MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0e3e35413de5649d66d3ae80a50c0d441f906343b0261b755a8cb72cd3e5efa2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer
Vendor detections: 6

SHA256 hash: 0e3e35413de5649d66d3ae80a50c0d441f906343b0261b755a8cb72cd3e5efa2
SHA3-384 hash: a554f3c8fb36d776c9c5acc6b9e2d1ddfdd25156b85da3d22f01423e46085b4b4b83b0b2a71a93cefd5605a2123b5d03
SHA1 hash: 2a89ed89ce4dfed09ea35dbeaa6324912e24e291
MD5 hash: f8dfb6b2747437dc5501a0e928f683bc
humanhash: ink-lithium-grey-early
File name: F8DFB6B2747437DC5501A0E928F683BC.exe
Signature: RedLineStealer
File size: 1'829'182 bytes
First seen: 2021-06-29 16:46:19 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 1ff847646487d56f85778df99ff3728a (4 x RedLineStealer, 3 x Nitol, 2 x Gh0stRAT)
ssdeep: 49152:WC2lJmXbj5DIwbQea1LPEyK7r385JD3d6cIWhJ:WzlkbFDVrQMyOr3S3d6cLhJ
Threatray: 8 similar samples on MalwareBazaar
TLSH: 91851203B293C072D49901B505658BB64F3A7C319775D0F7AFD13AAA9D703E29B3638A
Reporter: abuse_ch
Tags: exe RedLineStealer

abuse_ch
RedLineStealer C2:
45.84.0.164:80

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
45.84.0.164:80 | https://threatfox.abuse.ch/ioc/155636/
http://157.90.127.76/ | https://threatfox.abuse.ch/ioc/155776/

Intelligence


File Origin
# of uploads: 1
# of downloads: 147
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: F8DFB6B2747437DC5501A0E928F683BC.exe
Verdict: No threats detected
Analysis date: 2021-06-29 16:49:31 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: troj.spyw.evad
Score: 40 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Connects to a pastebin service (likely for C&C)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Opens network shares
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Behaviour
Behavior Graph: ID 441956, sample xvaDW96fiE.exe, start date 29/06/2021, architecture WINDOWS, score 40 (graph rendering not reproduced)
Threat name: Win32.Trojan.Bingoml
Status: Malicious
First seen: 2021-06-23 01:08:27 UTC
AV detection: 21 of 29 (72.41%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: upx
Behaviour
Modifies Internet Explorer settings
Modifies system certificate store
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Executes dropped EXE
UPX packed file
Unpacked files
SHA256 hash: 1e8121314ca307c278a039e28052aa9874ac5f852efcd87781f1d06af096735b
MD5 hash: dfd5410256707f5916f6be62712dbc3d
SHA1 hash: c4ec84f7929bd63f972fbdb5977f3b8e6c370fb1

SHA256 hash: c3f051fdc89bba65156a1f0b0c6bcd9dd7950ff851ed8338e842ad1d89534c48
MD5 hash: 6e8174db90c85a6c871510c2ec49c3f9
SHA1 hash: 01d1ea3fceaae1eef1034e230c1924eba645a7ee

SHA256 hash: 0e3e35413de5649d66d3ae80a50c0d441f906343b0261b755a8cb72cd3e5efa2
MD5 hash: f8dfb6b2747437dc5501a0e928f683bc
SHA1 hash: 2a89ed89ce4dfed09ea35dbeaa6324912e24e291
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments