MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ffd613adee9a323bcadae6dc192ab9a7606169623b3bf139443ba046c8ec144f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ffd613adee9a323bcadae6dc192ab9a7606169623b3bf139443ba046c8ec144f
SHA3-384 hash: 59b946a9d7b6977d30211695e6415149ea69ef56a3f638f880be7f386cb47cf660fb4f2f0bcc68b4cc579bd666d4851c
SHA1 hash: 306137fec351dfb7991620bb644e891b87106363
MD5 hash: 231da61d2ab3e7f30525efc6b89d7d50
humanhash: vegan-april-seven-undress
File name:231da61d2ab3e7f30525efc6b89d7d50
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:4'086'784 bytes
First seen:2022-04-02 17:28:19 UTC
Last seen:2022-04-02 19:05:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash dcd3ebbef25b28fb0aa22ee1d7658c44 (8 x RedLineStealer)
ssdeep 98304:QpM4gDjAZ9sOI//kbLK3LCPynzMDIjBIcM1sa/FMYgir4U/6YgjLN:Qp4fA/sDHkK7CoMoILp9Mc0y1gjh
Threatray 81 similar samples on MalwareBazaar
TLSH T1E31623326399A1C5D4D6DC33C637FE92B1B143AF9B02E8F46AC16AC138324E5D217A57
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
369
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.39417353.30234.12526.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Creating a file in the %AppData% subdirectories
Creating a process with a hidden window
Sending a TCP request to an infection source
Stealing user critical data
Blocking the Windows Defender launch
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/12407/overview
Behaviour
MalwareBazaar
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/624887e19253b276b7ced517/reports/fea63cb3-8867-414b-97c3-76ad6e9e35e5/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/03432252-4b78-4bf0-9179-bbf9afc2720d
Result
Threat name:
Phoenix Miner RedLine Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/969437
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Hides threads from debuggers
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Phoenix Miner
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 601924 Sample: 8o8703dHid Startdate: 02/04/2022 Architecture: WINDOWS Score: 100 109 easyproducts.org 2->109 137 Multi AV Scanner detection for domain / URL 2->137 139 Malicious sample detected (through community Yara rule) 2->139 141 Antivirus detection for URL or domain 2->141 143 9 other signatures 2->143 11 8o8703dHid.exe 1 2->11         started        14 RegHost.exe 1 2->14         started        signatures3 process4 signatures5 145 Writes to foreign memory regions 11->145 147 Allocates memory in foreign processes 11->147 149 Tries to detect virtualization through RDTSC time measurements 11->149 16 AppLaunch.exe 15 7 11->16         started        21 conhost.exe 11->21         started        151 Injects code into the Windows Explorer (explorer.exe) 14->151 153 Modifies the context of a thread in another process (thread injection) 14->153 155 Injects a PE file into a foreign processes 14->155 23 explorer.exe 14->23         started        25 bfsvc.exe 1 14->25         started        27 conhost.exe 14->27         started        process6 dnsIp7 105 141.95.227.187, 49771, 6238 DFNVereinzurFoerderungeinesDeutschenForschungsnetzese Germany 16->105 107 cdn.discordapp.com 162.159.134.233, 443, 49780 CLOUDFLARENETUS United States 16->107 93 C:\Users\user\AppData\Local\Temp\a.exe, PE32+ 16->93 dropped 127 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 16->127 129 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 16->129 131 Tries to harvest and steal browser information (history, passwords, etc) 16->131 133 Tries to steal Crypto Currency Wallets 16->133 29 a.exe 1 5 16->29         started        34 RegHost.exe 23->34         started        36 curl.exe 23->36         started        38 curl.exe 23->38         started        42 6 other processes 23->42 135 Hides threads from debuggers 25->135 40 conhost.exe 25->40         started        file8 signatures9 process10 dnsIp11 115 185.137.234.33, 49782, 49783, 49784 SELECTELRU Russian Federation 29->115 97 C:\Users\user\AppData\...\RegModule.exe, PE32+ 29->97 dropped 99 C:\Users\user\AppData\Roaming\...\RegHost.exe, PE32+ 29->99 dropped 101 C:\Users\user\AppData\Roaming\...\RegData.exe, PE32+ 29->101 dropped 103 C:\Users\user\AppData\...\OneDrive.exe, PE32+ 29->103 dropped 161 Injects code into the Windows Explorer (explorer.exe) 29->161 163 Writes to foreign memory regions 29->163 165 Allocates memory in foreign processes 29->165 44 explorer.exe 2 29->44         started        46 bfsvc.exe 1 29->46         started        49 conhost.exe 29->49         started        167 Modifies the context of a thread in another process (thread injection) 34->167 169 Injects a PE file into a foreign processes 34->169 117 easyproducts.org 36->117 51 conhost.exe 36->51         started        119 easyproducts.org 38->119 53 conhost.exe 38->53         started        121 easyproducts.org 42->121 123 easyproducts.org 42->123 125 3 other IPs or domains 42->125 55 conhost.exe 42->55         started        57 conhost.exe 42->57         started        59 conhost.exe 42->59         started        61 2 other processes 42->61 file12 signatures13 process14 signatures15 63 RegHost.exe 44->63         started        66 curl.exe 1 44->66         started        69 curl.exe 1 44->69         started        73 10 other processes 44->73 159 Hides threads from debuggers 46->159 71 conhost.exe 46->71         started        process16 dnsIp17 171 Injects code into the Windows Explorer (explorer.exe) 63->171 173 Writes to foreign memory regions 63->173 175 Allocates memory in foreign processes 63->175 177 2 other signatures 63->177 75 bfsvc.exe 63->75         started        79 conhost.exe 63->79         started        111 easyproducts.org 193.233.48.63 NETIS-ASRU Russian Federation 66->111 81 conhost.exe 66->81         started        83 conhost.exe 69->83         started        113 192.168.2.1 unknown unknown 73->113 85 conhost.exe 73->85         started        87 conhost.exe 73->87         started        89 conhost.exe 73->89         started        91 6 other processes 73->91 signatures18 process19 file20 95 \Device\ConDrv, ASCII 75->95 dropped 157 Hides threads from debuggers 75->157 signatures21
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ffd613adee9a323bcadae6dc192ab9a7606169623b3bf139443ba046c8ec144f/
Threat name:
Win32.Trojan.Racealer
Create hunting rule
Status:
Malicious
First seen:
2022-04-02 00:34:48 UTC
File Type:
PE (Exe)
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=77lbhlpotizdxsw243obskvzu5qgc2lchm57cokehoqenshmcrhq._file
Verdict:
malicious
Similar samples:
0b6311976a5d7d94c5bf373e982e9e03ea64cb4869b9399fb1f90c122cb2ced2
RedLineStealer
24cf5566094b9c99b75303995b503b3285531d1313658f318a931424c9ef46d3
RedLineStealer
4109d37d472fafa83b2c8303afd3fe9c25d58e763d706ae8f660a9f150971665
RedLineStealer
d19c22fa99afdf39746a775736de31f8e39748287ee38f33e9fb3912129991de
RedLineStealer
f563d62dbc6bcf5f8c0f977bcd3bc66d39ee43cc5abdd63d3de105755dab3f91
RedLineStealer
fc739b3b8bd5157690d248132ee974ad3d62292959d99cc68c44b2d61cb3907d
RedLineStealer
fdb9272c85d1af641c164085e524b70517beb4fdf5cf764ba56df3bebf14e2c7
RedLineStealer
+ 71 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline evasion infostealer persistence spyware trojan upx
Link:
https://tria.ge/reports/220402-v2jy1sgfe7/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine Payload
Malware Config
C2 Extraction:
141.95.227.187:6238
Unpacked files
SH256 hash:
44e7ce9dd87b8b10d3ba3c8c1a65ec1898d6a70f5a1223b20d42286c1471b430
MD5 hash:
a7993ebf354da330481fc352f76c5f0b
SHA1 hash:
e44d6cf33d07bd894b24ae49cc52f1e34aa0df76
Link:
https://www.unpac.me/results/b915c6da-f596-4447-b3b9-ea38daae24de/
SH256 hash:
cd0278cb841dc67e964baa804b7258bb0c951017ef6688e9e8026190d9fda9db
MD5 hash:
c1a7df2507c8b7178b70055ec59d59b7
SHA1 hash:
901f654a64a0a4a6b96742cdca81ab85bb187ba7
Link:
https://www.unpac.me/results/b915c6da-f596-4447-b3b9-ea38daae24de/
SH256 hash:
ffd613adee9a323bcadae6dc192ab9a7606169623b3bf139443ba046c8ec144f
MD5 hash:
231da61d2ab3e7f30525efc6b89d7d50
SHA1 hash:
306137fec351dfb7991620bb644e891b87106363
Link:
https://www.unpac.me/results/b915c6da-f596-4447-b3b9-ea38daae24de/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ffd613adee9a323bcadae6dc192ab9a7606169623b3bf139443ba046c8ec144f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Redline_Stealer_Monitor
Create hunting rule
Description:Detects RedLine Stealer Variants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe ffd613adee9a323bcadae6dc192ab9a7606169623b3bf139443ba046c8ec144f

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2128422/
Cape
Cape
https://www.capesandbox.com/analysis/260210/

Comments


Avatar
zbet commented on 2022-04-02 17:28:27 UTC

url : hxxp://37.120.222.60/mysite/catimages/244.exe