MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 be1b5944f22b04374338b38f5abb922a0ea51a01305e2fdf5ef6c34a3dc026a5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: be1b5944f22b04374338b38f5abb922a0ea51a01305e2fdf5ef6c34a3dc026a5
SHA3-384 hash: 4fe9c7798b2803fc1fbcc311b01907238e62a846426c19cd520801282a367ee431bd16cd665df6022c7629411b2c2420
SHA1 hash: 1db64b8b094a80b1f883548075ddd231b3b62919
MD5 hash: 464dbd22a765addf4236976b72c3a055
humanhash: gee-california-cup-hotel
File name:464dbd22a765addf4236976b72c3a055.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'847'560 bytes
First seen:2022-04-15 15:35:48 UTC
Last seen:2022-04-20 10:22:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5a498eee87e4d89512a84502f500181f (138 x AveMariaRAT, 57 x RedLineStealer, 7 x CoinMiner)
ssdeep 49152:+xDxT29Cf5EpYvntLVEbeVonOkZK1bF3lRm8vhFNS:Mf5EAn3EbeVoUbTRo
Threatray 690 similar samples on MalwareBazaar
TLSH T11E85BED38752010AE0AAB07A901E6D2D71B6063147CFFC77BB8CAAF5A31B2D0555EB53
TrID 32.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
28.9% (.EXE) Win32 Executable (generic) (4505/5/1)
13.0% (.EXE) OS/2 Executable (generic) (2029/13)
12.8% (.EXE) Generic Win/DOS Executable (2002/3)
12.8% (.EXE) DOS Executable Generic (2000/1)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
185.189.167.123:37360

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.189.167.123:37360 https://threatfox.abuse.ch/ioc/520213/

Intelligence

File Origin
# of uploads :
2
# of downloads :
367
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
464dbd22a765addf4236976b72c3a055.exe
Verdict:
Malicious activity
Analysis date:
2022-04-15 15:37:50 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/cf7ca596-982c-4e16-ad83-742d354b8955

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/264005/
Detection(s):
Win.Packed.Lazy-9943719-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Sending a custom TCP request
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Running batch commands
Stealing user critical data
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/13979/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/625990e3ffe27d5119dbe474/reports/bc19a8eb-6e5c-4e75-92c5-b5fbc1c67a02/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7dff1922-5f34-422f-9086-d00488f9ca56
Result
Threat name:
BitCoin Miner RedLine SilentXMRMiner
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/977459
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Detected VMProtect packer
Drops executables to the windows directory (C:\Windows) and starts them
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected RedLine Stealer
Yara detected SilentXMRMiner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 609946 Sample: ChuS86YDQv.exe Startdate: 15/04/2022 Architecture: WINDOWS Score: 100 79 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->79 81 Malicious sample detected (through community Yara rule) 2->81 83 Multi AV Scanner detection for submitted file 2->83 85 6 other signatures 2->85 11 ChuS86YDQv.exe 1 2->11         started        14 services32.exe 2 2->14         started        process3 signatures4 119 Writes to foreign memory regions 11->119 121 Allocates memory in foreign processes 11->121 123 Injects a PE file into a foreign processes 11->123 16 AppLaunch.exe 15 7 11->16         started        21 conhost.exe 11->21         started        125 Antivirus detection for dropped file 14->125 127 Multi AV Scanner detection for dropped file 14->127 129 Machine Learning detection for dropped file 14->129 131 Adds a directory exclusion to Windows Defender 14->131 23 cmd.exe 14->23         started        process5 dnsIp6 75 185.189.167.123, 37360, 49722 SELECTELRU Russian Federation 16->75 77 dl.uploadgram.me 176.9.247.226, 443, 49725 HETZNER-ASDE Germany 16->77 69 C:\Users\user\AppData\Local\Temp\fl.exe, PE32+ 16->69 dropped 87 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 16->87 89 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 16->89 91 Tries to harvest and steal browser information (history, passwords, etc) 16->91 93 Tries to steal Crypto Currency Wallets 16->93 25 fl.exe 4 16->25         started        95 Adds a directory exclusion to Windows Defender 23->95 29 conhost.exe 23->29         started        31 powershell.exe 23->31         started        33 powershell.exe 23->33         started        file7 signatures8 process9 file10 71 C:\Windows\System32\services32.exe, PE32+ 25->71 dropped 103 Antivirus detection for dropped file 25->103 105 Multi AV Scanner detection for dropped file 25->105 107 Machine Learning detection for dropped file 25->107 109 Adds a directory exclusion to Windows Defender 25->109 35 cmd.exe 25->35         started        38 cmd.exe 1 25->38         started        40 cmd.exe 1 25->40         started        signatures11 process12 signatures13 97 Drops executables to the windows directory (C:\Windows) and starts them 35->97 42 services32.exe 35->42         started        46 conhost.exe 35->46         started        99 Uses schtasks.exe or at.exe to add and modify task schedules 38->99 101 Adds a directory exclusion to Windows Defender 38->101 48 powershell.exe 23 38->48         started        50 conhost.exe 38->50         started        52 powershell.exe 38->52         started        54 conhost.exe 40->54         started        56 schtasks.exe 1 40->56         started        process14 file15 73 C:\Windows\System32\...\sihost32.exe, PE32+ 42->73 dropped 133 Drops executables to the windows directory (C:\Windows) and starts them 42->133 135 Adds a directory exclusion to Windows Defender 42->135 58 sihost32.exe 42->58         started        61 cmd.exe 42->61         started        signatures16 process17 signatures18 111 Antivirus detection for dropped file 58->111 113 Multi AV Scanner detection for dropped file 58->113 115 Machine Learning detection for dropped file 58->115 117 Adds a directory exclusion to Windows Defender 61->117 63 conhost.exe 61->63         started        65 powershell.exe 61->65         started        67 powershell.exe 61->67         started        process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/be1b5944f22b04374338b38f5abb922a0ea51a01305e2fdf5ef6c34a3dc026a5/
Threat name:
Win32.Trojan.Lazy
Create hunting rule
Status:
Malicious
First seen:
2022-04-11 20:36:21 UTC
File Type:
PE (Exe)
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xynvsrhsfmcdoqzywohvvo4sfihkkgqbgbpc7x2663buupoae2sq._file
Verdict:
malicious
Similar samples:
0d406e492d0879dc501507c610332d8db948b5d8e2df05822cf74710f4063bbd
RedLineStealer
10ebaf2bf7ab361a6830a43e0c5f292c08c29d76866d499b3a91a547e8af5683
RedLineStealer
25cd127b9d559d6754269ecc116d35be66aca027640bcd71a836567c32b946c5
RedLineStealer
31766eecb30b54ce96546c75d37a133ee490b808e71b99c59b2e0cf703a27553
RedLineStealer
38cfb802b835e2f9129680bbcbe93248ad21659931b8230e9c2109b3b496a873
RedLineStealer
89ed0d6aa2b4dc137a6708847ca6e2504f52e23f1dfc6dd6057797610e7271d7
RedLineStealer
a6c03e7b69ffe6152468171e8669db1915efc0f225449dd2278f0c7e40e15ee2
RedLineStealer
b1a17ddd1eb03c2b95aa8f911f317ea0d7f4e89e7f4209242fc720c5a9e6d399
RedLineStealer
ef5200354d6df2685d659f47b6f98d53bb767f3b98f8622c2ee2061307ad8892
RedLineStealer
f3be41b2bc5802f2f66b6a88aff430c04fbf8f08c2e7cf1a0f23dd464138630f
RedLineStealer
+ 680 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:@purple_dxxd infostealer spyware vmprotect
Link:
https://tria.ge/reports/220415-s1wv3sahh5/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks computer location settings
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
RedLine
RedLine Payload
Malware Config
C2 Extraction:
185.189.167.123:37360
Unpacked files
SH256 hash:
ca12cd60ddeecafd3c078dc06a5c490dd980164e449c28dde04e630bbacd8cd7
MD5 hash:
d25462cb8025fe87b12d575dd3f1d2ea
SHA1 hash:
10684f785db5105ab7dae4b2b82ca8cac087bcfa
Link:
https://www.unpac.me/results/b6ecd3f0-17ce-4360-b483-6e061aa207bc/
SH256 hash:
be1b5944f22b04374338b38f5abb922a0ea51a01305e2fdf5ef6c34a3dc026a5
MD5 hash:
464dbd22a765addf4236976b72c3a055
SHA1 hash:
1db64b8b094a80b1f883548075ddd231b3b62919
Link:
https://www.unpac.me/results/b6ecd3f0-17ce-4360-b483-6e061aa207bc/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/be1b5944f22b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.05
Link:
https://yomi.yoroi.company/submissions/be1b5944f22b04374338b38f5abb922a0ea51a01305e2fdf5ef6c34a3dc026a5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Redline_Stealer_Monitor
Create hunting rule
Description:Detects RedLine Stealer Variants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/264005/

Comments