MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bc508271ff66cec5515c8527bf4766aac1a0135f093e3f1462074d98ae8fc41f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 12



SHA256 hash: bc508271ff66cec5515c8527bf4766aac1a0135f093e3f1462074d98ae8fc41f
SHA3-384 hash: 441937f11245ba00bbd36d0f41530c2fa97b53cf8b1454a2e7d30d32f80f603a657a5e334e4036254bad61b40d5d3151
SHA1 hash: 8825abde4f3a1b1e2a65397d0eb8cb827ff1bf45
MD5 hash: 29c2098ac51b57bcd8375efe7151f719
humanhash: mississippi-nine-delaware-florida
File name: 29c2098ac51b57bcd8375efe7151f719.exe
Signature: RedLineStealer
File size: 567'808 bytes
First seen: 2022-03-27 22:30:55 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 445554923421947cbff896012e27345a (301 x RedLineStealer, 11 x RaccoonStealer, 5 x CoinMiner)
ssdeep: 12288:ENVBpM3u12NJYBIeKX7oOQS03ULaHNqrxlKIQNocwyCQ7EqdRtI:EriNebOkEaHNYK3Q8Eqd7I
Threatray: 1'972 similar samples on MalwareBazaar
TLSH: T1EBC423E38A5CBB61D38E81F0361E5B4A9A269405BCF47287F391DD41177C2C4E963C9B
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
107.172.191.148:80

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                  ThreatFox Reference
107.172.191.148:80   https://threatfox.abuse.ch/ioc/456118/

Intelligence


File Origin
# of uploads: 1
# of downloads: 232
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a window
Sending a custom TCP request
Creating synchronization primitives
Using the Windows Management Instrumentation requests
Reading critical registry keys
Query of malicious DNS domain
Stealing user critical data
Unauthorized injection to a system process
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: packed racealer
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: RedLine stealer
Verdict: Malicious
Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Connects to a pastebin service (likely for C&C)
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: File Created with System Process Name
Sigma detected: System File Execution Location Anomaly
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Redline Clipper
Yara detected RedLine Stealer
Behaviour
Behavior Graph: (graph image not preserved; the node data recovered from it is listed below)
Behavior Graph ID: 597889
Sample: bvOGvz01O9.exe
Startdate: 28/03/2022
Architecture: WINDOWS
Score: 100

Process tree, with each process's network contacts, dropped files and signatures:

Start (node 2)
  Network: store3.gofile.io; store1.gofile.io; 4 other IPs or domains
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 9 other signatures
  bvOGvz01O9.exe (node 11)
    Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
    AppLaunch.exe (node 16)
      Network: 107.172.191.148, 49762, 80 AS-COLOCROSSINGUS United States; api.ip.sb; cdn.discordapp.com 162.159.134.233, 443, 49785, 49792 CLOUDFLARENETUS United States
      Dropped: C:\Users\user\AppData\Local\Temp\svhost.exe (PE32); C:\Users\user\AppData\Local\Temp\debug.exe (PE32); C:\Users\user\AppData\Local\...\Defender.exe (PE32)
      Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Uses schtasks.exe or at.exe to add and modify task schedules; 2 other signatures
      svhost.exe (node 23)
        Network: rentry.co 107.189.8.5, 443, 49834, 49840 PONYNETUS United States; store1.gofile.io 31.14.70.242, 443, 49835, 49844 LINKER-ASFR Virgin Islands (BRITISH); 3 other IPs or domains
        Dropped: C:\ProgramData\...\RuntimeBroker.exe (PE32)
        Signatures: Antivirus detection for dropped file; Detected unpacking (changes PE section rights); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); 2 other signatures
        cmd.exe (node 32)
          Signatures: Obfuscated command line found; Adds a directory exclusion to Windows Defender
          conhost.exe (node 42)
          chcp.com (node 44)
          powershell.exe (node 46)
          powershell.exe (node 48)
        RuntimeBroker.exe (node 35)
          Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
      Defender.exe (node 28)
        Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Writes to foreign memory regions; 3 other signatures
        AppLaunch.exe (node 37)
          Dropped: C:\Users\user\AppData\Local\cache\MoUSO.exe (PE32)
          schtasks.exe (node 50)
            conhost.exe (node 52)
        conhost.exe (node 40)
      debug.exe (node 30)
    conhost.exe (node 21)
  MoUSO.exe (node 14)
Threat name: Win32.Trojan.Racealer
Status: Malicious
First seen: 2022-03-22 03:16:14 UTC
File Type: PE (Exe)
AV detection: 23 of 26 (88.46%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:@visasuppteam infostealer spyware
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
RedLine
RedLine Payload
Malware Config
C2 Extraction: 107.172.191.148:80
Unpacked files
SHA256 hash: 986005163c022df926a01dba7eeb0e8c502461d02a9d397ff8ee53bb2fece3e9
MD5 hash: 24b1b6a1a54ea5118b79f81db1bd0b09
SHA1 hash: c1e4a57169d3583823a40f071cde642ae5b4e73c

SHA256 hash: 730e7e2d26ae622f4897c759c24f183d26df36d1bff49e118d7fbd4a58c8d686
MD5 hash: 34223fbe56a94e3c1a0b794d39296af5
SHA1 hash: 72e657c436b740469d70d259642a79a4b774d602

SHA256 hash: bc508271ff66cec5515c8527bf4766aac1a0135f093e3f1462074d98ae8fc41f
MD5 hash: 29c2098ac51b57bcd8375efe7151f719
SHA1 hash: 8825abde4f3a1b1e2a65397d0eb8cb827ff1bf45
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: pe_imphash

Rule name: Redline_Stealer_Monitor
Description: Detects RedLine Stealer Variants

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments