MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b3e1842d258c8e873289ce27144138d7b25d10a6abbe01df45a9de4dd1d34079. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b3e1842d258c8e873289ce27144138d7b25d10a6abbe01df45a9de4dd1d34079
SHA3-384 hash: 11bfeeb02b7dfa49a5a67eb0eb5380d76e302b2e82f2961d818b766ea1642ebd969e3bac74909fea3619a08c6f3f46fe
SHA1 hash: 393aa9048f2aaaeab2d5951942d8f46abca14b25
MD5 hash: 4ab0cac7b6a88138863e19db5177801a
humanhash: hawaii-uranus-montana-fillet
File name:KRAKEN.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:7'024'195 bytes
First seen:2022-02-05 18:45:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (728 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 196608:T/WFm1RrhDbhY0hm5zz3zgQHOKVV9kTP/CIVwbFmWdDAf:TzFHWKmR0QuKVV9UaIVy+f
Threatray 287 similar samples on MalwareBazaar
TLSH T13C6633E1AD7474D0D0A4A6B37898693C3BD38D48CE744D60A78BF91628E1AD974FBC07
File icon (PE):PE icon
dhash icon 00414f4f4f4f4700 (14 x CoinMiner, 12 x RedLineStealer, 12 x NodeLoader)
Reporter tech_skeech
Tags:exe RedLineStealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.128.107.100:80 https://threatfox.abuse.ch/ioc/377546/

Intelligence

File Origin
# of uploads :
1
# of downloads :
231
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
KRAKEN.exe
Verdict:
Malicious activity
Analysis date:
2022-02-05 18:45:35 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/b9e4f44e-d0f9-4ab4-b124-f5999f566b02

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/233622/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %AppData% directory
Creating a process from a recently created file
Launching a process
Using the Windows Management Instrumentation requests
Launching the default Windows debugger (dwwin.exe)
Сreating synchronization primitives
Sending a custom TCP request
DNS request
Creating a window
Reading critical registry keys
Running batch commands
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/6077/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/61fec5f09046890c53ae2ce5/reports/81d5afc9-a4e3-434b-b057-0c977d4b207b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9aab34a4-2d19-4831-9a63-5d4b13291cd1
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/934608
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 567085 Sample: KRAKEN.exe Startdate: 05/02/2022 Architecture: WINDOWS Score: 100 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Antivirus / Scanner detection for submitted sample 2->45 47 5 other signatures 2->47 8 KRAKEN.exe 9 2->8         started        process3 file4 27 C:\Users\user\AppData\Roaming\2.exe, PE32+ 8->27 dropped 29 C:\Users\user\AppData\Roaming\1.exe, PE32 8->29 dropped 11 1.exe 8->11         started        14 2.exe 8->14         started        process5 dnsIp6 57 Multi AV Scanner detection for dropped file 11->57 59 Machine Learning detection for dropped file 11->59 61 Writes to foreign memory regions 11->61 67 3 other signatures 11->67 17 AppLaunch.exe 15 5 11->17         started        21 WerFault.exe 23 9 11->21         started        35 accounts.google.com 142.250.203.109, 443, 49768 GOOGLEUS United States 14->35 37 youtube-ui.l.google.com 172.217.168.46, 443, 49767 GOOGLEUS United States 14->37 39 www.youtube.com 14->39 63 Antivirus detection for dropped file 14->63 65 Tries to harvest and steal browser information (history, passwords, etc) 14->65 23 cmd.exe 1 14->23         started        signatures7 process8 dnsIp9 31 185.128.107.100, 49777, 80 SUPERSERVERSDATACENTERRU Russian Federation 17->31 33 api.ip.sb 17->33 49 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 17->49 51 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 17->51 53 Tries to harvest and steal browser information (history, passwords, etc) 17->53 55 Tries to steal Crypto Currency Wallets 17->55 25 conhost.exe 23->25         started        signatures10 process11
Gathering data
Threat name:
Win32.Infostealer.Convagent
Create hunting rule
Status:
Malicious
First seen:
2022-02-05 10:49:42 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
21 of 43 (48.84%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wpqyiljfrshiomujzytriqjy26zf2efgvo7adx2fvhpe3uotib4q._file
Verdict:
malicious
Similar samples:
10c760b38e37d7df4fdb3caa56328e51943ac422018b1261fbd4820cdaa046d3
RedLineStealer
53d1708d666d49dcdd2834d91de3f2bfb61f7263a5e3213635d6e893d28e5bca
RedLineStealer
7d8de08a564f08ee20d746a2c445245b75247e772248073431fc30d16a4b9b14
RedLineStealer
96ed2610e94b19233c22c2341bb36f340298d76bb36bf658a0d853b91e1acc4e
RedLineStealer
9e719c4dd5e1086d5197fded7b8cdb0d3d592c0636b0d469fcda22c9723e8e7c
RedLineStealer
a206d34bbfb7274775956f308ae81339a673c0e894ed55ee1e8e0f01f20ba5fb
RedLineStealer
ee31b5f97e35ab401e74ad66f1d39479fb6bdefa3018dee605cfc6bd76bc1c46
RedLineStealer
fde5ae51e9d386cb7a78da447c48101a50f543faffd5a9929451249bcce654c8
RedLineStealer
+ 277 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/220205-xemgqseeeq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SH256 hash:
b5f74a17ec237ae3fdc2e46ae854b74940fdad8607d3bd1facb5de1ae8130d7d
MD5 hash:
906878e6fe5b701389ac1267aa7e1374
SHA1 hash:
81f5b34e34ed3719060cc7a013f2d25e3c3a0b9f
Link:
https://www.unpac.me/results/888dff52-4048-42aa-9591-4ab4a5d791dc/
SH256 hash:
b3e1842d258c8e873289ce27144138d7b25d10a6abbe01df45a9de4dd1d34079
MD5 hash:
4ab0cac7b6a88138863e19db5177801a
SHA1 hash:
393aa9048f2aaaeab2d5951942d8f46abca14b25
Link:
https://www.unpac.me/results/888dff52-4048-42aa-9591-4ab4a5d791dc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b3e1842d258c8e873289ce27144138d7b25d10a6abbe01df45a9de4dd1d34079

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe b3e1842d258c8e873289ce27144138d7b25d10a6abbe01df45a9de4dd1d34079

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/233622/

Comments