MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1041e565591869dad2e76b1be522e5d5a7daa60d59bdba5b7f944cc9ed23291d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs 3 YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1041e565591869dad2e76b1be522e5d5a7daa60d59bdba5b7f944cc9ed23291d
SHA3-384 hash: 411c27804c4da17b51e75486afa7356ecf68870fbe8dc6e11cc61ceecdbe281fe7f7d394a6d7b005854b8446fdf09828
SHA1 hash: 254d133fcffa45d0eb3f29ca2e58e0ce5e60f930
MD5 hash: 49640562f8590941bb0b6a77b6f5fca0
humanhash: cat-potato-stairway-mountain
File name:49640562F8590941BB0B6A77B6F5FCA0.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:351'744 bytes
First seen:2021-06-02 17:25:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bca4c139115857ba195befba3c3bfd5f (5 x Stop, 3 x RaccoonStealer, 1 x RedLineStealer)
ssdeep 6144:oje/9y6/4WaWxI6ykdrvdw7Qh9OXWpKmXKVpGijpsurzr:oje/9yLWVbykdrCa9OGpKr7j+G
Threatray 1'927 similar samples on MalwareBazaar
TLSH 35749D31A7E1C039F0F322B449B59278A53A7EF2673481CF62D13AEA5A356D59C30747
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
185.215.113.17:18597

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.215.113.17:18597 https://threatfox.abuse.ch/ioc/69455/
http://nimidm22.top/index.php https://threatfox.abuse.ch/ioc/69456/
http://morzvl02.top/index.php https://threatfox.abuse.ch/ioc/69457/

Intelligence

File Origin
# of uploads :
1
# of downloads :
115
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
49640562F8590941BB0B6A77B6F5FCA0.exe
Verdict:
Malicious activity
Analysis date:
2021-06-02 18:12:06 UTC
Tags:
trojan rat redline evasion
Link:
https://app.any.run/tasks/c7f29ac6-8b40-457c-939c-1097dab823f5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLineDropperAHK
Create hunting rule
Link:
https://www.capesandbox.com/analysis/164117/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)
DNS request
Deleting a recently created file
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Sending an HTTP GET request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Cryptbot Glupteba RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/796300
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Country aware sample found (crashes after keyboard check)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample or dropped binary is a compiled AutoHotkey binary
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected Cryptbot
Yara detected Evader
Yara detected Glupteba
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 428696 Sample: FHnuwG4dWB.exe Startdate: 02/06/2021 Architecture: WINDOWS Score: 100 61 nimono32.top 2->61 63 api.ip.sb 2->63 79 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->79 81 Multi AV Scanner detection for domain / URL 2->81 83 Found malware configuration 2->83 85 17 other signatures 2->85 8 FHnuwG4dWB.exe 29 2->8         started        signatures3 process4 dnsIp5 73 g-cleanpartners.in 8.209.68.196, 49735, 49736, 49740 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC Singapore 8->73 75 gclean.biz 8->75 77 4 other IPs or domains 8->77 53 C:\Users\user\AppData\...\86506681811.exe, PE32 8->53 dropped 55 C:\Users\user\AppData\...\84287857977.exe, PE32 8->55 dropped 57 C:\Users\user\AppData\...\41451772368.exe, PE32 8->57 dropped 59 6 other files (2 malicious) 8->59 dropped 107 May check the online IP address of the machine 8->107 13 cmd.exe 8->13         started        15 cmd.exe 8->15         started        17 cmd.exe 8->17         started        19 10 other processes 8->19 file6 signatures7 process8 file9 22 86506681811.exe 13->22         started        27 conhost.exe 13->27         started        29 41451772368.exe 15->29         started        31 conhost.exe 15->31         started        33 84287857977.exe 17->33         started        35 conhost.exe 17->35         started        41 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 19->41 dropped 43 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 19->43 dropped 45 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 19->45 dropped 47 6 other malicious files 19->47 dropped 37 conhost.exe 19->37         started        39 taskkill.exe 19->39         started        process10 dnsIp11 65 api.ip.sb 22->65 67 51.38.208.16, 28626, 49753 OVHFR France 22->67 49 C:\Users\user\AppData\...\86506681811.exe.log, ASCII 22->49 dropped 87 Detected unpacking (changes PE section rights) 22->87 89 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 22->89 91 Query firmware table information (likely to detect VMs) 22->91 105 6 other signatures 22->105 69 nailedpizza.top 29->69 71 iplogger.org 29->71 51 C:\Users\user\AppData\...\edspolishpp.exe, PE32 29->51 dropped 93 Detected unpacking (overwrites its own PE header) 29->93 95 May check the online IP address of the machine 29->95 97 Contains functionality to register a low level keyboard hook 29->97 99 Sample or dropped binary is a compiled AutoHotkey binary 29->99 101 Multi AV Scanner detection for dropped file 33->101 103 Tries to harvest and steal browser information (history, passwords, etc) 33->103 file12 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1041e565591869dad2e76b1be522e5d5a7daa60d59bdba5b7f944cc9ed23291d/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-06-01 04:04:00 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cba6kzkzdbu5vuxhnmn6kixf2wt5vjqnlg63uw37srgmt3jdfeoq._file
Verdict:
malicious
Similar samples:
3a4d13a372ee0719f47ffffd542763ecc50113e8873f24c82c32b9f06665163a
RedLineStealer
4d62b51a9ec8a8f5a1dfc47a82789d8e5d6bb7f02573cee7b0d38f52672b8f79
RedLineStealer
798204be3c87f8644d21f51035a29dd85e539e3969233ddda56a725461236717
RedLineStealer
7d7d95f5656db399e646ebc63be222f85a6489e81b0a9773391185ef1faf537d
RedLineStealer
989a76309e98914e5e73acd337113893430700e42838627c250fb8de76869937
RedLineStealer
a30aa51bc0554b2dedf5f0a7f29219ad301a97b5e6e4215f42973bb010345d3c
RedLineStealer
d460839a01093007c634bbca24ac143244b9f6d2b4943ea9aa292600884836ce
RedLineStealer
e5a666bc9d8b7c4a483d8a9204919dc454bca394cd22ac150aaf18bbb80b0b89
RedLineStealer
f29a98849772d487f462daadc5072112353b52fa17ffeac2d2e8d669fcffe573
RedLineStealer
fe5c6f5e168f59382dd4fa29158156c0d917f2e15035dfe3b38043c6327f0c24
RedLineStealer
+ 1'917 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:cryptbot family:redline botnet:mix 02.06 discovery evasion infostealer spyware stealer themida trojan
Link:
https://tria.ge/reports/210602-jhdxe64mz6/
Behaviour
Checks processor information in registry
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
CryptBot
CryptBot Payload
RedLine
RedLine Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
nimono32.top
morudl03.top
185.215.113.17:18597
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1041e565591869dad2e76b1be522e5d5a7daa60d59bdba5b7f944cc9ed23291d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:MALWARE_Win_CryptBot
Create hunting rule
Author:ditekSHen
Description:CryptBot/Fugrafa stealer payload
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:SUSP_XORed_Mozilla
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/164117/

Comments