MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f1f713eed337b5689345785e07be5d7136f34c0195efdee8ac2230144c57e604. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f1f713eed337b5689345785e07be5d7136f34c0195efdee8ac2230144c57e604
SHA3-384 hash: 56999fc4a90ce27ae85597f1c225ec1cf2d06bd1a7796ee4c9e62acf48f6526da57feffebbc7b1fbff469b18e238c2e3
SHA1 hash: 7ff23c0484c18b458272e52b11e7a31f82374c4a
MD5 hash: c297a44fbe7664500b78bac74e5c1251
humanhash: seven-ink-shade-georgia
File name:SecuriteInfo.com.W32.AIDetect.malware2.25291.15010
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:485'976 bytes
First seen:2022-08-21 10:36:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 061883e1e55867694b74c303ab443add (5 x RedLineStealer, 3 x RecordBreaker, 1 x N-W0rm)
ssdeep 12288:sXpBQsa4h7v22sEpbRT0AZC/DE8utmBuXNy9:oxa4tRT0A/7XNg
Threatray 5'517 similar samples on MalwareBazaar
TLSH T1D1A46C6078E08272DDF230BA06ECB531446DA4F007661AD797C80FFED6646D1BB3669B
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter SecuriteInfoCom
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
372
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.W32.AIDetect.malware2.25291.15010
Verdict:
No threats detected
Analysis date:
2022-08-21 10:38:50 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/cb20320a-07d9-4efe-abb8-bd6e7bde5359

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/300011/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.25291.15010.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/29537/overview
Behaviour
MalwareBazaar
CheckNumberOfProcessor
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/63020ad8c9bbd9909783c2c9/reports/b621766d-dfa7-4d43-bc6d-b83449b6f769/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/15476826-9c9c-48ef-9a45-6ba95fef6bc1
Result
Threat name:
Raccoon Stealer v2, RedLine, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1055022
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
DLL side loading technique detected
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Raccoon Stealer v2
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 687535 Sample: SecuriteInfo.com.W32.AIDete... Startdate: 21/08/2022 Architecture: WINDOWS Score: 100 76 in.appcenter.ms 2->76 78 coinsurf.com 2->78 90 Snort IDS alert for network traffic 2->90 92 Malicious sample detected (through community Yara rule) 2->92 94 Antivirus detection for URL or domain 2->94 96 9 other signatures 2->96 10 SecuriteInfo.com.W32.AIDetect.malware2.25291.exe 1 2->10         started        13 gigacvi 2 2->13         started        signatures3 process4 signatures5 104 Contains functionality to inject code into remote processes 10->104 106 Writes to foreign memory regions 10->106 108 Allocates memory in foreign processes 10->108 110 Injects a PE file into a foreign processes 10->110 15 MSBuild.exe 10->15         started        18 WerFault.exe 23 9 10->18         started        20 conhost.exe 10->20         started        22 conhost.exe 13->22         started        process6 signatures7 128 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 15->128 130 Maps a DLL or memory area into another process 15->130 132 Checks if the current machine is a virtual machine (disk enumeration) 15->132 134 Creates a thread in another existing process (thread injection) 15->134 24 explorer.exe 8 15->24 injected process8 dnsIp9 84 185.215.113.58, 49725, 49727, 80 WHOLESALECONNECTIONSNL Portugal 24->84 86 45.138.74.104, 49728, 80 HOSTGLOBALPLUS-ASRU Russian Federation 24->86 88 static.asyncvoid.net 188.114.96.3, 443, 49726 CLOUDFLARENETUS European Union 24->88 68 C:\Users\user\AppData\Roaming\gigacvi, PE32 24->68 dropped 70 C:\Users\user\AppData\Local\Temp619.exe, PE32 24->70 dropped 72 C:\Users\user\AppData\Local\Temp\D251.exe, PE32 24->72 dropped 74 C:\Users\user\AppData\Local\Temp\B1E7.exe, PE32 24->74 dropped 112 System process connects to network (likely due to code injection or exploit) 24->112 114 Benign windows process drops PE files 24->114 116 Injects code into the Windows Explorer (explorer.exe) 24->116 118 2 other signatures 24->118 29 E619.exe 1 24->29         started        32 D251.exe 1 24->32         started        34 B1E7.exe 4 24->34         started        37 9 other processes 24->37 file10 signatures11 process12 file13 120 Machine Learning detection for dropped file 29->120 122 Writes to foreign memory regions 29->122 124 Allocates memory in foreign processes 29->124 39 MSBuild.exe 29->39         started        44 WerFault.exe 29->44         started        46 conhost.exe 29->46         started        126 Injects a PE file into a foreign processes 32->126 48 MSBuild.exe 2 32->48         started        50 WerFault.exe 10 32->50         started        52 conhost.exe 32->52         started        56 C:\Users\user\AppData\Local\...\Update.exe, PE32 34->56 dropped 54 Update.exe 7 34->54         started        signatures14 process15 dnsIp16 80 89.208.104.46, 49730, 80 PSKSET-ASRU Russian Federation 39->80 58 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 39->58 dropped 60 C:\Users\user\AppData\LocalLow\nss3.dll, PE32 39->60 dropped 62 C:\Users\user\AppData\LocalLow\mozglue.dll, PE32 39->62 dropped 66 4 other files (none is malicious) 39->66 dropped 98 Tries to harvest and steal browser information (history, passwords, etc) 39->98 100 DLL side loading technique detected 39->100 102 Tries to steal Crypto Currency Wallets 39->102 82 192.168.2.1 unknown unknown 44->82 64 C:\Users\user\AppData\Local\...\Update.exe, PE32 54->64 dropped file17 signatures18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f1f713eed337b5689345785e07be5d7136f34c0195efdee8ac2230144c57e604/
Threat name:
Win32.Trojan.SpywareX
Create hunting rule
Status:
Malicious
First seen:
2022-08-21 10:37:08 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
11 of 26 (42.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6h3rh3wtg62wre2fpbpapps5oe3pgtabsxx552fmeiybitcx4yca._file
Verdict:
malicious
Similar samples:
049ae382c00f3cbd42e9108966c445234ed5bccce0913dae44c313295879a6c2
RedLineStealer
0d5f72de2638164abf4e3c913cc91721e5c011fb85f7ccb81c86f8d17712b2d6
RedLineStealer
1a1a1fc106492d46570f3031f05ccc27dd23b8266df4208d648923a7b684d1af
RedLineStealer
5cd575c5fa62c375ac8f979a0231f39b1779122a277ce4a5c2faa9f5e69e1d11
RedLineStealer
6cb9da274bb4ffc27b53ac639f8ed1cbcddf990b8cd622c298863aa162eb2f50
RedLineStealer
7968a4ce56f635c65b0f2bbdc8d72364a58eab71642ec195cb4fd579a134fca7
RedLineStealer
7ed50d6cf6c9904f2392e39ac88e5e024c21746d794b9dca4b51cbbbd444df4a
RedLineStealer
b247929c0dacbb6bbf61af984da9386a64139fa70e9ec9c77aeb339e2ae53fb0
RedLineStealer
c7946da08940de7da39c9bcd1417e1926616d7953974ef5f24aacc6de9b362c9
RedLineStealer
f5f0060d8e6b44619fdcf74db5cc5d6e50be365cf7c92b32325e3a91d622a1f9
RedLineStealer
+ 5'507 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220821-mnsp1abag5/
Unpacked files
SH256 hash:
e0ac29fd752891c431c435cb77eeb872754ebfce2a740c2ca7fe3842ba9f4e08
MD5 hash:
65f77be3192eb5465f6d48b94f483f74
SHA1 hash:
2034211ad10f7e87a200763f280c913b2fc1a050
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/99454c4d-827a-4925-a9f6-eba4ce3b9566/
Parent samples :
b99300d00050e4a8b2b0873723a9783b172776ba8cb7500d65e6d93bc3d37147
e3dc41ce8a7e58f579b5b682d536c24fb4348899b6d332bf96a290eb93beac82
7968a4ce56f635c65b0f2bbdc8d72364a58eab71642ec195cb4fd579a134fca7
f1f713eed337b5689345785e07be5d7136f34c0195efdee8ac2230144c57e604
e68eb5c847f58f8a3322208932734601f1c8909f529e5d64aec129e095f02ad3
SH256 hash:
f1f713eed337b5689345785e07be5d7136f34c0195efdee8ac2230144c57e604
MD5 hash:
c297a44fbe7664500b78bac74e5c1251
SHA1 hash:
7ff23c0484c18b458272e52b11e7a31f82374c4a
Link:
https://www.unpac.me/results/99454c4d-827a-4925-a9f6-eba4ce3b9566/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/f1f713eed337b5689345785e07be5d7136f34c0195efdee8ac2230144c57e604

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe f1f713eed337b5689345785e07be5d7136f34c0195efdee8ac2230144c57e604

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2275071/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/300011/

Comments