MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa0fbb296de3208283f4d28a43bc59736bf2b4d0c4e97cd6b0f925a8492bdad2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 16


Intelligence 16 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fa0fbb296de3208283f4d28a43bc59736bf2b4d0c4e97cd6b0f925a8492bdad2
SHA3-384 hash: 12686a2860c1f759b19a0210404bf0f9d6d3b04a1ed803400e675d38ae4a4b9e7ace17f84d979e4ebc997c8acc7ca708
SHA1 hash: 60474bfddd19e5b77d069634779aae1a25c7bf3a
MD5 hash: 1e4b55d15b9dfafcc4361d35088575a3
humanhash: football-wyoming-lion-pennsylvania
File name:Software.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:224'768 bytes
First seen:2022-11-14 08:34:09 UTC
Last seen:2022-11-14 10:42:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ea931bc21ede436bf268fa9ffe43108a (7 x RedLineStealer, 1 x RecordBreaker)
ssdeep 6144:ldDpTBe1NQ1mwyB3k1mwyB3IxwZLHat3c2RHB8Jsn9KnAMOWN15nEr:ldDpTBe1NQ1mwyB3k1mwyB3Ixia1bHBQ
Threatray 25 similar samples on MalwareBazaar
TLSH T1B9249E2731208031CC95D9F619F2D57B8CAEAB554FD8C1CB10DC01AB1A7FBA7496E62B
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter tcains1
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
186
Origin country :
US US
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
Software1.rar
Verdict:
Malicious activity
Analysis date:
2022-11-12 21:47:26 UTC
Tags:
redline
Link:
https://app.any.run/tasks/e38b4070-2bac-4339-bb9b-02a96c958711

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/333658/
Detection(s):
SecuriteInfo.com.Trojan.PWS.StealerNET.125.24841.32429.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a window
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/6371fdb64dc24c6f80b80453/reports/ecee55bd-5932-4db4-82c2-0d99a93495a3/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/72b40809-e983-4460-b0d5-8eec77fdad03
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1112716
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Go Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 745414 Sample: Software.exe Startdate: 14/11/2022 Architecture: WINDOWS Score: 100 31 Snort IDS alert for network traffic 2->31 33 Multi AV Scanner detection for domain / URL 2->33 35 Malicious sample detected (through community Yara rule) 2->35 37 8 other signatures 2->37 7 Software.exe 1 2->7         started        process3 signatures4 45 Contains functionality to inject code into remote processes 7->45 47 Writes to foreign memory regions 7->47 49 Allocates memory in foreign processes 7->49 51 Injects a PE file into a foreign processes 7->51 10 vbc.exe 15 7 7->10         started        15 conhost.exe 7->15         started        process5 dnsIp6 27 195.201.122.190, 40127, 49712 HETZNER-ASDE Germany 10->27 29 cdn.discordapp.com 162.159.134.233, 443, 49715 CLOUDFLARENETUS United States 10->29 21 C:\Users\user\AppData\Local\Temp\5555.exe, PE32+ 10->21 dropped 53 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 10->53 55 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 10->55 57 Tries to harvest and steal browser information (history, passwords, etc) 10->57 59 Tries to steal Crypto Currency Wallets 10->59 17 5555.exe 1 10->17         started        file7 signatures8 process9 dnsIp10 23 youtube-ui.l.google.com 172.217.168.46, 443, 49718 GOOGLEUS United States 17->23 25 www.youtube.com 17->25 39 Antivirus detection for dropped file 17->39 41 Multi AV Scanner detection for dropped file 17->41 43 Tries to harvest and steal browser information (history, passwords, etc) 17->43 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fa0fbb296de3208283f4d28a43bc59736bf2b4d0c4e97cd6b0f925a8492bdad2/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-11-13 09:41:38 UTC
File Type:
PE (Exe)
AV detection:
16 of 25 (64.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7ih3wkln4mqifa7u2kfehpczonv7fngqytuxzvvq7es2qsjl3lja._file
Verdict:
malicious
Similar samples:
050505c077b590adaa0dde0669639616828ffd3e5ced0cba3a94d3c13633195d
RedLineStealer
06b2f4503ff44aeb98aefb8f65f5392c7b90f1ca8dc618a249b866914590a40f
RedLineStealer
185162ce404a5fa9310340b9c39516ab09073c1460dfc1dd066541c1756563a4
RedLineStealer
3e755f19a2b5cff69e104ab1058776f00fb63defb5de012e7be20371cfd77598
RedLineStealer
4450df031fa2a81d17c5278b0542aabe3b05c0ad0d7e103c1fe8121b61a9ec65
RedLineStealer
8a22dcb984e86c2d1ba6c2bca10a3b4af294239e87bee03467242f872c3e0b98
RedLineStealer
be607f4670ec8ae8808e6c46603344dcd3d0e58c7e2c7644cf6a360e60f92ce7
RedLineStealer
d576e059f376adc56b3ad3e62b5a808c26b6f70dfc50e10e4cd3b6eacfc5a2ea
RedLineStealer
e882307e9daa68c915a83adb7a7a0e0e8d9c137c6544c964dc3f05f0f7af64a7
RedLineStealer
+ 15 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:millionbaks infostealer spyware stealer
Link:
https://tria.ge/reports/221114-kgz5dsfh33/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Downloads MZ/PE file
Executes dropped EXE
RedLine
RedLine payload
Malware Config
C2 Extraction:
195.201.122.190:40127
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ddf9c437-b643-463f-878e-e0475601dbb1
Unpacked files
SH256 hash:
f83c63b695883848eebeb453cb0f73ace8928f0156ad1ab8ec8f8e63d9aee4c7
MD5 hash:
281e2b243e70d212e53d6431cdace93a
SHA1 hash:
153b5c5450b84e83775a84f80d104a0b48d819ff
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/959e3656-0278-4405-8e6f-0e6306f2f796/
SH256 hash:
fa0fbb296de3208283f4d28a43bc59736bf2b4d0c4e97cd6b0f925a8492bdad2
MD5 hash:
1e4b55d15b9dfafcc4361d35088575a3
SHA1 hash:
60474bfddd19e5b77d069634779aae1a25c7bf3a
Link:
https://www.unpac.me/results/959e3656-0278-4405-8e6f-0e6306f2f796/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fa0fbb296de3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fa0fbb296de3208283f4d28a43bc59736bf2b4d0c4e97cd6b0f925a8492bdad2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe fa0fbb296de3208283f4d28a43bc59736bf2b4d0c4e97cd6b0f925a8492bdad2

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/333658/

Comments