MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b96862087581adb9ecfb9615a46eedb29d13c606e708b7b532ce6ed3217925a4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 15

Intelligence 15 IOCs 1 YARA 18 File information Comments

SHA256 hash:	b96862087581adb9ecfb9615a46eedb29d13c606e708b7b532ce6ed3217925a4
SHA3-384 hash:	0cfbec684c8f00040efb1a44188c86dad54166df0d92fcdb1acced75450bcaff2d9cb084797483f8fc37a17551eae186
SHA1 hash:	bb20b2598d5ac31d36717f316fc733c4f8df9a9c
MD5 hash:	eb48500860ece87bc7a169118c929fb3
humanhash:	hawaii-alabama-oklahoma-neptune
File name:	Setup_latest.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'456'480 bytes
First seen:	2024-07-01 23:11:45 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b34f154ec913d2d2c435cbd644e91687 (527 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep	24576:ZxgPnpq2yAY1szLSvJwv4ahekPxMB7Du173pG1szLSvJwv4a:EnpNyA9qvCvHOBK73pfqvCv
TLSH	T1CA651202BF05CD55C6363FF011A149AAE76A390128B56AF727FCA39AD7F25E36F48041
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):
dhash icon	0040808484884800 (1 x RedLineStealer)
Reporter	Chainskilabs
Tags:	exe RedLineStealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
147.45.44.12:13830	https://threatfox.abuse.ch/ioc/1291421/

Intelligence

File Origin

# of uploads :

# of downloads :

569

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

Setup_latest.exe

Verdict:

Malicious activity

Analysis date:

2024-07-01 23:09:59 UTC

Tags:

stealer metastealer redline exfiltration

Link:

https://app.any.run/tasks/3828ade1-b0c5-4583-8493-d30a5aed9420

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.27480.2839.UNOFFICIAL

Verdict:

Malicious

Score:

97.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6683380ebe8570b8fa890531win10vpnfull_triage

Tags:

Encryption Infostealer Network Static Stealth Redlinesteal

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Connecting to a non-recommended domain

Connection attempt

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Stealing user critical data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

installer lolbin microsoft_visual_cc overlay packed shell32

Link:

https://www.filescan.io/uploads/668337c4ee1e16e3eb15c278/reports/06dbcebf-4f3f-4911-b81c-72a589a7d102/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/b96862087581adb9ecfb9615a46eedb29d13c606e708b7b532ce6ed3217925a4

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/652df83b-93a2-4738-b7ae-af106fe637fd

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1465756

Signature

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Malicious sample detected (through community Yara rule)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

19%

Verdict:

Benign

File Type:

Link:

https://malprob.io/report/b96862087581adb9ecfb9615a46eedb29d13c606e708b7b532ce6ed3217925a4

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b96862087581adb9ecfb9615a46eedb29d13c606e708b7b532ce6ed3217925a4/

Threat name:

Win32.Trojan.Sonbokli

Status:

Malicious

First seen:

2024-07-01 23:12:05 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xfugecdvqgw3t3h3syk2i3xnwkorhrqg44elpnjszzxngilzewsa._file

Verdict:

malicious

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:red discovery infostealer spyware stealer

Link:

https://tria.ge/reports/240701-26tgkszarl/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine payload

Malware Config

C2 Extraction:

147.45.44.12:13830

Unpacked files

SH256 hash:

b2f9554c8274ea714c388894b2d914c5d8d666a5976329bd7e7baf3adf540bf8

MD5 hash:

66bb3a1354b83896d93bcc3a6b686787

SHA1 hash:

16b20310440c14cc40f5425f406a8728222b893d

Detections:

redline

Link:

https://www.unpac.me/results/262c3ed4-f8ac-46fb-ac59-b36899104f5e/

SH256 hash:

ed04a4823f221e9197b8f3c3da1d6859ff5b176185bde2f1c923a442516c810a

MD5 hash:

38caa11a462b16538e0a3daeb2fc0eaf

SHA1 hash:

c22a190b83f4b6dc0d6a44b98eac1a89a78de55c

Link:

https://www.unpac.me/results/262c3ed4-f8ac-46fb-ac59-b36899104f5e/

SH256 hash:

b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

MD5 hash:

c6a6e03f77c313b267498515488c5740

SHA1 hash:

3d49fc2784b9450962ed6b82b46e9c3c957d7c15

Link:

https://www.unpac.me/results/262c3ed4-f8ac-46fb-ac59-b36899104f5e/

SH256 hash:

b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

MD5 hash:

80e44ce4895304c6a3a831310fbf8cd0

SHA1 hash:

36bd49ae21c460be5753a904b4501f1abca53508

Link:

https://www.unpac.me/results/262c3ed4-f8ac-46fb-ac59-b36899104f5e/

SH256 hash:

9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

MD5 hash:

1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1 hash:

0b9519763be6625bd5abce175dcc59c96d100d4c

Link:

https://www.unpac.me/results/262c3ed4-f8ac-46fb-ac59-b36899104f5e/

SH256 hash:

5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962

MD5 hash:

ec0504e6b8a11d5aad43b296beeb84b2

SHA1 hash:

91b5ce085130c8c7194d66b2439ec9e1c206497c

Link:

https://www.unpac.me/results/262c3ed4-f8ac-46fb-ac59-b36899104f5e/

SH256 hash:

3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

MD5 hash:

0d7ad4f45dc6f5aa87f606d0331c6901

SHA1 hash:

48df0911f0484cbe2a8cdd5362140b63c41ee457

Link:

https://www.unpac.me/results/262c3ed4-f8ac-46fb-ac59-b36899104f5e/

SH256 hash:

2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

MD5 hash:

adb29e6b186daa765dc750128649b63d

SHA1 hash:

160cbdc4cb0ac2c142d361df138c537aa7e708c9

Detections:

INDICATOR_TOOL_UAC_NSISUAC

Link:

https://www.unpac.me/results/262c3ed4-f8ac-46fb-ac59-b36899104f5e/

Parent samples :

f5f3e5658f8ec6c1e7ffa7e7d6df06d04af1f3a5941206ce23b8be979c60ccb1
6e22c0f2732195063cb4984c6520c3b85e1236e967f8bb05b3c1b35139d2917b
713a497c8da97c2082758fd31147539f408a72b62041c6c9ed77037021621e94
dbde8a4bd71bb1fbc0511cdb657dfeffdaedc513aa425f856043532a7cba6fce
ac142a8087949b5ad4e3a503ca37609845112c4f7e0cd1376669c9d5c8f5cdf2
15d4dbafb6fb1770507db7769b2df6f3857da0ad3203a71c5f82a99688dac2b3
b96862087581adb9ecfb9615a46eedb29d13c606e708b7b532ce6ed3217925a4
4f2e6dc8e4d8e0dfcc44a28d34c10653bd833abb8832e47e609d255f246c67f0
df61dc2d24f2e475e0a8971c5d21c1c48e9505be67714aafb4afd670aad297e3
60b1aa37a4ac40d5c5adf2de28782976934731408b6c2e89511e1bc5947d5bbd
f7ae58f22cbdeb69318f6cb3ff3757a9888e8731febd66e85ee9938f874705c9
fbfe2108631e3ccaa8db2f5c4439009c7a5a53136481b422236eefe2e48b690f
340b93c76e6f489982a23d2e04df0ad05a03c3d744ecb5badc3c041eca945af2
34a5c9c0106b37687fbdd51a60a026d06e7301ec40b1f7fb49384d8fe748e9e6
503c9fae00b047a77059de8e9ff6dddb6d2584f18ccf6480d69d395c65492ad4

SH256 hash:

1e40211af65923c2f4fd02ce021458a7745d28e2f383835e3015e96575632172

MD5 hash:

466179e1c8ee8a1ff5e4427dbb6c4a01

SHA1 hash:

eb607467009074278e4bd50c7eab400e95ae48f7

Link:

https://www.unpac.me/results/262c3ed4-f8ac-46fb-ac59-b36899104f5e/

SH256 hash:

b96862087581adb9ecfb9615a46eedb29d13c606e708b7b532ce6ed3217925a4

MD5 hash:

eb48500860ece87bc7a169118c929fb3

SHA1 hash:

bb20b2598d5ac31d36717f316fc733c4f8df9a9c

Link:

https://www.unpac.me/results/262c3ed4-f8ac-46fb-ac59-b36899104f5e/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/b96862087581/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b96862087581adb9ecfb9615a46eedb29d13c606e708b7b532ce6ed3217925a4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	detect_Redline_Stealer_V2 Create hunting rule
Author:	Varp0s

Rule name:	GenericRedLineLike Create hunting rule
Author:	Still
Description:	Matches RedLine-like stealer; may match its variants.

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MALWARE_Win_MetaStealer Create hunting rule
Author:	ditekSHen
Description:	Detects MetaStealer infostealer

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	NSIS_April_2024 Create hunting rule
Author:	NDA0N
Description:	Detects NSIS installers

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Windows_Generic_Threat_efdb9e81 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_Donutloader_f40e3759 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_Generic_40899c85 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_RedLineStealer_6dfafd7b Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

any.run

https://app.any.run/tasks/3828ade1-b0c5-4583-8493-d30a5aed9420

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
COM_BASE_API	Can Download & Execute components	ole32.dll::CoCreateInstance
SECURITY_BASE_API	Uses Security Base API	ADVAPI32.dll::AdjustTokenPrivileges ADVAPI32.dll::SetFileSecurityW
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteExW SHELL32.dll::SHFileOperationW SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CreateProcessW ADVAPI32.dll::OpenProcessToken KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetDiskFreeSpaceW KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CopyFileW KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateFileW KERNEL32.dll::DeleteFileW KERNEL32.dll::MoveFileExW KERNEL32.dll::MoveFileW
WIN_BASE_USER_API	Retrieves Account Information	ADVAPI32.dll::LookupPrivilegeValueW
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegCreateKeyExW ADVAPI32.dll::RegDeleteKeyW ADVAPI32.dll::RegOpenKeyExW ADVAPI32.dll::RegQueryValueExW ADVAPI32.dll::RegSetValueExW
WIN_USER_API	Performs GUI Actions	USER32.dll::AppendMenuW USER32.dll::EmptyClipboard USER32.dll::FindWindowExW USER32.dll::OpenClipboard USER32.dll::PeekMessageW USER32.dll::CreateWindowExW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample