MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 05298ffd3da1eeaf8c65744a53d8f1c99129142f548b967925c20e824232ee33. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 05298ffd3da1eeaf8c65744a53d8f1c99129142f548b967925c20e824232ee33
SHA3-384 hash: e0e4e79e9ab00a2609af3eb70298b2a2544b4e475f32aef3b67403c129aa2c1a3a182044b6265331587f2a47fa732a4b
SHA1 hash: faa9eeda33d279eb8cc3ab87c724b1e07039177c
MD5 hash: e42cc9210e70fcd4d4eb547ed690f922
humanhash: march-indigo-princess-single
File name:e42cc9210e70fcd4d4eb547ed690f922.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:870'368 bytes
First seen:2021-11-26 10:08:59 UTC
Last seen:2021-11-26 11:56:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b4e82a935080d6711f6a31131836298d (1 x RedLineStealer)
ssdeep 12288:lVDoJtMbxB0VaIqXxDXPsK2GlvaI6WCmcKCmuXCFDdmWX:roXsxB0Va1hDXPsK2GlSISmRuXCFDP
Threatray 139 similar samples on MalwareBazaar
TLSH T18A05BC60F8D077ABDEE7BF7C506E9C0442077D35192648AFF1587DAE92B2982AD03352
File icon (PE):PE icon
dhash icon d18c92b2b292cc11 (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
116.202.110.68:48426 https://threatfox.abuse.ch/ioc/254828/

Intelligence

File Origin
# of uploads :
2
# of downloads :
154
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e42cc9210e70fcd4d4eb547ed690f922.exe
Verdict:
Malicious activity
Analysis date:
2021-11-26 10:15:00 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/f436596d-3723-4d57-96c3-7825938588b9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
SecuriteInfo.com.Variant.Doina.29139.26721.18827.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Stealing user critical data
Unauthorized injection to a recently created process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed redline stealer
Link:
https://www.filescan.io/uploads/61a0b241f36138de3f3eadbc/reports/9190cb54-02b5-46ce-b71e-92b8662db104/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
ClipBanker
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a147fb12-bad9-450b-b0d9-c575ac72eae3
Result
Threat name:
BitCoin Miner RedLine Redline Clipper
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/896598
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected VMProtect packer
Drops PE files to the user root directory
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected Redline Clipper
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 529081 Sample: ZZsOj1Py32.exe Startdate: 26/11/2021 Architecture: WINDOWS Score: 100 99 Multi AV Scanner detection for submitted file 2->99 101 Yara detected Redline Clipper 2->101 103 Yara detected BitCoin Miner 2->103 105 6 other signatures 2->105 12 ZZsOj1Py32.exe 15 8 2->12         started        17 MicrosoftMediaPlayer.exe 2->17         started        process3 dnsIp4 93 116.202.110.68, 48426, 49759 HETZNER-ASDE Germany 12->93 95 162.159.130.233, 443, 49763 CLOUDFLARENETUS United States 12->95 97 2 other IPs or domains 12->97 87 C:\Users\user\AppData\Local\...\microme.exe, PE32+ 12->87 dropped 89 C:\Users\user\AppData\Local\...\clipper.exe, PE32 12->89 dropped 91 C:\Users\user\AppData\...\ZZsOj1Py32.exe.log, ASCII 12->91 dropped 149 Detected unpacking (changes PE section rights) 12->149 151 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 12->151 153 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 12->153 161 3 other signatures 12->161 19 microme.exe 12->19         started        22 clipper.exe 2 12->22         started        155 Multi AV Scanner detection for dropped file 17->155 157 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 17->157 159 Writes to foreign memory regions 17->159 163 3 other signatures 17->163 24 conhost.exe 17->24         started        file5 signatures6 process7 signatures8 107 Multi AV Scanner detection for dropped file 19->107 109 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 19->109 111 Writes to foreign memory regions 19->111 119 3 other signatures 19->119 26 conhost.exe 4 19->26         started        113 Antivirus detection for dropped file 22->113 115 Machine Learning detection for dropped file 22->115 117 Adds a directory exclusion to Windows Defender 24->117 30 cmd.exe 24->30         started        32 cmd.exe 24->32         started        process9 file10 85 C:\Users\user\MicrosoftMediaPlayer.exe, PE32+ 26->85 dropped 145 Drops PE files to the user root directory 26->145 147 Adds a directory exclusion to Windows Defender 26->147 34 cmd.exe 26->34         started        36 cmd.exe 1 26->36         started        39 cmd.exe 26->39         started        41 conhost.exe 30->41         started        43 powershell.exe 30->43         started        45 powershell.exe 30->45         started        47 conhost.exe 32->47         started        49 taskkill.exe 32->49         started        signatures11 process12 signatures13 51 MicrosoftMediaPlayer.exe 34->51         started        54 conhost.exe 34->54         started        131 Uses schtasks.exe or at.exe to add and modify task schedules 36->131 133 Adds a directory exclusion to Windows Defender 36->133 56 powershell.exe 22 36->56         started        58 conhost.exe 36->58         started        60 powershell.exe 36->60         started        62 conhost.exe 39->62         started        64 schtasks.exe 39->64         started        process14 signatures15 121 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 51->121 123 Writes to foreign memory regions 51->123 125 Allocates memory in foreign processes 51->125 127 Creates a thread in another existing process (thread injection) 51->127 66 conhost.exe 51->66         started        process16 file17 83 C:\Users\user\AppData\...\sihost32.exe, PE32+ 66->83 dropped 129 Adds a directory exclusion to Windows Defender 66->129 70 sihost32.exe 66->70         started        73 cmd.exe 66->73         started        signatures18 process19 signatures20 135 Multi AV Scanner detection for dropped file 70->135 137 Writes to foreign memory regions 70->137 139 Allocates memory in foreign processes 70->139 141 Creates a thread in another existing process (thread injection) 70->141 75 conhost.exe 70->75         started        143 Adds a directory exclusion to Windows Defender 73->143 77 conhost.exe 73->77         started        79 powershell.exe 73->79         started        81 powershell.exe 73->81         started        process21
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/05298ffd3da1eeaf8c65744a53d8f1c99129142f548b967925c20e824232ee33/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-11-26 07:22:13 UTC
File Type:
PE (Exe)
Extracted files:
36
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=auuy77j5uhxk7ddforffhwhrzgissfbpksfzm6jfyihieqrs5yzq._file
Verdict:
malicious
Label(s):
ryuk
Create hunting rule
Similar samples:
370623f3b732194c8497a12cfc2e906755f145c61ab8715c22d98f6fd7cf66d4
RedLineStealer
5285ffebc00e0e75efcb1944329d1708d658eb5b4e5928d191323d933a3673e4
RedLineStealer
65a90f7ce88c21097bde9575109000efa1832a51d0cbd9c47ef701838884ca4f
RedLineStealer
70abd0e56d64c9d19e81fc1f62f09b9644b00819c5a1feccfd185c168f4a2099
RedLineStealer
773b40c8007545afd1b563bdf17dab8225acd4bd6def35e4db95f70fca16371c
RedLineStealer
8a76fd10a479dbf5bb5d60f6ef949641d2ef4f1262a6d9dd273cf93b7be934b3
RedLineStealer
96ad89ff084cb88f1bd0bf8f104b744d9bf26157aa9f117851fdbfc2b20585c5
RedLineStealer
c4e9742a6a418ee7366c594a4f1206d468f6147792407fcd9ac6b452369d88bb
RedLineStealer
d1b138a211d4b9ce4d825f82669ba211e585a87eec0e877a2b8ef87a9e43ccb6
RedLineStealer
d3cfc436366c9d127c7a6233f6531cf6e5863153b41ba4ab6f8fe87f473c8c9d
RedLineStealer
+ 129 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:mimikatz family:redline discovery infostealer spyware stealer vmprotect
Link:
https://tria.ge/reports/211126-l6sx2sbgbk/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
mimikatz is an open source tool to dump credentials on Windows
Mimikatz
RedLine
RedLine Payload
Unpacked files
SH256 hash:
f045117fb9ff8a862cb6513497877749feaad4285143d7c50b21244372bac174
MD5 hash:
f7162e7fa67f71cb7e20b8156c4fc024
SHA1 hash:
198782a8e3e55ff748158437c46d6fa14090714e
Link:
https://www.unpac.me/results/245d377b-7722-40b2-a0ea-a350c9a933f0/
SH256 hash:
05298ffd3da1eeaf8c65744a53d8f1c99129142f548b967925c20e824232ee33
MD5 hash:
e42cc9210e70fcd4d4eb547ed690f922
SHA1 hash:
faa9eeda33d279eb8cc3ab87c724b1e07039177c
Link:
https://www.unpac.me/results/245d377b-7722-40b2-a0ea-a350c9a933f0/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/05298ffd3da1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/05298ffd3da1eeaf8c65744a53d8f1c99129142f548b967925c20e824232ee33

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/209719/

Comments