MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b4373e36a5aa7a4ed214da50dc54d3f89503f2cff576d5523b51f1dab202b048. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10



SHA256 hash: b4373e36a5aa7a4ed214da50dc54d3f89503f2cff576d5523b51f1dab202b048
SHA3-384 hash: 7ba37392fc3b69f1dfc0fc236262fb3f77a7587ef47cdfa54373f84b2c39f26d5c7dfffd76b43464eca867c42a2d28c5
SHA1 hash: 30191bed4a2aa055b5f4467074a766c098621d3f
MD5 hash: ab618bcaf48dd623353077814ff9f65e
humanhash: pizza-violet-pip-arkansas
File name: ab618bcaf48dd623353077814ff9f65e
Signature: RedLineStealer
File size: 6'715'256 bytes
First seen: 2021-12-25 04:30:29 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: ced282d9b261d1462772017fe2f6972b (127 x Formbook, 113 x GuLoader, 70 x RemcosRAT)
ssdeep: 196608:lw01PkUBggtCEusRYwZrilN6qjmi/ntG19tBVzHUOn9XH7vKyZ:lw01PkCtC8HVif9j7f4t0E9XHTz
Threatray: 789 similar samples on MalwareBazaar
TLSH: T1C46633809FB6E2F9E2460DBB54BB947FEC2607502ECAE1931781C676C1E1F41256FC98
dhash icon: 68f0e0ccccc4f070 (1 x RedLineStealer)
Reporter: zbetcheckin
Tags: 32 exe RedLineStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 198
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: ab618bcaf48dd623353077814ff9f65e
Verdict: Malicious activity
Analysis date: 2021-12-25 04:37:42 UTC
Tags: trojan

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Searching for synchronization primitives
Searching for the window
Creating a file
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Using the Windows Management Instrumentation requests
DNS request
Sending a custom TCP request
Launching a process
Launching the default Windows debugger (dwwin.exe)
Setting a single autorun event
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour

MalwareBazaar
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: overlay packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: RedLine
Detection: malicious
Classification: troj.adwa.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contain functionality to detect virtual machines
Contains functionality to detect virtual machines (IN, VMware)
Drops PE files to the startup folder
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph ID: 545158 (Sample: KONTvmmpXg, Start date: 25/12/2021, Architecture: WINDOWS, Score: 100; graph rendering not reproduced here)
Threat name: Win32.Trojan.Woreflint
Status: Malicious
First seen: 2021-12-23 23:21:08 UTC
File Type: PE (Exe)
Extracted files: 7
AV detection: 16 of 28 (57.14%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Ins_NSIS_Buer_Nov_2020_1
Author: Arkbird_SOLG
Description: Detect NSIS installer used for Buer loader

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe b4373e36a5aa7a4ed214da50dc54d3f89503f2cff576d5523b51f1dab202b048 (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2021-12-25 04:30:31 UTC

url : hxxps://chalecofenix.com/CPAN-Extension.exe