MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f431bf3113fbaa6b1056b830f3a804e96a3282e618fa65fded1ba1d4d4c73ce6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f431bf3113fbaa6b1056b830f3a804e96a3282e618fa65fded1ba1d4d4c73ce6
SHA3-384 hash: ac754b13a0fcbd4a8e2310b4d408251fcaaf4f38ee4d85bfbbf284586b1b4881dac27e85ce81e16adb71d030dc36db4d
SHA1 hash: 3c07cec6b24ca8b2186894d9d5d188d2ebf516cf
MD5 hash: b6853f9c7daf4e8e2e26f566561aa4c7
humanhash: illinois-leopard-fish-florida
File name:b6853f9c7daf4e8e2e26f566561aa4c7.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:2'381'216 bytes
First seen:2022-08-24 06:05:47 UTC
Last seen:2022-08-24 06:31:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1e33718404ffbe0d91b536c10bf053f8 (80 x RedLineStealer, 7 x RecordBreaker, 4 x N-W0rm)
ssdeep 24576:X2WHnBXBZ1NNpWYdYa/ah6uzMEQd9JPTz0b8wZAePMWFNSq7M3NF5kiPXXrAvlMi:m25NNiy1WFkHmiPXXra1mImZvqv
Threatray 328 similar samples on MalwareBazaar
TLSH T1A2B5AEA5F70F2366DAA7C3318ADEDEB79720252440155EBFBF4EFD08F0621122DA1952
TrID 44.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
23.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
9.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.4% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
5.252.177.124:17129

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
5.252.177.124:17129 https://threatfox.abuse.ch/ioc/845075/

Intelligence

File Origin
# of uploads :
2
# of downloads :
327
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
b6853f9c7daf4e8e2e26f566561aa4c7.exe
Verdict:
Malicious activity
Analysis date:
2022-08-24 06:06:32 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/f833029a-c5fd-4936-b160-3962ca600e7e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/300723/
Detection(s):
SecuriteInfo.com.Variant.Fragtor.133887.2701.10425.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/29880/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug overlay packed
Link:
https://www.filescan.io/uploads/6305c00ab6f2a6ec1d6104df/reports/47002666-4f8b-4a4d-987f-a141b3f8dbd3/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3e3a8153-1d5d-417d-8b32-6e7aaff64015
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1056749
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to inject code into remote processes
Found API chain indicative of debugger detection
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 689266 Sample: jSmuXFV4PI.exe Startdate: 24/08/2022 Architecture: WINDOWS Score: 100 27 Snort IDS alert for network traffic 2->27 29 Malicious sample detected (through community Yara rule) 2->29 31 Antivirus / Scanner detection for submitted sample 2->31 33 4 other signatures 2->33 7 jSmuXFV4PI.exe 1 2->7         started        process3 signatures4 39 Found API chain indicative of debugger detection 7->39 41 Writes to foreign memory regions 7->41 43 Sample uses process hollowing technique 7->43 45 Injects a PE file into a foreign processes 7->45 10 AppLaunch.exe 1 7->10         started        13 AppLaunch.exe 7->13         started        15 conhost.exe 7->15         started        17 AppLaunch.exe 7->17         started        process5 signatures6 47 Injects a PE file into a foreign processes 10->47 19 AppLaunch.exe 5 10->19         started        23 conhost.exe 10->23         started        49 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 13->49 51 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 13->51 53 Contains functionality to inject code into remote processes 13->53 process7 dnsIp8 25 5.252.177.124, 17129, 49739 MIVOCLOUDMD Moldova Republic of 19->25 35 Tries to harvest and steal browser information (history, passwords, etc) 19->35 37 Tries to steal Crypto Currency Wallets 19->37 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f431bf3113fbaa6b1056b830f3a804e96a3282e618fa65fded1ba1d4d4c73ce6/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2022-08-20 03:33:34 UTC
File Type:
PE (Exe)
AV detection:
12 of 26 (46.15%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6qy36mit7ovgwecwxayphkae5fvdfaxgdd5gl7pndoq5jvghhtta._file
Verdict:
malicious
Similar samples:
184e41a9fca98ca1a748e16b005d77fc5f07d708ba812846c445b56c170604d9
RedLineStealer
3af04df3edffa17a508bf6354f0221775dbc265eea73c9fd0a024dea65d3f82b
RedLineStealer
59292b957c1aa3f92eb26dcdf6bcd1c9db6d3cf950d57d346ce6e3c2f33005e3
RedLineStealer
5b3273f09ad5782f7a310f93799361caa312624ab75e7a09c445af4422ce467a
RedLineStealer
5d3383da6195abae123488da8bce81e373bfef7b64ad99931b20870cff06e1a9
RedLineStealer
67e93ed0c5dcb45ba6cba67ea269eca0f811cfebe9a4fcdc492ff340945ce281
RedLineStealer
91e9ff830bee00ed634284c3d3706fbc7f9cdc3d377a5ff1bb9dfccfb37ca204
RedLineStealer
a58b9011b1c8666023b4cdbe69d2956470b1353560851df89753d50eec9d9721
RedLineStealer
+ 318 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:mama infostealer spyware
Link:
https://tria.ge/reports/220824-gtqvpshcap/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
RedLine
RedLine payload
Malware Config
C2 Extraction:
5.252.177.124:17129
Unpacked files
SH256 hash:
ed4d6561ee44648fcd79f7cc99ce7bba025468d5ecf8c8c36450a3c395cbf6ee
MD5 hash:
1cf76423e0791de146e1ccf7fb440c25
SHA1 hash:
57664ef5e90e49600656643992bb86d5c592b162
Link:
https://www.unpac.me/results/1f296895-375a-46ba-a432-fe02c413e0a1/
SH256 hash:
f431bf3113fbaa6b1056b830f3a804e96a3282e618fa65fded1ba1d4d4c73ce6
MD5 hash:
b6853f9c7daf4e8e2e26f566561aa4c7
SHA1 hash:
3c07cec6b24ca8b2186894d9d5d188d2ebf516cf
Link:
https://www.unpac.me/results/1f296895-375a-46ba-a432-fe02c413e0a1/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f431bf3113fb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/f431bf3113fbaa6b1056b830f3a804e96a3282e618fa65fded1ba1d4d4c73ce6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/300723/

Comments