MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 06b83e0f30baffd3bacfcd00b6c75c9e6fa90156aad429bcedfa0559a2d4fdb8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 06b83e0f30baffd3bacfcd00b6c75c9e6fa90156aad429bcedfa0559a2d4fdb8
SHA3-384 hash: cd2d34ffb13ca0e38e88c0f6d84ef2ad81baa31baf382a374ad8e4923c4a1412b0db63a0700ebba814c0f204a0727484
SHA1 hash: b1831eb9719ee0719578fe8283286c01ee4fd6e6
MD5 hash: dd6b0757811c10eb5ca6a12cb2abb247
humanhash: cold-asparagus-lion-leopard
File name:06B83E0F30BAFFD3BACFCD00B6C75C9E6FA90156AAD42.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:193'536 bytes
First seen:2021-05-13 11:35:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 3072:ISv2YVjy3QWHyf5tyddrzuLVR2P0neGR6/IZG:UYWyPyjzuz36
Threatray 98 similar samples on MalwareBazaar
TLSH F9143925739C9A21EABC4E706471623D07F5ADC72021E6978ED0BC9E3E3B78179446F2
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
89.108.64.199:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
89.108.64.199:80 https://threatfox.abuse.ch/ioc/40214/

Intelligence

File Origin
# of uploads :
1
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
06B83E0F30BAFFD3BACFCD00B6C75C9E6FA90156AAD42.exe
Verdict:
Malicious activity
Analysis date:
2021-05-13 11:39:13 UTC
Tags:
trojan rat redline evasion
Link:
https://app.any.run/tasks/b723417f-821b-4141-9408-ef3eb429d7a1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/156108/
Detection(s):
Win.Packed.Generickdz-9851688-0
Create hunting rule

Win.Packed.Coins-9854091-0
Create hunting rule

Win.Packed.Generickdz-9854095-0
Create hunting rule

Win.Packed.Bulz-9858728-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Sending a UDP request
Connection attempt to an infection source
Sending an HTTP POST request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/780945
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 413342 Sample: 06B83E0F30BAFFD3BACFCD00B6C... Startdate: 13/05/2021 Architecture: WINDOWS Score: 100 68 Multi AV Scanner detection for domain / URL 2->68 70 Found malware configuration 2->70 72 Multi AV Scanner detection for submitted file 2->72 74 7 other signatures 2->74 10 06B83E0F30BAFFD3BACFCD00B6C75C9E6FA90156AAD42.exe 15 37 2->10         started        process3 dnsIp4 44 dylarache.site 89.108.64.199, 49744, 49748, 49749 AS-REGRU Russian Federation 10->44 46 tlgur.com 104.21.234.240, 443, 49751 CLOUDFLARENETUS United States 10->46 48 api.ip.sb 10->48 36 C:\Users\user\AppData\Local\Temp\Operon.exe, PE32 10->36 dropped 38 06B83E0F30BAFFD3BA...A90156AAD42.exe.log, ASCII 10->38 dropped 84 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 10->84 86 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 10->86 88 Tries to harvest and steal browser information (history, passwords, etc) 10->88 90 Tries to steal Crypto Currency Wallets 10->90 15 Operon.exe 14 3 10->15         started        file5 signatures6 process7 dnsIp8 56 lc.magicnow24.ru 217.107.34.191, 443, 49756, 49764 RTCOMM-ASRU Russian Federation 15->56 58 mm.hellomir.ru 15->58 60 Multi AV Scanner detection for dropped file 15->60 62 Machine Learning detection for dropped file 15->62 64 Writes to foreign memory regions 15->64 66 2 other signatures 15->66 19 AddInProcess32.exe 14 3 15->19         started        signatures9 process10 dnsIp11 40 38xl.pycharm3.ru 19->40 76 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 19->76 78 May check the online IP address of the machine 19->78 80 Injects a PE file into a foreign processes 19->80 23 AddInProcess32.exe 2 19->23         started        27 AddInProcess32.exe 19->27         started        signatures12 process13 dnsIp14 42 lc.magicnow24.ru 23->42 82 Injects a PE file into a foreign processes 23->82 29 AddInProcess32.exe 3 23->29         started        32 AddInProcess32.exe 23->32         started        signatures15 process16 dnsIp17 50 109.234.38.207, 49774, 80 VDSINA-ASRU Russian Federation 29->50 52 icanhazip.com 104.22.19.188, 49768, 80 CLOUDFLARENETUS United States 29->52 54 192.168.2.1 unknown unknown 29->54 34 WerFault.exe 29->34         started        process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/06b83e0f30baffd3bacfcd00b6c75c9e6fa90156aad429bcedfa0559a2d4fdb8/
Threat name:
ByteCode-MSIL.Infostealer.RedLine
Create hunting rule
Status:
Malicious
First seen:
2021-05-11 23:46:00 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=a24d4dzqxl75howpzualnr24tzx2sakwvlkctphn7icvtiwu7w4a._file
Verdict:
malicious
Similar samples:
2d2245656d3de9fae14a2bf020cd06746b0f686da867f4abfdae1ab460cd0696
RedLineStealer
366a2bb9cd9744440a23a0c7dc89c486225b3349fe889fd8cef759616efa58f6
RedLineStealer
6d0083394a549c135820010343353dcfa2929aeaa83f72a50ec60a7263f4ec90
RedLineStealer
7efcf84512a68dc4df74df202f718c5251f8ccf1d07feb443ccd2c6735f57f90
RedLineStealer
8333bdd5e1560584a0302e2fe63cf9d81ebe5b48e7e2b74dc27d5ce14b46e0bf
RedLineStealer
a9289a16ff39127e2cb155b02300338f78c0c29f6ef5b78a95d91f3ea0e0a57e
RedLineStealer
b6e1829df84ee9fcfc296dc516e2eb88170bc1bab71ba9097c88db7e54f23672
RedLineStealer
bd28f49dd48812d50933045e1729935f665881db3184bd9c61700364d598a62c
RedLineStealer
df1be1b4ebc10d7a9228aa7778050ce6e51d827553a4d78f1008458ea32905f6
RedLineStealer
ea342f618a8caa17bae45cd0a55cd404451dd0e589886ae00eb5fc9ff59e79cc
RedLineStealer
+ 88 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:@iokenoff discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210513-hcxt2q3lq6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
Malware Config
C2 Extraction:
dylarache.site:80
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:Telegram_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Telegram in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/156108/

Comments