MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c31d6090687230bebcc417d6827c9f5df5cdd1be6fe3678252fee9a176f540a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c31d6090687230bebcc417d6827c9f5df5cdd1be6fe3678252fee9a176f540a1
SHA3-384 hash: 9010c620a81bc3edc61e6f1b92a9d76913fff9970396817350c2449dd082445cca73ea0dd919bda325bfef7ba26590f3
SHA1 hash: 60c24e02f044c1db0f5e8ac5f86da2703dd63118
MD5 hash: 651a0549991ed52a00ee1f2af43a8aaa
humanhash: robert-maryland-emma-massachusetts
File name:setup.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:294'728 bytes
First seen:2022-05-10 18:32:22 UTC
Last seen:2022-05-10 19:55:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 37075d76b38d26f2938b5bde6ff65b0a (1 x RedLineStealer)
ssdeep 6144:Jya+zyotBM1GBnMFAOnCcridBYCsXdfutIh9:lqyotoFYcrksZutq9
Threatray 67 similar samples on MalwareBazaar
TLSH T12154AE04B4D68432D9B2113006E486B95F3DFAA55B6099EFB3E40FBE4F305A0AE355BD
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter JaffaCakes118
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
245
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup.exe
Verdict:
No threats detected
Analysis date:
2022-05-10 18:31:31 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a4901ca1-0928-4fb8-81fc-1eb9562f8d09

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/269520/
Detection(s):
SecuriteInfo.com.Variant.Lazy.180585.14322.23104.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Searching for the window
Sending a custom TCP request
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/17013/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe greyware overlay packed packed
Link:
https://www.filescan.io/uploads/627aaff9be0219041a8ee90c/reports/0c12cb41-1f24-43f4-91f5-28098f6e5130/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/2bd7bdbd-f955-46f3-b4ac-bf6c1c101149
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/991313
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Contains functionality to inject code into remote processes
DLL side loading technique detected
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Add file from suspicious location to autostart registry
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected RedLine Stealer
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 623816 Sample: setup.exe Startdate: 10/05/2022 Architecture: WINDOWS Score: 100 52 Snort IDS alert for network traffic 2->52 54 Found malware configuration 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 9 other signatures 2->58 10 setup.exe 1 2->10         started        process3 signatures4 70 Contains functionality to inject code into remote processes 10->70 72 Writes to foreign memory regions 10->72 74 Allocates memory in foreign processes 10->74 76 Injects a PE file into a foreign processes 10->76 13 AppLaunch.exe 15 7 10->13         started        18 conhost.exe 10->18         started        process5 dnsIp6 48 95.217.225.59, 40037, 49750 HETZNER-ASDE Germany 13->48 50 jetij87d.beget.tech 5.101.153.251, 49762, 80 BEGET-ASRU Russian Federation 13->50 42 C:\Users\user\AppData\Local\Temp\test.exe, PE32 13->42 dropped 78 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 13->78 80 May check the online IP address of the machine 13->80 82 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 13->82 84 4 other signatures 13->84 20 test.exe 1 13->20         started        file7 signatures8 process9 signatures10 60 Antivirus detection for dropped file 20->60 62 Multi AV Scanner detection for dropped file 20->62 64 Machine Learning detection for dropped file 20->64 66 3 other signatures 20->66 23 AppLaunch.exe 20 20->23         started        28 conhost.exe 20->28         started        process11 dnsIp12 44 api.telegram.org 149.154.167.220, 443, 49777, 49778 TELEGRAMRU United Kingdom 23->44 46 ipinfo.io 34.117.59.81, 49776, 80 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 23->46 38 C:\Users\user\AppData\Local\...\OneDrive.exe, PE32+ 23->38 dropped 40 C:\Users\user\AppData\Local\...\Secur32.dll, PE32+ 23->40 dropped 68 Uses cmd line tools excessively to alter registry or file data 23->68 30 reg.exe 1 1 23->30         started        32 reg.exe 1 1 23->32         started        file13 signatures14 process15 process16 34 conhost.exe 30->34         started        36 conhost.exe 32->36         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c31d6090687230bebcc417d6827c9f5df5cdd1be6fe3678252fee9a176f540a1/
Threat name:
Win32.Trojan.Lazy
Create hunting rule
Status:
Malicious
First seen:
2022-05-10 18:33:07 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
14 of 41 (34.15%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
15581c22b60eae59d0e5e7c8a50f3d96d5d561dc417ef670098bb07226aca9b4
RedLineStealer
3ee9814c18b0d55b57844adc047e61f7c94283904788e03d1a02e2941bd01058
RedLineStealer
aa107f5e13a95804d5175acac905b539a676f71f582e5ca512dea9f8382f294e
RedLineStealer
abf0a7d34d6187eea645643b45c99eeb12778ef1ad803d56caebe96b05aca52e
RedLineStealer
cf2198177383fac5199447ba3f6e34bd8c38432c6f7c73ef829055c4d28938ad
RedLineStealer
cf3233845da04579c378f45a79eabd92db919c802662dc885259e11792cd6cad
RedLineStealer
+ 57 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline infostealer spyware
Link:
https://tria.ge/reports/220510-w66h9ahgcn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Downloads MZ/PE file
RedLine
RedLine Payload
Malware Config
C2 Extraction:
95.217.225.59:40037
Unpacked files
SH256 hash:
c31d6090687230bebcc417d6827c9f5df5cdd1be6fe3678252fee9a176f540a1
MD5 hash:
651a0549991ed52a00ee1f2af43a8aaa
SHA1 hash:
60c24e02f044c1db0f5e8ac5f86da2703dd63118
Link:
https://www.unpac.me/results/5ee682d5-8eba-401a-b198-f1d10bdd7e03/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/c31d6090687230bebcc417d6827c9f5df5cdd1be6fe3678252fee9a176f540a1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe c31d6090687230bebcc417d6827c9f5df5cdd1be6fe3678252fee9a176f540a1

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/269520/

Comments