MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fc32960a5086c544352213357c9282a408bda484da273e5148b4018826e8459f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fc32960a5086c544352213357c9282a408bda484da273e5148b4018826e8459f
SHA3-384 hash: 0014a0441b633fbe0fdc8f1bc976c8b90a0315ccfcc60c79140b24e2cd3b18a467e53db51440a7a9a49415b24c6e7404
SHA1 hash: 8742da4f1493641f054dd118af4d3da68fe33cc1
MD5 hash: 8e30ebd41575c10a454c9b78457e1b11
humanhash: angel-wolfram-april-idaho
File name:8e30ebd41575c10a454c9b78457e1b11.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'320'837 bytes
First seen:2023-05-03 00:00:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 12e12319f1029ec4f8fcbed7e82df162 (388 x DCRat, 52 x RedLineStealer, 51 x Formbook)
ssdeep 24576:2TbBv5rUyXVr40Xkz3aHHemwcdT+TUuGA0qQVwsm6daZWc:IBJ00kz3YjwcIDN+M6dvc
Threatray 11 similar samples on MalwareBazaar
TLSH T18F55120379D195B2C4621D336A75AB21A93DBD201F26CEDF23D06A6EDD321C1CB317A6
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
135.181.7.171:81

Intelligence

File Origin
# of uploads :
1
# of downloads :
300
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
8e30ebd41575c10a454c9b78457e1b11.exe
Verdict:
Malicious activity
Analysis date:
2023-05-03 00:02:45 UTC
Tags:
rat redline
Link:
https://app.any.run/tasks/825299cb-9f7c-49c6-ad29-61fe7b686ee6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/386167/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.38920448.13962.7593.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process from a recently created file
Launching a process
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/82255/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm cmd cmd.exe greyware overlay packed packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/6451a43f961a21dc785c8019/reports/1f60bafd-a33f-4594-845b-24751873df17/overview
Verdict:
Malicious
Labled as:
BScope.Trojan.VBS
Link:
https://www.hybrid-analysis.com/sample/fc32960a5086c544352213357c9282a408bda484da273e5148b4018826e8459f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Conti
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7bb20312-cee1-4444-a074-e23d52d5eb21
Result
Threat name:
MinerDownloader, RedLine, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1225055
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to inject code into remote processes
Encrypted powershell cmdline option found
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample is not signed and drops a device driver
Sample uses process hollowing technique
Sigma detected: Schedule system process
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Generic MinerDownloader
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 858018 Sample: 7aqYJ5Mnxz.exe Startdate: 03/05/2023 Architecture: WINDOWS Score: 100 99 pastebin.com 2->99 125 Snort IDS alert for network traffic 2->125 127 Found malware configuration 2->127 129 Malicious sample detected (through community Yara rule) 2->129 131 16 other signatures 2->131 12 7aqYJ5Mnxz.exe 11 2->12         started        15 cmd.exe 2->15         started        17 cmd.exe 2->17         started        19 5 other processes 2->19 signatures3 process4 file5 87 C:\Users\user\AppData\Local\...\yl55pp7.exe, PE32 12->87 dropped 89 C:\Users\user\AppData\...\qahakghct1ltry.exe, PE32 12->89 dropped 21 cmd.exe 1 12->21         started        24 winlogson.exe 15->24         started        26 conhost.exe 15->26         started        28 chcp.com 15->28         started        30 conhost.exe 17->30         started        32 chcp.com 17->32         started        34 conhost.exe 19->34         started        36 conhost.exe 19->36         started        38 5 other processes 19->38 process6 signatures7 135 Encrypted powershell cmdline option found 21->135 137 Uses schtasks.exe or at.exe to add and modify task schedules 21->137 40 yl55pp7.exe 1 21->40         started        43 qahakghct1ltry.exe 1 21->43         started        45 conhost.exe 21->45         started        47 cmd.exe 1 21->47         started        139 Antivirus detection for dropped file 24->139 141 Multi AV Scanner detection for dropped file 24->141 143 Machine Learning detection for dropped file 24->143 process8 signatures9 145 Antivirus detection for dropped file 40->145 147 Machine Learning detection for dropped file 40->147 149 Writes to foreign memory regions 40->149 151 Sample uses process hollowing technique 40->151 49 RegSvcs.exe 1 40->49         started        52 RegSvcs.exe 40->52         started        54 WerFault.exe 40->54         started        153 Contains functionality to inject code into remote processes 43->153 155 Allocates memory in foreign processes 43->155 157 Injects a PE file into a foreign processes 43->157 56 RegSvcs.exe 14 5 43->56         started        59 WerFault.exe 22 9 43->59         started        process10 dnsIp11 113 Writes to foreign memory regions 49->113 115 Injects a PE file into a foreign processes 49->115 61 AppLaunch.exe 49->61         started        66 conhost.exe 49->66         started        101 135.181.7.171, 49716, 81 HETZNER-ASDE Germany 56->101 103 api.ip.sb 56->103 117 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 56->117 119 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 56->119 121 Tries to harvest and steal browser information (history, passwords, etc) 56->121 123 Tries to steal Crypto Currency Wallets 56->123 105 192.168.2.1 unknown unknown 59->105 signatures12 process13 dnsIp14 107 github.com 140.82.121.3, 443, 49710, 49711 GITHUBUS United States 61->107 109 raw.githubusercontent.com 185.199.110.133, 443, 49712, 49714 FASTLYUS Netherlands 61->109 111 pastebin.com 104.20.67.143, 443, 49709 CLOUDFLARENETUS United States 61->111 91 C:\ProgramData\Dllhost\winlogson.exe, PE32+ 61->91 dropped 93 C:\ProgramData\Dllhost\dllhost.exe, PE32 61->93 dropped 95 C:\ProgramData\Dllhost\WinRing0x64.sys, PE32+ 61->95 dropped 97 C:\ProgramData\HostData\logs.uce, ASCII 61->97 dropped 159 Sample is not signed and drops a device driver 61->159 68 cmd.exe 61->68         started        71 cmd.exe 61->71         started        73 cmd.exe 61->73         started        file15 signatures16 process17 signatures18 133 Encrypted powershell cmdline option found 68->133 75 conhost.exe 68->75         started        77 powershell.exe 68->77         started        79 conhost.exe 71->79         started        81 schtasks.exe 71->81         started        83 conhost.exe 73->83         started        85 schtasks.exe 73->85         started        process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fc32960a5086c544352213357c9282a408bda484da273e5148b4018826e8459f/
Threat name:
Win32.Trojan.Jaik
Create hunting rule
Status:
Malicious
First seen:
2023-05-03 00:01:10 UTC
File Type:
PE (Exe)
Extracted files:
20
AV detection:
15 of 37 (40.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7qzjmcsqq3cuinjccm2xzeucuqel3jee3itt4ukiwqayqjxiiwpq._file
Verdict:
malicious
Similar samples:
274dfd3f3ff0da31cb2163147a83b9fa22bc73b271f15f13e0d8c40ed6ab7ed6
RedLineStealer
6df58f4dde905b78e0ce80d0bb41792004f9ac39efec4acbfb4f54c342ac6dcb
RedLineStealer
6f17df45dd876aaedc0551c4acd7f22d26195fecff94c86aa38f68a823e4ed1b
RedLineStealer
7f167b28d9c7abdc22f28b869ff375d421d6bbe12ccbc8299d16d4fbea022315
RedLineStealer
82a5d382c3b4fe2e17f09af36df20f1e53bb8b712ca6f7af9a15861b38f91f24
RedLineStealer
b3363dfa7a54e375c98d4934c85bf995738822c8c3899280c3076876fca74db3
RedLineStealer
e40fead052850b5d2c4ef6d699c15af82eaee437784b0f359abf5dcc78852b8a
RedLineStealer
f9a34a14c69e1c21529800bbdf4b9d7f357d3105e41acfb0aaca1b9d22122893
RedLineStealer
+ 1 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:red infostealer spyware
Link:
https://tria.ge/reports/230503-aawtaaeg5z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
RedLine
Malware Config
C2 Extraction:
135.181.7.171:81
Unpacked files
SH256 hash:
47c6e59711f00b9ab034f7197b691885e1a107788015a22541898b6b000b2623
MD5 hash:
af14fbc348865553af4d0f4b2de9d549
SHA1 hash:
e5a0187baec408aa22b2742c7f8945c79a6a4934
Link:
https://www.unpac.me/results/8a122518-c422-43be-b457-0282c7d14aad/
SH256 hash:
58c13ce5d90316dcc21547ef60c96150833e63a9af21f318abe85649ef38af2a
MD5 hash:
64aa9824f9ca9ca476aedaabf76a4238
SHA1 hash:
05d359f525c92331e9705bf1a59629d3db5a80f1
Link:
https://www.unpac.me/results/8a122518-c422-43be-b457-0282c7d14aad/
SH256 hash:
f7affcbec42be10a452ecc5caf9ae79d69ce87e9b2b1ed0e6a751a38c701c4e4
MD5 hash:
7b12142c56cba6f8869aae6ae3a73e5b
SHA1 hash:
d2ca258de81307b71c75db1952f56ca3b960b135
Link:
https://www.unpac.me/results/8a122518-c422-43be-b457-0282c7d14aad/
SH256 hash:
62844a072fbd7e8a68fd90b7917cbfa562e515f0fbc508b7a34120f9adb808ea
MD5 hash:
5d67c8edbd3055dcc8e82bb103bdc52b
SHA1 hash:
73c001f4a83b110ebbf77cbaefebe133a6a60758
Link:
https://www.unpac.me/results/8a122518-c422-43be-b457-0282c7d14aad/
SH256 hash:
fc32960a5086c544352213357c9282a408bda484da273e5148b4018826e8459f
MD5 hash:
8e30ebd41575c10a454c9b78457e1b11
SHA1 hash:
8742da4f1493641f054dd118af4d3da68fe33cc1
Link:
https://www.unpac.me/results/8a122518-c422-43be-b457-0282c7d14aad/
Malware family:
RedLine.E
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fc32960a5086/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fc32960a5086c544352213357c9282a408bda484da273e5148b4018826e8459f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
Create hunting rule
Author:ditekSHen
Description:Detects executables (downlaoders) containing URLs to raw contents of a paste
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:sfx_pdb
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/386167/

Comments