MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d5234d480c203df8e7f07086c0fb4c39a6a11909dfe2e5e33b98cb382d2e1964. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d5234d480c203df8e7f07086c0fb4c39a6a11909dfe2e5e33b98cb382d2e1964
SHA3-384 hash: fad351d36880b8998d7c759a1e105e8e9ef13c27358d8c5659bb3b26503e8d45952497bbf3244b8f93afec2ec8a92388
SHA1 hash: 26cdecb54ede1f3292535546c6abba03028c40e2
MD5 hash: 30253c3d020e1b5acdf5eba6c558bc8c
humanhash: bravo-pip-connecticut-cup
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:369'664 bytes
First seen:2022-11-20 07:32:52 UTC
Last seen:2022-11-21 09:38:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash bf5a4aa99e5b160f8521cadd6bfe73b8 (432 x RedLineStealer, 31 x AgentTesla, 12 x DCRat)
ssdeep 6144:tFDKW1Lgbdl0TBBvjc/saMR05cnEQdHfUF8IWDIsLvLFU/8GUDCvGzqyF6:t9h1Lk70TnvjcbY0523dHfItaI//1Rss
Threatray 3'581 similar samples on MalwareBazaar
TLSH T17B74F12575C1C1B3C4B7113084E6CB7A9A7A703107B9D5D7BBDD1B6A6E203E1A2362CE
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter andretavare5
Tags:exe RedLineStealer


Avatar
andretavare5
Sample downloaded from https://www.prevenzioneformazionelavoro.it/12/AnlzrTlnr23985.exe

Intelligence

File Origin
# of uploads :
676
# of downloads :
253
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-11-20 07:34:30 UTC
Tags:
loader
Link:
https://app.any.run/tasks/9e767264-8d05-4870-afbd-dccca8603961

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/336337/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.61899.6544.29541.UNOFFICIAL
Create hunting rule

ditekSHen.MALWARE.Win.Trojan.RedLine-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the Windows subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Searching for the window
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Running batch commands
DNS request
Creating a file in the %temp% directory
Creating a window
Changing a file
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/6379d8302609334c72c18970/reports/811c5ca7-cf9c-40d4-9260-b5ae83df9799/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ec3ef9f1-e0b5-470b-8817-ea7b0dd51258
Result
Threat name:
CryptOne, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1117510
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected VMProtect packer
Drops PE files with benign system names
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Performs DNS queries to domains with low reputation
Tries to detect virtualization through RDTSC time measurements
Yara detected CryptOne packer
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 750222 Sample: file.exe Startdate: 20/11/2022 Architecture: WINDOWS Score: 100 77 chardhesha.xyz 2->77 79 api.ip.sb 2->79 81 5 other IPs or domains 2->81 95 Malicious sample detected (through community Yara rule) 2->95 97 Antivirus detection for URL or domain 2->97 99 Antivirus detection for dropped file 2->99 101 10 other signatures 2->101 10 file.exe 4 2->10         started        13 explorer.exe 2->13         started        16 explorer.exe 2->16         started        signatures3 process4 file5 71 C:\Windows\Temp\16.exe, PE32 10->71 dropped 73 C:\Users\user\AppData\Local\...\file.exe.log, ASCII 10->73 dropped 18 16.exe 1 9 10->18         started        23 conhost.exe 10->23         started        117 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 13->117 25 WerFault.exe 13->25         started        27 WerFault.exe 13->27         started        29 WerFault.exe 16->29         started        signatures6 process7 dnsIp8 83 94.26.226.51, 49707, 80 PTC-YEMENNETYE Russian Federation 18->83 85 blackhk1.beget.tech 5.101.153.227, 49708, 80 BEGET-ASRU Russian Federation 18->85 87 cityoftransformation.com 181.214.31.161 ASDETUKhttpwwwheficedcomGB Chile 18->87 63 C:\Users\user\AppData\Roaming\...\svchost.exe, PE32+ 18->63 dropped 65 C:\Users\user\AppData\...\explorer.exe, PE32+ 18->65 dropped 67 C:\Users\user\AppData\...\KF82ID0M7C6LB84.exe, PE32 18->67 dropped 69 4 other malicious files 18->69 dropped 103 Multi AV Scanner detection for dropped file 18->103 105 Drops PE files with benign system names 18->105 31 cmd.exe 1 18->31         started        33 KF82ID0M7C6LB84.exe 18->33         started        37 1I27MH8GBKE8H58.exe 4 18->37         started        39 4 other processes 18->39 file9 signatures10 process11 file12 41 explorer.exe 31->41         started        55 C:\Windows\Temp\swiftfix.exe, PE32 33->55 dropped 89 Machine Learning detection for dropped file 33->89 44 swiftfix.exe 33->44         started        57 C:\Windows\Temp\Lyla1911.exe, PE32 37->57 dropped 47 Lyla1911.exe 37->47         started        59 C:\Windows\Temp\top1.exe, PE32 39->59 dropped 61 C:\Users\user\AppData\Local\Temp\egwv.U, PE32 39->61 dropped 91 Antivirus detection for dropped file 39->91 93 Multi AV Scanner detection for dropped file 39->93 49 top1.exe 39->49         started        51 regsvr32.exe 39->51         started        signatures13 process14 file15 107 Antivirus detection for dropped file 41->107 109 Multi AV Scanner detection for dropped file 41->109 111 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 41->111 113 Tries to detect virtualization through RDTSC time measurements 41->113 53 WerFault.exe 20 9 41->53         started        75 C:\Users\user\AppData\Roaming\...\dllhost.exe, PE32 44->75 dropped 115 Machine Learning detection for dropped file 44->115 signatures16 process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d5234d480c203df8e7f07086c0fb4c39a6a11909dfe2e5e33b98cb382d2e1964/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2022-11-20 07:33:07 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2uru2samea67rz7qocdmb62mhgtkcgij37rolyz3tdftqljodfsa._file
Verdict:
malicious
Similar samples:
1616e34f3c32750dc17ff79b5bf26e98b9b5cc183424c5d4961e64f148ce5b5a
RedLineStealer
6bcf5705424ff9935c6dfd886e666af3cb2da930cfe82b0924b599f682b8f9bf
RedLineStealer
9ad275ee92086bd7851865d47f89253b32da528bd8e9b8df7797070291ea90d3
RedLineStealer
af60abc8f32a47fe154e7f5a9e6910200f944524f437f45686f53ad4c49b0098
RedLineStealer
afac7896cf21983233c533eeaec870610856969d98218b0ffdfa11c6f57a8420
RedLineStealer
cac59279f0105fd7c477abf07944c910a02735517efc7e4d10ae0669c336daeb
RedLineStealer
daaa0aa0dc9c10baf105b5aa376724f2cee7ea5b6d01372b2504b1157437c294
RedLineStealer
e10a201d8b7cb09109715199c099ef24618f50fe09d3c1c6e7abbab79a59d94b
RedLineStealer
+ 3'571 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer miner persistence spyware stealer vmprotect
Link:
https://tria.ge/reports/221120-jdj4bsga7w/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
Detectes Phoenix Miner Payload
RedLine
RedLine payload
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/90de6db5-6328-49f8-a3fe-882cee3d467a
Unpacked files
SH256 hash:
353e1bf0f0f4deb4203328160856d4e967a1fe36b4a5d126d799c1b7dee027c0
MD5 hash:
d5e60efb9108de74544c623538278585
SHA1 hash:
fc03eda03ca0510dfb26cf5ea1b3d4e6ff7567b7
Link:
https://www.unpac.me/results/d4a3d806-72c9-4e09-8517-5d24a2ba5a0d/
SH256 hash:
0f7187c2fafda5b10c249287afe82569c26ee00a32a6d3830c2f9e19d506d0a8
MD5 hash:
faa1eac0cb05ca092a03552e45b10e88
SHA1 hash:
c6d8e9b5d3567ba84cbea5b39319d57cbeefc782
Link:
https://www.unpac.me/results/d4a3d806-72c9-4e09-8517-5d24a2ba5a0d/
SH256 hash:
1cc3cfc91a757edd9c331aa9d96257fa7a1497067de730d4249367964f7e0084
MD5 hash:
e2e9627735dc5abe9225b3fc0872e6c3
SHA1 hash:
8045f88f7e321948e83c00100222b15b3efd90d7
Link:
https://www.unpac.me/results/d4a3d806-72c9-4e09-8517-5d24a2ba5a0d/
SH256 hash:
cf268ba2e1f6b270f0ae70150ddeef4e753c71d9d93986293b9c8f1ce65350fb
MD5 hash:
7a2446a60c1fdab6e93da4571a503aab
SHA1 hash:
40224e2ac716324f76e7e551c6d34f8e3e30dfef
Link:
https://www.unpac.me/results/d4a3d806-72c9-4e09-8517-5d24a2ba5a0d/
SH256 hash:
d5234d480c203df8e7f07086c0fb4c39a6a11909dfe2e5e33b98cb382d2e1964
MD5 hash:
30253c3d020e1b5acdf5eba6c558bc8c
SHA1 hash:
26cdecb54ede1f3292535546c6abba03028c40e2
Link:
https://www.unpac.me/results/d4a3d806-72c9-4e09-8517-5d24a2ba5a0d/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d5234d480c20/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/336337/
  
URLhaus
https://urlhaus.abuse.ch/url/2426761/

Comments