MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d5038b0adfdfc36c23dbaafd982bb50bb0e9fc10838e731e10d182d91b28d970. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d5038b0adfdfc36c23dbaafd982bb50bb0e9fc10838e731e10d182d91b28d970
SHA3-384 hash: cc15dd66f9d74385ac27eb41d8e22815fbf8af2f542d502547f702630f02b23294da12d0fa601ba9428250fa5d09fc96
SHA1 hash: 7fbacdb27457829215cd182eab0a4e4bb4379648
MD5 hash: 1544dbca0efc2c0105dd7d52a21a8891
humanhash: wisconsin-ohio-stream-ack
File name:1544dbca0efc2c0105dd7d52a21a8891.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:372'912 bytes
First seen:2024-04-26 00:40:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f4639a0b3116c2cfc71144b88a929cfd (98 x GuLoader, 53 x Formbook, 39 x VIPKeylogger)
ssdeep 6144:1fL+oqZLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLPLLLLLLLW:1fLwLLLLLLLLLLLLLLLLLLLLLLLLLLLu
TLSH T17084E1803F62CE15D9650A700B3585EB4F20BC571F6065BA2751FB8DB4F39A3EE0E9A1
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):PE icon
dhash icon 74f0d0c4c4c4c0d4 (2 x RemcosRAT, 1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
5.42.92.179:18418

Intelligence

File Origin
# of uploads :
1
# of downloads :
607
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
d5038b0adfdfc36c23dbaafd982bb50bb0e9fc10838e731e10d182d91b28d970.exe
Verdict:
Malicious activity
Analysis date:
2024-04-26 00:41:38 UTC
Tags:
stealer redline meta metastealer
Link:
https://app.any.run/tasks/ec692b06-9e06-4d6c-bb5d-058ca755a894

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Creating a process from a recently created file
Creating a window
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file in the %temp% directory
Creating a file in the %AppData% subdirectories
Adding a root certificate
Changing a file
Connecting to a non-recommended domain
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/d5038b0adfdfc36c23dbaafd982bb50bb0e9fc10838e731e10d182d91b28d970
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/8659dba0-55d7-44b0-9496-070b2e8d947d
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1431938
Signature
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Encrypted powershell cmdline option found
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Installs new ROOT certificates
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AntiVM3
Yara detected Powershell decode and execute
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1431938 Sample: f6FauZ2CEz.exe Startdate: 26/04/2024 Architecture: WINDOWS Score: 100 38 Snort IDS alert for network traffic 2->38 40 Found malware configuration 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 10 other signatures 2->44 9 f6FauZ2CEz.exe 7 2->9         started        process3 file4 32 C:\Users\user\temp.bat, DOS 9->32 dropped 34 C:\Users\user\start.vbs, ASCII 9->34 dropped 12 wscript.exe 1 9->12         started        process5 signatures6 64 Wscript starts Powershell (via cmd or directly) 12->64 66 Windows Scripting host queries suspicious COM object (likely to drop second stage) 12->66 68 Suspicious execution chain found 12->68 15 cmd.exe 2 12->15         started        process7 signatures8 70 Suspicious powershell command line found 15->70 72 Wscript starts Powershell (via cmd or directly) 15->72 74 Very long command line found 15->74 76 2 other signatures 15->76 18 powershell.exe 15 15->18         started        21 powershell.exe 16 15->21         started        24 conhost.exe 15->24         started        process9 file10 46 Writes to foreign memory regions 18->46 48 Injects a PE file into a foreign processes 18->48 26 RegAsm.exe 6 24 18->26         started        30 C:\Users\user\QJHJap.ps1, Unicode 21->30 dropped 50 Found many strings related to Crypto-Wallets (likely being stolen) 21->50 52 Suspicious execution chain found 21->52 54 Found suspicious powershell code related to unpacking or dynamic code loading 21->54 signatures11 process12 dnsIp13 36 5.42.92.179, 18418, 49730 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 26->36 56 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 26->56 58 Installs new ROOT certificates 26->58 60 Found many strings related to Crypto-Wallets (likely being stolen) 26->60 62 3 other signatures 26->62 signatures14
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d5038b0adfdfc36c23dbaafd982bb50bb0e9fc10838e731e10d182d91b28d970
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d5038b0adfdfc36c23dbaafd982bb50bb0e9fc10838e731e10d182d91b28d970/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2024-04-26 00:41:05 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
17 of 23 (73.91%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2ubywcw737bwyi63vl6zqk5vboyot7aqqohhghqq2gbnsgzi3fya._file
Verdict:
unknown
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer
Link:
https://tria.ge/reports/240426-a1rx1sge64/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Reads user/profile data of web browsers
RedLine
RedLine payload
Malware Config
C2 Extraction:
5.42.92.179:18418
Unpacked files
SH256 hash:
d5038b0adfdfc36c23dbaafd982bb50bb0e9fc10838e731e10d182d91b28d970
MD5 hash:
1544dbca0efc2c0105dd7d52a21a8891
SHA1 hash:
7fbacdb27457829215cd182eab0a4e4bb4379648
Link:
https://www.unpac.me/results/291c7d36-a0b2-479d-8eaa-6eb374ab9680/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d5038b0adfdf/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d5038b0adfdfc36c23dbaafd982bb50bb0e9fc10838e731e10d182d91b28d970

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer_V2
Create hunting rule
Author:Varp0s
Rule name:GenericRedLineLike
Create hunting rule
Author:Still
Description:Matches RedLine-like stealer; may match its variants.
Rule name:MALWARE_Win_MetaStealer
Create hunting rule
Author:ditekSHen
Description:Detects MetaStealer infostealer
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:NSIS_April_2024
Create hunting rule
Author:NDA0N
Description:Detects NSIS installers
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_OneNote
Create hunting rule
Author:spatronn
Description:Hard-Detect One
Rule name:Windows_Generic_Threat_efdb9e81
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Generic_40899c85
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_RedLineStealer_6dfafd7b
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe d5038b0adfdfc36c23dbaafd982bb50bb0e9fc10838e731e10d182d91b28d970

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2817161/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::SHFileOperationW
SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDiskFreeSpaceW
KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::MoveFileExW
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuW
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExW
USER32.dll::OpenClipboard
USER32.dll::PeekMessageW
USER32.dll::CreateWindowExW

Comments