MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b879d49fd40621e64e4719c1a3702bcb2779b386378d60051de52de58b360e9d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b879d49fd40621e64e4719c1a3702bcb2779b386378d60051de52de58b360e9d
SHA3-384 hash: a27e090515deb67be4e6a37f77489365082dba729496f0b167772aee48d01451de1708c2a28ec79416c2372d7b6b46e1
SHA1 hash: 71b31fc3b554db31be7d51cc76854dc88186f736
MD5 hash: a903cf8d3a470d145554f183c21a4791
humanhash: november-twelve-purple-california
File name:a903cf8d3a470d145554f183c21a4791.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:3'739'440 bytes
First seen:2022-02-07 03:25:12 UTC
Last seen:2022-02-07 04:34:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 41304e4befbbd8a63ad6ec59f252160b (56 x RedLineStealer, 4 x RaccoonStealer, 2 x CoinMiner)
ssdeep 98304:gKNcs+hNy3xljrulsbhKedC8rCv5xSeq4HGb:gKNwkrAMYxFtDHO
Threatray 391 similar samples on MalwareBazaar
TLSH T179063389DF92FE29F643ECF836EA5627FB3496105859CDCCF1DF44826329268E930464
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
141.95.227.187:6238

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
141.95.227.187:6238 https://threatfox.abuse.ch/ioc/379565/

Intelligence

File Origin
# of uploads :
2
# of downloads :
169
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a903cf8d3a470d145554f183c21a4791.exe
Verdict:
Malicious activity
Analysis date:
2022-02-07 03:34:10 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/07595aa2-a696-48d1-bca0-2caff400e8c2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/233890/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Launching the default Windows debugger (dwwin.exe)
Searching for the window
DNS request
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Сreating synchronization primitives
Sending a custom TCP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Sending an HTTP GET request
Sending a TCP request to an infection source
Stealing user critical data
Blocking the Windows Defender launch
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed raccoon
Link:
https://www.filescan.io/uploads/6200914eaccdde96b5e2edd2/reports/e08294c3-c78d-4e58-b7f2-2b9ab1ecdf06/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/522b97b7-e184-4a60-9569-23c8b90594ba
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/934883
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 567361 Sample: Jwd5H8TOWY.exe Startdate: 07/02/2022 Architecture: WINDOWS Score: 100 59 Found malware configuration 2->59 61 Malicious sample detected (through community Yara rule) 2->61 63 Antivirus detection for URL or domain 2->63 65 5 other signatures 2->65 9 Jwd5H8TOWY.exe 2->9         started        12 RegHost.exe 1 2->12         started        process3 signatures4 67 Writes to foreign memory regions 9->67 69 Allocates memory in foreign processes 9->69 71 Tries to detect virtualization through RDTSC time measurements 9->71 73 Injects a PE file into a foreign processes 9->73 14 AppLaunch.exe 15 7 9->14         started        19 WerFault.exe 23 9 9->19         started        75 Multi AV Scanner detection for dropped file 12->75 77 Machine Learning detection for dropped file 12->77 21 conhost.exe 12->21         started        process5 dnsIp6 47 141.95.227.187, 49786, 6238 DFNVereinzurFoerderungeinesDeutschenForschungsnetzese Germany 14->47 49 cdn.discordapp.com 162.159.129.233, 443, 49826 CLOUDFLARENETUS United States 14->49 37 C:\Users\user\AppData\Local\Temp\a.exe, PE32+ 14->37 dropped 51 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 14->51 53 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 14->53 55 Tries to harvest and steal browser information (history, passwords, etc) 14->55 57 Tries to steal Crypto Currency Wallets 14->57 23 a.exe 1 2 14->23         started        39 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 19->39 dropped file7 signatures8 process9 dnsIp10 41 185.137.234.33, 8080 SELECTELRU Russian Federation 23->41 35 C:\Users\user\AppData\Roaming\...\RegHost.exe, PE32+ 23->35 dropped 79 Multi AV Scanner detection for dropped file 23->79 81 Machine Learning detection for dropped file 23->81 28 curl.exe 1 23->28         started        31 conhost.exe 23->31         started        file11 signatures12 process13 dnsIp14 43 api.telegram.org 149.154.167.220, 443, 49828 TELEGRAMRU United Kingdom 28->43 45 192.168.2.1 unknown unknown 28->45 33 conhost.exe 28->33         started        process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b879d49fd40621e64e4719c1a3702bcb2779b386378d60051de52de58b360e9d/
Threat name:
Win32.Adware.RedCap
Create hunting rule
Status:
Malicious
First seen:
2022-02-04 23:16:00 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
23 of 28 (82.14%)
Threat level:
  1/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xb45jh6uayq6mtshdha2g4blzmtxtm4gg6gwabi54uw6lczwb2oq._file
Verdict:
malicious
Similar samples:
2da24494535db516936e3fdf11f46423c3be7abd33afab194bd93388ab89b0cb
RedLineStealer
4b53dc815775a5f6d377218f9bee6b102d49f5dfc678f5a939ec2e0be0890e4b
RedLineStealer
5ed9c8e4709af1af34ea8d1e6d5177c3d164c62c7dece9adcdd3d9c1b402484f
RedLineStealer
8a76fd10a479dbf5bb5d60f6ef949641d2ef4f1262a6d9dd273cf93b7be934b3
RedLineStealer
9c55d8b1e171b21b41833dcbab1b07157f3bd3a12a06578c9063a211bb0bc61e
RedLineStealer
d3a1bdd3ea570b33d18209bcc19d229229c95de8d4b13ffe76248ca72c17e09c
RedLineStealer
+ 381 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220207-dy731aegcr/
Unpacked files
SH256 hash:
6f5ece83de06ae31de156a772b558a50a564fa16454dff7b60acce9af1d30360
MD5 hash:
e69ac3b287978af04428e8df38718924
SHA1 hash:
d3a60f1cf00e79ad2e425b12e4bf014324c131ae
Link:
https://www.unpac.me/results/e00a3ac4-42d7-4e1a-915c-e537015f7bc0/
SH256 hash:
b879d49fd40621e64e4719c1a3702bcb2779b386378d60051de52de58b360e9d
MD5 hash:
a903cf8d3a470d145554f183c21a4791
SHA1 hash:
71b31fc3b554db31be7d51cc76854dc88186f736
Link:
https://www.unpac.me/results/e00a3ac4-42d7-4e1a-915c-e537015f7bc0/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Sectigo_Code_Signed
Create hunting rule
Description:Detects code signed by the Sectigo RSA Code Signing CA
Reference:https://bazaar.abuse.ch/export/csv/cscb/
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/233890/

Comments