MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd846b528e6a12e60880c323105375c7c341101d9b62f6e5f2a35fc94c1d8c19. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 6 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bd846b528e6a12e60880c323105375c7c341101d9b62f6e5f2a35fc94c1d8c19
SHA3-384 hash: b74b11001047ecec14a8c10f30f717775ad1bd99911f0e91b70b1af7677babc06ef7a44fa48790b54fadc7da44c88107
SHA1 hash: 3c23b1adcdd26cfe03195e979b2fafee9448e794
MD5 hash: 665e0b2e45738f990a9c88f170065abc
humanhash: bacon-network-ink-alaska
File name:665e0b2e45738f990a9c88f170065abc
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'269'568 bytes
First seen:2022-03-04 09:34:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1ef5a1609acde7ac4cccff9c67e8fbff (1 x RedLineStealer)
ssdeep 24576:3JTDxOu5rm2fqWo0ZJfR6A/h05nn0GXgTtnYEmR:ZHgu5KZWoeOAuZ0GXgZYEw
Threatray 244 similar samples on MalwareBazaar
TLSH T122453362F3041E8CE37A9EBD955344361D06DC3B971ECD9EC2AE1736BD53D0AC1AA284
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
268
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/247314/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Stealer.lc.2574.11916.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Searching for analyzing tools
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Running batch commands
Launching a process
Query of malicious DNS domain
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a recently created process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0343be91-8361-4633-a9b2-54a29c2cdcfc
Result
Threat name:
BitCoin Miner RedLine SilentXMRMiner
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/950673
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected unpacking (changes PE section rights)
Detected VMProtect packer
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected BitCoin Miner
Yara detected RedLine Stealer
Yara detected SilentXMRMiner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 583154 Sample: ZDVEeAF8Bu Startdate: 04/03/2022 Architecture: WINDOWS Score: 100 60 Multi AV Scanner detection for domain / URL 2->60 62 Found malware configuration 2->62 64 Multi AV Scanner detection for submitted file 2->64 66 6 other signatures 2->66 8 ZDVEeAF8Bu.exe 15 7 2->8         started        13 services32.exe 2->13         started        process3 dnsIp4 46 hannacleld.xyz 5.188.226.246, 49779, 80 GCOREAT Russian Federation 8->46 48 cdn.discordapp.com 162.159.134.233, 443, 49825 CLOUDFLARENETUS United States 8->48 50 2 other IPs or domains 8->50 40 C:\Users\user\AppData\Local\Temp\fl.exe, PE32+ 8->40 dropped 42 C:\Users\user\AppData\...\ZDVEeAF8Bu.exe.log, ASCII 8->42 dropped 74 Detected unpacking (changes PE section rights) 8->74 76 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->76 78 Tries to detect sandboxes and other dynamic analysis tools (window names) 8->78 86 7 other signatures 8->86 15 fl.exe 4 8->15         started        80 Antivirus detection for dropped file 13->80 82 Multi AV Scanner detection for dropped file 13->82 84 Machine Learning detection for dropped file 13->84 file5 signatures6 process7 file8 44 C:\Windows\System32\services32.exe, PE32+ 15->44 dropped 52 Antivirus detection for dropped file 15->52 54 Multi AV Scanner detection for dropped file 15->54 56 Machine Learning detection for dropped file 15->56 58 Adds a directory exclusion to Windows Defender 15->58 19 cmd.exe 1 15->19         started        22 cmd.exe 1 15->22         started        24 cmd.exe 1 15->24         started        signatures9 process10 signatures11 68 Uses schtasks.exe or at.exe to add and modify task schedules 19->68 70 Adds a directory exclusion to Windows Defender 19->70 26 powershell.exe 21 19->26         started        28 conhost.exe 19->28         started        30 powershell.exe 19->30         started        72 Drops executables to the windows directory (C:\Windows) and starts them 22->72 32 conhost.exe 22->32         started        34 services32.exe 22->34         started        36 conhost.exe 24->36         started        38 schtasks.exe 1 24->38         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bd846b528e6a12e60880c323105375c7c341101d9b62f6e5f2a35fc94c1d8c19/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2022-03-04 03:25:51 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
20 of 27 (74.07%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
479e5e3f4b38759f6a9b5f16565ce5e416ca3609f6b138b87ae2ac3740edac5c
RedLineStealer
48176fd5dc0e6fdc6c0319189f298bbd1eec3059b8fe2c58c5d2b18cb9cae756
RedLineStealer
5521e6f534557e3b61b5d9d02b332707f21190d2ee56756308fe36e20e72c4df
RedLineStealer
92658a69d2939c08c0b2e75389b34b787da9c32c38742827f8bd85ccb549efc9
RedLineStealer
b0d747fcff4576bf28d31bc2e7d681c5c08310ef212c96e63b7e60db6d015ec7
RedLineStealer
bef679a7a5813bf427d09590de7d2f483f8607c44172738aaee3760262eb29a8
RedLineStealer
d65fdc8389357ba633919c9a52c6d6ae0568343676be45e33652ad41d665e935
RedLineStealer
f4036a8affaa6f227d3fce3a98b5b9bb752cd434f04587ea4105c58fc96404e2
RedLineStealer
f7708c99c5e08993335b8a6ee65062535d8b2e5298fbecc62a5601817a3d9b2f
RedLineStealer
+ 234 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:@franko_lzt discovery infostealer spyware stealer vmprotect
Link:
https://tria.ge/reports/220304-lkcnyafgek/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
RedLine
RedLine Payload
Malware Config
C2 Extraction:
hannacleld.xyz:80
Unpacked files
SH256 hash:
8f878bf0fc73dfe2958385dd9283342a988c30ef2e2d03ac1007c53448b37a10
MD5 hash:
c037e2967dd7fe145562035e1c5d95e8
SHA1 hash:
d6c811aeeaa4182ea2885fa2e4feabdc3dfa7723
Link:
https://www.unpac.me/results/ada44343-2675-4138-9dda-195b5f89e869/
SH256 hash:
bd846b528e6a12e60880c323105375c7c341101d9b62f6e5f2a35fc94c1d8c19
MD5 hash:
665e0b2e45738f990a9c88f170065abc
SHA1 hash:
3c23b1adcdd26cfe03195e979b2fafee9448e794
Link:
https://www.unpac.me/results/ada44343-2675-4138-9dda-195b5f89e869/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/bd846b528e6a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bd846b528e6a12e60880c323105375c7c341101d9b62f6e5f2a35fc94c1d8c19

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:SUSP_Reversed_Base64_Encoded_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an base64 encoded executable with reversed characters
Reference:Internal Research
Rule name:SUSP_Reversed_Base64_Encoded_EXE_RID3291
Create hunting rule
Author:Florian Roth
Description:Detects an base64 encoded executable with reversed characters
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe bd846b528e6a12e60880c323105375c7c341101d9b62f6e5f2a35fc94c1d8c19

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/247314/
  
URLhaus
https://urlhaus.abuse.ch/url/2075649/

Comments


Avatar
zbet commented on 2022-03-04 09:34:28 UTC

url : hxxp://79.133.56.44/myblog/img/129.exe