MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fe9b603aa67c0d7a86888ae88afa001f467e5566c7b05ce62263d392aaf92037. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fe9b603aa67c0d7a86888ae88afa001f467e5566c7b05ce62263d392aaf92037
SHA3-384 hash: 7cc5ebff22e582fd0f70b0f33c6769cfb9f8885fba099c5159d79b554eefea641016bcb87ac097d806cc3e48e2a23751
SHA1 hash: a3b1eba985e71937d61d5efcaa35b36579746a1c
MD5 hash: 34756465782ec294556a57aa2ddd2bf9
humanhash: montana-alaska-single-fillet
File name:install.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'469'952 bytes
First seen:2021-12-05 23:04:24 UTC
Last seen:2021-12-06 00:56:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d7dd6fa75115d9909f747434e40fff68 (173 x RedLineStealer, 10 x DCRat, 1 x CoinMiner.XMRig)
ssdeep 24576:SWNtPL4Ywf1k6aluhc4GdnGC0m1Qx86TQfSkEaHNYK337oy3NVzLJh:pTjdoH2uhc4GnGCl1Qe6hNaRU6NVJh
Threatray 8'852 similar samples on MalwareBazaar
TLSH T15765336D45C0B21CC0AA91B5EA3CAF5E184CBC5AA4F5F35E583C88F794140EBF4649BE
Reporter JaffaCakes118
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
214
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
install.exe
Verdict:
Malicious activity
Analysis date:
2021-12-05 23:04:17 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/1a9027a2-9d12-488a-ae2d-a8ccb6cdf008

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/211535/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Сreating synchronization primitives
Sending a custom TCP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Running batch commands
Launching a process
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Sending a TCP request to an infection source
Stealing user critical data
Blocking the Windows Defender launch
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/964/overview
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/61ad45a247ed217c0132cf5f/reports/5b0ba490-707e-4908-80e2-a4e874b16fa6/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4dba4720-88bd-4ac4-a35c-43ed860e5395
Result
Threat name:
Phoenix Miner RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/901844
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Conti Backup Database
Sigma detected: Disable or Delete Windows Eventlog
Sigma detected: PowerShell SAM Copy
Sigma detected: Suspicious PowerShell Invocations - Generic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Phoenix Miner
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 534322 Sample: install.exe Startdate: 06/12/2021 Architecture: WINDOWS Score: 100 112 raw.githubusercontent.com 2->112 114 github.com 2->114 144 Antivirus detection for dropped file 2->144 146 Multi AV Scanner detection for dropped file 2->146 148 Multi AV Scanner detection for submitted file 2->148 150 12 other signatures 2->150 10 install.exe 15 7 2->10         started        15 RegHost.exe 13 2->15         started        17 RegHost.exe 2->17         started        signatures3 process4 dnsIp5 122 168.119.104.184, 22192, 49779 HETZNER-ASDE Germany 10->122 124 cdn.discordapp.com 162.159.134.233, 443, 49780 CLOUDFLARENETUS United States 10->124 104 C:\Users\user\AppData\Local\Temp\svhost.exe, PE32+ 10->104 dropped 106 C:\Users\user\AppData\...\install.exe.log, ASCII 10->106 dropped 172 Detected unpacking (changes PE section rights) 10->172 174 Detected unpacking (overwrites its own PE header) 10->174 176 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 10->176 192 4 other signatures 10->192 19 svhost.exe 1 22 10->19         started        126 140.82.121.3, 443, 49796, 49797 GITHUBUS United States 15->126 128 185.199.111.133, 443, 49798, 49801 FASTLYUS Netherlands 15->128 134 2 other IPs or domains 15->134 178 Query firmware table information (likely to detect VMs) 15->178 180 Machine Learning detection for dropped file 15->180 182 Injects code into the Windows Explorer (explorer.exe) 15->182 184 Injects a PE file into a foreign processes 15->184 24 explorer.exe 15->24         started        26 bfsvc.exe 15->26         started        28 cmd.exe 15->28         started        36 2 other processes 15->36 130 raw.githubusercontent.com 17->130 132 github.com 17->132 186 Writes to foreign memory regions 17->186 188 Allocates memory in foreign processes 17->188 190 Modifies the context of a thread in another process (thread injection) 17->190 30 bfsvc.exe 17->30         started        32 cmd.exe 17->32         started        34 cmd.exe 17->34         started        38 2 other processes 17->38 file6 signatures7 process8 dnsIp9 116 github.com 140.82.121.4, 443, 49784, 49785 GITHUBUS United States 19->116 118 raw.githubusercontent.com 185.199.108.133, 443, 49786, 49789 FASTLYUS Netherlands 19->118 94 C:\Users\user\AppData\Roaming\...\RegHost.exe, PE32+ 19->94 dropped 96 C:\Users\user\AppData\Roaming\...\7z.exe, PE32+ 19->96 dropped 98 C:\Users\user\AppData\Roaming\...\7z.dll, PE32+ 19->98 dropped 100 2 other files (none is malicious) 19->100 dropped 152 Query firmware table information (likely to detect VMs) 19->152 154 Machine Learning detection for dropped file 19->154 156 Contains functionality to inject code into remote processes 19->156 160 5 other signatures 19->160 40 bfsvc.exe 1 19->40         started        50 5 other processes 19->50 43 RegHost.exe 24->43         started        158 Hides threads from debuggers 26->158 46 conhost.exe 26->46         started        52 2 other processes 28->52 48 conhost.exe 30->48         started        55 2 other processes 32->55 57 2 other processes 34->57 59 2 other processes 36->59 file10 signatures11 process12 dnsIp13 162 Hides threads from debuggers 40->162 61 conhost.exe 40->61         started        136 raw.githubusercontent.com 43->136 138 github.com 43->138 164 Query firmware table information (likely to detect VMs) 43->164 166 Injects code into the Windows Explorer (explorer.exe) 43->166 168 Writes to foreign memory regions 43->168 170 4 other signatures 43->170 63 bfsvc.exe 43->63         started        67 cmd.exe 43->67         started        69 cmd.exe 43->69         started        78 2 other processes 43->78 140 192.168.2.1 unknown unknown 50->140 71 7z.exe 2 50->71         started        73 curl.exe 1 50->73         started        76 conhost.exe 50->76         started        80 2 other processes 50->80 102 C:\Users\user\AppData\...\RegData_Temp.exe, PE32+ 52->102 dropped file14 signatures15 process16 dnsIp17 108 \Device\ConDrv, ASCII 63->108 dropped 142 Hides threads from debuggers 63->142 82 conhost.exe 63->82         started        84 conhost.exe 67->84         started        86 7z.exe 67->86         started        88 conhost.exe 69->88         started        90 7z.exe 69->90         started        110 C:\Users\user\AppData\...\RegHost_Temp.exe, PE32+ 71->110 dropped 120 api.telegram.org 149.154.167.220, 443, 49781 TELEGRAMRU United Kingdom 73->120 92 RegHost.exe 78->92         started        file18 signatures19 process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fe9b603aa67c0d7a86888ae88afa001f467e5566c7b05ce62263d392aaf92037/
Threat name:
Win32.Trojan.RedLineSteal
Create hunting rule
Status:
Malicious
First seen:
2021-12-05 23:05:17 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=72nwaovgpqgxvbuirluiv6qad5dh4vlgy6yfzzrcmpjzfkxzea3q._file
Verdict:
malicious
Similar samples:
0575a7431f07b940e6757d2cffbf1ec4fba829f173fc95a4df953a9ef10994c4
RedLineStealer
1ae23f0ef7e87606cbedc68a7c5bc45f995462d13cac3907a2a5f344e8cc3f2e
RedLineStealer
2f296b56bfd637fd96dd195bcd8e8d119ebaf9bbda1e7c992fcb2cf550008735
RedLineStealer
39f8595624535025d6a99bfe5e8619ee4ba1d5bc635d0432cebc885eac61b3ff
RedLineStealer
521bb81a2b272528789a3177acc21bfa98edbebe8ada0057092ac89e450111d7
RedLineStealer
7c3cb0e297c2089838fe775b2e79702c8ea97ab5c850788f5e091ae2bfa0d9b0
RedLineStealer
7e0150a3d7bbc38f40afa31e78a1e280954ccea8211f98f32e2c65ec96bde43c
RedLineStealer
9b5ed328b480c04906ccd41ce1a536cfa5607e51acf66fb21910b1859eb0a73f
RedLineStealer
e3007d101e7b91e6eec1ddfee567aabd01613faae772967a61aff14d460d9230
RedLineStealer
+ 8'842 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery evasion infostealer spyware stealer trojan
Link:
https://tria.ge/reports/211205-22tlsadadl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Reads user/profile data of web browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RedLine
RedLine Payload
Unpacked files
SH256 hash:
6851e02d3f4b8179b975f00bbc86602a2f2f84524f548876eb656db7ea5eaa9c
MD5 hash:
c5124caf4aea3a83b63a9108fe0dcef8
SHA1 hash:
a43a5a59038fca5a63fa526277f241f855177ce6
Link:
https://www.unpac.me/results/f122bf14-6eda-463a-b316-27740f7eb704/
SH256 hash:
fe9b603aa67c0d7a86888ae88afa001f467e5566c7b05ce62263d392aaf92037
MD5 hash:
34756465782ec294556a57aa2ddd2bf9
SHA1 hash:
a3b1eba985e71937d61d5efcaa35b36579746a1c
Link:
https://www.unpac.me/results/f122bf14-6eda-463a-b316-27740f7eb704/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/fe9b603aa67c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fe9b603aa67c0d7a86888ae88afa001f467e5566c7b05ce62263d392aaf92037

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe fe9b603aa67c0d7a86888ae88afa001f467e5566c7b05ce62263d392aaf92037

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/211535/

Comments