MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e867b0089c8de42336fda26cb236f1560fade689995da8761637d45980f16986. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 7

SHA256 hash: e867b0089c8de42336fda26cb236f1560fade689995da8761637d45980f16986
SHA3-384 hash: 1acfa841a4faea1fd63a67667611320122f538127910819e8bab040a837faab530e8a156f1f675d8b890dbdc569e482e
SHA1 hash: f853f764579db8f6ada129fe1838a40e8b75bd18
MD5 hash: 999fb390d347d57b892395f0a8fd160c
humanhash: triple-chicken-sweet-delta
File name: 999fb390d347d57b892395f0a8fd160c
Signature: RedLineStealer
File size: 1'212'416 bytes
First seen: 2022-12-03 03:56:50 UTC
Last seen: 2022-12-03 05:28:40 UTC
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 24576:qtncpVGPuBd3X3yNh3j8/f3/uI0pctTrFjKVs/ViWFZ8FWztvUHKx79P:/pUPuBdH3sBj8/P/vBJrFdtLtvUHCh
Threatray: 2'293 similar samples on MalwareBazaar
TLSH: T1944512513BC9C135D2AE153684BBD7792A6ABD710B30D0CBB7607CAD5A312C3BA39352
TrID: 98.2% (.MSI) Microsoft Windows Installer (454500/1/170)
      1.7% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter: zbetcheckin
Tags: msi RedLineStealer

Intelligence


File Origin
# of uploads: 2
# of downloads: 118
Origin country: n/a

Vendor Threat Intelligence
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: expand.exe fingerprint packed shell32.dll
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: RedLine
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Checks if UnHackMe application is installed (likely to disable it)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 759668
Sample: umua0kO1g7.msi
Start date: 03/12/2022
Architecture: WINDOWS
Score: 100
Top-level signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 3 other signatures
Process tree:
  msiexec.exe (started)
    dropped: C:\Windows\Installer\MSI42AC.tmp (PE32), C:\Windows\Installer\MSI1AB8.tmp (PE32), C:\Windows\Installer\MSI1825.tmp (PE32)
    msiexec.exe (started)
      HTEDFGVXC.exe (started)
        signatures: Checks if UnHackMe application is installed (likely to disable it); Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
        AppLaunch.exe (started)
          network: 194.62.42.182:9697 (ZEISS-ASRU, Russian Federation)
          signatures: Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
      expand.exe (started)
        dropped: C:\Users\user\...\HTEDFGVXC.exe (copy) (PE32), C:\...\9360acb57a7fef43b18e428f3f33d057.tmp (PE32)
      cmd.exe (started)
      2 other processes (started)
  msiexec.exe (started)
Threat name: Win32.Spyware.RedLine
Status: Suspicious
First seen: 2022-11-28 05:41:51 UTC
File Type: Binary (Archive)
Extracted files: 120
AV detection: 18 of 26 (69.23%)
Threat level: 2/5

Result
Malware family: n/a
Score: 8/10
Tags: discovery
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Enumerates connected drives
Loads dropped DLL
Modifies file permissions
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: RedLineStealer
File type: Microsoft Software Installer (MSI) msi
SHA256: e867b0089c8de42336fda26cb236f1560fade689995da8761637d45980f16986 (this sample)

Delivery method: Distributed via web download

Comments

zbet commented on 2022-12-03 03:56:56 UTC

url: hxxps://rufussa.com/lander/rufus_msi/src/rufus-3.20.msi