MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1221600b565c655501fbb55c60109aafbcbf09712075c174463f137f41966420. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1221600b565c655501fbb55c60109aafbcbf09712075c174463f137f41966420
SHA3-384 hash: e9adb9be296f6fc7922f9013c7532876c135232a002e3ec227f1099d47e413be90f1c82b2551f54f77c22439aee1a96b
SHA1 hash: 0e9ed1c93e97ccafa49d60bd36179370278efb43
MD5 hash: d8f85aa636e96fec68dd03c52d0352ea
humanhash: illinois-green-nine-massachusetts
File name:d8f85aa636e96fec68dd03c52d0352ea.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:288'768 bytes
First seen:2021-10-01 12:02:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 21506be3202517bb1e8cd3e1062868ad (5 x RedLineStealer, 5 x RaccoonStealer, 2 x Formbook)
ssdeep 6144:1msrLvrNAlMvJX7grnqJL6epRlGOOhxxdeTr/ekI:JrDqlMxrqYL6epRlkzxd6L
Threatray 1'649 similar samples on MalwareBazaar
TLSH T19D54AE083282CFF2D27A01F1AB46C7F0192DBD2C5E2A765B3744775E7E3D3919A1624A
File icon (PE):PE icon
dhash icon 4839b234e8c38890 (121 x RaccoonStealer, 54 x RedLineStealer, 51 x ArkeiStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
http://91.219.236.63/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://91.219.236.63/ https://threatfox.abuse.ch/ioc/229384/

Intelligence

File Origin
# of uploads :
1
# of downloads :
152
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d8f85aa636e96fec68dd03c52d0352ea.exe
Verdict:
Suspicious activity
Analysis date:
2021-10-01 19:53:02 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5c70e81d-5078-4c34-ba08-8f26e78ee45a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/193985/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/886b250d-24d5-469c-8b09-d45084da2b69
Result
Threat name:
RedLine SmokeLoader Tofsee
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/862697
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses known network protocols on non-standard ports
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 495125 Sample: OfdJ45GQGY.exe Startdate: 01/10/2021 Architecture: WINDOWS Score: 100 99 microsoft-com.mail.protection.outlook.com 2->99 101 defeatwax.ru 2->101 103 api.ip.sb 2->103 127 Multi AV Scanner detection for domain / URL 2->127 129 Antivirus detection for URL or domain 2->129 131 Antivirus detection for dropped file 2->131 133 21 other signatures 2->133 11 OfdJ45GQGY.exe 2->11         started        14 bsieafi 2->14         started        16 odqmyxqc.exe 2->16         started        18 5 other processes 2->18 signatures3 process4 signatures5 171 Detected unpacking (changes PE section rights) 11->171 173 Contains functionality to inject code into remote processes 11->173 175 Injects a PE file into a foreign processes 11->175 20 OfdJ45GQGY.exe 11->20         started        177 Multi AV Scanner detection for dropped file 14->177 179 Machine Learning detection for dropped file 14->179 23 bsieafi 14->23         started        181 Detected unpacking (overwrites its own PE header) 16->181 183 Writes to foreign memory regions 16->183 185 Allocates memory in foreign processes 16->185 25 svchost.exe 16->25         started        28 WerFault.exe 18->28         started        process6 dnsIp7 161 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 20->161 163 Maps a DLL or memory area into another process 20->163 165 Checks if the current machine is a virtual machine (disk enumeration) 20->165 30 explorer.exe 14 20->30 injected 167 Creates a thread in another existing process (thread injection) 23->167 107 microsoft-com.mail.protection.outlook.com 52.101.24.0, 25, 49865 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 25->107 109 defeatwax.ru 193.56.146.188, 443, 49879, 49915 LVLT-10753US unknown 25->109 169 System process connects to network (likely due to code injection or exploit) 25->169 signatures8 process9 dnsIp10 113 193.56.146.41, 49823, 9080 LVLT-10753US unknown 30->113 115 216.128.137.31, 80 AS-CHOOPAUS United States 30->115 117 4 other IPs or domains 30->117 91 C:\Users\user\AppData\Roaming\bsieafi, PE32 30->91 dropped 93 C:\Users\user\AppData\Local\Temp\F78F.exe, PE32 30->93 dropped 95 C:\Users\user\AppData\Local\Temp\F3A6.exe, PE32 30->95 dropped 97 5 other malicious files 30->97 dropped 119 System process connects to network (likely due to code injection or exploit) 30->119 121 Benign windows process drops PE files 30->121 123 Deletes itself after installation 30->123 125 Hides that the sample has been downloaded from the Internet (zone.identifier) 30->125 35 F3A6.exe 30->35         started        38 64BB.exe 30->38         started        41 F78F.exe 2 30->41         started        43 3 other processes 30->43 file11 signatures12 process13 dnsIp14 135 Multi AV Scanner detection for dropped file 35->135 137 Detected unpacking (changes PE section rights) 35->137 139 Machine Learning detection for dropped file 35->139 46 F3A6.exe 35->46         started        87 C:\Users\user\AppData\Local\...\odqmyxqc.exe, PE32 38->87 dropped 141 Detected unpacking (overwrites its own PE header) 38->141 143 Uses netsh to modify the Windows network and firewall settings 38->143 145 Modifies the windows firewall 38->145 49 cmd.exe 38->49         started        52 cmd.exe 38->52         started        54 sc.exe 38->54         started        63 3 other processes 38->63 147 Antivirus detection for dropped file 41->147 149 Sample uses process hollowing technique 41->149 151 Injects a PE file into a foreign processes 41->151 56 F78F.exe 2 41->56         started        59 conhost.exe 41->59         started        111 cdn.discordapp.com 162.159.135.233, 443, 49824, 49836 CLOUDFLARENETUS United States 43->111 89 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 43->89 dropped 153 Query firmware table information (likely to detect VMs) 43->153 155 Tries to detect sandboxes and other dynamic analysis tools (window names) 43->155 157 Adds a directory exclusion to Windows Defender 43->157 159 2 other signatures 43->159 61 AdvancedRun.exe 43->61         started        65 4 other processes 43->65 file15 signatures16 process17 dnsIp18 187 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 46->187 189 Maps a DLL or memory area into another process 46->189 191 Checks if the current machine is a virtual machine (disk enumeration) 46->191 193 Creates a thread in another existing process (thread injection) 46->193 85 C:\Windows\SysWOW64\...\odqmyxqc.exe (copy), PE32 49->85 dropped 67 conhost.exe 49->67         started        69 conhost.exe 52->69         started        71 conhost.exe 54->71         started        105 188.72.208.174, 38430, 49871 WEBZILLANL Netherlands 56->105 73 AdvancedRun.exe 61->73         started        75 conhost.exe 63->75         started        77 conhost.exe 63->77         started        79 conhost.exe 63->79         started        81 conhost.exe 65->81         started        83 conhost.exe 65->83         started        file19 signatures20 process21
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1221600b565c655501fbb55c60109aafbcbf09712075c174463f137f41966420/
Threat name:
Win32.Trojan.DllCheck
Create hunting rule
Status:
Malicious
First seen:
2021-10-01 12:03:05 UTC
AV detection:
18 of 27 (66.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ciqwac2wlrsvkap3wvogaee2v66l6clreb24c5cgh4jx6qmwmqqa._file
Verdict:
malicious
Similar samples:
5ea70d1ccacc9fde5a0f1cf02273de35c8db3fdcf6ec8d5da788fed041a742ac
RedLineStealer
66a4ad6ad86ac5cc502368cdd94be1164da5fb4da4b2c2048a09c1c37b175f40
RedLineStealer
6995cc187abb7a1e4d973a54078e041eedd383f505174f9ebb3f0b897fa06d60
RedLineStealer
c28e190666a5967096f8c8e3ecd3a62e502fe84eb300113faa3fe06575ea118b
RedLineStealer
ccbded51600db440d54831ff724cf0e988220da4cd069244ade361c959b8c852
RedLineStealer
d4928b68e9f811d65718737a7eea99963cc2b9778fb127151e610868fcb9de7e
RedLineStealer
d95a118a855f7188eb3fef55eb470bf41a9b569cfc40c3d68c90fd778a6ce585
RedLineStealer
e29a1c1188926719adc1bece4f4e828ac78c0aaca2cb01e141e6cf7ca5539e6b
RedLineStealer
edf6beb88780fb3085332f843b73418f52bbf095265dad631cf8e187644cb565
RedLineStealer
f3caecffb11faf28d31a3f30e39511ab1dbbce621259b73172d94f9a75962d1c
RedLineStealer
+ 1'639 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline family:smokeloader family:tofsee family:xmrig botnet:114кk botnet:5ff0ccb2bc00dc52d1ad09949e9c7663bc9ca4d4 botnet:installs123s botnet:r backdoor evasion infostealer miner persistence stealer themida trojan
Link:
https://tria.ge/reports/211001-n7116abfhq/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Themida packer
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Sets service image path in registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Nirsoft
XMRig Miner Payload
Raccoon
RedLine
RedLine Payload
SmokeLoader
Tofsee
Windows security bypass
xmrig
Malware Config
C2 Extraction:
http://fiskahlilian16.top/
http://paishancho17.top/
http://ydiannetter18.top/
http://azarehanelle19.top/
http://quericeriant20.top/
188.72.208.174:38430
138.124.186.2:27999
193.56.146.60:18243
Unpacked files
SH256 hash:
592b089027938156e18387e4402b965a5f1ffc25e96d7efc3aa9331254587bdd
MD5 hash:
2dbb1eb8c40c88994738a736ad55c79b
SHA1 hash:
88e2fc9242606c7dfcd68d5da8c6d457837157a3
Link:
https://www.unpac.me/results/ff5889f0-45d6-4022-a5a6-15e68b8c11ae/
SH256 hash:
1221600b565c655501fbb55c60109aafbcbf09712075c174463f137f41966420
MD5 hash:
d8f85aa636e96fec68dd03c52d0352ea
SHA1 hash:
0e9ed1c93e97ccafa49d60bd36179370278efb43
Link:
https://www.unpac.me/results/ff5889f0-45d6-4022-a5a6-15e68b8c11ae/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/1221600b565c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1221600b565c655501fbb55c60109aafbcbf09712075c174463f137f41966420

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 1221600b565c655501fbb55c60109aafbcbf09712075c174463f137f41966420

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1649571/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/193985/

Comments