MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf48264ec1ae636f92543b873e455d9c56a8c1f274746caa6357aaccf1b42096. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cf48264ec1ae636f92543b873e455d9c56a8c1f274746caa6357aaccf1b42096
SHA3-384 hash: 93b9fc73ae1a674a70331420feb14ef4b3d083dc08784305553632a9f44e4b66ebe2eb2747a499bc6621cd9c38fc3c7f
SHA1 hash: 540a161cc64b0bec795a74bda4f913d1e75c80be
MD5 hash: fba6cb33a68d5525c95cec4142aa25ff
humanhash: mirror-saturn-asparagus-october
File name:fba6cb33a68d5525c95cec4142aa25ff.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:855'432 bytes
First seen:2021-12-21 12:36:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:4GK2dUdo0UWdPUzQAdaNXy6lmRNukDYj6yjI8fu:fyf1/Nha8kDsf
Threatray 3'264 similar samples on MalwareBazaar
TLSH T17B05EE1F29E38A94FD72077656E7BB024BF750DA032B07F8F705A5E04EFA5605B00A99
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
5.206.227.27:65531

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
5.206.227.27:65531 https://threatfox.abuse.ch/ioc/279899/

Intelligence

File Origin
# of uploads :
1
# of downloads :
177
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
fba6cb33a68d5525c95cec4142aa25ff.exe
Verdict:
Malicious activity
Analysis date:
2021-12-21 12:40:05 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/7e1dec3c-be10-422b-9f7d-dedb00b369d0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/215651/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Launching a process
Creating a file
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated overlay packed packed
Link:
https://www.filescan.io/uploads/61c1ca73ec6c6c14a9e783b4/reports/db04c14a-bab7-4080-a24c-28b0a1633fc0/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1ce779b9-b68c-4f22-8b92-a461387de2da
Result
Threat name:
BitCoin Miner RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/910929
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Detected VMProtect packer
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 543407 Sample: 1ExhcUGgoC.exe Startdate: 21/12/2021 Architecture: WINDOWS Score: 100 80 Found malware configuration 2->80 82 Yara detected BitCoin Miner 2->82 84 Yara detected RedLine Stealer 2->84 86 2 other signatures 2->86 11 1ExhcUGgoC.exe 3 2->11         started        14 services32.exe 2->14         started        process3 signatures4 124 Writes to foreign memory regions 11->124 126 Injects a PE file into a foreign processes 11->126 16 RegAsm.exe 15 7 11->16         started        128 Antivirus detection for dropped file 14->128 130 Multi AV Scanner detection for dropped file 14->130 132 Machine Learning detection for dropped file 14->132 134 Adds a directory exclusion to Windows Defender 14->134 21 cmd.exe 14->21         started        process5 dnsIp6 74 5.206.227.27, 49765, 65531 DOTSIPT Portugal 16->74 76 dl.uploadgram.me 176.9.247.226, 443, 49782 HETZNER-ASDE Germany 16->76 68 C:\Users\user\AppData\Local\Temp\fl.exe, PE32+ 16->68 dropped 88 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 16->88 90 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 16->90 92 Tries to harvest and steal browser information (history, passwords, etc) 16->92 94 Tries to steal Crypto Currency Wallets 16->94 23 fl.exe 4 16->23         started        96 Adds a directory exclusion to Windows Defender 21->96 28 conhost.exe 21->28         started        30 powershell.exe 21->30         started        32 powershell.exe 21->32         started        file7 signatures8 process9 dnsIp10 78 192.168.2.1 unknown unknown 23->78 70 C:\Windows\System32\services32.exe, PE32+ 23->70 dropped 104 Antivirus detection for dropped file 23->104 106 Multi AV Scanner detection for dropped file 23->106 108 Machine Learning detection for dropped file 23->108 110 Adds a directory exclusion to Windows Defender 23->110 34 cmd.exe 23->34         started        37 cmd.exe 1 23->37         started        39 cmd.exe 23->39         started        file11 signatures12 process13 signatures14 98 Drops executables to the windows directory (C:\Windows) and starts them 34->98 41 services32.exe 34->41         started        45 conhost.exe 34->45         started        100 Uses schtasks.exe or at.exe to add and modify task schedules 37->100 102 Adds a directory exclusion to Windows Defender 37->102 47 powershell.exe 21 37->47         started        49 conhost.exe 37->49         started        51 powershell.exe 37->51         started        53 conhost.exe 39->53         started        55 schtasks.exe 39->55         started        process15 file16 72 C:\Windows\System32\...\sihost32.exe, PE32+ 41->72 dropped 120 Drops executables to the windows directory (C:\Windows) and starts them 41->120 122 Adds a directory exclusion to Windows Defender 41->122 57 sihost32.exe 41->57         started        60 cmd.exe 41->60         started        signatures17 process18 signatures19 112 Antivirus detection for dropped file 57->112 114 Multi AV Scanner detection for dropped file 57->114 116 Machine Learning detection for dropped file 57->116 118 Adds a directory exclusion to Windows Defender 60->118 62 conhost.exe 60->62         started        64 powershell.exe 60->64         started        66 powershell.exe 60->66         started        process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cf48264ec1ae636f92543b873e455d9c56a8c1f274746caa6357aaccf1b42096/
Threat name:
ByteCode-MSIL.Trojan.StealerPacker
Create hunting rule
Status:
Malicious
First seen:
2021-12-21 12:37:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
14 of 28 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=z5ecmtwbvzrw7esuhodt4rk5trlkrqpsor2gzktdk6vmz4nuecla._file
Verdict:
malicious
Similar samples:
158d30a43656ba2b6d7eec494fad8aa7ae861b0132f24065d2cc42d9396e0ef1
RedLineStealer
168cf1b514dcd2935f60fd9be6317d2eb3ab32908f3a46d6b7f339109044e8ec
RedLineStealer
3c820da115d083116a24d73cc715283f26b5f4cae406e79e8faf088c682a172e
RedLineStealer
56132bf8c1be4feeeb6aec15656688659ee0c9861f94519da8b94ced1801f2b2
RedLineStealer
775edf3f9d355adaf2efca7c4a6c9285a48e502dd6ab8fbf87c819553c5d84be
RedLineStealer
7d1359fe0f873e03ccb58b534f660d0e4b92d049ce953e7b5a584acf97b8499a
RedLineStealer
87ea5b44c32c9e73e8c3184acc98d9a5bd0f00870fd98e15d93abf08ef1135b4
RedLineStealer
88ac18f302d48e99ddc66cfef6b803043466c236b7b6cc4e94e54e9ba6db0379
RedLineStealer
aa5d64ea27f3815042af53f0bc229a7c8dd1f3cd090c1e21eae2a016136f20b8
RedLineStealer
+ 3'254 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:1703452349 discovery infostealer spyware stealer
Link:
https://tria.ge/reports/211221-ptgwsseccp/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
5.206.227.27:65531
Unpacked files
SH256 hash:
bcb551d4476a3f5759ad442adb77c8301dd553d6c024fe194d5edfb19de4042b
MD5 hash:
3790729ae63f0954e708b16e7ebf49e7
SHA1 hash:
ea12dabdbae0733282669b5ccdc624831c1f0af0
Link:
https://www.unpac.me/results/69b04155-cadd-4f5c-82e8-08219efccba8/
SH256 hash:
cf48264ec1ae636f92543b873e455d9c56a8c1f274746caa6357aaccf1b42096
MD5 hash:
fba6cb33a68d5525c95cec4142aa25ff
SHA1 hash:
540a161cc64b0bec795a74bda4f913d1e75c80be
Link:
https://www.unpac.me/results/69b04155-cadd-4f5c-82e8-08219efccba8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cf48264ec1ae636f92543b873e455d9c56a8c1f274746caa6357aaccf1b42096

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe cf48264ec1ae636f92543b873e455d9c56a8c1f274746caa6357aaccf1b42096

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1828051/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/215651/

Comments