MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b42b33ffa4b45bc81b71f13d89dc1283b155204913aa8362e99e9aa44366bfb2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b42b33ffa4b45bc81b71f13d89dc1283b155204913aa8362e99e9aa44366bfb2
SHA3-384 hash: fa74188b0afecd7dfe224087c7a3ef4a29fb322ba2958f2232d22dba9fb01c14fceb712849407cd776762e432843944c
SHA1 hash: c4e9098f51df0aa1bc68bb97a71967191eb1951b
MD5 hash: 44c007c4b3596626b27c7a1e6b5b4d1c
humanhash: spaghetti-illinois-stream-idaho
File name:44c007c4b3596626b27c7a1e6b5b4d1c.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:973'824 bytes
First seen:2020-12-08 07:02:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep 24576:IAHnh+eWsN3skA4RV1Hom2KXMmHa/Xn94Y5:Ph+ZkldoPK8Ya/XZ
Threatray 27 similar samples on MalwareBazaar
TLSH DF259C0273D1C036FFABA2739B6AF60556BC79254123852F13981DB9BD701B2273E663
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
http://94.177.123.237:35200/IRemotePanel
http://addstar.site:35200/IRemotePanel

Intelligence

File Origin
# of uploads :
1
# of downloads :
111
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
44c007c4b3596626b27c7a1e6b5b4d1c.exe
Verdict:
Malicious activity
Analysis date:
2020-12-08 07:05:47 UTC
Tags:
evasion adware loader trojan rat redline
Link:
https://app.any.run/tasks/87d61374-b77f-4f13-93a7-948210641be4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/107161/
Detection(s):
SecuriteInfo.com.AIT.Trojan.Nymeria.1583.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a process
Creating a file
Launching cmd.exe command interpreter
Creating a process with a hidden window
Connection attempt
Sending an HTTP POST request
Unauthorized injection to a recently created process
Connection attempt to an infection source
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Sending an HTTP POST request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/557625
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Binary contains a suspicious time stamp
Binary is likely a compiled AutoIt script file
Bypasses PowerShell execution policy
Creates files in alternative data streams (ADS)
Creates processes via WMI
Drops PE files with benign system names
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Renames wscript.exe to bypass HIPS
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Suspicious Csc.exe Source File Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Uses ping.exe to check the status of other devices and networks
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 327910 Sample: 56HMUThTRj.exe Startdate: 08/12/2020 Architecture: WINDOWS Score: 100 88 raw.githubusercontent.com 2->88 90 zrh.speedtest.gtt.net 2->90 92 9 other IPs or domains 2->92 132 Antivirus detection for URL or domain 2->132 134 Antivirus / Scanner detection for submitted sample 2->134 136 Multi AV Scanner detection for dropped file 2->136 138 15 other signatures 2->138 11 56HMUThTRj.exe 21 2->11         started        16 explorer.exe 2->16         started        signatures3 process4 dnsIp5 96 haroldreadlife.info 84.38.180.31, 49724, 49726, 49737 SELECTELRU Russian Federation 11->96 98 superload24.info 84.38.185.106, 49718, 80 SELECTELRU Russian Federation 11->98 100 2 other IPs or domains 11->100 72 C:\Users\user\AppData\...\1247259912.exe, PE32 11->72 dropped 74 C:\Users\user\AppData\...\1120548543.exe, PE32 11->74 dropped 76 C:\Users\user\AppData\Local\...\zzz[1].exe, PE32 11->76 dropped 78 C:\Users\user\AppData\Local\...\remeus[1].exe, PE32 11->78 dropped 146 Binary is likely a compiled AutoIt script file 11->146 18 1247259912.exe 3 11->18         started        21 1120548543.exe 15 3 11->21         started        24 cmd.exe 11->24         started        148 Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes) 16->148 26 powershell.exe 16->26         started        file6 signatures7 process8 dnsIp9 114 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 18->114 116 Machine Learning detection for dropped file 18->116 118 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 18->118 29 1247259912.exe 14 24 18->29         started        94 03rdk6.kayumina.ru 81.177.165.230, 443, 49720 RTCOMM-ASRU Russian Federation 21->94 120 Multi AV Scanner detection for dropped file 21->120 122 Writes to foreign memory regions 21->122 124 Allocates memory in foreign processes 21->124 126 Injects a PE file into a foreign processes 21->126 34 AddInProcess32.exe 14 23 21->34         started        36 conhost.exe 24->36         started        38 PING.EXE 24->38         started        66 C:\Windows\Branding\mediasvc.png, PE32+ 26->66 dropped 68 C:\Windows\Branding\mediasrv.png, PE32+ 26->68 dropped 70 C:\Users\user\AppData\...\cxnyr5rs.cmdline, UTF-8 26->70 dropped 128 Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes) 26->128 130 Powershell drops PE file 26->130 40 csc.exe 26->40         started        42 powershell.exe 26->42         started        44 conhost.exe 26->44         started        file10 signatures11 process12 dnsIp13 102 api.ip.sb 29->102 104 173.234.155.143, 35253, 49739, 49746 LEASEWEB-USA-NYC-11US United States 29->104 110 6 other IPs or domains 29->110 80 C:\Users\user\AppData\Local\Temp\helper.exe, PE32+ 29->80 dropped 150 Tries to harvest and steal browser information (history, passwords, etc) 29->150 46 helper.exe 29->46         started        106 api.ip.sb 34->106 108 WHOIS.RIPE.NET 193.0.6.135, 43, 49733, 49745 RIPE-NCC-ASReseauxIPEuropeensNetworkCoordinationCentre Netherlands 34->108 112 6 other IPs or domains 34->112 152 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 34->152 154 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 34->154 82 C:\Users\user\AppData\Local\...\cxnyr5rs.dll, PE32 40->82 dropped 50 cvtres.exe 40->50         started        52 conhost.exe 42->52         started        file14 signatures15 process16 file17 84 C:\Users\user\AppData\...\list.txt:metadata, PE32+ 46->84 dropped 86 C:\Users\user\AppData\Local\Temp\...\list.txt, PE32+ 46->86 dropped 156 Multi AV Scanner detection for dropped file 46->156 158 Creates files in alternative data streams (ADS) 46->158 54 cmd.exe 46->54         started        signatures18 process19 process20 56 rundll32.exe 54->56         started        60 conhost.exe 54->60         started        file21 62 C:\Users\user\AppData\Local\...\explorer.exe, PE32+ 56->62 dropped 64 C:\Users\user\AppData\Local\Temp\ready.ps1, ASCII 56->64 dropped 140 Renames wscript.exe to bypass HIPS 56->140 142 Creates processes via WMI 56->142 144 Drops PE files with benign system names 56->144 signatures22
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b42b33ffa4b45bc81b71f13d89dc1283b155204913aa8362e99e9aa44366bfb2/
Threat name:
Win32.Trojan.Masson
Create hunting rule
Status:
Malicious
First seen:
2020-12-06 21:41:18 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wqvth75ewrn4qg3r6e6ytxasqoyvkicjcovigyxjt2nkiq3gx6za._file
Verdict:
suspicious
Similar samples:
0fce4c62d03dc1076db031e5770d863591801ce25f18f2f516205b35be85e9b5
RedLineStealer
70d86fc8d1247dcd26ed0927411614973d45216d676978f768e14cb16d362536
RedLineStealer
91fb579cf12c337d31c8b753b06352cc334c3720568c2c6ddfe2dc164b5a8b1c
RedLineStealer
9ab99b021cac114dbf496c1b48e7f704799a1ca7d8b1e7e4366743f2e0ebcdfd
RedLineStealer
a01cd6294d3b5bdf73771b113493d8a5c2df3f105db7d084b0729345a32a4453
RedLineStealer
bdda7b20a2773900ed2a046e25bbb583c906e818c355b3de59b0ff75e1f40780
RedLineStealer
c8f9155cc97bde13afcdba0abd2264f8a91c73c39a8cfb4f8559a8276237e708
RedLineStealer
ce2369f1ba154a1fdd0599648dfbe32d6ad832c25d3f043bbe6b456cee609eeb
RedLineStealer
f0b43b05479d8dde3603ef587da02925b703d7d5bc8332656ab9ca7f7e1554a4
RedLineStealer
f671b1f716f0176dbaec5ea7ca024cb32f65fe5ceceaf99a80ce080132ec9dd7
RedLineStealer
+ 17 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:redline discovery infostealer keylogger spyware stealer trojan upx
Link:
https://tria.ge/reports/201208-vxvvhvsc1n/
Behaviour
Modifies system certificate store
NTFS ADS
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks installed software on the system
Looks up external IP address via web service
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
UPX packed file
AgentTesla Payload
AgentTesla
RedLine
Unpacked files
SH256 hash:
b42b33ffa4b45bc81b71f13d89dc1283b155204913aa8362e99e9aa44366bfb2
MD5 hash:
44c007c4b3596626b27c7a1e6b5b4d1c
SHA1 hash:
c4e9098f51df0aa1bc68bb97a71967191eb1951b
Link:
https://www.unpac.me/results/b878658c-169b-4938-bb6a-365c1cbaed56/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
GameHack
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b42b33ffa4b45bc81b71f13d89dc1283b155204913aa8362e99e9aa44366bfb2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe b42b33ffa4b45bc81b71f13d89dc1283b155204913aa8362e99e9aa44366bfb2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/896486/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/107161/

Comments