c0f1c8746458d49d2c
MD5 hash:
dd5c236dfdf63f032d700e10ed7a5efe
SHA1 hash:
e4e1eff852c77bc3cd58eededec847213df192b3
Link:
https://www.unpac.me/results/c1c84ae9-471b-4c30-aacc-ac7b89863825/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/b38fb291fd59/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b38fb291fd59ee1e6886120513beb35fa6aae5f5b1ac77c0f1c8746458d49d2c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe b38fb291fd59ee1e6886120513beb35fa6aae5f5b1ac77c0f1c8746458d49d2c

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2111784/
Cape
Cape
https://www.capesandbox.com/analysis/255396/

Comments


Avatar
zbet commented on 2022-03-23 07:22:46 UTC

url : hxxp://file-coin-coin-10.com/files/208_1647718949_1931.exe