MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f4f37faf7b52b7544ee58a029dcc54a71941aedcdd2b4eacda2f39c3217aad48. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f4f37faf7b52b7544ee58a029dcc54a71941aedcdd2b4eacda2f39c3217aad48
SHA3-384 hash: bcb7451caf10d7a57899ec54ac23ad65994ec05e39d5a8d7809dce416fc4939a40d12c3bdb3764861b94e41eac2f3a1c
SHA1 hash: fdb2e76b53e55f5083774349998815c598074e22
MD5 hash: e275365c0a8684b5dce1b5b626cb8649
humanhash: butter-maine-emma-pluto
File name:FIFA Football.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:9'839'912 bytes
First seen:2021-10-18 20:43:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cfda23baf1e2e983ddfeca47a5c755a (33 x RedLineStealer, 6 x Dridex, 5 x NetSupport)
ssdeep 196608:dlUuy1BuQSR82yCz4M2p9G3ZkOoh+vbXrKDfjOg/JsXHo4ba+:414QSNyCsG3iOzqWhH/bD
Threatray 1'180 similar samples on MalwareBazaar
TLSH T11BA63392369F6432C3A516B5815C74A0BBB5E83AA4658C9E7F84335F7530FA2CC35F22
File icon (PE):PE icon
dhash icon 4810707161701068 (3 x RedLineStealer)
Reporter JaffaCakes118
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
263
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
FIFA Football.exe
Verdict:
Malicious activity
Analysis date:
2021-10-18 20:42:26 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/aeab3c86-54da-4b28-baa3-d4d1f67e9f7f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/198318/
Detection(s):
SecuriteInfo.com.Trojan.MulDrop7.53194.14125.546.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %temp% directory
Creating a process from a recently created file
Searching for analyzing tools
Launching a service
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Connection attempt to an infection source
Sending a TCP request to an infection source
Stealing user critical data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/38468e00-997c-417b-83da-be20bcae13b9
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/872662
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for URL or domain
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected VMProtect packer
Drops PE files to the user root directory
Found malware configuration
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Defender Exclusion
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 505090 Sample: FIFA Football.exe Startdate: 18/10/2021 Architecture: WINDOWS Score: 100 121 Found malware configuration 2->121 123 Antivirus detection for URL or domain 2->123 125 Multi AV Scanner detection for submitted file 2->125 127 5 other signatures 2->127 13 FIFA Football.exe 9 2->13         started        16 services32.exe 2->16         started        process3 file4 97 C:\Users\user\AppData\...\UpdateChecker.exe, PE32 13->97 dropped 99 C:\Users\user\AppData\...\Snakyheaded.exe, PE32+ 13->99 dropped 19 UpdateChecker.exe 15 8 13->19         started        24 Snakyheaded.exe 3 13->24         started        113 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 16->113 115 Writes to foreign memory regions 16->115 117 Allocates memory in foreign processes 16->117 119 2 other signatures 16->119 26 conhost.exe 16->26         started        signatures5 process6 dnsIp7 101 185.215.113.83, 49755, 60722 WHOLESALECONNECTIONSNL Portugal 19->101 103 c.drovtov.ru 81.177.141.85, 443, 49763, 49764 RTCOMM-ASRU Russian Federation 19->103 105 cdn.discordapp.com 162.159.133.233, 443, 49769 CLOUDFLARENETUS United States 19->105 91 C:\Users\user\AppData\Local\Temp\build.exe, PE32+ 19->91 dropped 129 Detected unpacking (changes PE section rights) 19->129 131 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 19->131 133 Query firmware table information (likely to detect VMs) 19->133 137 7 other signatures 19->137 28 build.exe 19->28         started        31 conhost.exe 19->31         started        135 Adds a directory exclusion to Windows Defender 26->135 33 cmd.exe 26->33         started        35 cmd.exe 26->35         started        file8 signatures9 process10 signatures11 155 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 28->155 157 Writes to foreign memory regions 28->157 159 Allocates memory in foreign processes 28->159 165 2 other signatures 28->165 37 conhost.exe 4 28->37         started        161 Drops PE files to the user root directory 31->161 163 Adds a directory exclusion to Windows Defender 31->163 41 conhost.exe 33->41         started        43 powershell.exe 33->43         started        45 powershell.exe 33->45         started        47 conhost.exe 35->47         started        49 taskkill.exe 35->49         started        process12 file13 93 C:\Users\user\services32.exe, PE32+ 37->93 dropped 143 Adds a directory exclusion to Windows Defender 37->143 51 cmd.exe 37->51         started        53 cmd.exe 1 37->53         started        56 cmd.exe 37->56         started        signatures14 process15 signatures16 58 services32.exe 51->58         started        61 conhost.exe 51->61         started        139 Uses schtasks.exe or at.exe to add and modify task schedules 53->139 141 Adds a directory exclusion to Windows Defender 53->141 63 powershell.exe 22 53->63         started        65 conhost.exe 53->65         started        67 powershell.exe 53->67         started        69 conhost.exe 56->69         started        71 schtasks.exe 56->71         started        process17 signatures18 145 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 58->145 147 Writes to foreign memory regions 58->147 149 Allocates memory in foreign processes 58->149 151 Creates a thread in another existing process (thread injection) 58->151 73 conhost.exe 58->73         started        process19 dnsIp20 107 github.com 140.82.121.4, 443, 49813 GITHUBUS United States 73->107 109 raw.githubusercontent.com 185.199.108.133, 443, 49814 FASTLYUS Netherlands 73->109 111 2 other IPs or domains 73->111 95 C:\Users\user\AppData\...\sihost32.exe, PE32+ 73->95 dropped 153 Adds a directory exclusion to Windows Defender 73->153 78 sihost32.exe 73->78         started        81 cmd.exe 73->81         started        file21 signatures22 process23 signatures24 167 Writes to foreign memory regions 78->167 169 Allocates memory in foreign processes 78->169 171 Creates a thread in another existing process (thread injection) 78->171 83 conhost.exe 78->83         started        173 Adds a directory exclusion to Windows Defender 81->173 85 conhost.exe 81->85         started        87 powershell.exe 81->87         started        89 powershell.exe 81->89         started        process25
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f4f37faf7b52b7544ee58a029dcc54a71941aedcdd2b4eacda2f39c3217aad48/
Threat name:
Win32.Trojan.Reline
Create hunting rule
Status:
Malicious
First seen:
2021-10-18 20:44:10 UTC
AV detection:
17 of 45 (37.78%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0091825486c2d7cfdee49e98c6795be8d32a7f50a68e0d33542b1f047fb7ed7a
RedLineStealer
0c73474ceb5c96ff4c0231b9d542d65c1d78b82de926bbfd4413d81684d78e58
RedLineStealer
486792753b8bf6ae281a6fdb7783f482f288d6c783c603ebd8e31e6a0f354669
RedLineStealer
6a0d05477e23fc1152067fc51d50a044bccf0e0a0654dbae1864df792400e935
RedLineStealer
89e3b00acfc8b0904398665280312cf9a2b426db3eb77b2e5303131de48a2dde
RedLineStealer
b94115f5638021ccf653c3de4c947632560d95d967d64b7b84860e813a8f692a
RedLineStealer
c8b1c11bf16a1052dffb6942d955c31cdad7f0b154e1f855882d4d95359efa54
RedLineStealer
e5c7a8e3c41afa656fe8a0db72a99f86f93aa4085dd1860aa1dd67099ac228aa
RedLineStealer
+ 1'170 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
discovery evasion spyware stealer themida trojan vmprotect
Link:
https://tria.ge/reports/211018-zh62naefh3/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Checks BIOS information in registry
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
dcb842f5e0da9d486cad34d4b809dcaadf9ec4d6991fdb22bdc9aea66489ad1a
MD5 hash:
c02a029c978f13b753c6b578b1588c75
SHA1 hash:
e125d59451e7f467bfd329a00a506decbcd91d83
Link:
https://www.unpac.me/results/117ae664-75d1-46c6-a27d-93d137899dc4/
SH256 hash:
f4f37faf7b52b7544ee58a029dcc54a71941aedcdd2b4eacda2f39c3217aad48
MD5 hash:
e275365c0a8684b5dce1b5b626cb8649
SHA1 hash:
fdb2e76b53e55f5083774349998815c598074e22
Link:
https://www.unpac.me/results/117ae664-75d1-46c6-a27d-93d137899dc4/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/f4f37faf7b52/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f4f37faf7b52b7544ee58a029dcc54a71941aedcdd2b4eacda2f39c3217aad48

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe f4f37faf7b52b7544ee58a029dcc54a71941aedcdd2b4eacda2f39c3217aad48

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/198318/

Comments