MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 07f2c932e734ffae4db69237c2410ada87cfa7e0c570bb054e6f365fc6ae84d2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: RedLineStealer
Vendor detections: 10



SHA256 hash: 07f2c932e734ffae4db69237c2410ada87cfa7e0c570bb054e6f365fc6ae84d2
SHA3-384 hash: 8456968e09e94606ae9c52df02a7ce94487902bee66ee055814f8c15c2657d8c8cfc9536439a1f99cb9d08da3543c5b9
SHA1 hash: 7bfa80b2190bd84b4809a85a41079b10aeaf9275
MD5 hash: 257f60e58f3b3bcba9804226963ba420
humanhash: mirror-august-alpha-lamp
File name: 257f60e58f3b3bcba9804226963ba420.exe
Signature: RedLineStealer
File size: 123'904 bytes
First seen: 2022-05-13 21:36:59 UTC
Last seen: 2022-05-13 22:36:43 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 9557b257bd6f6331d0ba99f598e7a852 (1 x RedLineStealer)
ssdeep: 3072:GqHq+Pq1igYqEjvD/mEFvIfsM3UID0Zb0eQ+5Sw:GKri1FYqYDuXH0S6D
Threatray: 5'089 similar samples on MalwareBazaar
TLSH: T116C3AF0DD83F1655CED0017067194A8B5F8CBBA8BB04728FE2D60EBA1BA553C6D661FC
TrID:
  38.0% (.EXE) Win64 Executable (generic) (10523/12/4)
  23.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  16.3% (.EXE) Win32 Executable (generic) (4505/5/1)
  7.3% (.EXE) OS/2 Executable (generic) (2029/13)
  7.2% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter: abuse_ch
Tags: exe RedLineStealer


Comment by abuse_ch:
RedLineStealer C2:
185.173.39.127:36168

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                  | ThreatFox Reference
185.173.39.127:36168 | https://threatfox.abuse.ch/ioc/561718/

Intelligence

File Origin
# of uploads: 2
# of downloads: 314
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: Valoranrt hack (2).rar
Verdict: Malicious activity
Analysis date: 2022-04-23 01:03:32 UTC
Tags: n/a
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Maliciousness:

Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour:
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-vm

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: RedLine, Xmrig
Detection: malicious
Classification: troj.spyw.evad.mine
Score: 100 / 100
Signatures:
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Command shell drops VBS files
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found strings related to Crypto-Mining
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Xmrig
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph: [graph rendering not reproduced] Behavior Graph ID: 626406, Sample: rL1641YKC4.exe, Startdate: 13/05/2022, Architecture: WINDOWS, Score: 100
Threat name: Win32.Trojan.Mamson
Status: Malicious
First seen: 2022-04-23 00:38:25 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 26 of 41 (63.41%)
Threat level: 5/5

Result
Malware family: n/a
Score: 1/10
Tags: n/a
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments