MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 be2d3b6889b9ca8882be65aff3224179df54c0599b2fad90bdb55e211024472e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: be2d3b6889b9ca8882be65aff3224179df54c0599b2fad90bdb55e211024472e
SHA3-384 hash: 89a24865a9a8c8c63acf2a0a8de7c057bf0fee3d6fca173dbe4c38832710f22a680d15ce1c1b69047992e21ac98d6cab
SHA1 hash: 9bbc377eeb1f58002cfea817f78efa91b16e85ec
MD5 hash: 2a96b4fac36efb0df7930f7fe19b9b6a
humanhash: potato-carbon-nine-colorado
File name:2A96B4FAC36EFB0DF7930F7FE19B9B6A.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:316'416 bytes
First seen:2021-08-09 21:05:37 UTC
Last seen:2021-08-09 21:38:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 3072:nJJh6BbCqA4w//xQwRti4LT8yf6905sd1MvfN2FjGVr51VXNmfV8XBJ3dAQ:fkXAD2qDLKDyfN2ZgrTV9mfVSXdA
Threatray 1'072 similar samples on MalwareBazaar
TLSH T13C64BF89B61C799FC75BD5718EA45CA4BB503C3A1B0BD24FA053369D9A3C487CF311A2
dhash icon 4810707161701068 (3 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
80.89.229.97:7479

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
80.89.229.97:7479 https://threatfox.abuse.ch/ioc/166340/

Intelligence

File Origin
# of uploads :
2
# of downloads :
149
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
baloney.exe
Verdict:
Malicious activity
Analysis date:
2021-08-04 13:09:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e49c00e4-afad-4fa7-8247-a055dbed5a1f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/177765/
Detection(s):
SecuriteInfo.com.Trojan.Siggen14.56030.29646.26799.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the Windows subdirectories
Launching a process
Creating a file
Running batch commands
Creating a window
Connection attempt
Sending an HTTP POST request
Using the Windows Management Instrumentation requests
DNS request
Sending a custom TCP request
Deleting a recently created file
Reading critical registry keys
Creating a process with a hidden window
Creating a file in the system32 directory
Sending a UDP request
Creating a file in the system32 subdirectories
Unauthorized injection to a recently created process
Stealing user critical data
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f129aeac-3b1d-4179-9ee8-35bc4464d1bb
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/829722
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 462150 Sample: xab1f1cjw4.exe Startdate: 09/08/2021 Architecture: WINDOWS Score: 100 130 Multi AV Scanner detection for dropped file 2->130 132 Multi AV Scanner detection for submitted file 2->132 134 Yara detected RedLine Stealer 2->134 136 5 other signatures 2->136 11 xab1f1cjw4.exe 3 7 2->11         started        14 services32.exe 2->14         started        process3 file4 92 C:\Users\user\AppData\...\XVisualStudio.exe, PE32 11->92 dropped 94 C:\Users\user\AppData\...\WindowsDefender.exe, PE32+ 11->94 dropped 96 C:\Users\user\AppData\...\xab1f1cjw4.exe.log, ASCII 11->96 dropped 17 WindowsDefender.exe 5 11->17         started        20 XVisualStudio.exe 15 33 11->20         started        23 notepad.exe 11->23         started        140 Multi AV Scanner detection for dropped file 14->140 142 Adds a directory exclusion to Windows Defender 14->142 25 cmd.exe 14->25         started        27 cmd.exe 14->27         started        signatures5 process6 dnsIp7 110 Antivirus detection for dropped file 17->110 112 Multi AV Scanner detection for dropped file 17->112 114 Adds a directory exclusion to Windows Defender 17->114 29 cmd.exe 17->29         started        31 cmd.exe 1 17->31         started        100 80.89.229.97, 49740, 49744, 7479 ON-LINE-DATAServerlocation-NetherlandsDrontenNL Netherlands 20->100 102 api.ip.sb 20->102 116 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 20->116 118 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 20->118 120 Tries to harvest and steal browser information (history, passwords, etc) 20->120 122 Tries to steal Crypto Currency Wallets 20->122 34 conhost.exe 20->34         started        36 svchost32.exe 25->36         started        40 conhost.exe 25->40         started        42 conhost.exe 27->42         started        44 powershell.exe 27->44         started        46 powershell.exe 27->46         started        signatures8 process9 dnsIp10 48 svchost32.exe 29->48         started        52 conhost.exe 29->52         started        146 Uses schtasks.exe or at.exe to add and modify task schedules 31->146 148 Adds a directory exclusion to Windows Defender 31->148 54 powershell.exe 23 31->54         started        56 conhost.exe 31->56         started        58 powershell.exe 31->58         started        104 sanctam.net 185.65.135.248, 49745, 58899 ESAB-ASSE Sweden 36->104 106 bitbucket.org 104.192.141.1, 443, 49746 AMAZON-02US United States 36->106 90 C:\Windows\System32\...\sihost32.exe, PE32+ 36->90 dropped 150 Drops executables to the windows directory (C:\Windows) and starts them 36->150 file11 signatures12 process13 file14 88 C:\Windows\System32\services32.exe, PE32+ 48->88 dropped 124 Antivirus detection for dropped file 48->124 126 Multi AV Scanner detection for dropped file 48->126 128 Drops executables to the windows directory (C:\Windows) and starts them 48->128 60 services32.exe 48->60         started        65 cmd.exe 48->65         started        67 cmd.exe 48->67         started        signatures15 process16 dnsIp17 108 192.168.2.1 unknown unknown 60->108 98 C:\Users\user\AppData\Local\...\svchost32.exe, PE32+ 60->98 dropped 144 Adds a directory exclusion to Windows Defender 60->144 69 cmd.exe 60->69         started        72 cmd.exe 60->72         started        74 conhost.exe 65->74         started        76 schtasks.exe 65->76         started        78 conhost.exe 67->78         started        80 choice.exe 67->80         started        file18 signatures19 process20 signatures21 138 Adds a directory exclusion to Windows Defender 69->138 82 conhost.exe 69->82         started        84 powershell.exe 69->84         started        86 conhost.exe 72->86         started        process22
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/be2d3b6889b9ca8882be65aff3224179df54c0599b2fad90bdb55e211024472e/
Threat name:
ByteCode-MSIL.Trojan.Cryptos
Create hunting rule
Status:
Malicious
First seen:
2021-08-05 00:49:48 UTC
AV detection:
15 of 46 (32.61%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xywtw2ejxhfirav6mwx7gisbphpvjqcztmx23ef5wvpccebei4xa._file
Verdict:
malicious
Similar samples:
035746e04151155cd17968d895bc7ec8d03f2b50c26e569102999d39bd1dd179
RedLineStealer
05f8f63c8d350131b7d462363a1f69e73964604e5db4ce982f81a6db4c871faa
RedLineStealer
2040517dac0b553d4a589bb8c14ca4329022e0ce5e5d0ef0f2c08a2deb10fb5b
RedLineStealer
215fe6cb15f087bb8c0b5e33437317cb94bd8902bd3027aeadcda78329518441
RedLineStealer
4c92945b41865ea662871ee5268fe3dfc6bc1a5c6b9ed80ba53e95277ebcef51
RedLineStealer
89c9046a348ed0ab75a03129ec74c7eacf1f3c6f5053ffbbcc81428bc250d601
RedLineStealer
a9413d0e72606171e933d573c31949d552662e4bb62461b12840ab6c8e008c6e
RedLineStealer
b8338eda2c7390860da3bd4a37104b409235131406d9b4d30a78b5d4189cf317
RedLineStealer
c44f4f19f854e3a7312d262f8225024d3eb235fc580f4175ab923a4acd0231ff
RedLineStealer
d75cee4ea85555892eb1a911e13bd1bb866042e0dc38d3e83ab3b251fc7d7c5d
RedLineStealer
+ 1'062 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:@dashyknight discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210809-53nbnzkvte/
Behaviour
Creates scheduled task(s)
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
RedLine
RedLine Payload
Malware Config
C2 Extraction:
80.89.229.97:7479
Unpacked files
SH256 hash:
4396193acc868eca8d73fec6d327b1f3ba7aefb63eddd08eb107bb9cd8ed568f
MD5 hash:
6df9ac4b4966b0873341516be88a928d
SHA1 hash:
787e27f2b663c0b96ba1d5625d639c600c3d22c5
Link:
https://www.unpac.me/results/b750093f-ab5b-41c6-827c-e9b75503c40a/
SH256 hash:
639824ecfdb0f6c8fdc7589d80c01a435400b6118735165c503714615f8dd6cd
MD5 hash:
044ea4b85761fdb858ac6dc759aa9b48
SHA1 hash:
041f98726799deef358e8f6f2b22c7604f981b09
Link:
https://www.unpac.me/results/b750093f-ab5b-41c6-827c-e9b75503c40a/
SH256 hash:
be2d3b6889b9ca8882be65aff3224179df54c0599b2fad90bdb55e211024472e
MD5 hash:
2a96b4fac36efb0df7930f7fe19b9b6a
SHA1 hash:
9bbc377eeb1f58002cfea817f78efa91b16e85ec
Link:
https://www.unpac.me/results/b750093f-ab5b-41c6-827c-e9b75503c40a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/be2d3b6889b9ca8882be65aff3224179df54c0599b2fad90bdb55e211024472e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/177765/

Comments