MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b43f4cb40b663ef996df51b3ca08420e5ceaa8452bcd91f8ba2bac061ae32a04. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: RedLineStealer
Vendor detections: 6



SHA256 hash: b43f4cb40b663ef996df51b3ca08420e5ceaa8452bcd91f8ba2bac061ae32a04
SHA3-384 hash: 3bd784d34e903c78fa37e2173f26430de091110a73668d4705c6626914abd617d1818917aa501cd7e3efe29da80f277f
SHA1 hash: 02dd82c6b0a04f643e40c9081232a3a85ed245ea
MD5 hash: 2ea06bd1fde79f90b4b5eae6dc1603b3
humanhash: tango-charlie-steak-vermont
File name: 2ea06bd1fde79f90b4b5eae6dc1603b3.exe
Signature: RedLineStealer
File size: 799'232 bytes
First seen: 2020-10-28 09:58:42 UTC
Last seen: 2020-10-28 12:07:55 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: b831d380405f32be656172bf4f384195 (8 x ArkeiStealer, 4 x RedLineStealer)
ssdeep: 12288:IwwbQr/aUXYom2rpRgRLraOI/xDNlUAV2f1t5PmbZpVxl:Lw6aUc2rpRgZ6/lNlU7pm9prl
TLSH: 7205F11036A1C576D24758380425C771963ABC2EFB34CA9F37D42F6BAF726C016A6F4A
Reporter: abuse_ch
Tags: exe RedLineStealer
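Before analysing the sample, confirm that the file you actually obtained is the one this entry describes. MalwareBazaar serves samples inside a password-protected zip, so hash the extracted executable, not the archive. The Python below is an added example, not MalwareBazaar's own tooling: it computes the four digests listed above (SHA256, SHA3-384, SHA1, MD5) over a file in one streaming pass and compares them case-insensitively with the entry's values. The EXPECTED table is copied from this page; the script name in the usage comment is an assumption, and the demonstration input in the test is a constructed byte string, not the sample.

```python
import hashlib

# Digests published in this MalwareBazaar entry (copied from the page).
EXPECTED = {
    "sha256": "b43f4cb40b663ef996df51b3ca08420e5ceaa8452bcd91f8ba2bac061ae32a04",
    "sha3_384": "3bd784d34e903c78fa37e2173f26430de091110a73668d4705c6626914abd617d1818917aa501cd7e3efe29da80f277f",
    "sha1": "02dd82c6b0a04f643e40c9081232a3a85ed245ea",
    "md5": "2ea06bd1fde79f90b4b5eae6dc1603b3",
}
ALGORITHMS = ("sha256", "sha3_384", "sha1", "md5")


def _new_hashers():
    """One fresh hashlib object per algorithm the entry lists."""
    return {name: hashlib.new(name) for name in ALGORITHMS}


def compute_hashes(data: bytes) -> dict:
    """Digest an in-memory blob with all four algorithms; returns {algorithm: lowercase hex}."""
    hashers = _new_hashers()
    for h in hashers.values():
        h.update(data)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Same as compute_hashes but streamed, so a large sample is never fully loaded in memory."""
    hashers = _new_hashers()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify(computed: dict, expected: dict = EXPECTED) -> dict:
    """Per-algorithm comparison, case-insensitive; a missing computed digest counts as a mismatch."""
    return {algo: computed.get(algo, "").lower() == digest.lower() for algo, digest in expected.items()}


def all_match(computed: dict, expected: dict = EXPECTED) -> bool:
    """True only if every published digest matches; a single mismatch means a different file."""
    return all(verify(computed, expected).values())


if __name__ == "__main__":
    import sys
    # Usage (script name assumed): python verify_sample.py <extracted .exe>; exits non-zero on any mismatch.
    result = verify(hash_file(sys.argv[1]))
    for algo, ok in result.items():
        print(f"{algo:8s} {'OK' if ok else 'MISMATCH'}")
    sys.exit(0 if all(result.values()) else 1)
```

Treat SHA256 (or SHA3-384) as the authoritative identity of the file; MD5 and SHA1 are listed here so you can pivot into feeds that still key on them, not because they are collision-resistant. If any one digest disagrees you are not holding this sample, whatever the file name says.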


abuse_ch
RedLineStealer C2:
http://138.124.180.19:35200/IRemotePanel

Intelligence


File Origin
# of uploads: 2
# of downloads: 86
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a window
Launching the default Windows debugger (dwwin.exe)
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Launching a process
Creating a file
Connecting to a non-recommended domain
Sending an HTTP POST request
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Running batch commands
Sending a UDP request
Unauthorized injection to a recently created process
Connection attempt to an infection source
Stealing user critical data
Unauthorized injection to a system process
Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Binary contains a suspicious time stamp
Contains functionality to register a low level keyboard hook
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample or dropped binary is a compiled AutoHotkey binary
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph (ID 306556, sample jF6QQemFXE.exe, start date 28/10/2020, architecture WINDOWS, score 100), shown as a process tree with the remote host:port of each connection (the 497xx values in the original are the sandbox's ephemeral source ports):

sandbox start
    DNS: rrkimal.xyz
    signatures: Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 8 other signatures
    +-- jF6QQemFXE.exe
        network: ip-api.com 208.95.112.1:80 (TUT-ASUS, United States); gferhrolklm.top 185.212.128.72:80 (INTERNET-ITNL, Germany); iplogger.org 88.99.66.31:443 (HETZNER-ASDE, Germany)
        dropped: C:\Users\user\AppData\Roaming\...\bestofd.exe (PE32); C:\Users\user\AppData\Roaming\...\bestof.exe (PE32)
        signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Contains functionality to register a low level keyboard hook; Sample or dropped binary is a compiled AutoHotkey binary
        +-- bestof.exe
        |   network: b.ssigu.ru 81.177.135.41:443 (RTCOMM-ASRU, Russian Federation)
        |   signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Sample uses process hollowing technique; Injects a PE file into a foreign processes
        |   +-- AddInProcess32.exe
        |   |   network: WHOIS.RIPE.NET 193.0.6.135:43 (RIPE-NCC-ASReseauxIPEuropeensNetworkCoordinationCentre, Netherlands); 138.124.180.19:35200 (NOKIA-ASFI, Norway); 7 other IPs or domains
        |   |   signatures: Tries to harvest and steal browser information (history, passwords, etc)
        |   |   +-- cmd.exe
        |   |       network: 127.0.0.1
        |   |       signatures: Uses ping.exe to sleep
        |   |       +-- conhost.exe
        |   |       +-- PING.EXE
        |   +-- AddInProcess32.exe
        |       signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
        +-- bestofd.exe
        |   signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header)
        |   +-- WerFault.exe (4 instances)
        +-- WerFault.exe
        +-- 2 other processes
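The sandbox output above gives several host- and network-level behaviours that translate directly into detection logic: the C2 reported in the comment (http://138.124.180.19:35200/IRemotePanel, which is HTTP on a non-standard port), a process launched from a file just written under %AppData%\Roaming, AddInProcess32.exe (a legitimate .NET Framework helper that ships under %windir%\Microsoft.NET\Framework\v4.0.30319) being spawned by a process living in AppData as the hollowing target, and cmd.exe launching PING.EXE against 127.0.0.1 as a sleep. The Python below is an added example, not code from MalwareBazaar, abuse.ch or any sandbox vendor: it runs those rules over a stream of constructed telemetry events. The event schema (type/image/parent_image/cmdline/path/url/dst_ip/dst_port) is assumed for the example, the AppData subdirectory name stands in for the path the entry elides, the ping arguments and the benign control event are invented, and the set of "standard" HTTP ports is a local assumption. Treat the IP and port as a point-in-time indicator from 2020-10-28, not a permanent blocklist entry; the path and behaviour rules age better than the address.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from this entry: the C2 reported by abuse_ch.
C2_HOST, C2_PORT, C2_PATH = "138.124.180.19", 35200, "/IRemotePanel"
# Assumption for this example: ports on which plain HTTP/HTTPS is considered unremarkable.
STANDARD_HTTP_PORTS = {80, 443, 8080, 8443}


def _low(value):
    """Case-fold a possibly missing string (Windows paths are case-insensitive)."""
    return (value or "").lower()


def rule_c2_connection(ev):
    """Direct TCP connection to the C2 host:port from the comment."""
    if ev["type"] == "net" and ev.get("dst_ip") == C2_HOST and ev.get("dst_port") == C2_PORT:
        return f"connection to RedLine C2 {C2_HOST}:{C2_PORT} from {ev.get('image')}"
    return None


def rule_c2_path(ev):
    """HTTP request whose path is the panel endpoint, regardless of host (C2 addresses rotate)."""
    if ev["type"] == "http" and urlsplit(ev["url"]).path.startswith(C2_PATH):
        return f"HTTP {ev.get('method')} to C2 panel path {C2_PATH}: {ev['url']}"
    return None


def rule_http_nonstandard_port(ev):
    """'Uses known network protocols on non-standard ports': HTTP on a port outside the usual set."""
    if ev["type"] != "http":
        return None
    parts = urlsplit(ev["url"])
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if port not in STANDARD_HTTP_PORTS:
        return f"HTTP over non-standard port {port}: {ev['url']}"
    return None


def rule_ping_sleep(ev):
    """'Uses ping.exe to sleep': cmd.exe -> PING.EXE against the loopback address."""
    if (ev["type"] == "proc" and _low(ev.get("image")).endswith("ping.exe")
            and _low(ev.get("parent_image")).endswith("cmd.exe")
            and re.search(r"\b127\.0\.0\.1\b", ev.get("cmdline", ""))):
        return f"ping-to-loopback delay spawned by cmd.exe: {ev['cmdline']}"
    return None


def rule_addinprocess32_from_appdata(ev):
    """AddInProcess32.exe started by a parent under AppData: the hollowing target seen in the graph."""
    if (ev["type"] == "proc" and _low(ev.get("image")).endswith("\\addinprocess32.exe")
            and "\\appdata\\" in _low(ev.get("parent_image"))):
        return f"AddInProcess32.exe spawned by {ev['parent_image']} (likely process hollowing target)"
    return None


def rule_exec_from_recent_appdata_drop(ev, recent_files):
    """'Creating a process from a recently created file' under AppData\\Roaming (stateful rule)."""
    if ev["type"] == "file" and "\\appdata\\roaming\\" in _low(ev.get("path")):
        recent_files.add(_low(ev["path"]))
    elif ev["type"] == "proc" and _low(ev.get("image")) in recent_files:
        return f"process launched from a file just written under AppData\\Roaming: {ev['image']}"
    return None


STATELESS_RULES = (rule_c2_connection, rule_c2_path, rule_http_nonstandard_port,
                   rule_ping_sleep, rule_addinprocess32_from_appdata)


def detect(events):
    """Run every rule over an ordered event stream; returns [(rule_name, detail), ...]."""
    hits, recent = [], set()
    for ev in events:
        for rule in STATELESS_RULES:
            detail = rule(ev)
            if detail:
                hits.append((rule.__name__, detail))
        detail = rule_exec_from_recent_appdata_drop(ev, recent)
        if detail:
            hits.append((rule_exec_from_recent_appdata_drop.__name__, detail))
    return hits


# Constructed telemetry (not from the page), shaped after the behaviour graph above.
# The "example" subdirectory stands in for the path the entry elides; the ping arguments are invented.
DROP = r"C:\Users\user\AppData\Roaming\example\bestof.exe"
TARGET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
SAMPLE_EVENTS = [
    {"type": "file", "image": r"C:\Users\user\Desktop\jF6QQemFXE.exe", "path": DROP},
    {"type": "proc", "image": DROP, "parent_image": r"C:\Users\user\Desktop\jF6QQemFXE.exe", "cmdline": "bestof.exe"},
    {"type": "proc", "image": TARGET, "parent_image": DROP, "cmdline": "AddInProcess32.exe"},
    {"type": "http", "image": TARGET, "method": "POST", "url": "http://138.124.180.19:35200/IRemotePanel"},
    {"type": "net", "image": TARGET, "dst_ip": "138.124.180.19", "dst_port": 35200},
    {"type": "http", "image": TARGET, "method": "GET", "url": "http://ip-api.com/"},
    {"type": "proc", "image": r"C:\Windows\System32\PING.EXE", "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "ping 127.0.0.1 -n 5"},
    {"type": "proc", "image": r"C:\Windows\System32\notepad.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe"},  # benign control event: must not fire
]

if __name__ == "__main__":
    for name, detail in detect(SAMPLE_EVENTS):
        print(f"[{name}] {detail}")
```

Over the constructed stream the six rules fire once each: the drop-then-execute rule on bestof.exe, the AddInProcess32.exe rule on its launch from AppData, both the path rule and the non-standard-port rule on the POST to the panel URL, the connection rule on the raw TCP event, and the ping rule on the cmd.exe child; the ip-api.com lookup on port 80 and the notepad.exe control event produce nothing. The path and behaviour rules are the ones worth keeping after the C2 address is dead.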
Threat name: Win32.Trojan.Glupteba
Status: Malicious
First seen: 2020-10-28 10:00:09 UTC
AV detection: 26 of 29 (89.66%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:agenttesla family:redline infostealer keylogger persistence spyware stealer trojan
Behaviour
Checks processor information in registry
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Modifies service
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla Payload
ServiceHost packer
AgentTesla
RedLine
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: RedLineStealer
File: Executable exe b43f4cb40b663ef996df51b3ca08420e5ceaa8452bcd91f8ba2bac061ae32a04 (this sample)

Comments