MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b882d2fa75dd429d2366009bbe68c3bf3910cc54bce8a1b6e3ec56f8cae11775. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b882d2fa75dd429d2366009bbe68c3bf3910cc54bce8a1b6e3ec56f8cae11775
SHA3-384 hash: 3ead676e408f6ceb2c715b73afcfce2848c3098be0fedab43e9300304b1d5c9f9fa77a8844482e790f95b855a966577a
SHA1 hash: 26774d3f71bb03f94588b04e9bd8926fc87c6653
MD5 hash: 45cee4ec3643349ffdf7395f7b4a5b3f
humanhash: ink-lactose-west-uranus
File name:modest-menu.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'457'152 bytes
First seen:2023-11-26 19:31:02 UTC
Last seen:2023-11-26 22:03:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 073577fa717a5d9f152374e9e2eb34c4 (1 x RedLineStealer)
ssdeep 24576:n5hGigbZWG8Srp651ZFL3XVTLcx9+WrCkF2gNCs46sL3f:n0SYP+cRF2gNlsD
TLSH T1AF65F132F2F14637E1331A789D2B56BC592A7F212D3854862FD86D8C5F3A791342B293
TrID 28.1% (.EXE) Win32 Executable Delphi generic (14182/79/4)
25.9% (.SCR) Windows screen saver (13097/50/3)
20.8% (.EXE) Win64 Executable (generic) (10523/12/4)
8.9% (.EXE) Win32 Executable (generic) (4505/5/1)
4.1% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 74f4d8dadc9492d6 (1 x RedLineStealer)
Reporter tcains1
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
306
Origin country :
US US
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/460460/
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.24734.21041.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Searching for the window
Creating a file in the %temp% subdirectories
Launching cmd.exe command interpreter
Creating a process with a hidden window
Launching a process
Using the Windows Management Instrumentation requests
Running batch commands
Creating a process from a recently created file
DNS request
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control hook keylogger lolbin
Link:
https://www.filescan.io/uploads/65639d3a380413dc0c217518/reports/9bc4e627-702e-4922-8107-db7b14dd9e63/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/b882d2fa75dd429d2366009bbe68c3bf3910cc54bce8a1b6e3ec56f8cae11775
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/514d869d-a2af-4677-8ea4-88c427e2dda3
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1348160
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Contains functionality to modify clipboard data
Drops PE files with a suspicious file extension
Found API chain indicative of debugger detection
Found API chain indicative of sandbox detection
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1348160 Sample: modest-menu.exe Startdate: 26/11/2023 Architecture: WINDOWS Score: 100 45 NHfiAJEUODCInFXQxnyiVuvllZZBD.NHfiAJEUODCInFXQxnyiVuvllZZBD 2->45 59 Snort IDS alert for network traffic 2->59 61 Found malware configuration 2->61 63 Malicious sample detected (through community Yara rule) 2->63 65 4 other signatures 2->65 10 modest-menu.exe 9 2->10         started        signatures3 process4 file5 43 C:\Users\user\AppData\Local\Temp\...\Sentence, PE32 10->43 dropped 13 cmd.exe 1 10->13         started        process6 signatures7 75 Uses ping.exe to sleep 13->75 77 Drops PE files with a suspicious file extension 13->77 79 Uses ping.exe to check the status of other devices and networks 13->79 16 cmd.exe 1 13->16         started        19 conhost.exe 13->19         started        process8 signatures9 49 Uses ping.exe to sleep 16->49 21 Connection.pif 1 16->21         started        25 cmd.exe 2 16->25         started        27 cmd.exe 2 16->27         started        29 6 other processes 16->29 process10 file11 37 C:\Users\user\AppData\Local\Temp\...\jsc.exe, PE32 21->37 dropped 67 Found API chain indicative of debugger detection 21->67 69 Found API chain indicative of sandbox detection 21->69 71 Writes to foreign memory regions 21->71 73 2 other signatures 21->73 31 jsc.exe 8 5 21->31         started        35 jsc.exe 21->35         started        39 C:\Users\user\AppData\...\Connection.pif, PE32 25->39 dropped 41 C:\Users\user\AppData\Local\Temp\13023\...\C, ASCII 27->41 dropped signatures12 process13 dnsIp14 47 45.15.156.186, 29975, 49734 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 31->47 51 Tries to harvest and steal browser information (history, passwords, etc) 31->51 53 Tries to steal Crypto Currency Wallets 31->53 55 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 35->55 57 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 35->57 signatures15
Score:
94%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b882d2fa75dd429d2366009bbe68c3bf3910cc54bce8a1b6e3ec56f8cae11775
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b882d2fa75dd429d2366009bbe68c3bf3910cc54bce8a1b6e3ec56f8cae11775/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-11-25 11:01:49 UTC
File Type:
PE (Exe)
Extracted files:
22
AV detection:
17 of 23 (73.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xcbnf6tv3vbj2i3gacn342gdx44rbtcuxtukdnxd5rlprsxbc52q._file
Verdict:
malicious
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer
Link:
https://tria.ge/reports/231126-x8d3fsbh8v/
Behaviour
Enumerates processes with tasklist
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
RedLine
RedLine payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
28f90c96570b77a2131fec062631796dca25be1ce08ae6792caa7ad7d44e6056
MD5 hash:
d3c59e3f050c7adfe6b7fc4b5fbad950
SHA1 hash:
a194727a34a7f1d72886a9f5ba9c72e0f35c8137
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/3ddc0527-2d28-40c0-b8d3-5dbdc5e98099/
SH256 hash:
b882d2fa75dd429d2366009bbe68c3bf3910cc54bce8a1b6e3ec56f8cae11775
MD5 hash:
45cee4ec3643349ffdf7395f7b4a5b3f
SHA1 hash:
26774d3f71bb03f94588b04e9bd8926fc87c6653
Link:
https://www.unpac.me/results/3ddc0527-2d28-40c0-b8d3-5dbdc5e98099/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b882d2fa75dd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b882d2fa75dd429d2366009bbe68c3bf3910cc54bce8a1b6e3ec56f8cae11775

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe b882d2fa75dd429d2366009bbe68c3bf3910cc54bce8a1b6e3ec56f8cae11775

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/460460/

Comments