MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d3231042d20e7e02069279a9470ede4daddf70137cf1122550e4bdc354ba1473. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 16

Intelligence 16 IOCs YARA 10 File information Comments

SHA256 hash:	d3231042d20e7e02069279a9470ede4daddf70137cf1122550e4bdc354ba1473
SHA3-384 hash:	3a692b8ed32b761571e002f1d623c65c30981d095f54de8c939def02943534d15807d33ce4357232f1359a1298f0f8f3
SHA1 hash:	bc6076dd3684d56476c4424e8e7b42d0a7e29d64
MD5 hash:	287d2d8c6dc43061b992fd4767cac641
humanhash:	alanine-north-papa-fifteen
File name:	287d2d8c6dc43061b992fd4767cac641.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	5'104'128 bytes
First seen:	2024-03-24 20:55:21 UTC
Last seen:	2024-03-24 22:21:50 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	dbcf2a4deb216c4be49068990ac64d93 (1 x RedLineStealer)
ssdeep	49152:CunOIh/VejoF8vwF/nluLRPct4whtfVKevv7m9gcQYPbH51a7zc60GtD:f/Veo8YF/nXMPbjAg60GtD
TLSH	T10D369D41E3DCC4E1E0B205B8596DA321EEB1BCB51F3195CF2284BE1E6B31BC56975B22
TrID	68.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 12.5% (.EXE) Win64 Executable (generic) (10523/12/4) 6.0% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.4% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	1671786831336767 (1 x RedLineStealer, 1 x CobaltStrike, 1 x RemcosRAT)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
193.233.133.152:35515

Intelligence

File Origin

# of uploads :

# of downloads :

554

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

d3231042d20e7e02069279a9470ede4daddf70137cf1122550e4bdc354ba1473.exe

Verdict:

Malicious activity

Analysis date:

2024-03-24 20:58:07 UTC

Tags:

evasion stealer redline

Link:

https://app.any.run/tasks/7ce036fd-293a-4850-a378-649b2631e2b0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a file

Running batch commands

Launching a process

Creating a window

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug anti-vm crypto dllhost evasive explorer fingerprint hacktool infdefaultinstall keylogger lolbin pcalua remote rundll32 scriptrunner setupapi shell32

Link:

https://www.filescan.io/uploads/66009365e267e4ac5088c878/reports/257d30be-88fa-441b-acca-2363b3d353cf/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/d3231042d20e7e02069279a9470ede4daddf70137cf1122550e4bdc354ba1473

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1a62f46a-3462-43c7-a3d7-85dff703056c

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1414772

Signature

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Detected unpacking (creates a PE file in dynamic memory)

Drops large PE files

Drops PE files to the document folder of the user

Found malware configuration

Injects a PE file into a foreign processes

Installs new ROOT certificates

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

66%

Verdict:

Susipicious

File Type:

Link:

https://malprob.io/report/d3231042d20e7e02069279a9470ede4daddf70137cf1122550e4bdc354ba1473

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d3231042d20e7e02069279a9470ede4daddf70137cf1122550e4bdc354ba1473/

Threat name:

Win32.Trojan.Generic

Status:

Malicious

First seen:

2024-03-21 09:14:54 UTC

File Type:

PE (Exe)

Extracted files:

496

AV detection:

11 of 38 (28.95%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2mrraqwsbz7aebuspguuodw6jww564atptyrejkq4s64gvf2crzq._file

Verdict:

malicious

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:newcrypt infostealer persistence spyware

Link:

https://tria.ge/reports/240324-zq1jvabc3z/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

RedLine

RedLine payload

Malware Config

C2 Extraction:

193.233.133.152:35515

Unpacked files

SH256 hash:

b22a57cd2a73faedd62ec25f094e830cebfe2c62f86b6dd3631ab3aac8ab432d

MD5 hash:

e3c0e47bdc3383c8461cbd829ce77a32

SHA1 hash:

1c436dd554d8c27d11d30f0a8f7de34626752a7f

Detections:

redline

Link:

https://www.unpac.me/results/bb679605-8172-4c18-9a27-ca288e95413e/

SH256 hash:

c62eec8b42d0b1fafde4215abb1bae3ba79cd567ae1d423280aabc8c64d0cd16

MD5 hash:

93c8407446d5e38d66646586912813c0

SHA1 hash:

9565d242f3ab9254d4f98aba9dbb5c6d5e41011b

Link:

https://www.unpac.me/results/bb679605-8172-4c18-9a27-ca288e95413e/

SH256 hash:

d3231042d20e7e02069279a9470ede4daddf70137cf1122550e4bdc354ba1473

MD5 hash:

287d2d8c6dc43061b992fd4767cac641

SHA1 hash:

bc6076dd3684d56476c4424e8e7b42d0a7e29d64

Link:

https://www.unpac.me/results/bb679605-8172-4c18-9a27-ca288e95413e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d3231042d20e7e02069279a9470ede4daddf70137cf1122550e4bdc354ba1473

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	APT_Sandworm_ArguePatch_Apr_2022_1 Create hunting rule
Author:	Arkbird_SOLG
Description:	Detect ArguePatch loader used by Sandworm group for load CaddyWiper
Reference:	https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	virustotal Create hunting rule
Author:	Tracel

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	ADVAPI32.dll::AllocateAndInitializeSid ADVAPI32.dll::ConvertSidToStringSidW ADVAPI32.dll::CopySid ADVAPI32.dll::EqualSid ADVAPI32.dll::FreeSid ADVAPI32.dll::GetLengthSid
COM_BASE_API	Can Download & Execute components	ole32.dll::CoCreateInstance
SECURITY_BASE_API	Uses Security Base API	ADVAPI32.dll::AddAccessAllowedAce ADVAPI32.dll::AddAce ADVAPI32.dll::AdjustTokenPrivileges ADVAPI32.dll::CreateRestrictedToken ADVAPI32.dll::DuplicateTokenEx ADVAPI32.dll::GetKernelObjectSecurity
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteExW SHELL32.dll::ShellExecuteW SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_API	Can Create Process and Threads	ADVAPI32.dll::CreateProcessAsUserW KERNEL32.dll::CreateProcessW KERNEL32.dll::OpenProcess ADVAPI32.dll::OpenProcessToken KERNEL32.dll::CloseHandle WINHTTP.dll::WinHttpCloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::GetActiveProcessorCount KERNEL32.dll::GetActiveProcessorGroupCount ntdll.dll::NtQueryInformationProcess ntdll.dll::NtQueryInformationThread ntdll.dll::NtQuerySystemInformation
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::LoadLibraryW KERNEL32.dll::WriteConsoleW KERNEL32.dll::ReadConsoleInputW KERNEL32.dll::ReadConsoleW KERNEL32.dll::SetConsoleMode KERNEL32.dll::SetStdHandle
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateFileMappingW KERNEL32.dll::CreateFileW KERNEL32.dll::DeleteFileW KERNEL32.dll::GetSystemDirectoryW KERNEL32.dll::GetFileAttributesW KERNEL32.dll::FindFirstFileW
WIN_BASE_USER_API	Retrieves Account Information	KERNEL32.dll::GetComputerNameW ADVAPI32.dll::LookupAccountNameW ADVAPI32.dll::LookupAccountSidW ADVAPI32.dll::LookupPrivilegeNameW ADVAPI32.dll::LookupPrivilegeValueW
WIN_CRED_API	Can Manipute Windows Credentials	credui.dll::CredUIPromptForCredentialsW
WIN_CRYPT_API	Uses Windows Crypt API	CRYPT32.dll::CertDuplicateCertificateContext ADVAPI32.dll::CryptAcquireContextW ADVAPI32.dll::CryptCreateHash ADVAPI32.dll::CryptGetHashParam ADVAPI32.dll::CryptHashData
WIN_HTTP_API	Uses HTTP services	WINHTTP.dll::WinHttpConnect WINHTTP.dll::WinHttpGetProxyForUrl WINHTTP.dll::WinHttpOpen WINHTTP.dll::WinHttpOpenRequest WINHTTP.dll::WinHttpQueryDataAvailable WINHTTP.dll::WinHttpQueryHeaders
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegConnectRegistryW ADVAPI32.dll::RegCreateKeyExW ADVAPI32.dll::RegCreateKeyW ADVAPI32.dll::RegDeleteKeyW ADVAPI32.dll::RegGetValueW ADVAPI32.dll::RegLoadKeyW
WIN_SVC_API	Can Manipulate Windows Services	ADVAPI32.dll::ControlService ADVAPI32.dll::GetServiceDisplayNameW ADVAPI32.dll::OpenSCManagerW ADVAPI32.dll::OpenServiceW ADVAPI32.dll::QueryServiceConfigW ADVAPI32.dll::QueryServiceConfig2W
WIN_USER_API	Performs GUI Actions	USER32.dll::AppendMenuW USER32.dll::CreateMenu USER32.dll::EmptyClipboard USER32.dll::FindWindowW USER32.dll::FindWindowExW USER32.dll::LockWorkStation

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample