MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f29f9ffb56dc42e465f4b30e98fc7649c32779af7a999b3a2e28391cfc28bc0b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f29f9ffb56dc42e465f4b30e98fc7649c32779af7a999b3a2e28391cfc28bc0b
SHA3-384 hash: c4b7442114a1c81720a0c54b6cda40cc064e2a5ecf3b0934b733aa5b405f47dfa7ee646deb9298624f6e90fc3ea73a83
SHA1 hash: 4cb5c5c325b68296160dc2f04ee367ec22e69c8a
MD5 hash: 055a242e51f597dc52c16903c1dfe934
humanhash: charlie-lemon-kentucky-equal
File name:Bandicam 2022.bin
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:2'577'439 bytes
First seen:2022-07-18 18:34:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e1888d3e3e34368cefc07e8f747b2817 (9 x RedLineStealer, 1 x Formbook, 1 x ArkeiStealer)
ssdeep 24576:T00t1yK38+vYHY4rHkXCTM5Eda5f6dbaCAvw6/PDroDzVLemiUludaxvl3RuQ55n:Bv38vE49x6nDroDzVQGl3r
TLSH T12FC51B136A8B0E75DDD23BB461CB633AA734ED30CA3A9B7FB608C53559532C46C1A742
TrID 33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
21.3% (.EXE) Win64 Executable (generic) (10523/12/4)
13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter KdssSupport
Tags:exe RedLineStealer


Avatar
KdssSupport
Uploaded with API

Intelligence

File Origin
# of uploads :
1
# of downloads :
263
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
Bandicam 2022.exe
Verdict:
Malicious activity
Analysis date:
2022-07-18 17:56:58 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/28345130-c83f-41f2-a71a-3161fb76df86

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/291675/
Detection(s):
Win.Trojan.Zeus-9956395-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/26654/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug overlay packed spyeye
Link:
https://www.filescan.io/uploads/62d5a7dd0e298a94f3dac74b/reports/1b9ac966-2461-4d28-a4e3-6c9d7109f366/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Certishell
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bbcdb02a-0fcf-4730-ae2b-3112fd1fe0df
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1036098
Signature
Antivirus detection for dropped file
Contains functionality to inject code into remote processes
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Potential dropper URLs found in powershell memory
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 668588 Sample: Bandicam 2022.bin Startdate: 18/07/2022 Architecture: WINDOWS Score: 100 34 Snort IDS alert for network traffic 2->34 36 Malicious sample detected (through community Yara rule) 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 6 other signatures 2->40 9 Bandicam 2022.exe 1 2->9         started        process3 signatures4 50 Writes to foreign memory regions 9->50 52 Injects a PE file into a foreign processes 9->52 12 AppLaunch.exe 15 7 9->12         started        17 conhost.exe 9->17         started        process5 dnsIp6 28 213.226.123.155, 2014, 49757 E-STYLEISP-ASRU Russian Federation 12->28 30 store5.gofile.io 31.14.70.246, 443, 49780 LINKER-ASFR Virgin Islands (BRITISH) 12->30 32 file114.gofile.io 141.95.207.173, 443, 49781 DFNVereinzurFoerderungeinesDeutschenForschungsnetzese Germany 12->32 26 C:\Users\user\AppData\Local\...\Installer.exe, PE32+ 12->26 dropped 54 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 12->54 56 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 12->56 58 Tries to harvest and steal browser information (history, passwords, etc) 12->58 60 Tries to steal Crypto Currency Wallets 12->60 19 Installer.exe 3 12->19         started        file7 signatures8 process9 signatures10 42 Antivirus detection for dropped file 19->42 44 Multi AV Scanner detection for dropped file 19->44 46 Machine Learning detection for dropped file 19->46 48 Encrypted powershell cmdline option found 19->48 22 powershell.exe 21 19->22         started        process11 process12 24 conhost.exe 22->24         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f29f9ffb56dc42e465f4b30e98fc7649c32779af7a999b3a2e28391cfc28bc0b/
Threat name:
Win32.Spyware.Convagent
Create hunting rule
Status:
Malicious
First seen:
2022-07-18 18:38:18 UTC
File Type:
PE (Exe)
AV detection:
22 of 26 (84.62%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6kpz762w3rboizpuwmhjr7dwjhbso6nppkmzworofa4rz7bixqfq._file
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery evasion exploit infostealer spyware
Link:
https://tria.ge/reports/220718-w8brnaecaq/
Behaviour
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Launches sc.exe
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks computer location settings
Modifies file permissions
Downloads MZ/PE file
Executes dropped EXE
Possible privilege escalation attempt
Stops running service(s)
Modifies security service
RedLine
RedLine payload
Malware Config
C2 Extraction:
213.226.123.155:2014
Unpacked files
SH256 hash:
3b8d3e92ddb62af7c21cd68c8bf94c84830f6a340e7746ed0d4787d9ecad4643
MD5 hash:
b91f5ca1dd905087b2d7738467e1ff7e
SHA1 hash:
c47331895408f6436f63827c0162dc41f976e1fa
Link:
https://www.unpac.me/results/23ca0c75-4ac4-49ae-90f0-e7c9a9127abf/
SH256 hash:
f29f9ffb56dc42e465f4b30e98fc7649c32779af7a999b3a2e28391cfc28bc0b
MD5 hash:
055a242e51f597dc52c16903c1dfe934
SHA1 hash:
4cb5c5c325b68296160dc2f04ee367ec22e69c8a
Link:
https://www.unpac.me/results/23ca0c75-4ac4-49ae-90f0-e7c9a9127abf/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f29f9ffb56dc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f29f9ffb56dc42e465f4b30e98fc7649c32779af7a999b3a2e28391cfc28bc0b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Sectigo_Code_Signed
Create hunting rule
Description:Detects code signed by the Sectigo RSA Code Signing CA
Reference:https://bazaar.abuse.ch/export/csv/cscb/
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe f29f9ffb56dc42e465f4b30e98fc7649c32779af7a999b3a2e28391cfc28bc0b

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/291675/

Comments