MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f569190bd616be12793f40be4e0410daceee75eda14748e5816fef2544faefc2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 17



SHA256 hash: f569190bd616be12793f40be4e0410daceee75eda14748e5816fef2544faefc2
SHA3-384 hash: 4f531cc329f493c7a839de6f3bf6f50200363ca674882196186c7a5868059cb0dbb2a9ba3da1f6bafb887e5824079b4f
SHA1 hash: 7b339be3c856ab3f07372ffa445b21b0d659b9fe
MD5 hash: 027a472cf22cba23c4e0ef56dd1b5717
humanhash: twelve-east-whiskey-quiet
File name: file.exe
Signature: RedLineStealer
File size: 1'756'542 bytes
First seen: 2023-04-04 05:10:11 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 12e12319f1029ec4f8fcbed7e82df162 (388 x DCRat, 52 x RedLineStealer, 51 x Formbook)
ssdeep: 49152:IBJW6yowIrh4gaSqo0nyzY4KhNSVoithuKjSGIPugH7z:yc6TwEhLxvuUVoyknPuUz
Threatray: 5 similar samples on MalwareBazaar
TLSH: T1718522027ED194B2D162293646A97A20EA3D7D312F79CEEF63E4565DDA302C1C7307B2
TrID:
  89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
  3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
  2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter: abuse_ch
Tags: exe RedLineStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 243
Origin country: n/a

Vendor Threat Intelligence
Malware family: redline
ID: 1
File name: file.exe
Verdict: Malicious activity
Analysis date: 2023-04-04 05:13:49 UTC
Tags: rat redline

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Launching a process
Launching the default Windows debugger (dwwin.exe)
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-vm greyware overlay packed packed setupapi.dll shdocvw.dll shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: MinerDownloader, RedLine, Xmrig
Detection: malicious
Classification: troj.spyw.evad.mine
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
DNS related to crypt mining pools
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sample uses process hollowing technique
Sigma detected: Schedule system process
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic MinerDownloader
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph: interactive process/network graph (Behavior Graph ID: 840617, Sample: file.exe, Startdate: 04/04/2023, Architecture: WINDOWS, Score: 100); the graph rendering is not reproduced in this text view.
Threat name: Win32.Spyware.RedLine
Status: Malicious
First seen: 2023-04-04 05:11:08 UTC
File Type: PE (Exe)
Extracted files: 19
AV detection: 18 of 24 (75.00%)
Threat level: 2/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:fm infostealer spyware
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
RedLine
Malware Config
C2 Extraction: 91.193.43.63:81
Unpacked files
SHA256 hash: 48b3f68166cff2fab0bc2e83f98d1ff133d98f0da0a6397de158fdd40272f539
MD5 hash: 0a3a115e0bfe80f23b2a561c31180aa4
SHA1 hash: 196aa315e8e438f911ea1cfc9a0ca5da5f31c3fc

SHA256 hash: f56cab37d108cedc25eb996955e1090181f8331a2f07506f2f9e35c3fb55c5c1
MD5 hash: ba118f23ab57247ffb8aa852b748babc
SHA1 hash: c3df36f696b0321a2c3d502a7a51b22c4e0649b3
Detections: redline

SHA256 hash: 8220e73d95b8981b2c0abfabebf4a02a549c84c7a074e69920939554faf05354
MD5 hash: de66a78a7da9118b703216b78cd0d31b
SHA1 hash: cf5806d8f8851a63e39c2b1ecdd020727c210dc9

SHA256 hash: f569190bd616be12793f40be4e0410daceee75eda14748e5816fef2544faefc2
MD5 hash: 027a472cf22cba23c4e0ef56dd1b5717
SHA1 hash: 7b339be3c856ab3f07372ffa445b21b0d659b9fe
Malware family: RedLine.E
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

Rule name: pe_imphash

Rule name: sfx_pdb
Author: @razvialex
Description: Detect interesting files containing sfx with pdb paths.

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Suspicious_Macro_Presence
Author: Mehmet Ali Kerimoglu (CYB3RMX)
Description: This rule detects common malicious/suspicious implementations.

Rule name: Win32_Trojan_RedLineStealer
Author: Netskope Threat Labs
Description: Identifies RedLine Stealer samples
Reference: deb95cae4ba26dfba536402318154405

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments