MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b88350726e9a1dc492b8fde7c03fdd0f5c7669b6919e1c25ddbcb8a69125c330. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Signature: RedLineStealer
Vendor detections: 9

SHA256 hash: b88350726e9a1dc492b8fde7c03fdd0f5c7669b6919e1c25ddbcb8a69125c330
SHA3-384 hash: 671f5090f2d0fbfea5f79ae556dfca93368bbc243727c845c51bc3b29bfee4f6a09f6de4ec675b03c32d9dbc98ed4495
SHA1 hash: 8dcb0e04058e1e54cd58a45b4941d4c3e82c1c4d
MD5 hash: 37c2da964c80b136058a17c05a815271
humanhash: don-butter-seventeen-east
File name: 37c2da964c80b136058a17c05a815271.exe
Signature: RedLineStealer
File size: 460,800 bytes
First seen: 2021-08-22 10:39:53 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f326f88ca83c9aacaa44acfb8884f1d4 (other samples with this imphash: 8 x RedLineStealer, 4 x DCRat, 2 x CoinMiner)
ssdeep: 12288:stzE5elwLz9Trh6uIMzCXr17Z3P8VHbba:stA4KdTl/jzCbL3EHfa
Threatray: 126 similar samples on MalwareBazaar
TLSH: T139A4E096B1E02199EBF681FAD5921742EB7074321B11B3DB1B7463B31B1A8C69F7C390
Reporter: abuse_ch
Tags: exe RedLineStealer
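The first thing to do with a sample pulled from this entry is to confirm that the file you extracted is the one the record describes, since the exact digests and the size above are the only binding between the page and the bytes on disk. The script below is an added example, not MalwareBazaar's own tooling: it streams the file through the four exact hash algorithms the entry lists (SHA-256, SHA3-384, SHA-1, MD5; all available in Python's hashlib) and reports every value that disagrees with the entry. The expected digests and the 460,800-byte size are copied from the entry; ssdeep and TLSH are fuzzy hashes the standard library cannot compute, so they are not checked here.

```python
"""Check a downloaded sample against the digests and size recorded on this
MalwareBazaar entry.  Added example; not MalwareBazaar's own tooling.
ssdeep and TLSH are fuzzy hashes that the standard library cannot compute,
so only the exact digests from the entry are verified here.
"""
import hashlib
import sys
from pathlib import Path

ALGORITHMS = ("sha256", "sha3_384", "sha1", "md5")

# Copied from the entry above.
EXPECTED_DIGESTS = {
    "sha256": "b88350726e9a1dc492b8fde7c03fdd0f5c7669b6919e1c25ddbcb8a69125c330",
    "sha3_384": "671f5090f2d0fbfea5f79ae556dfca93368bbc243727c845c51bc3b29bfee4f6a09f6de4ec675b03c32d9dbc98ed4495",
    "sha1": "8dcb0e04058e1e54cd58a45b4941d4c3e82c1c4d",
    "md5": "37c2da964c80b136058a17c05a815271",
}
EXPECTED_SIZE = 460_800  # bytes, from the entry


def _finish(hashers):
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data, algorithms=ALGORITHMS):
    """Digest an in-memory blob with every algorithm in `algorithms`."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for h in hashers.values():
        h.update(data)
    return _finish(hashers)


def digest_file(path, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Digest a file in one streaming pass so large samples are never read whole into memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(block)
    return _finish(hashers)


def check(actual, expected=EXPECTED_DIGESTS, size=None, expected_size=EXPECTED_SIZE):
    """Return a list of mismatch descriptions; an empty list means every
    recorded digest (and the size, when given) matches.  Hex comparison is
    case-insensitive because different sources print digests in different case."""
    problems = []
    for name, want in expected.items():
        got = actual.get(name)
        if got is None:
            problems.append(f"{name}: not computed")
        elif got.lower() != want.lower():
            problems.append(f"{name}: expected {want}, got {got}")
    if size is not None and expected_size is not None and size != expected_size:
        problems.append(f"size: expected {expected_size} bytes, got {size}")
    return problems


if __name__ == "__main__":
    # Usage: python check_sample.py <path to extracted sample>
    sample = Path(sys.argv[1])
    issues = check(digest_file(sample), size=sample.stat().st_size)
    print("OK: matches the MalwareBazaar entry" if not issues else "\n".join(issues))
    sys.exit(1 if issues else 0)
```

Run it against the extracted sample file, not the archive it was downloaded in; a non-empty list means either the wrong file was extracted or the download was altered in transit, and the sample should not be trusted as the one this entry describes until the digests agree.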

Intelligence


File Origin
# of uploads: 1
# of downloads: 118
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: https://keygenit.com
Verdict: Malicious activity
Analysis date: 2021-08-21 02:18:18 UTC
Tags: evasion trojan rat azorult stealer fareit pony loader opendir autoit redline vidar phishing

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process from a recently created file
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP POST request
Creating a file
Deleting a recently created file
Reading critical registry keys
Using the Windows Management Instrumentation requests
Sending a UDP request
Unauthorized injection to a recently created process
Stealing user critical data
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: DCRat RedLine Xmrig
Detection: malicious
Classification: troj.spyw.evad.mine
Score: 100 / 100
Signature
Creates an autostart registry key pointing to binary in C:\Windows
Creates multiple autostart registry keys
Creates processes via WMI
Disables security and backup related services
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected BatToExe compiled binary
Yara detected DCRat
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph (ID 469440; sample FlAhLaO4h1.exe; start date 22/08/2021; architecture WINDOWS; score 100)

Signatures on the root node: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Yara detected DCRat; 6 other signatures.

Process tree, with the dropped files, network endpoints and per-process signatures the graph rendered ("..." marks a path truncated in the original):

FlAhLaO4h1.exe
  drops: C:\Users\user\AppData\Local\Temp\...\extd.exe (PE32+)
  starts: cmd.exe, conhost.exe
  cmd.exe
    starts: bb.exe, yeeeeeeeeeee.exe, setup.exe, 7 other processes
    bb.exe
      drops: C:\sessioncrt\sessioncrtdllSvc.exe (PE32)
      signature: Machine Learning detection for dropped file
      starts: wscript.exe
      wscript.exe
        starts: cmd.exe
        cmd.exe
          starts: sessioncrtdllSvc.exe, conhost.exe
          sessioncrtdllSvc.exe
            drops: C:\Windows\System32\...\UsoClient.exe (PE32), C:\Windows\System32\...\ctfmon.exe (PE32), C:\Program Files\...\System.exe (PE32), 2 other files (1 malicious)
            signatures: Creates multiple autostart registry keys; Drops executables to the windows directory (C:\Windows) and starts them; Creates an autostart registry key pointing to binary in C:\Windows; Creates processes via WMI
    yeeeeeeeeeee.exe
      network: 45.87.3.183 port 2705 (local ports 49705, 49713), ON-LINE-DATA Serverlocation-Netherlands Dronten NL, Netherlands; 192.168.2.1; api.ip.sb
      signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
      starts: conhost.exe
    setup.exe
      drops: C:\Windows\Client.exe (PE32), C:\Users\user\AppData\Local\...\nsProcess.dll (PE32), C:\Users\user\AppData\Local\...\nsExec.dll (PE32)
      signature: Disables security and backup related services
      starts: cmd.exe (four instances)
        cmd.exe -> net.exe -> net1.exe; conhost.exe
        cmd.exe -> sc.exe; conhost.exe
        cmd.exe -> sc.exe; conhost.exe
        cmd.exe -> conhost.exe
    7 other processes
      network: 162.159.129.233 port 443 (local port 49703), CLOUDFLARENET US, United States; cdn.discordapp.com 162.159.133.233 port 443 (local ports 49701, 49704), CLOUDFLARENET US, United States
      drops: C:\Users\user\AppData\...\yeeeeeeeeeee.exe (PE32), C:\Users\user\AppData\Local\...\setup.exe (PE32), C:\Users\user\AppData\Local\Temp\...\bb.exe (PE32)
svchost.exe
  network: 127.0.0.1
svchost.exe
Result
Threat name: ByteCode-MSIL.Infostealer.Reline
Status: Malicious
First seen: 2021-08-21 13:09:36 UTC
AV detection: 12 of 28 (42.86%)
Threat level: 5/5

Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:@des6_6_6 discovery infostealer spyware stealer upx
Behaviour
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
RedLine
RedLine Payload
Malware Config
C2 Extraction: 45.87.3.183:2705

Unpacked files
SHA256 hash: b88350726e9a1dc492b8fde7c03fdd0f5c7669b6919e1c25ddbcb8a69125c330
MD5 hash: 37c2da964c80b136058a17c05a815271
SHA1 hash: 8dcb0e04058e1e54cd58a45b4941d4c3e82c1c4d
Please note that we are no longer able to provide a coverage score for Virus Total.
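The sandbox signatures and the extracted C2 above translate directly into hunting logic: a connection to 45.87.3.183:2705, sc.exe/net.exe stop commands spawned by cmd.exe under a binary launched from the user's %TEMP% (the setup.exe -> cmd.exe -> sc.exe/net.exe chain), executables run straight from C:\Windows or from the C:\sessioncrt directory the sample created, and a Run-key value pointing into C:\Windows. The script below is an added example, not part of MalwareBazaar or of any sandbox vendor's tooling. It assumes Sysmon-style process, network and registry events already flattened to dicts, plus a hypothetical enrichment field "grandparent_image"; the events in SAMPLE_EVENTS, including the service name "ExampleSvc", are constructed because the page shows the chain but not the exact command lines.

```python
"""Hunting checks derived from the sandbox signatures and the extracted
C2 on this MalwareBazaar entry.  Added example; not MalwareBazaar's or any
sandbox vendor's tooling.  Events are Sysmon-style dicts and the entries
in SAMPLE_EVENTS are constructed for illustration; the hypothetical
"grandparent_image" field assumes each process event has been enriched
with its parent's parent before it reaches this code.
"""
import re

# "C2 Extraction" on this entry.
C2_ENDPOINTS = {("45.87.3.183", 2705)}

# An executable directly under C:\Windows (the sample dropped C:\Windows\Client.exe),
# or anything under the non-standard root directory it created (C:\sessioncrt\...).
WINDOWS_ROOT_EXE = re.compile(r"^c:\\windows\\[^\\]+\.exe$", re.I)
SESSIONCRT_DIR = re.compile(r"^c:\\sessioncrt\\", re.I)
USER_TEMP = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(?:once)?\b", re.I)
# "sc stop|config|delete" or "net stop", with or without a full path to the binary.
SERVICE_TAMPER = re.compile(
    r'(?:^|\\)(?:sc(?:\.exe)?"?\s+(?:stop|config|delete)|net1?(?:\.exe)?"?\s+stop)\b', re.I)


def rule_c2_connection(ev):
    if ev.get("type") == "network" and (ev.get("dst_ip"), ev.get("dst_port")) in C2_ENDPOINTS:
        return "c2_connection"
    return None


def rule_service_tamper(ev):
    """'Disables security and backup related services': sc/net stop spawned by
    cmd.exe whose own parent was launched from the user's %TEMP%."""
    if (ev.get("type") == "process"
            and SERVICE_TAMPER.search(ev.get("cmdline", ""))
            and ev.get("parent_image", "").lower().endswith("\\cmd.exe")
            and USER_TEMP.match(ev.get("grandparent_image", ""))):
        return "service_tamper_from_temp"
    return None


def rule_exec_from_unusual_path(ev):
    """'Drops executables to the windows directory (C:\\Windows) and starts them'."""
    image = ev.get("image", "")
    if ev.get("type") == "process" and (WINDOWS_ROOT_EXE.match(image) or SESSIONCRT_DIR.match(image)):
        return "exec_from_unusual_system_path"
    return None


def rule_autostart_into_windows(ev):
    """'Creates an autostart registry key pointing to binary in C:\\Windows'."""
    if (ev.get("type") == "registry"
            and RUN_KEY.search(ev.get("key", ""))
            and re.match(r'^"?c:\\windows\\', ev.get("value", ""), re.I)):
        return "run_key_points_into_windows"
    return None


RULES = (rule_c2_connection, rule_service_tamper, rule_exec_from_unusual_path, rule_autostart_into_windows)


def scan(events):
    """Return (event id, rule name) pairs, in event order, for every rule that fires."""
    hits = []
    for ev in events:
        for rule in RULES:
            name = rule(ev)
            if name:
                hits.append((ev["id"], name))
    return hits


# Constructed telemetry modelled on the process tree in the behaviour graph above.
TEMP = r"C:\Users\user\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd /c run.bat",
     "parent_image": TEMP + r"\FlAhLaO4h1.exe", "grandparent_image": r"C:\Windows\explorer.exe"},
    {"id": 2, "type": "process", "image": r"C:\Windows\System32\sc.exe", "cmdline": "sc stop ExampleSvc",
     "parent_image": r"C:\Windows\System32\cmd.exe", "grandparent_image": TEMP + r"\setup.exe"},
    {"id": 3, "type": "network", "image": TEMP + r"\yeeeeeeeeeee.exe", "dst_ip": "45.87.3.183", "dst_port": 2705},
    {"id": 4, "type": "network", "image": TEMP + r"\FlAhLaO4h1.exe", "dst_ip": "162.159.133.233", "dst_port": 443},
    {"id": 5, "type": "process", "image": r"C:\Windows\Client.exe", "cmdline": "Client.exe",
     "parent_image": TEMP + r"\setup.exe", "grandparent_image": r"C:\Windows\System32\cmd.exe"},
    {"id": 6, "type": "process", "image": r"C:\sessioncrt\sessioncrtdllSvc.exe", "cmdline": "sessioncrtdllSvc.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "grandparent_image": r"C:\Windows\System32\wscript.exe"},
    {"id": 7, "type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Client",
     "value": r"C:\Windows\Client.exe"},
    {"id": 8, "type": "process", "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs",
     "parent_image": r"C:\Windows\System32\services.exe", "grandparent_image": r"C:\Windows\System32\wininit.exe"},
    {"id": 9, "type": "process", "image": r"C:\Windows\System32\sc.exe", "cmdline": "sc query ExampleSvc",
     "parent_image": r"C:\Windows\System32\cmd.exe", "grandparent_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for event_id, rule_name in scan(SAMPLE_EVENTS):
        print(event_id, rule_name)
```

Two design points: the Cloudflare addresses and cdn.discordapp.com that served the second-stage payloads are deliberately not treated as indicators, because they are shared CDN infrastructure and would fire on legitimate traffic; and the service-tamper rule keys on the process ancestry rather than the service name, since the page shows which chain ran sc.exe and net.exe but not which services were targeted, and `sc query` from an interactive shell (event 9) must stay silent.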

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  RedLineStealer | Executable exe b88350726e9a1dc492b8fde7c03fdd0f5c7669b6919e1c25ddbcb8a69125c330 | (this sample)

Delivery method: Distributed via web download
