MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b460853c5ec595df43a8cb5b67d9e8d41348334060e3766c8c14709e03a826ab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b460853c5ec595df43a8cb5b67d9e8d41348334060e3766c8c14709e03a826ab
SHA3-384 hash: de55150dfd7709ba5ff7709efd5e5a728c27719a00d6ad854ea8dc8b38052325b6cc41f51ca84f05d10e3ff63ab4a3de
SHA1 hash: 8de4b9adf85c10c7e06692342c0d8160fb3e5fea
MD5 hash: 2b0b66998f57d3e02f0594d552bdb96d
humanhash: romeo-wolfram-pluto-friend
File name:2b0b66998f57d3e02f0594d552bdb96d.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:364'544 bytes
First seen:2021-01-08 06:53:21 UTC
Last seen:2021-01-08 09:11:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 3072:oD8gjIZ5ImyqyHMwQ5vGNx/tar+zowcdH3rdNCYlFmbNGjfB17Iuoe9jAzuow2Bi:oKPIjqAM3oqAzuoXb9N
Threatray 235 similar samples on MalwareBazaar
TLSH 4B74366438DB3E9ADB42A477CBB78B1B5F1FBD3B95D192CD0800324A48768687E53D24
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
141
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2b0b66998f57d3e02f0594d552bdb96d.exe
Verdict:
Suspicious activity
Analysis date:
2021-01-08 06:54:32 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/32229f84-4f91-400d-9ddb-4f8b31912bfc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/110905/
Detection(s):
SecuriteInfo.com.Trojan.InjectNET.14.3674.19744.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending an HTTP GET request
Creating a file
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/576401
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Binary contains a suspicious time stamp
Changes the view of files in windows explorer (hidden files and folders)
Disable Task List ballon tips (likely to surpress security warnings)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Suspicious Csc.exe Source File Folder
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 337253 Sample: umOXxQ9PFS.exe Startdate: 08/01/2021 Architecture: WINDOWS Score: 100 100 Multi AV Scanner detection for submitted file 2->100 102 Yara detected RedLine Stealer 2->102 104 Sigma detected: Dot net compiler compiles file from suspicious location 2->104 106 10 other signatures 2->106 10 umOXxQ9PFS.exe 15 18 2->10         started        process3 dnsIp4 82 checkip.dyndns.org 10->82 84 checkip.dyndns.com 131.186.161.70, 49735, 80 DYNDNSUS United States 10->84 68 C:\Users\user\AppData\...\fc1wbc50.cmdline, UTF-8 10->68 dropped 70 C:\Users\user\AppData\...\umOXxQ9PFS.exe.log, ASCII 10->70 dropped 14 umOXxQ9PFS.exe 3 13 10->14         started        19 csc.exe 3 10->19         started        21 csc.exe 3 10->21         started        23 umOXxQ9PFS.exe 10->23         started        file5 process6 dnsIp7 92 1khr.dubakui.ru 81.177.141.231, 443, 49746, 49749 RTCOMM-ASRU Russian Federation 14->92 94 0r0.auchabut.ru 14->94 72 C:\Users\user\AppData\Local\1529203782.exe, PE32 14->72 dropped 96 Disable Task List ballon tips (likely to surpress security warnings) 14->96 98 Changes the view of files in windows explorer (hidden files and folders) 14->98 25 1529203782.exe 14 4 14->25         started        30 csc.exe 3 14->30         started        32 cmd.exe 14->32         started        74 C:\Users\user\AppData\Local\...\fc1wbc50.dll, PE32 19->74 dropped 34 conhost.exe 19->34         started        36 cvtres.exe 1 19->36         started        76 C:\Users\user\AppData\Local\...\1gbvgj4j.dll, PE32 21->76 dropped 38 conhost.exe 21->38         started        40 cvtres.exe 1 21->40         started        file8 signatures9 process10 dnsIp11 80 1khr.dubakui.ru 25->80 64 C:\Users\user\AppData\Local\...\chrome.exe, PE32 25->64 dropped 110 Antivirus detection for dropped file 25->110 112 Multi AV Scanner detection for dropped file 25->112 114 Machine Learning detection for dropped file 25->114 116 4 other signatures 25->116 42 chrome.exe 25->42         started        66 C:\Users\user\AppData\Local\...\2l43mptg.dll, PE32 30->66 dropped 46 conhost.exe 30->46         started        48 cvtres.exe 1 30->48         started        50 conhost.exe 32->50         started        52 taskkill.exe 32->52         started        54 choice.exe 32->54         started        file12 signatures13 process14 dnsIp15 86 api.ip.sb 42->86 88 WHOIS.RIPE.NET 193.0.6.135, 43, 49765 RIPE-NCC-ASReseauxIPEuropeensNetworkCoordinationCentre Netherlands 42->88 90 3 other IPs or domains 42->90 118 Tries to harvest and steal browser information (history, passwords, etc) 42->118 56 cmd.exe 42->56         started        signatures16 process17 dnsIp18 78 127.0.0.1 unknown unknown 56->78 108 Uses ping.exe to sleep 56->108 60 conhost.exe 56->60         started        62 PING.EXE 56->62         started        signatures19 process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b460853c5ec595df43a8cb5b67d9e8d41348334060e3766c8c14709e03a826ab/
Threat name:
Win32.PUA.Wacapew
Create hunting rule
Status:
Malicious
First seen:
2021-01-06 03:24:00 UTC
AV detection:
11 of 28 (39.29%)
Threat level:
  1/5
Verdict:
malicious
Similar samples:
09cb72a7bbb6ed837874193fcecdc231ed9d87752d1d1f668e7afcb2f10440de
RedLineStealer
29790388ca244a8fd3bb2448a59e45fba4dc715fec7a0bf09a7f6d4df79ef9a9
RedLineStealer
2ec7c847f0688dff3229c676bb15e88e1c576bcb67157341887ffc3a20375190
RedLineStealer
3783ac39db69caabe6962ba2b23ab079443353db1cd7bd1d1d8e645cb8dded8b
RedLineStealer
3d2d9b8e5738024ffaa470410dfae954d73f049fdb2619be6864e399f3da6390
RedLineStealer
7918e6ed1823254990f59d6015d43cae2f3cccad92e725aa9b2a0f294dc08b61
RedLineStealer
aa10af5c6a92dc01b8ba38871c9a1b111cc36a6e0f6d1a039b5ba624bb700a36
RedLineStealer
b42b33ffa4b45bc81b71f13d89dc1283b155204913aa8362e99e9aa44366bfb2
RedLineStealer
b4711ee19363ec125911ae1356714720a9d9b463848b1044d08d56977cb960db
RedLineStealer
c4e42ebfd487b325ece4f09d75687c96e252aa8559f8a8daad6336dc39ee5424
RedLineStealer
+ 225 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://tria.ge/reports/210108-hh197sybgx/
Behaviour
Suspicious use of AdjustPrivilegeToken
Looks up external IP address via web service
Unpacked files
SH256 hash:
288dc97552cd413288d873f04eb05372cca78c38bc25e981797d7bf37ea82fdb
MD5 hash:
fde3e418f8cd9031406ba9e3b07ae393
SHA1 hash:
0ec7542456d8a372d6b84eedfc7ffca529ebea44
Link:
https://www.unpac.me/results/3eaee005-b8c0-4ef4-ab4f-4e353905c27b/
SH256 hash:
0a7a17d26824e725e4e339e16fa545cb51e0f6cfb963d1f05d3e00cbe2a2ce9b
MD5 hash:
3feef35ecbfe212efbcd3912432f355c
SHA1 hash:
65c7ef779d22166c1c741ea33ee86f39c944bb26
Link:
https://www.unpac.me/results/3eaee005-b8c0-4ef4-ab4f-4e353905c27b/
SH256 hash:
95b2373fe392250a3a2ce4a298b5634a499201884e141e2e5a87306e8a282127
MD5 hash:
8ce1e6ea6da831217d92d98536830872
SHA1 hash:
a08063482998a1c1219ebc609d2b54b77c764e9e
Link:
https://www.unpac.me/results/3eaee005-b8c0-4ef4-ab4f-4e353905c27b/
SH256 hash:
b460853c5ec595df43a8cb5b67d9e8d41348334060e3766c8c14709e03a826ab
MD5 hash:
2b0b66998f57d3e02f0594d552bdb96d
SHA1 hash:
8de4b9adf85c10c7e06692342c0d8160fb3e5fea
Link:
https://www.unpac.me/results/3eaee005-b8c0-4ef4-ab4f-4e353905c27b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.98
Link:
https://yomi.yoroi.company/submissions/b460853c5ec595df43a8cb5b67d9e8d41348334060e3766c8c14709e03a826ab

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/110905/

Comments