MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 feea736830ca5f27a8bceb7f9ffd01218bbc7301b5d8d3ab5e0716471e5f8ad5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: feea736830ca5f27a8bceb7f9ffd01218bbc7301b5d8d3ab5e0716471e5f8ad5
SHA3-384 hash: 99928d78702202a215da1dd3644e6fb009b4917734a166bbc94e20c53a912e1cf4df68ab7445b0d5180769b01f5ce7b7
SHA1 hash: 3ecca1133b89e1032b8c77774089accf9ea2af85
MD5 hash: e6de6f3450a5dbfc9299a582e74ab242
humanhash: mississippi-seven-friend-black
File name:forderung.pdf.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:271'360 bytes
First seen:2021-01-31 22:09:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f540b334cf25ba0cecf0cf422e7b7b47 (1 x RedLineStealer)
ssdeep 6144:yYfSmScE/8EsAc/cs1mJqvLMLK3Lxn5mHc0C+jMF:zSzcE/8Esh/cYmJqv4LK3LxvT+
Threatray 725 similar samples on MalwareBazaar
TLSH C444BF1132E0C072E15339354E25C2B24A7BB872B862E98F3FD6167A5F346D2DA2571F
Reporter neoxmorpheus1
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
156
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
forderung.pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-01-31 22:08:21 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/bd7663aa-3789-4261-b711-cbbf6137915d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/114390/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Launching a process
Creating a file
Sending an HTTP POST request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Creating a file in the %temp% directory
Deleting a recently created file
Sending a TCP request to an infection source
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/594844
Signature
Antivirus detection for URL or domain
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 346459 Sample: forderung.pdf.exe Startdate: 31/01/2021 Architecture: WINDOWS Score: 100 31 Antivirus detection for URL or domain 2->31 33 Multi AV Scanner detection for submitted file 2->33 35 Yara detected RedLine Stealer 2->35 37 5 other signatures 2->37 6 forderung.pdf.exe 15 3 2->6         started        process3 dnsIp4 21 tudara.ru 81.177.165.241, 443, 49722 RTCOMM-ASRU Russian Federation 6->21 23 192.168.2.1 unknown unknown 6->23 19 C:\Users\user\...\forderung.pdf.exe.log, ASCII 6->19 dropped 39 Detected unpacking (overwrites its own PE header) 6->39 41 Writes to foreign memory regions 6->41 43 Sample uses process hollowing technique 6->43 45 Injects a PE file into a foreign processes 6->45 11 AddInProcess32.exe 6->11         started        14 AddInProcess32.exe 14 23 6->14         started        17 AddInProcess32.exe 6->17         started        file5 signatures6 process7 dnsIp8 47 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 11->47 49 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 11->49 25 api.ip.sb 14->25 27 WHOIS.RIPE.NET 193.0.6.135, 43, 49734 RIPE-NCC-ASReseauxIPEuropeensNetworkCoordinationCentre Netherlands 14->27 29 3 other IPs or domains 14->29 51 Tries to harvest and steal browser information (history, passwords, etc) 14->51 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/feea736830ca5f27a8bceb7f9ffd01218bbc7301b5d8d3ab5e0716471e5f8ad5/
Threat name:
Win32.Trojan.CoinminerX
Create hunting rule
Status:
Malicious
First seen:
2021-01-31 22:10:06 UTC
AV detection:
16 of 45 (35.56%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
0fd0591e79669d6016acff95109efd434cc39498d83f4ebdaac67c96091e4fa9
RedLineStealer
1a8d85a16bcc49b33c11489af823ff2f15caa31ecb616330bb54a4ca5b261769
RedLineStealer
30dac0d69e366db4ce57a0935d5619e4bcebfcbaa9f14b7618970cc2aaa522f4
RedLineStealer
3e4bbaedb75ecb1dba42d262fbb6c051d30dddbf7d10ceac4086836b67f1dd3a
RedLineStealer
4c4ee69bd58db589d202dcfb5872fb970e4367547e4ba90f57d9db502daa1c65
RedLineStealer
52e864374ebb34727b88f278970946520a53383c0b7e85dbbc664b45329616e3
RedLineStealer
5fd83f2a0ab55a807929ded55e138b988f873280876ae15fde0332732b38e2da
RedLineStealer
6d2a566cdadb7d1397ba4cc96cf0ad361358a717523f547c30af8c92b88b712b
RedLineStealer
72bc51445d960d638c96f46057b76b5200ed88009ef44d767e870e56d7c562aa
RedLineStealer
c93d6c966b427a7fbc632d2f6b39a09df059b56e0c4e4a307b0318c4198219c5
RedLineStealer
+ 715 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210131-a1vd3mj52n/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
feea736830ca5f27a8bceb7f9ffd01218bbc7301b5d8d3ab5e0716471e5f8ad5
MD5 hash:
e6de6f3450a5dbfc9299a582e74ab242
SHA1 hash:
3ecca1133b89e1032b8c77774089accf9ea2af85
Link:
https://www.unpac.me/results/42096c23-540c-4dc9-8eae-5005d6fbb534/
SH256 hash:
98804c5984d8e2ba87d6dd90d7c4eea6afcbd28eeceb320885a5045f04c81e00
MD5 hash:
3b78574778f8af9a0c7dd6b5fd3a96e8
SHA1 hash:
18fff9492facdc067fd6bdc6dcfc777b2da8e6a6
Link:
https://www.unpac.me/results/42096c23-540c-4dc9-8eae-5005d6fbb534/
SH256 hash:
e77f9ca4eb19b1c37d49b39b03618ce1f33a635eff1da4691a449637a05fc186
MD5 hash:
b2e828a595587fe97cb06cc7f3c95f3b
SHA1 hash:
d47b57dcc86d4c6cd812d59bbfc3f853cc26f98c
Link:
https://www.unpac.me/results/42096c23-540c-4dc9-8eae-5005d6fbb534/
SH256 hash:
77b81da54fdeef036c0f80675f1a2aae465b11d4e464ac07766a47bebfe9988d
MD5 hash:
bc37445994167a4da8b10d2f85d0a319
SHA1 hash:
e2286a7c75f25f2f97c22e1043abeaa9b96e6a91
Link:
https://www.unpac.me/results/42096c23-540c-4dc9-8eae-5005d6fbb534/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Emotet
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/feea736830ca5f27a8bceb7f9ffd01218bbc7301b5d8d3ab5e0716471e5f8ad5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/114390/

Comments