MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b3ebb5a8630417d858f873711178365a1cc015e4a9952c9dfbb17550b3210053. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 52 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b3ebb5a8630417d858f873711178365a1cc015e4a9952c9dfbb17550b3210053
SHA3-384 hash: d4dbbf9a5e8739de78390ed297182ea5d230c92585782269ef2f2a6d74ffce2218116a98e0e351a0ca9038c484cb984b
SHA1 hash: 70f64e9bbc1dce9efe7d4d891504bbfd56b2cdf2
MD5 hash: 2cd9b5d48c0904c90537d3eb0f1becad
humanhash: victor-oregon-nuts-pennsylvania
File name:SynapseExploit.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'199'672 bytes
First seen:2023-12-08 02:02:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 954a638f7d616d50845d17dd2901de21 (2 x RedLineStealer, 1 x LummaStealer)
ssdeep 12288:JsSzartxSD/6+s8RPJsw9/r59yJUGaH881u4bT+txTanMwCxhFO5nG/sE:hzartxSD/6+sXsF9ygvbnMhxhgn5E
TLSH T1B7458D6139804576DDE730F24BDDBAB253BDA1A02B14C6CF1B881FDDAB546C22A31DD2
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter tcains1
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
330
Origin country :
US US
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/463427/
Detection(s):
Win.Malware.Botx-10004968-0
Create hunting rule

Win.Trojan.Fugrafa-10010052-0
Create hunting rule

Win.Packed.Pwsx-10012424-0
Create hunting rule

Win.Trojan.Stealerc-10014035-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Running batch commands
Creating a process with a hidden window
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control lolbin overlay packed risepro
Link:
https://www.filescan.io/uploads/6572795a56d08f7811abb874/reports/e25b8c6e-b822-4875-be66-2e5b5919dcda/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/b3ebb5a8630417d858f873711178365a1cc015e4a9952c9dfbb17550b3210053
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1d109877-3a00-43d1-8217-1473b3caabfc
Result
Threat name:
RedLine, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1355914
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops password protected ZIP file
Drops PE files with benign system names
Encrypted powershell cmdline option found
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Potential dropper URLs found in powershell memory
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample is not signed and drops a device driver
Sets debug register (to hijack the execution of another thread)
Sigma detected: Schedule system process
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1355914 Sample: SynapseExploit.exe Startdate: 08/12/2023 Architecture: WINDOWS Score: 100 97 pastebin.com 2->97 99 api.ip.sb 2->99 101 3 other IPs or domains 2->101 111 Snort IDS alert for network traffic 2->111 113 Multi AV Scanner detection for domain / URL 2->113 115 Found malware configuration 2->115 119 11 other signatures 2->119 12 SynapseExploit.exe 1 2->12         started        15 GeforceUpdater.exe 2->15         started        signatures3 117 Connects to a pastebin service (likely for C&C) 97->117 process4 signatures5 145 Encrypted powershell cmdline option found 12->145 147 Contains functionality to inject code into remote processes 12->147 149 Writes to foreign memory regions 12->149 151 2 other signatures 12->151 17 AppLaunch.exe 23 7 12->17         started        22 powershell.exe 12->22         started        24 conhost.exe 12->24         started        26 conhost.exe 12->26         started        process6 dnsIp7 93 45.15.156.167, 49705, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 17->93 95 195.20.16.153, 49707, 49718, 49719 EITADAT-ASFI Finland 17->95 77 C:\Users\user\AppData\Local\...\svchost.exe, MS-DOS 17->77 dropped 79 C:\Users\user\AppData\Local\...\conhost.exe, PE32 17->79 dropped 121 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 17->121 123 Found many strings related to Crypto-Wallets (likely being stolen) 17->123 125 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 17->125 129 2 other signatures 17->129 28 svchost.exe 7 17->28         started        32 conhost.exe 8 17->32         started        127 Potential dropper URLs found in powershell memory 22->127 file8 signatures9 process10 file11 81 C:\ProgramData\...behaviorgrapheforceUpdater.exe, MS-DOS 28->81 dropped 153 Antivirus detection for dropped file 28->153 155 Multi AV Scanner detection for dropped file 28->155 157 Detected unpacking (changes PE section rights) 28->157 161 3 other signatures 28->161 34 cmd.exe 1 28->34         started        83 C:\Users\user\AppData\Roaming\temp\7z.exe, PE32+ 32->83 dropped 85 C:\Users\user\AppData\Roaming\temp\7z.dll, PE32+ 32->85 dropped 159 Contains functionality to register a low level keyboard hook 32->159 36 cmd.exe 2 32->36         started        signatures12 process13 signatures14 39 GeforceUpdater.exe 34->39         started        43 conhost.exe 34->43         started        45 timeout.exe 1 34->45         started        131 Uses schtasks.exe or at.exe to add and modify task schedules 36->131 47 Installer.exe 36->47         started        50 7z.exe 36->50         started        52 7z.exe 3 36->52         started        54 11 other processes 36->54 process15 dnsIp16 103 api4.ipify.org 64.185.227.156, 443, 49717 WEBNXUS United States 39->103 105 ip-api.com 208.95.112.1, 49720, 80 TUT-ASUS United States 39->105 107 45.15.156.43, 1588, 49715 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 39->107 133 Antivirus detection for dropped file 39->133 135 Multi AV Scanner detection for dropped file 39->135 137 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 39->137 141 5 other signatures 39->141 56 cmd.exe 39->56         started        109 pastebin.com 104.20.67.143, 443, 49716 CLOUDFLARENETUS United States 47->109 87 C:\ProgramData\Dllhost\winlogson.exe, PE32+ 47->87 dropped 89 C:\ProgramData\Dllhost\WinRing0x64.sys, PE32+ 47->89 dropped 139 Sample is not signed and drops a device driver 47->139 58 cmd.exe 47->58         started        61 cmd.exe 47->61         started        63 cmd.exe 47->63         started        91 C:\Users\user\AppData\...\Installer.exe, PE32 50->91 dropped file17 signatures18 process19 signatures20 65 conhost.exe 56->65         started        67 schtasks.exe 56->67         started        143 Encrypted powershell cmdline option found 58->143 69 conhost.exe 61->69         started        71 schtasks.exe 61->71         started        73 conhost.exe 63->73         started        75 schtasks.exe 63->75         started        process21
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b3ebb5a8630417d858f873711178365a1cc015e4a9952c9dfbb17550b3210053
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b3ebb5a8630417d858f873711178365a1cc015e4a9952c9dfbb17550b3210053/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-12-08 02:03:07 UTC
File Type:
PE (Exe)
AV detection:
20 of 23 (86.96%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wpv3lkddaql5qwhyonyrc6bwliomafpevgkszhp3wf2vbmzbabjq._file
Verdict:
malicious
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:@ssmvw2 infostealer spyware
Link:
https://tria.ge/reports/231208-cgpdwshh8t/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
RedLine
RedLine payload
Malware Config
C2 Extraction:
45.15.156.167:80
Unpacked files
SH256 hash:
67f58aacbe8863d9ad255604ee98b05a72b4177ceb3c0377ea4fd8b1400eca30
MD5 hash:
0e34fc8f84e82981a6e92ee7c6efddd7
SHA1 hash:
9b7f9adc50ec1a8a0231ca91c0901b01cb558494
Detections:
INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Link:
https://www.unpac.me/results/94d66785-0e02-40ca-8c64-b0687bef9741/
SH256 hash:
b3ebb5a8630417d858f873711178365a1cc015e4a9952c9dfbb17550b3210053
MD5 hash:
2cd9b5d48c0904c90537d3eb0f1becad
SHA1 hash:
70f64e9bbc1dce9efe7d4d891504bbfd56b2cdf2
Link:
https://www.unpac.me/results/94d66785-0e02-40ca-8c64-b0687bef9741/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b3ebb5a86304/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b3ebb5a8630417d858f873711178365a1cc015e4a9952c9dfbb17550b3210053

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BAZT_B5_NOCEXInvalidStream
Create hunting rule
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__GlobalFlags
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Glasses
Create hunting rule
Author:Seth Hardy
Description:Glasses family
Rule name:GlassesCode
Create hunting rule
Author:Seth Hardy
Description:Glasses code features
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:Njrat
Create hunting rule
Author:botherder https://github.com/botherder
Description:Njrat
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:Rooter
Create hunting rule
Author:Seth Hardy
Description:Rooter
Rule name:RooterStrings
Create hunting rule
Author:Seth Hardy
Description:Rooter Identifying Strings
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:win_xfilesstealer_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.xfilesstealer.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe b3ebb5a8630417d858f873711178365a1cc015e4a9952c9dfbb17550b3210053

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/463427/
  
URLhaus
https://urlhaus.abuse.ch/url/2738727/

Comments