MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf0b6e7c79d0507e85ebad255973e90fa1ee1b6ae2eb408c4866aeb9322a9e5c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 8

SHA256 hash: bf0b6e7c79d0507e85ebad255973e90fa1ee1b6ae2eb408c4866aeb9322a9e5c
SHA3-384 hash: 86572eb2df9a6d1ae8ccd6e4ea03c29b17a2da783ebb3ffbe1c0d36d038cacba1d0ff2b77f86c0059f758e24de15a2c4
SHA1 hash: 7fb5c8773210dd2f4c3ad1c32c94ae49fc5b0fe4
MD5 hash: 3c9ce581ee50de2ca3ad5f73b5666424
humanhash: carolina-colorado-xray-twenty
File name: 3c9ce581ee50de2ca3ad5f73b5666424
Signature: RedLineStealer
File size: 10'177'536 bytes
First seen: 2021-07-26 23:11:05 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 69 x LummaStealer, 61 x Rhadamanthys)
ssdeep: 196608:Dl1mUx80SPa4QDb7v0k/r9ZtLjT31NMHBaRpxBfU0/EZb7S/1E:7s0T4ys4DJTFqH6f3mb7
Threatray: 1'384 similar samples on MalwareBazaar
TLSH: T182A6331FD6EC95E1CC3807B5AADFD3F7976A3021AB0945D702CEE62D2B221C4142B6D9
dhash icon: f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter: zbetcheckin
Tags: exe RedLineStealer

Intelligence

File Origin
# of uploads: 1
# of downloads: 119
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 3c9ce581ee50de2ca3ad5f73b5666424
Verdict: No threats detected
Analysis date: 2021-07-26 23:17:49 UTC
Tags: n/a
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Deleting a recently created file
Searching for analyzing tools
Searching for the window
Connection attempt to an infection source
Creating a window
Using the Windows Management Instrumentation requests
Creating a file
Launching a process
Forced system process termination
DNS request
Connection attempt
Sending a custom TCP request
Reading critical registry keys
Creating a file in the Windows subdirectories
Launching the process to interact with network services
Modifying a system file
Query of malicious DNS domain
Stealing user critical data
Downloading the file
Sending an HTTP POST request to an infection source
Result
Verdict: UNKNOWN
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: SERVHELPER RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Adds a new user with administrator rights
Bypasses PowerShell execution policy
Contains functionality to start a terminal service
Creates a Windows Service pointing to an executable in C:\Windows
Detected SERVHELPER
Detected unpacking (changes PE section rights)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Powershell drops PE file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Hurricane Panda Activity
Sigma detected: Suspicious Csc.exe Source File Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Yara detected Costura Assembly Loader
Yara detected Powershell download and execute
Yara detected RedLine Stealer
Behaviour
Behavior Graph ID: 454464; Sample: lrN1WnbxDc; Start date: 27/07/2021; Architecture: WINDOWS; Score: 100
Top-level signatures: Multi AV Scanner detection for submitted file; Yara detected RedLine Stealer; Yara detected Powershell download and execute; 11 other signatures
Contacted hosts: raw.githubusercontent.com; aasouv636d.cn; verecalina.xyz (141.136.0.96, ports 49742, 49756, 49759, NANO-ASLV, Latvia; contacted by redline_.exe); api.ip.sb (contacted by redline_.exe)

Process tree reconstructed from the graph (nodes the page collapsed as "N other processes" are kept as such; signatures shown in brackets):
lrN1WnbxDc.exe
  dropped: C:\Users\user\AppData\Local\...\redline_.exe (PE32); C:\Users\user\AppData\Local\...\clr_soft.exe (PE32+)
  cmd.exe [Adds a new user with administrator rights]
    clr_soft.exe [Machine Learning detection for dropped file; Bypasses PowerShell execution policy; Queries memory information (via WMI often done to detect virtual machines); Tries to detect virtualization through RDTSC time measurements]
      powershell.exe [Detected SERVHELPER; Uses cmd line tools excessively to alter registry or file data; Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes); 2 other signatures]
        dropped: C:\Windows\Branding\mediasvc.png (PE32+); C:\Windows\Branding\mediasrv.png (PE32+); C:\Users\user\AppData\...\fqsvq3e5.cmdline (UTF-8)
        reg.exe [Creates a Windows Service pointing to an executable in C:\Windows]
        cmd.exe > cmd.exe > net.exe > net1.exe
        cmd.exe > cmd.exe > net.exe > net1.exe
        8 other processes (dropped: C:\Users\user\AppData\Local\...\fqsvq3e5.dll (PE32)): cvtres.exe; conhost.exe; conhost.exe; 2 other processes
    redline_.exe [Detected unpacking (changes PE section rights); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Query firmware table information (likely to detect VMs); 7 other signatures]
      dropped: C:\Users\user\AppData\...\redline_.exe.log (ASCII)
      network: verecalina.xyz; api.ip.sb
      conhost.exe
    conhost.exe
cmd.exe [Adds a new user with administrator rights]
  conhost.exe
  net.exe
cmd.exe
  net.exe > net1.exe
  conhost.exe
5 other processes
  net.exe > net1.exe
  net.exe > net1.exe
  net.exe > net1.exe
  3 other processes
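The net.exe/net1.exe chains, the reg.exe service registration pointing at a ".png" under C:\Windows\Branding, and the csc.exe compile from the user's temp folder are the behaviours in the tree above that a detection engineer would hunt for first. What follows is an added example, not MalwareBazaar's code and not any sandbox vendor's signature logic: a small Python hunt over constructed Sysmon-style process-creation events shaped after the tree. Every command line, the user name svcadm, the service name mediasvc and the PIDs are assumptions; only the image names and dropped-file paths come from the graph.

```python
"""Added example (not MalwareBazaar's or any vendor's code): a process-creation
hunt for three behaviours reported for this sample, run over constructed
Sysmon-style events. Command lines, user/service names and PIDs are
assumptions modelled on the behaviour graph, not captured telemetry."""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str     # path of the created process
    cmdline: str   # command line as logged


# Constructed events (assumption): cmd.exe -> net.exe -> net1.exe creates a user
# and adds it to Administrators; reg.exe registers a service whose ImagePath is
# a ".png" in C:\Windows\Branding; csc.exe compiles a .cmdline response file from
# %LOCALAPPDATA%\Temp. Two benign events are included so the checks can be seen
# not firing on ordinary administration.
EVENTS: List[ProcEvent] = [
    ProcEvent(1300, 1000, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c net user svcadm P@ssw0rd /add"),
    ProcEvent(1310, 1300, r"C:\Windows\System32\net.exe", r"net user svcadm P@ssw0rd /add"),
    ProcEvent(1311, 1310, r"C:\Windows\System32\net1.exe", r"C:\Windows\system32\net1 user svcadm P@ssw0rd /add"),
    ProcEvent(1320, 1000, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c net localgroup administrators svcadm /add"),
    ProcEvent(1321, 1320, r"C:\Windows\System32\net.exe", r"net localgroup administrators svcadm /add"),
    ProcEvent(1322, 1321, r"C:\Windows\System32\net1.exe", r"C:\Windows\system32\net1 localgroup administrators svcadm /add"),
    ProcEvent(4200, 5900, r"C:\Windows\System32\reg.exe",
              r'reg add "HKLM\SYSTEM\CurrentControlSet\Services\mediasvc" '
              r'/v ImagePath /t REG_EXPAND_SZ /d "C:\Windows\Branding\mediasvc.png" /f'),
    ProcEvent(7200, 5900, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
              r'csc.exe /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\fqsvq3e5\fqsvq3e5.cmdline"'),
    # benign noise: a real service image and a plain group listing
    ProcEvent(8000, 1000, r"C:\Windows\System32\reg.exe",
              r'reg add "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" '
              r'/v ImagePath /t REG_EXPAND_SZ /d "C:\Windows\System32\spoolsv.exe" /f'),
    ProcEvent(8100, 1000, r"C:\Windows\System32\net.exe", r"net localgroup administrators"),
]

# net/net1 user creation (password optional) and Administrators membership grant
NET_USER_ADD = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+(\S+)(?:\s+\S+)?\s+/add\b", re.I)
NET_ADMIN_ADD = re.compile(r"\bnet1?(?:\.exe)?\s+localgroup\s+administrators\s+(\S+)\s+/add\b", re.I)
# service name from the registry key and the /d data argument of reg add
SERVICE_KEY = re.compile(r'\\services\\([^\\"\s]+)', re.I)
REG_DATA = re.compile(r'/d\s+(?:"([^"]+)"|(\S+))', re.I)
# csc.exe source/response files living under AppData or any Temp folder
TEMP_SOURCE = re.compile(r"\\(?:AppData|Temp)\\", re.I)
SERVICE_EXEC_EXT = {".exe", ".sys"}


def new_admin_users(events: List[ProcEvent]) -> List[str]:
    """Accounts both created with `net user ... /add` and added to Administrators."""
    created = {m.group(1).lower() for e in events if (m := NET_USER_ADD.search(e.cmdline))}
    elevated = {m.group(1).lower() for e in events if (m := NET_ADMIN_ADD.search(e.cmdline))}
    return sorted(created & elevated)


def suspicious_service_images(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """(service, binary) for reg.exe ImagePath writes whose binary sits under the
    Windows directory but lacks a service-executable extension (.exe/.sys)."""
    hits = []
    for e in events:
        if ntpath.basename(e.image).lower() != "reg.exe" or "imagepath" not in e.cmdline.lower():
            continue
        key, data = SERVICE_KEY.search(e.cmdline), REG_DATA.search(e.cmdline)
        if not key or not data:
            continue
        # first token of the data is the binary; arguments such as "-k netsvcs" follow it
        binary = (data.group(1) or data.group(2)).strip('"').split(" ")[0]
        ext = ntpath.splitext(binary)[1].lower()
        if binary.lower().startswith("c:\\windows\\") and ext not in SERVICE_EXEC_EXT:
            hits.append((key.group(1), binary))
    return hits


def csc_from_user_temp(events: List[ProcEvent]) -> List[int]:
    """PIDs of csc.exe runs whose source or response file lives under AppData/Temp."""
    return [e.pid for e in events
            if ntpath.basename(e.image).lower() == "csc.exe" and TEMP_SOURCE.search(e.cmdline)]


def hunt(events: List[ProcEvent]) -> List[str]:
    findings = [f"new local user granted Administrators membership: {u}" for u in new_admin_users(events)]
    findings += [f"service {svc} ImagePath has a non-executable extension: {path}"
                 for svc, path in suspicious_service_images(events)]
    findings += [f"csc.exe pid {pid} compiling from a user temp folder" for pid in csc_from_user_temp(events)]
    return findings


if __name__ == "__main__":
    for line in hunt(EVENTS):
        print(line)
```

The three checks line up with the "Adds a new user with administrator rights", "Creates a Windows Service pointing to an executable in C:\Windows" and "Sigma detected: Suspicious Csc.exe Source File Folder" signatures above. Keying the service check on the extension rather than the file name also catches the mediasrv.png twin; on non-English hosts the group name in NET_ADMIN_ADD needs the localized spellings (Administratoren, Administrateurs) added.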
Threat name: ByteCode-MSIL.Infostealer.Reline
Status: Malicious
First seen: 2021-07-26 23:12:07 UTC
AV detection: 15 of 46 (32.61%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline discovery evasion infostealer persistence spyware stealer themida trojan
Behaviour
Modifies system certificate store
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RedLine
RedLine Payload
Unpacked files
SHA256 hash: bf0b6e7c79d0507e85ebad255973e90fa1ee1b6ae2eb408c4866aeb9322a9e5c
MD5 hash: 3c9ce581ee50de2ca3ad5f73b5666424
SHA1 hash: 7fb5c8773210dd2f4c3ad1c32c94ae49fc5b0fe4
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time
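The rule above keys on a single PE header field. As an added example (mine, not the YARA rule's source, which is ditekSHen's, and not MalwareBazaar's code): the same check in Python, reading the COFF TimeDateStamp through e_lfanew and flagging it when it lies after a supplied clock. The headers it parses are constructed by build_header and are not bytes of this sample, whose actual TimeDateStamp value the page does not show.

```python
"""Added example, not the YARA rule's source and not MalwareBazaar's code:
the rule's core check in Python. pe_timestamp() reads the COFF TimeDateStamp
via e_lfanew; timestamp_in_future() compares it with a clock. build_header()
constructs minimal MZ/PE headers for testing (assumption: not real binaries)."""
import struct
import time
from typing import Optional

PE_SIGNATURE = b"PE\0\0"
# Machine(2) NumberOfSections(2) TimeDateStamp(4) PointerToSymbolTable(4)
# NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
COFF_HEADER_LEN = 20


def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since the Unix epoch) of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    end = e_lfanew + len(PE_SIGNATURE) + COFF_HEADER_LEN
    if end > len(data) or data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found at e_lfanew")
    # TimeDateStamp is the third COFF field, after Machine (2) and NumberOfSections (2)
    return struct.unpack_from("<I", data, e_lfanew + 4 + 4)[0]


def timestamp_in_future(data: bytes, now: Optional[int] = None, slack: int = 0) -> bool:
    """True when the image claims to have been linked later than `now` plus `slack` seconds."""
    now = int(time.time()) if now is None else now
    return pe_timestamp(data) > now + slack


def build_header(timestamp: int) -> bytes:
    """Constructed test input (assumption, not a real binary): a 64-byte DOS header
    with e_lfanew = 0x40, then the PE signature and a COFF header carrying `timestamp`."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x014C, 1, timestamp & 0xFFFFFFFF, 0, 0, 0, 0x0102)
    return bytes(dos) + PE_SIGNATURE + coff


if __name__ == "__main__":
    clock = int(time.time())
    for label, stamp in (("plausible", clock - 7 * 86400), ("in the future", clock + 365 * 86400)):
        print(label, "->", "flag" if timestamp_in_future(build_header(stamp), now=clock) else "ok")
```

On a real file call `timestamp_in_future(open(path, "rb").read(), slack=3600)`; the slack absorbs clock skew between the build machine and the scanner. One caveat matters for a sample classified as ByteCode-MSIL like this one: .NET assemblies built with Roslyn's deterministic mode store a content hash in TimeDateStamp rather than a time, so a far-future stamp on a managed binary is weaker evidence of deliberate stomping than the same value on a native PE.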

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (Distributed via web download)
Signature: RedLineStealer
File: Executable exe bf0b6e7c79d0507e85ebad255973e90fa1ee1b6ae2eb408c4866aeb9322a9e5c (this sample)

Comments



zbet commented on 2021-07-26 23:11:06 UTC

url: hxxp://37.0.11.8/USA/skla.exe