MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 15791f0ceae7a162d3280af791cd8837705a7ccb6248bbfc3184cc3306ec4a57. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 15791f0ceae7a162d3280af791cd8837705a7ccb6248bbfc3184cc3306ec4a57
SHA3-384 hash: 14e8c90cc5d0ebaf2fba4c21d3b99e6d0e984c00c8fae38c5fbac75accde53efbb77d62d1adb12eac600acd425fd285d
SHA1 hash: b6e42e3a1fbc20c78e003b065440733fb1cafe84
MD5 hash: a9d9617466a30b874b80d4fd6465f46b
humanhash: pluto-uncle-virginia-rugby
File name:a9d9617466a30b874b80d4fd6465f46b
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:238'592 bytes
First seen:2022-04-12 07:37:23 UTC
Last seen:2022-04-12 08:42:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 97c74a5abad8ccf1223b83d8f06c72b2 (1 x RedLineStealer)
ssdeep 3072:Wn9NrR50/7ZnwpmyedsJufkq6c6+2fQxRPgBmhL+d8bdaPBUfeVHD6tpwWH47Yyw:W7150JwuA4xRoBmhKdyLf/kWfymv
Threatray 4'778 similar samples on MalwareBazaar
TLSH T1BA34AE4D71F3C8B3E7A3E431F776D2983D2DE460BB95895327080A3E5AD44B18529EB2
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
284
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
209609199e47fecdd76a96dabf1f9cf5
Verdict:
Malicious activity
Analysis date:
2022-04-13 05:27:34 UTC
Tags:
trojan loader rat redline evasion miner
Link:
https://app.any.run/tasks/95ae375f-2ffd-4b33-a236-2b189161af76

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/262903/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.39480928.18069.26739.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Сreating synchronization primitives
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Creating a file in the %temp% directory
Running batch commands
Launching a process
Creating a window
Reading critical registry keys
Unauthorized injection to a recently created process
Stealing user critical data
Enabling autorun by creating a file
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/13558/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
CallSleep
EvasionQueryPerformanceCounter
EvasionGetTickCount
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm greyware shell32.dll
Link:
https://www.filescan.io/uploads/62552c5cffe27d5119b2e6c5/reports/bc7d7f6a-274d-4834-abad-6c223a692ad0/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e6523435-f1c6-4245-987f-95a5047a5df2
Result
Threat name:
LoaderBot RedLine Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/975153
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to detect sleep reduction / modifications
Creates an undocumented autostart registry key
Detected Stratum mining protocol
Drops PE files to the user root directory
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Execution from Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Suspicious Program Location with Network Connections
Sigma detected: Windows Crypto Mining Indicators
Sigma detected: Xmrig
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected LoaderBot
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 607640 Sample: rnFMPDf3RV Startdate: 12/04/2022 Architecture: WINDOWS Score: 100 102 Sigma detected: Xmrig 2->102 104 Found malware configuration 2->104 106 Malicious sample detected (through community Yara rule) 2->106 108 16 other signatures 2->108 12 rnFMPDf3RV.exe 3 2->12         started        16 svchost.exe 9 1 2->16         started        19 svchost.exe 1 2->19         started        21 svchost.exe 1 2->21         started        process3 dnsIp4 68 C:\Users\Public\M3gJNbpqWpct.exe, PE32 12->68 dropped 70 C:\Users\Public\BEgHvre3gJNc.exe, PE32 12->70 dropped 134 Drops PE files to the user root directory 12->134 136 Contains functionality to detect sleep reduction / modifications 12->136 23 BEgHvre3gJNc.exe 14 7 12->23         started        28 M3gJNbpqWpct.exe 5 12->28         started        72 127.0.0.1 unknown unknown 16->72 file5 signatures6 process7 dnsIp8 86 ip-api.com 208.95.112.1, 49746, 49748, 80 TUT-ASUS United States 23->86 88 checkip.eu-west-1.prod.check-ip.aws.a2z.com 54.246.90.13, 49745, 80 AMAZON-02US United States 23->88 92 3 other IPs or domains 23->92 62 C:\ProgramData\...\a9695eac.exe, PE32 23->62 dropped 64 C:\Users\user\AppData\...\tmpC3F9.tmp.bat, DOS 23->64 dropped 116 Multi AV Scanner detection for dropped file 23->116 118 May check the online IP address of the machine 23->118 120 Machine Learning detection for dropped file 23->120 122 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 23->122 30 cmd.exe 1 23->30         started        90 188.68.205.12, 49749, 7053 ITNET33RU Russian Federation 28->90 124 Antivirus detection for dropped file 28->124 126 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 28->126 128 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 28->128 130 2 other signatures 28->130 file9 signatures10 process11 process12 32 a9695eac.exe 15 3 30->32         started        36 reg.exe 1 30->36         started        39 conhost.exe 30->39         started        41 timeout.exe 1 30->41         started        dnsIp13 74 5.188.119.76, 49750, 80 SELECTELRU Russian Federation 32->74 76 107.189.6.214, 49751, 49760, 80 PONYNETUS United States 32->76 78 5 other IPs or domains 32->78 60 C:\Users\user\...\d15cd7442677c34d.exe, PE32 32->60 dropped 43 d15cd7442677c34d.exe 14 5 32->43         started        110 Creates an undocumented autostart registry key 36->110 file14 signatures15 process16 file17 66 C:\ProgramData\MinerFull.exe, PE32 43->66 dropped 132 Machine Learning detection for dropped file 43->132 47 MinerFull.exe 43->47         started        signatures18 process19 dnsIp20 94 xxx01xzb.beget.tech 91.106.207.25, 49766, 80 BEGET-ASRU Russian Federation 47->94 58 C:\Users\user\AppData\Roaming\...\Driver.exe, MS-DOS 47->58 dropped 96 Antivirus detection for dropped file 47->96 98 Multi AV Scanner detection for dropped file 47->98 100 Machine Learning detection for dropped file 47->100 52 Driver.exe 47->52         started        file21 signatures22 process23 dnsIp24 80 94.23.247.226, 3333, 49767 OVHFR France 52->80 82 pool.supportxmr.com 52->82 84 pool-fr.supportxmr.com 52->84 112 Multi AV Scanner detection for dropped file 52->112 56 conhost.exe 52->56         started        signatures25 114 Detected Stratum mining protocol 80->114 process26
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/15791f0ceae7a162d3280af791cd8837705a7ccb6248bbfc3184cc3306ec4a57/
Threat name:
Win32.Trojan.RedLineStealer
Create hunting rule
Status:
Malicious
First seen:
2022-04-12 02:32:20 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
02f2ddecb8e2761b0ecc346ec43dc12c05661f938331f6f4cc0b8703a9388224
RedLineStealer
2032f4c705391c616308c070f4aa16aed376c18cdc1deb207e8c9048edb0cce8
RedLineStealer
2cef44b61ff47451356f3ae57bbd4d4540b856144ab8f8a2dc9fd9eb55c6cc2a
RedLineStealer
495b412404af5fc597de31a84cbddf175ea4859c9922b012cf0035406a87c29f
RedLineStealer
8eaf681b745ba342b3c952210ea78b6db1cf699954021ece171f71dbd9f8ac43
RedLineStealer
bd250e1cb4f8d322a5464549dc067ac7bcbecfc2d4fca46c40af8d23173011d3
RedLineStealer
d18fcd892cfdce30de3d7ff4f594ffac1e28867905f94afd586c6fff83b63457
RedLineStealer
+ 4'768 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:loaderbot family:redline botnet:123 discovery infostealer loader miner persistence spyware stealer suricata
Link:
https://tria.ge/reports/220412-jgdeysggbp/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
LoaderBot executable
LoaderBot
RedLine
RedLine Payload
suricata: ET MALWARE CerberTear Ransomware CnC Checkin
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Malware Config
C2 Extraction:
188.68.205.12:7053
Unpacked files
SH256 hash:
98c0617a52694e05760b7f0584a3a0f15f772a4e8598cdd7bd833401e6c596d3
MD5 hash:
c523d423234494eeb7b60a892d7a4bea
SHA1 hash:
db992908237ee2ab5c07f4362b9a29516ac09a5d
Link:
https://www.unpac.me/results/1e21581d-0dc2-4e15-9dec-8f7d8bd037ae/
SH256 hash:
2ac567b583c3dc6843f8d7cba45b102b856f269395ee220801c7a490679a53b3
MD5 hash:
64eeb5ab677596ec8516a8414428b5d7
SHA1 hash:
4c8e61d0e2abfccb50c9a949d8bcb318b6c5e52a
Link:
https://www.unpac.me/results/1e21581d-0dc2-4e15-9dec-8f7d8bd037ae/
SH256 hash:
15791f0ceae7a162d3280af791cd8837705a7ccb6248bbfc3184cc3306ec4a57
MD5 hash:
a9d9617466a30b874b80d4fd6465f46b
SHA1 hash:
b6e42e3a1fbc20c78e003b065440733fb1cafe84
Link:
https://www.unpac.me/results/1e21581d-0dc2-4e15-9dec-8f7d8bd037ae/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/15791f0ceae7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/15791f0ceae7a162d3280af791cd8837705a7ccb6248bbfc3184cc3306ec4a57

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 15791f0ceae7a162d3280af791cd8837705a7ccb6248bbfc3184cc3306ec4a57

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2142273/
Cape
Cape
https://www.capesandbox.com/analysis/262903/

Comments


Avatar
zbet commented on 2022-04-12 07:37:26 UTC

url : hxxp://107.189.6.214/hmBo0ded/1.exe