MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf89b4a3ed5662649d245f4e21ec171f8c7c14b4156040443d2d580f6d9fb6f6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 11



SHA256 hash: bf89b4a3ed5662649d245f4e21ec171f8c7c14b4156040443d2d580f6d9fb6f6
SHA3-384 hash: 0432150870e9e1e5e3c98641a1b1b3646f6faf4d39474ed03246a28d5673fa7e0014c75a51d04c569c25184bf415a55f
SHA1 hash: 3b68dc28e3f52e9c14d3d858f492328260e03d38
MD5 hash: dbc3444b430d10b8ded18b89bf07ffc8
humanhash: nineteen-july-carolina-william
File name: bf89b4a3ed5662649d245f4e21ec171f8c7c14b415604.exe
Download: download sample
Signature: RedLineStealer
File size: 3'557'888 bytes
First seen: 2022-01-13 21:26:29 UTC
Last seen: 2022-01-13 23:16:06 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: c284fa365c4442728ac859c0f9ed4dc5 (94 x RedLineStealer, 10 x RaccoonStealer, 8 x CoinMiner)
ssdeep: 49152:1YK9f/jrhELPcPvpwpa5DSdAYTkeXt/e3+AgAWNjnhxsL+LqEQX/wXmboqcR159R:X9XWLP7a5+qYtJpAWpno++c2bfiGOD
Threatray: 925 similar samples on MalwareBazaar
TLSH: T144F533321758EB0DC22F26F449473817E5890192E3FD31F3AFB6642AE6750B6DBE5188
Reporter: @abuse_ch
Tags: exe RedLineStealer


Twitter
@abuse_ch
RedLineStealer C2:
2.56.56.131:81

Intelligence


File Origin
# of uploads :
2
# of downloads :
319
Origin country :
US
Mail intelligence
No data
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
bf89b4a3ed5662649d245f4e21ec171f8c7c14b415604.exe
Verdict:
Malicious activity
Analysis date:
2022-01-13 21:31:42 UTC
Tags:
trojan rat redline

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
DNS request
Creating synchronization primitives
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Malware family:
Generic Malware
Verdict:
Malicious
Result
Threat name:
RedLine
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Encrypted powershell cmdline option found
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Potential dropper URLs found in powershell memory
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph (ID: 552919; Sample: bf89b4a3ed5662649d245f4e21e...; Start date: 13/01/2022; Architecture: WINDOWS; Score: 100)

Sample-level DNS/IP: stratum-ravencoin.flypool.org; 636f99c9511e45f08e5601b5ca39b470.pacloudflare.com
Sample-level signatures: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected RedLine Stealer; 4 other signatures

Process tree (indentation shows parent/child, as drawn in the graph):
bf89b4a3ed5662649d245f4e21ec171f8c7c14b415604.exe
  signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
  AppLaunch.exe
    network: 2.56.56.131, 49759, 81 (GBTCLOUDUS, Netherlands); github.com 140.82.121.4, 443, 49766 (GITHUBUS, United States); 2 other IPs or domains
    dropped: C:\Users\user\AppData\Local\Temp\build.exe (PE32+)
    signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
    build.exe
      dropped: C:\Users\user\AppData\Roaming\ghjrytoi.exe (PE32+)
      signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file
      cmd.exe
        ghjrytoi.exe
          dropped: C:\Users\user\AppData\...\sihost64.exe (PE32+); C:\Users\user\AppData\Roaming\...\WR64.sys (PE32+)
          sihost64.exe
            signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file
          cmd.exe
            signatures: Encrypted powershell cmdline option found
            conhost.exe
            powershell.exe
            powershell.exe
        conhost.exe
      cmd.exe
        signatures: Encrypted powershell cmdline option found; Uses schtasks.exe or at.exe to add and modify task schedules
        powershell.exe
        conhost.exe
        powershell.exe
      cmd.exe
        conhost.exe
        schtasks.exe
  WerFault.exe
    network: 192.168.2.1 (unknown)
ghjrytoi.exe
  signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file
  cmd.exe
    signatures: Encrypted powershell cmdline option found
    conhost.exe
    powershell.exe
    powershell.exe
Threat name:
Win32.Trojan.Generic
Status:
Suspicious
First seen:
2022-01-13 21:27:26 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Unpacked files
SHA256 hash:
73d3f6222e1d61e12b63d5346330e3b62d1d3968ee0ddc4ec0e590ac94842bbf
MD5 hash:
e2791904ee1ec7d49046446fadb3d8fa
SHA1 hash:
f46a6e48c9d41cae6b0e8942b2233bcb138a4706
SHA256 hash:
bf89b4a3ed5662649d245f4e21ec171f8c7c14b4156040443d2d580f6d9fb6f6
MD5 hash:
dbc3444b430d10b8ded18b89bf07ffc8
SHA1 hash:
3b68dc28e3f52e9c14d3d858f492328260e03d38

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. Those are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:WHITE rules are displayed.

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
2.56.56.131:81 | https://threatfox.abuse.ch/ioc/294753

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments