MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c34f4d1ea21e7248fc8ba8679713d87d35d5f02ab8fc0cf14bed0f1e7eb87492. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c34f4d1ea21e7248fc8ba8679713d87d35d5f02ab8fc0cf14bed0f1e7eb87492
SHA3-384 hash: 8df46793ea6befb2a71b4441ca32812d9d3e1574473c6fa994d97143079977f14b50d68ea04b682b7e599158403d4e8d
SHA1 hash: 94c1622ec10d94f92b39e93f68937d44ff1b2f38
MD5 hash: a54bc56c0c211b1e6bc1e35967c537f2
humanhash: happy-network-march-nebraska
File name:a54bc56c0c211b1e6bc1e35967c537f2.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:137'728 bytes
First seen:2021-09-06 12:38:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 1536:b3UdGehqEn8nPigThq3pOCRhLEY5AE4T2a4Yn:LUwehr8nPigTY3xRhLEY5AuCn
Threatray 1 similar samples on MalwareBazaar
TLSH T1EED35F32EC030C26DB8F393EEC8F56DB19DD4A901B2ABB421059145D5A3CD7AC5FAE12
dhash icon d4e869aaaaaa4d20 (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
136
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a54bc56c0c211b1e6bc1e35967c537f2.exe
Verdict:
Malicious activity
Analysis date:
2021-09-06 12:43:10 UTC
Tags:
trojan rat redline evasion stealer
Link:
https://app.any.run/tasks/aad21092-a8b1-4b57-b9ad-e9d27e58e89b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/185662/
Detection(s):
SecuriteInfo.com.Variant.Cerbu.112979.9864.17025.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Connection attempt
Sending a custom TCP request
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating a file
Creating a file in the %temp% directory
Creating a window
Deleting a recently created file
Reading critical registry keys
Using the Windows Management Instrumentation requests
Launching the default Windows debugger (dwwin.exe)
Replacing files
Sending a UDP request
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Connection attempt to an infection source
Sending a TCP request to an infection source
Query of malicious DNS domain
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8b792035-476c-4f3a-952e-0abe8b0420f0
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/845993
Signature
Antivirus detection for URL or domain
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 478425 Sample: 7ErW9gaqY2.exe Startdate: 06/09/2021 Architecture: WINDOWS Score: 100 87 Antivirus detection for URL or domain 2->87 89 Multi AV Scanner detection for submitted file 2->89 91 Yara detected RedLine Stealer 2->91 93 4 other signatures 2->93 7 7ErW9gaqY2.exe 15 9 2->7         started        12 WinHoster.exe 2->12         started        14 WinHoster.exe 2->14         started        process3 dnsIp4 69 iplogger.org 88.99.66.31, 443, 49702, 49703 HETZNER-ASDE Germany 7->69 71 gavenetwork.bar 172.67.141.201, 443, 49698 CLOUDFLARENETUS United States 7->71 47 C:\Users\user\AppData\Roaming\5420070.exe, PE32 7->47 dropped 49 C:\Users\user\AppData\Roaming\4748218.exe, PE32 7->49 dropped 51 C:\Users\user\AppData\Roaming\3404514.exe, PE32 7->51 dropped 53 3 other malicious files 7->53 dropped 95 Detected unpacking (changes PE section rights) 7->95 97 May check the online IP address of the machine 7->97 16 5420070.exe 7->16         started        20 4748218.exe 14 26 7->20         started        22 2968966.exe 7->22         started        25 2 other processes 7->25 file5 signatures6 process7 dnsIp8 55 95.181.157.102, 40915, 49717 MSKHOSTRU Russian Federation 16->55 57 api.ip.sb 16->57 73 Detected unpacking (changes PE section rights) 16->73 75 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 16->75 77 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 16->77 79 Tries to harvest and steal browser information (history, passwords, etc) 16->79 27 conhost.exe 16->27         started        59 185.177.125.94, 49716, 57832 WORLDSTREAMNL Netherlands 20->59 61 api.ip.sb 20->61 81 Tries to steal Crypto Currency Wallets 20->81 29 conhost.exe 20->29         started        63 get-europe-group.bar 172.67.164.50, 443, 49705 CLOUDFLARENETUS United States 22->63 65 192.168.2.1 unknown unknown 22->65 37 C:\ProgramData\64\vcruntime140.dll, PE32 22->37 dropped 39 C:\ProgramData\64\sqlite3.dll, PE32 22->39 dropped 41 C:\ProgramData\64\softokn3.dll, PE32 22->41 dropped 45 4 other files (none is malicious) 22->45 dropped 83 Multi AV Scanner detection for dropped file 22->83 31 WerFault.exe 22->31         started        67 mremote-support.xyz 104.21.84.5, 443, 49704, 49719 CLOUDFLARENETUS United States 25->67 43 C:\Users\user\AppData\...\WinHoster.exe, PE32 25->43 dropped 85 Performs DNS queries to domains with low reputation 25->85 33 WinHoster.exe 25->33         started        35 WerFault.exe 25->35         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c34f4d1ea21e7248fc8ba8679713d87d35d5f02ab8fc0cf14bed0f1e7eb87492/
Threat name:
ByteCode-MSIL.Packed.Confuser
Create hunting rule
Status:
Malicious
First seen:
2021-09-06 09:49:54 UTC
AV detection:
13 of 28 (46.43%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ynhu2hvcdzzer7elvbtzoe6ypu25l4bkxd6az4kl5uhr47vyosja._file
Verdict:
malicious
Similar samples:
da6332feebc2a530509de0c661231bbd427327c31d6607a6a9286db710b68795
RedLineStealer
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer persistence spyware stealer
Link:
https://tria.ge/reports/210906-pvl7xabah2/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
RedLine
RedLine Payload
Unpacked files
SH256 hash:
c34f4d1ea21e7248fc8ba8679713d87d35d5f02ab8fc0cf14bed0f1e7eb87492
MD5 hash:
a54bc56c0c211b1e6bc1e35967c537f2
SHA1 hash:
94c1622ec10d94f92b39e93f68937d44ff1b2f38
Link:
https://www.unpac.me/results/bd5dff71-7ba3-4aed-9384-5fdbcf6083e8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c34f4d1ea21e7248fc8ba8679713d87d35d5f02ab8fc0cf14bed0f1e7eb87492

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe c34f4d1ea21e7248fc8ba8679713d87d35d5f02ab8fc0cf14bed0f1e7eb87492

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1549205/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/185662/

Comments