MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0284735896363aeae81486be25751824f82b385dd4b6150358ff9b68c36c71e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 8



SHA256 hash: 0284735896363aeae81486be25751824f82b385dd4b6150358ff9b68c36c71e2
SHA3-384 hash: 084bb868f6ec53019c70edca985345ad9b28805f74fa207779ed4657f6ab96537ff111b532aba7a46806c8b19ae8e615
SHA1 hash: dc7eb94b05555fb17ed5ab80258bbd4935f8fd9f
MD5 hash: b96129c8bba4b443876c3be7d4e5aed3
humanhash: texas-oscar-seven-item
File name: B96129C8BBA4B443876C3BE7D4E5AED3.exe
Signature: RedLineStealer
File size: 2'417'281 bytes
First seen: 2021-07-30 22:36:55 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: a1a66d588dcf1394354ebf6ec400c223 (49 x RedLineStealer, 7 x CryptBot, 4 x AZORult)
ssdeep: 49152:Z5+hF5JSvHen60WTzkOiCaf8dLAPqGtYrRqnxiz8lVHTIioOFZQ+f:Z5aF5wvHi6tzkxUeHYQnxiqZ7f
Threatray: 227 similar samples on MalwareBazaar
TLSH: T15CB523207BEFA9F9E09B36311880637573E5E3185B5090DFA7A02506FD122E5C6FA1DB
dhash icon: 6192a6a6a6a6c401 (17 x RedLineStealer, 11 x PythonStealer, 9 x DCRat)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
45.14.49.109:21295

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                    ThreatFox Reference
45.14.49.109:21295     https://threatfox.abuse.ch/ioc/164974/
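Detection logic for the indicator above, as an added example that is not part of the MalwareBazaar page or of abuse.ch tooling: it walks Zeek-style conn.log records and flags connections to the RedLine C2. The log lines are constructed for the example. The second host, 45.137.190.166:80, is taken from the sandbox behaviour graph further down this page as a host contacted by build.exe; its role is not stated, so the code reports it at low confidence rather than as an IOC. The confidence tiers (a host-only match scored below host+port) are this example's design choice, not a MalwareBazaar or ThreatFox classification.

```python
"""Match network telemetry against the indicators on this MalwareBazaar entry.

Added example, not part of MalwareBazaar or of the abuse.ch tooling. The only
confirmed indicator on the page is the RedLine C2 45.14.49.109:21295
(ThreatFox ioc/164974). 45.137.190.166:80 appears in the sandbox behaviour
graph as a host contacted by build.exe; its role is not stated, so it is
reported at low confidence. The conn.log records below are constructed for
the example, not real captures.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

Endpoint = Tuple[str, int]

# Confirmed IOC from the table above (ThreatFox reference on the page).
C2_IOCS: Dict[Endpoint, str] = {
    ("45.14.49.109", 21295): "RedLineStealer C2 (ThreatFox ioc/164974)",
}

# Contacted during the sandbox run; not a confirmed IOC on the page.
SANDBOX_OBSERVED: Dict[Endpoint, str] = {
    ("45.137.190.166", 80): "contacted by build.exe during sandbox run",
}

# Zeek conn.log default column order; only these leading columns are needed.
FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "proto", "service", "duration", "orig_bytes", "resp_bytes", "conn_state"]

# Constructed conn.log excerpt (TSV with Zeek-style '#' header lines).
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#fields\t" + "\t".join(FIELDS),
    "1627689600.000000\tC1\t10.0.0.5\t49741\t45.14.49.109\t21295\ttcp\t-\t12.3\t1200\t5400\tSF",
    "1627689601.000000\tC2\t10.0.0.5\t49745\t45.137.190.166\t80\ttcp\thttp\t0.9\t300\t900000\tSF",
    "1627689602.000000\tC3\t10.0.0.5\t49750\t192.0.2.53\t53\tudp\tdns\t0.01\t40\t120\tSF",
    "1627689603.000000\tC4\t10.0.0.7\t49800\t45.14.49.109\t8080\ttcp\t-\t1.0\t100\t100\tS0",
])


@dataclass(frozen=True)
class Hit:
    ts: str
    src: str
    dst: str
    dport: int
    confidence: str   # "high" | "medium" | "low"
    note: str


def parse_conn_line(line: str) -> Optional[Dict[str, str]]:
    """Return one conn.log record as a dict, or None for header/short rows."""
    if not line or line.startswith("#"):
        return None
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) < len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def match_iocs(lines: Iterable[str]) -> List[Hit]:
    """Flag connections whose responder matches the page's indicators.

    Exact IP:port matches of the confirmed C2 are 'high'. The same host on a
    different port is 'medium': the IP is the more durable half of a C2
    indicator, the port is per-build configuration. Sandbox-only hosts are
    'low'.
    """
    c2_hosts = {ip for ip, _ in C2_IOCS}
    hits: List[Hit] = []
    for line in lines:
        rec = parse_conn_line(line)
        if rec is None:
            continue
        try:
            key: Endpoint = (rec["id.resp_h"], int(rec["id.resp_p"]))
        except ValueError:
            continue  # malformed port column
        if key in C2_IOCS:
            hits.append(Hit(rec["ts"], rec["id.orig_h"], key[0], key[1], "high", C2_IOCS[key]))
        elif key[0] in c2_hosts:
            hits.append(Hit(rec["ts"], rec["id.orig_h"], key[0], key[1], "medium",
                            "known C2 host, port not in IOC list"))
        elif key in SANDBOX_OBSERVED:
            hits.append(Hit(rec["ts"], rec["id.orig_h"], key[0], key[1], "low", SANDBOX_OBSERVED[key]))
    return hits


if __name__ == "__main__":
    for h in match_iocs(SAMPLE_CONN_LOG.splitlines()):
        print(f"{h.ts} {h.src} -> {h.dst}:{h.dport} [{h.confidence}] {h.note}")
```

Run against a real conn.log by feeding the file's lines to match_iocs. The Cloudflare addresses behind cdn.discordapp.com seen in the sandbox are deliberately left out of the indicator sets: they are shared CDN infrastructure and would match legitimate traffic.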

Intelligence


File Origin
# of uploads: 1
# of downloads: 578
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Phoenix Mod Menu.rar
Verdict: No threats detected
Analysis date: 2021-07-28 16:35:00 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox; its verdict reflects the actions the analyst performed in the session rather than an automated analysis of the uploaded sample alone, so a "No threats detected" verdict describes that session, not the file.
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: RedLine Xmrig
Detection: malicious
Classification: troj.spyw.evad.mine
Score: 100 / 100
Signature
.NET source code contains very large strings
Antivirus detection for dropped file
Contains functionality to register a low level keyboard hook
Disables security and backup related services
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected BatToExe compiled binary
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph (ID 457140; sample 5U0CPNKZI6.exe; start date 31/07/2021; architecture WINDOWS; score 100). The graph image is not reproduced; the process tree, dropped files and network contacts it recorded are listed below.

Top-level: contacts cdn.discordapp.com. Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Antivirus detection for dropped file; Multi AV Scanner detection for submitted file; 6 other signatures.

5U0CPNKZI6.exe
    drops: C:\Users\user\AppData\Local\Temp\...\7z.exe (PE32+); C:\Users\user\AppData\Local\Temp\...\7z.dll (PE32+)
    signatures: Contains functionality to register a low level keyboard hook
    +- cmd.exe
        +- build.exe
            network: 45.14.49.109:21295 (ITGLOBAL-NL, Netherlands); 45.137.190.166:80 (BITWEB-ASRU, Russian Federation); 2 other IPs or domains
            drops: C:\Users\user\AppData\Local\Temp\clip.exe (PE32+); C:\Users\user\AppData\Local\Temp\mine.exe (PE32+)
            signatures: Queries sensitive video device information (via WMI, Win32_VideoController); Queries sensitive disk information (via WMI, Win32_DiskDrive); Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
            +- mine.exe
                drops: C:\Users\user\AppData\Local\Temp\...\extd.exe (PE32+)
                +- cmd.exe
                    +- welldone.exe
                        drops: C:\Users\user\AppData\...\MicrosoftApi.exe (PE32+)
                        signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController)
                        +- MicrosoftApi.exe
                            signatures: Queries sensitive video device information (via WMI, Win32_VideoController)
                    +- setup.exe
                        drops: C:\Users\user\AppData\Local\...\nsProcess.dll (PE32); C:\Users\user\AppData\Local\...\nsExec.dll (PE32)
                        signatures: Disables security and backup related services
                        +- cmd.exe
                            +- net.exe
                                +- net1.exe
                            +- conhost.exe
                    +- sys.exe
                        drops: C:\...\WinruntimedhcpNetcommon.exe (PE32)
                    +- 7 other processes
                        network: cdn.discordapp.com (162.159.134.233, CLOUDFLARENETUS, United States)
                        drops: C:\Users\user\AppData\Local\...\welldone.exe (PE32+); C:\Users\user\AppData\Local\Temp\...\sys.exe (PE32); C:\Users\user\AppData\Local\...\setup.exe (PE32)
            +- clip.exe
                drops: C:\Users\user\AppData\Local\Temp\...\extd.exe (PE32+)
                +- cmd.exe
        +- 7z.exe
            +- setup.exe
                drops: C:\Windows\Client.exe (PE32); C:\Users\user\AppData\Local\...\nsProcess.dll (PE32); C:\Users\user\AppData\Local\...\nsExec.dll (PE32)
                signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Disables security and backup related services
            +- clo.exe
                signatures: Injects a PE file into a foreign processes
                +- conhost.exe
                +- clo.exe
            +- extd.exe
            +- 5 other processes
                network: 162.159.129.233 (CLOUDFLARENETUS, United States); cdn.discordapp.com
                drops: C:\Users\user\AppData\Local\...\setup.exe (PE32); C:\Users\user\AppData\Local\Temp\...\clo.exe (PE32)
        +- conhost.exe
            signatures: Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard)
        +- 8 other processes
            drops: C:\Users\user\AppData\Local\...\build.exe (PE32)
Threat name: ByteCode-MSIL.Infostealer.Reline
Status: Malicious
First seen: 2021-07-28 16:50:42 UTC
AV detection: 16 of 28 (57.14%)
Threat level: 5/5

Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:@bat9nya discovery infostealer spyware stealer suricata upx
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
RedLine
RedLine Payload
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Malware Config
C2 Extraction: 45.14.49.109:21295

Unpacked files
SHA256 hash: d3edf3aae4abc58ab7eededca130896439901cd1653fdad3a6e6fa3825b1b7ac
MD5 hash: e0dc5ca46a83f11605ed8913bec2589e
SHA1 hash: 68c984ddfe4ef292115dc425ff7cda9d486a576d

SHA256 hash: 0284735896363aeae81486be25751824f82b385dd4b6150358ff9b68c36c71e2
MD5 hash: b96129c8bba4b443876c3be7d4e5aed3
SHA1 hash: dc7eb94b05555fb17ed5ab80258bbd4935f8fd9f

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: dsc
Author: Aaron DeVera
Description: Discord domains
