MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d3ba9a825428217385269ea89f960774e87f64e150d157f7e672601a374b3079. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d3ba9a825428217385269ea89f960774e87f64e150d157f7e672601a374b3079
SHA3-384 hash: 707b8f60b8f260a0c07b51013c107d7571c5e3acd7b5b49aee241230fdee49968cf827ca74be6faafa094acab5ac957c
SHA1 hash: 9c3deb837263798ee0e129d3affe4e6092ccf829
MD5 hash: 65bb7e813f371e452166a2a894ee5e01
humanhash: hotel-violet-diet-tennessee
File name:@belzibart_protected.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'215'720 bytes
First seen:2021-11-15 18:36:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2e5467cba76f44a088d39f78c5e807b6 (131 x DCRat, 113 x njrat, 80 x RedLineStealer)
ssdeep 24576:6vNkvW/WIkjrkHgLwvfO/3da1aVsfGzKOnhDAN4gEN9Bcih0dXJko:6vaEWzEALtMVh6MN4gEN3cpt2o
TLSH T172453331BC65FC62E84B22F3A2E51DC1E944CD394ECF9A67598A6E11143A1051FAFC3E
Reporter FirehaK
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
98
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
@belzibart_protected.exe
Verdict:
Malicious activity
Analysis date:
2021-11-15 18:30:34 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/24ab9d6f-0bf4-485c-94ff-01d6f46ecb49

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
EnigmaStub
Create hunting rule
Link:
https://www.capesandbox.com/analysis/205991/
Detection(s):
PUA.Win.Packer.EnigmaProtector-19
Create hunting rule

PUA.Win.Packer.EnigmaProtector-1
Create hunting rule

PUA.Win.Packer.EnigmaProtector-9852682-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
DNS request
Connection attempt
Sending a UDP request
Sending a custom TCP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Running batch commands
Launching a process
Creating a process with a hidden window
Connection attempt to an infection source
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated overlay packed
Link:
https://www.filescan.io/uploads/6192a8d1a00afa9663a89463/reports/f526adbc-33bf-437b-a084-409a3a5940a3/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/299d1128-59d2-4172-9d8e-61958f72f1fd
Result
Threat name:
BitCoin Miner RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/889738
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Connects to many ports of the same IP (likely port scanning)
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 522207 Sample: @belzibart_protected.exe Startdate: 15/11/2021 Architecture: WINDOWS Score: 100 69 Antivirus / Scanner detection for submitted sample 2->69 71 Yara detected BitCoin Miner 2->71 73 Yara detected RedLine Stealer 2->73 75 4 other signatures 2->75 10 @belzibart_protected.exe 15 7 2->10         started        15 services32.exe 2->15         started        process3 dnsIp4 55 85.208.184.233, 49776, 64930 ON-LINE-DATAServerlocation-NetherlandsDrontenNL Netherlands 10->55 57 cdn.discordapp.com 162.159.129.233, 443, 49779 CLOUDFLARENETUS United States 10->57 59 192.168.2.1 unknown unknown 10->59 51 C:\Users\user\AppData\Local\Temp\fl.exe, PE32+ 10->51 dropped 53 C:\Users\...\@belzibart_protected.exe.log, ASCII 10->53 dropped 91 Detected unpacking (changes PE section rights) 10->91 93 Detected unpacking (overwrites its own PE header) 10->93 95 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 10->95 103 4 other signatures 10->103 17 fl.exe 10->17         started        97 Writes to foreign memory regions 15->97 99 Allocates memory in foreign processes 15->99 101 Creates a thread in another existing process (thread injection) 15->101 20 conhost.exe 5 15->20         started        file5 signatures6 process7 file8 61 Multi AV Scanner detection for dropped file 17->61 63 Writes to foreign memory regions 17->63 65 Allocates memory in foreign processes 17->65 67 Creates a thread in another existing process (thread injection) 17->67 23 conhost.exe 4 17->23         started        47 C:\Users\user\AppData\...\sihost32.exe, PE32+ 20->47 dropped 26 sihost32.exe 20->26         started        signatures9 process10 file11 49 C:\Users\user\AppData\...\services32.exe, PE32+ 23->49 dropped 29 cmd.exe 1 23->29         started        31 cmd.exe 1 23->31         started        83 Multi AV Scanner detection for dropped file 26->83 85 Writes to foreign memory regions 26->85 87 Allocates memory in foreign processes 26->87 89 Creates a thread in another existing process (thread injection) 26->89 34 conhost.exe 2 26->34         started        signatures12 process13 signatures14 36 services32.exe 29->36         started        39 conhost.exe 29->39         started        105 Uses schtasks.exe or at.exe to add and modify task schedules 31->105 41 conhost.exe 31->41         started        43 schtasks.exe 1 31->43         started        process15 signatures16 77 Writes to foreign memory regions 36->77 79 Allocates memory in foreign processes 36->79 81 Creates a thread in another existing process (thread injection) 36->81 45 conhost.exe 2 36->45         started        process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d3ba9a825428217385269ea89f960774e87f64e150d157f7e672601a374b3079/
Threat name:
Win32.Packed.EnigmaProtector
Create hunting rule
Status:
Malicious
First seen:
2021-11-15 18:37:05 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2o5jvasufaqxhbjgt2uj7fqhotuh6zhbkdivp57gojqbun2lgb4q._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/211115-w9gdjabbf3/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Unpacked files
SH256 hash:
d3ba9a825428217385269ea89f960774e87f64e150d157f7e672601a374b3079
MD5 hash:
65bb7e813f371e452166a2a894ee5e01
SHA1 hash:
9c3deb837263798ee0e129d3affe4e6092ccf829
Link:
https://www.unpac.me/results/73ecec06-b355-4c59-9709-c868cc386cf6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d3ba9a825428217385269ea89f960774e87f64e150d157f7e672601a374b3079

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:EnigmaStub
Create hunting rule
Author:@bartblaze
Description:Identifies Enigma packer stub.
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:win_smominru_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.smominru.
Rule name:XOREngine_Misc_XOR_Func
Create hunting rule
Author:smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description:Use with care, https://twitter.com/cyb3rops/status/1237042104406355968

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
boba
Cape
Cape
https://www.capesandbox.com/analysis/205991/

Comments