MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ba1d4c519566f6e1e5cfb4e5650847a3d5086b3327685000a78cb2010633fd0d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ba1d4c519566f6e1e5cfb4e5650847a3d5086b3327685000a78cb2010633fd0d
SHA3-384 hash: 6680a4382f4540bf7e7d08f2b57427d84ab64a288b67e4df557a5118a59986300f98df298eec8fa2291d02a739414de1
SHA1 hash: 624d98234bb68b887940414ee8765925aad6b6b5
MD5 hash: 39c117ace849f637797628c0d42d3cb2
humanhash: hot-west-nevada-high
File name:sE3PiwL1fx.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:2'467'407 bytes
First seen:2021-06-18 02:11:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 22e7125b95acf497b07e79559bdc556c (2 x CoinMiner, 1 x RedLineStealer, 1 x DCRat)
ssdeep 49152:mW3yaykSUuEXu5WrTDVASDQHwucjb02fCzMPGpM:mWiNkSUtDVAS0HDol/
Threatray 63 similar samples on MalwareBazaar
TLSH 48B5239B666063E7F057237898D6AA06B3F034464727D2EB4220D6766F13BD06D3DB23
Reporter ShinigamiOwl
Tags:backdoor exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
389
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
@lovelyvain.exe
Verdict:
No threats detected
Analysis date:
2021-06-13 20:37:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1d3802a5-338d-4b1a-afc7-c66999103a37

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/166706/
Detection(s):
PUA.Win.File.Generic-7557964-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a1a54a3a-bd7d-443e-a59c-99319fc2a503
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/804060
Signature
Antivirus detection for dropped file
Connects to many ports of the same IP (likely port scanning)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 436471 Sample: sE3PiwL1fx.exe Startdate: 18/06/2021 Architecture: WINDOWS Score: 100 46 Found malware configuration 2->46 48 Antivirus detection for dropped file 2->48 50 Multi AV Scanner detection for dropped file 2->50 52 4 other signatures 2->52 7 sE3PiwL1fx.exe 12 2->7         started        process3 file4 30 C:\Users\user\AppData\Local\Temp\...\7z.exe, PE32+ 7->30 dropped 32 C:\Users\user\AppData\Local\Temp\...\7z.dll, PE32+ 7->32 dropped 10 cmd.exe 2 7->10         started        13 cmd.exe 1 7->13         started        process5 signatures6 54 Uses cmd line tools excessively to alter registry or file data 10->54 15 lovelyvain.exe 15 29 10->15         started        19 7z.exe 2 10->19         started        22 7z.exe 3 10->22         started        26 14 other processes 10->26 24 conhost.exe 13->24         started        process7 dnsIp8 34 188.120.236.34, 14256, 49719, 49726 THEFIRST-ASRU Russian Federation 15->34 36 api.ip.sb 15->36 38 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 15->38 40 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 15->40 42 Tries to harvest and steal browser information (history, passwords, etc) 15->42 44 Tries to steal Crypto Currency Wallets 15->44 28 C:\Users\user\AppData\...\lovelyvain.exe, PE32 19->28 dropped file9 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ba1d4c519566f6e1e5cfb4e5650847a3d5086b3327685000a78cb2010633fd0d/
Threat name:
Win64.Backdoor.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-06-15 10:58:09 UTC
AV detection:
10 of 46 (21.74%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xiouyumvm33odzopwtswkcchupkqq2zte5ufaafhrszacbrt7ugq._file
Verdict:
malicious
Similar samples:
13cbfcca93b6700d7a32d6db67417a27a6ab366a305cd54cc74d5172bb0e6d0f
RedLineStealer
1ec41e2112e0e611ed284218b07159a3d935d093c2a8e2709673b9ca67a13c03
RedLineStealer
2738373f0b008beb61553747e56cb623befa5e44a43b322cc4b74e7508ec24cb
RedLineStealer
5be6e545412f81d95e255012405473ab48b5d4251131e4fb0b2156f8e3798266
RedLineStealer
84243ed89d2df4bf4299db31c40259766f2299c821bb8ca5f76629da44ef07c7
RedLineStealer
97be28d22f758b206925ddb8c1da20a3766d88b532c25c239bc67567d0a89497
RedLineStealer
ce6942ba556becceed8e49f6caed8edc7a6ac8a3dc8e9878a373e9fc870565f4
RedLineStealer
db30e7a45705a8bf2071bd51b70157cace17faaf34aef2bcbd3266fa0ecce874
RedLineStealer
db6ea7c28cf52dc010de1c2a01f77f784248df0f6936ded3c0d1272b178470ed
RedLineStealer
e37ee735ba2c075bb3ca8ab6a4cbc047600b146c093aa43cc7c7a771b393d487
RedLineStealer
+ 53 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery evasion infostealer spyware stealer
Link:
https://tria.ge/reports/210618-flp7cmyeqx/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Sets file to hidden
RedLine
RedLine Payload
Unpacked files
SH256 hash:
ba1d4c519566f6e1e5cfb4e5650847a3d5086b3327685000a78cb2010633fd0d
MD5 hash:
39c117ace849f637797628c0d42d3cb2
SHA1 hash:
624d98234bb68b887940414ee8765925aad6b6b5
Link:
https://www.unpac.me/results/11bd641f-4e2e-42e8-affc-1fc75fe6f096/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ba1d4c519566f6e1e5cfb4e5650847a3d5086b3327685000a78cb2010633fd0d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe ba1d4c519566f6e1e5cfb4e5650847a3d5086b3327685000a78cb2010633fd0d

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/166706/

Comments