MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0f5d2516bb90d08755178e51a894001e6a1c14912e0e990d7ac8e4f935df7a39. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 14



SHA256 hash: 0f5d2516bb90d08755178e51a894001e6a1c14912e0e990d7ac8e4f935df7a39
SHA3-384 hash: ca2ecd74e58eed20484d74c494438972b5297273ab2b97f9f08870016dfa176c72f1ce4ca203694bc9bb7e801d071715
SHA1 hash: acf8b8631864ec29f380738d84fa3c8422f39462
MD5 hash: 2d69a69020ea6436fb94ac8435add62d
humanhash: butter-salami-five-apart
File name: 2d69a69020ea6436fb94ac8435add62d
Download: download sample
Signature: RedLineStealer
File size: 815,104 bytes
First seen: 2021-10-12 12:30:17 UTC
Last seen: 2021-10-12 13:03:14 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 15d5ef646683193cc56a57795c37b4cd (1 x RedLineStealer)
ssdeep: 12288:ThHr3dkxOtWArhEU32bRS5xVMod9O35/8GU4unI1SS1ntOnRA0Q3rF4dH1tNNKdx:5axuzdxjnILKnRex43tN0nx
Threatray: 204 similar samples on MalwareBazaar
TLSH: T1AA055BC7B6B3618EE7A3B4794F0216D24A420D762F119AF56F30E96A11F3791CA93313
dhash icon: c48e33714d6d92e8 (3 x RedLineStealer)
Reporter: zbetcheckin
Tags: 32 exe RedLineStealer

Intelligence


File Origin
# of uploads: 2
# of downloads: 202
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 2d69a69020ea6436fb94ac8435add62d
Verdict: Malicious activity
Analysis date: 2021-10-12 12:37:25 UTC
Tags: trojan rat redline loader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Connection attempt
Sending a custom TCP request
Launching a service
DNS request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file in the %temp% directory
Stealing user critical data
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-debug anti-vm greyware packed rozena
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family: RedLine stealer
Verdict: Malicious

Result
Threat name: BitCoin Miner RedLine
Detection: malicious
Classification: troj.spyw.evad.mine
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected BitCoin Miner
Yara detected RedLine Stealer
Behaviour
Behavior Graph (ID 501072; sample 4uNHQiXOV2; start date 12/10/2021; architecture WINDOWS; score 100), rendered here as a process tree recovered from the graph text:

Sample-level signatures:
  Found malware configuration
  Multi AV Scanner detection for submitted file
  Yara detected BitCoin Miner
  5 other signatures

Process tree:
  4uNHQiXOV2.exe
    Network: 176.57.71.68 (ports 37814, 49769; ON-LINE-DATA Serverlocation-Netherlands Dronten NL; Ukraine)
    Network: a0588827.xsph.ru, 141.8.192.193 (ports 49773, 80; SPRINTHOSTRU; Russian Federation)
    Network: lm.kamisime.ru, 81.177.141.85 (ports 49770, 80; RTCOMM-ASRU; Russian Federation)
    Dropped: C:\Users\user\AppData\Local\Temp\123.exe (PE32+)
    Dropped: C:\Users\user\AppData\...\4uNHQiXOV2.exe.log (ASCII)
    Signatures: Detected unpacking (creates a PE file in dynamic memory); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); 2 other signatures
    Started: 123.exe
      Dropped: C:\Users\user\AppData\...\runtimeservice.exe (PE32+)
      Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
      Started: runtimeservice.exe
        Network: github.com, 140.82.121.3 (ports 443, 49774; GITHUBUS; United States)
        Network: raw.githubusercontent.com, 185.199.108.133 (ports 443, 49776; FASTLYUS; Netherlands)
        Network: sanctam.net
        Dropped: C:\Users\user\AppData\...\sihost32.exe (PE32+)
        Started: sihost32.exe
          Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
        Started: cmd.exe
          Started: conhost.exe
          Started: schtasks.exe
      Started: cmd.exe
        Signatures: Uses schtasks.exe or at.exe to add and modify task schedules
        Started: conhost.exe
        Started: schtasks.exe
  runtimeservice.exe
    Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
    Started: cmd.exe
      Started: conhost.exe
      Started: schtasks.exe
Threat name: Win32.Trojan.Fragtor
Status: Malicious
First seen: 2021-10-12 09:57:26 UTC
AV detection: 14 of 28 (50.00%)
Threat level: 5/5

Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:proliv discovery infostealer spyware stealer
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
RedLine
RedLine Payload
Malware Config
C2 Extraction: 176.57.71.68:37814

Unpacked files
SHA256 hash: 0df1fb025c7a28e480075705fce1862d4c3130c8e94d285aacc17acb3c0ebd82
MD5 hash: 00cff889d3296b200886f92118d9a13e
SHA1 hash: cff29ff8b2b2efc410359827be231ccdf3c355d9

SHA256 hash: 0f797261eceda0e0dad652911f3a280a80f2e702341fb949603c656a755360fa
MD5 hash: 870e111f657772dc7c14b8ae9c61a36e
SHA1 hash: 57b13a4103638ecaae7a54fdc1ff8e46c375ba63

SHA256 hash: 0f5d2516bb90d08755178e51a894001e6a1c14912e0e990d7ac8e4f935df7a39 (this sample)
MD5 hash: 2d69a69020ea6436fb94ac8435add62d
SHA1 hash: acf8b8631864ec29f380738d84fa3c8422f39462
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: quakbot_halo_generated
Author: Halogen Generated Rule, Corsin Camichel

Rule name: redline_stealer
Author: jeFF0Falltrades
Description: This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  RedLineStealer
    Executable exe 0f5d2516bb90d08755178e51a894001e6a1c14912e0e990d7ac8e4f935df7a39 (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2021-10-12 12:30:18 UTC

url: hxxp://2.56.59.42/WW/file1.exe