MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 03c770bfc70f92e979e48b46b0604c3254796123e48af7d611017af862321bea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 03c770bfc70f92e979e48b46b0604c3254796123e48af7d611017af862321bea
SHA3-384 hash: 32fa9570a209b1e75365147ab8f815b202f98e31c65f176ae13a5ee852ecc75763ccad32ded1fdfd7e0572122dc99fee
SHA1 hash: 0dbf0ae92b3ec7c9ad8d2cfcb8fcbd609fc4ef6e
MD5 hash: 81baed00ee2dad5154e1e3321ea6c0d4
humanhash: red-zebra-cardinal-diet
File name:81BAED00EE2DAD5154E1E3321EA6C0D4.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'142'929 bytes
First seen:2021-06-02 17:26:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 011a034751880c1944da3b5ecc18520d (8 x RedLineStealer, 4 x CryptBot, 3 x ArkeiStealer)
ssdeep 24576:89btxEOgADixb2fDWWr3VdaHSARDMDz83mYZoFDprTwZREItHq3Xg:8NNg+sMDpr3HzAupYZoygYHq3Xg
Threatray 211 similar samples on MalwareBazaar
TLSH F1350133B9D98E76C561197014F5EF76C070BE31060086976ADC8E6B39EF1C8EA6639C
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
93.114.128.190:49966

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
93.114.128.190:49966 https://threatfox.abuse.ch/ioc/69462/

Intelligence

File Origin
# of uploads :
1
# of downloads :
118
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
81BAED00EE2DAD5154E1E3321EA6C0D4.exe
Verdict:
Malicious activity
Analysis date:
2021-06-02 17:36:25 UTC
Tags:
autoit trojan rat redline
Link:
https://app.any.run/tasks/3bf68ac1-e4ec-46d0-b3e2-4d05065fcbfc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/164143/
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
DNS request
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Sending a UDP request
Launching cmd.exe command interpreter
Launching a process
Creating a process from a recently created file
Deleting a recently created file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/796179
Signature
Contains functionality to register a low level keyboard hook
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Obfuscated command line found
Submitted sample is a known malware sample
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 428582 Sample: tT1XWdxOYv.exe Startdate: 02/06/2021 Architecture: WINDOWS Score: 92 48 Found malware configuration 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 Yara detected RedLine Stealer 2->52 54 Machine Learning detection for sample 2->54 10 tT1XWdxOYv.exe 7 2->10         started        process3 signatures4 56 Contains functionality to register a low level keyboard hook 10->56 13 cmd.exe 1 10->13         started        process5 signatures6 58 Submitted sample is a known malware sample 13->58 60 Obfuscated command line found 13->60 62 Uses ping.exe to sleep 13->62 64 Uses ping.exe to check the status of other devices and networks 13->64 16 cmd.exe 3 13->16         started        19 conhost.exe 13->19         started        process7 signatures8 44 Obfuscated command line found 16->44 46 Uses ping.exe to sleep 16->46 21 Virtuoso.exe.com 16->21         started        23 PING.EXE 1 16->23         started        26 findstr.exe 1 16->26         started        process9 dnsIp10 29 Virtuoso.exe.com 1 21->29         started        40 127.0.0.1 unknown unknown 23->40 36 C:\Users\user\AppData\...\Virtuoso.exe.com, Targa 26->36 dropped file11 process12 dnsIp13 42 AGdeifesiWHjUjfojgeHSwU.AGdeifesiWHjUjfojgeHSwU 29->42 38 C:\Users\user\AppData\Local\...\RegAsm.exe, PE32 29->38 dropped 66 Writes to foreign memory regions 29->66 68 Injects a PE file into a foreign processes 29->68 34 RegAsm.exe 29->34         started        file14 signatures15 process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/03c770bfc70f92e979e48b46b0604c3254796123e48af7d611017af862321bea/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-05-31 11:22:42 UTC
AV detection:
14 of 28 (50.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=apdxbp6hb6jos6perndlaycmgjkhsyjd4sfppvqraf5pqyrsdpva._file
Verdict:
suspicious
Similar samples:
01e0e8312ba9622a57dfbf40615513bf2a01c38d9fba806e1bc9c08364b2041f
RedLineStealer
03110bdd6c0d0f027422de86d47ce39cfb8cae70c04a616cbb8c325c03853ef6
RedLineStealer
418c5fa990720936d23f83e5bd72b11d4bbf045b33e60efe09e28aa074eac424
RedLineStealer
9d03f0739a3840f5461af1d6ffa96a34c8a0df1b428b58825d95fe3a43a55d92
RedLineStealer
9f6eb963b28951006fa6254b74f58b087c4469496c8ab22cf74210510f82c186
RedLineStealer
de92c18843a74125a6adbfdcffe97c597d88ae21a8cdc560aa10b33870f6a472
RedLineStealer
e31da697e1f30aca20cb88b09a69ed60bdbba9b3c4da0e67e2654ecb541964f2
RedLineStealer
f611711bbcb210e6e679026be24fd78215dc623abfb926d6811274eec16a3ca7
RedLineStealer
f627cdcd4882aeee1329e0fb22e0cede29c0c743f40a002cbdbd1a4c2c6592ca
RedLineStealer
f87674db0a46d9903b10a9103dd2cad5b0d1ff7cccaaec2cc47231d5fc32007d
RedLineStealer
+ 201 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:zalupochka discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210602-fe5gj3d7ys/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
RedLine
RedLine Payload
Malware Config
C2 Extraction:
93.114.128.190:49966
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/03c770bfc70f92e979e48b46b0604c3254796123e48af7d611017af862321bea

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/164143/

Comments