MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 15df73dad867d9fc37d282336230f4e1fe4397288f02a06c05a28d084908f0b6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 15df73dad867d9fc37d282336230f4e1fe4397288f02a06c05a28d084908f0b6
SHA3-384 hash: fbc4f1d2b4a563771c6a7cb2d2bda40ca6223755685429004e8ed116a1d665834f97e59402f2f2bd99abdad51893b829
SHA1 hash: 6f92c113122f2c1c4dbb80c9257e915dc2d6f367
MD5 hash: a6346640458285f32f64e7eddae6c175
humanhash: wolfram-beer-fifteen-charlie
File name:Trainer v5.1.1.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:3'688'960 bytes
First seen:2022-01-13 13:10:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c284fa365c4442728ac859c0f9ed4dc5 (94 x RedLineStealer, 10 x RaccoonStealer, 8 x CoinMiner)
ssdeep 98304:ieUlB59Ghh03k+mKEppE4edOqMw00ZtHBvOv3IyIj:ie482MQ4edOh5EOv1Ij
Threatray 249 similar samples on MalwareBazaar
TLSH T1CF0633CADB14900FCBAA1A3B41974347C59CDE01EC5A2E7F962FC2B09618DED50976B3
Reporter tech_skeech
Tags:exe RedLineStealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
92.255.85.47:41320 https://threatfox.abuse.ch/ioc/294701/

Intelligence

File Origin
# of uploads :
1
# of downloads :
236
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Trainer v5.1.1.exe
Verdict:
Malicious activity
Analysis date:
2022-01-13 18:40:24 UTC
Tags:
trojan rat redline loader
Link:
https://app.any.run/tasks/d1513eed-ec97-406a-a588-4339fb9656da

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/219018/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
DNS request
Sending a custom TCP request
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Сreating synchronization primitives
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed raccoon
Link:
https://www.filescan.io/uploads/61e024eae997359713e623f8/reports/8c66a125-008a-484f-8b55-3d5f817696a4/overview
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/89259f14-47f3-4053-b955-b44b4b31fd69
Result
Threat name:
RedLine TON Miner
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/920311
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected TON Miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 552786 Sample: Trainer v5.1.1.exe Startdate: 13/01/2022 Architecture: WINDOWS Score: 100 96 Multi AV Scanner detection for domain / URL 2->96 98 Antivirus detection for URL or domain 2->98 100 Multi AV Scanner detection for submitted file 2->100 102 8 other signatures 2->102 12 Trainer v5.1.1.exe 2->12         started        15 RegHost.exe 1 2->15         started        process3 signatures4 132 Writes to foreign memory regions 12->132 134 Allocates memory in foreign processes 12->134 136 Injects a PE file into a foreign processes 12->136 17 AppLaunch.exe 15 7 12->17         started        138 Antivirus detection for dropped file 15->138 140 Multi AV Scanner detection for dropped file 15->140 142 Detected unpacking (changes PE section rights) 15->142 144 5 other signatures 15->144 22 explorer.exe 1 15->22         started        24 bfsvc.exe 1 15->24         started        26 conhost.exe 15->26         started        process5 dnsIp6 86 92.255.85.47, 41320, 49689 SOVTEL-ASRU Russian Federation 17->86 88 data-host-coin-8.com 45.135.233.182, 49693, 80 ASBAXETNRU Russian Federation 17->88 82 C:\Users\user\...\8969_1642062684_8360.exe, PE32+ 17->82 dropped 104 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 17->104 106 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 17->106 108 Tries to harvest and steal browser information (history, passwords, etc) 17->108 110 Tries to steal Crypto Currency Wallets 17->110 28 8969_1642062684_8360.exe 1 2 17->28         started        90 192.168.2.1 unknown unknown 22->90 33 RegHost.exe 22->33         started        35 conhost.exe 24->35         started        file7 signatures8 process9 dnsIp10 94 185.137.234.33, 49695, 8080 SELECTELRU Russian Federation 28->94 84 C:\Users\user\AppData\Roaming\...\RegHost.exe, PE32+ 28->84 dropped 146 Antivirus detection for dropped file 28->146 148 Multi AV Scanner detection for dropped file 28->148 150 Detected unpacking (changes PE section rights) 28->150 158 5 other signatures 28->158 37 explorer.exe 1 28->37         started        39 curl.exe 1 28->39         started        42 bfsvc.exe 1 28->42         started        44 conhost.exe 28->44         started        152 Injects code into the Windows Explorer (explorer.exe) 33->152 154 Writes to foreign memory regions 33->154 156 Allocates memory in foreign processes 33->156 46 explorer.exe 33->46         started        48 bfsvc.exe 33->48         started        50 conhost.exe 33->50         started        file11 signatures12 process13 dnsIp14 52 RegHost.exe 37->52         started        92 api.telegram.org 149.154.167.220, 443, 49696 TELEGRAMRU United Kingdom 39->92 55 conhost.exe 39->55         started        57 conhost.exe 42->57         started        59 RegHost.exe 46->59         started        61 conhost.exe 48->61         started        process15 signatures16 112 Injects code into the Windows Explorer (explorer.exe) 52->112 114 Writes to foreign memory regions 52->114 116 Allocates memory in foreign processes 52->116 118 Modifies the context of a thread in another process (thread injection) 52->118 63 explorer.exe 52->63         started        65 bfsvc.exe 52->65         started        67 conhost.exe 52->67         started        120 Hides threads from debuggers 59->120 122 Injects a PE file into a foreign processes 59->122 69 conhost.exe 59->69         started        71 bfsvc.exe 59->71         started        process17 process18 73 RegHost.exe 63->73         started        76 conhost.exe 65->76         started        signatures19 124 Writes to foreign memory regions 73->124 126 Allocates memory in foreign processes 73->126 128 Modifies the context of a thread in another process (thread injection) 73->128 130 2 other signatures 73->130 78 conhost.exe 73->78         started        80 bfsvc.exe 73->80         started        process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/15df73dad867d9fc37d282336230f4e1fe4397288f02a06c05a28d084908f0b6/
Threat name:
Win32.Trojan.Raccoon
Create hunting rule
Status:
Malicious
First seen:
2022-01-13 13:11:17 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
26 of 41 (63.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cxpxhwwym7m7yn6sqizwemhu4h7ehfzir4bka3afukgqqsii6c3a._file
Verdict:
malicious
Similar samples:
1b7e034dcef7122ca791a5da14c588922d67cf81f33c6d1e281d54df46a11bc2
RedLineStealer
22b1bd5ff8d474bb70ad086e75dbba870aaeb52599d436b84ba35e9e612078b4
RedLineStealer
3980a26f3644a2e8749461e88bfa44849557613bdd9b27656a5cec2cd5122527
RedLineStealer
48027757a1a094a10889267946a724be5cdb3e2e121198e9287fd2dcf6e27f57
RedLineStealer
a16e7379dfd435c1b99183299ecbdb3b468e47cc68bb9a14bef5fda17bb2e942
RedLineStealer
e56e40b828cafc16582377e3086fa8a9f892190d2e6fe5b2686039c65dfb7360
RedLineStealer
fd61c25b7d28f6cbf12269fc8733fa844fa888998c16f0046b1520761fc0d79c
RedLineStealer
+ 239 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/220113-qext5saeak/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Unpacked files
SH256 hash:
36ea26d89cc0a29e36db52e001dcef49d73e4049ff30c5c793aeb1208b3d1db1
MD5 hash:
ea386279a733ad246541b4ff1d005596
SHA1 hash:
9eb26d99433c7316f4de0f548ec28667042ced69
Link:
https://www.unpac.me/results/752424c0-29e3-4f5f-b8b5-cdc541e14353/
SH256 hash:
6537fd7ae0cee250eff328f10ac348e3ac6a0f22b72f05d375eb18081f908259
MD5 hash:
10958fe271177ec7aafe220246aacb4d
SHA1 hash:
80a9d6709693533580029679a185a3be9ffad0bb
Link:
https://www.unpac.me/results/752424c0-29e3-4f5f-b8b5-cdc541e14353/
SH256 hash:
15df73dad867d9fc37d282336230f4e1fe4397288f02a06c05a28d084908f0b6
MD5 hash:
a6346640458285f32f64e7eddae6c175
SHA1 hash:
6f92c113122f2c1c4dbb80c9257e915dc2d6f367
Link:
https://www.unpac.me/results/752424c0-29e3-4f5f-b8b5-cdc541e14353/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/15df73dad867/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/15df73dad867d9fc37d282336230f4e1fe4397288f02a06c05a28d084908f0b6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:EnigmaStub
Create hunting rule
Author:@bartblaze
Description:Identifies Enigma packer stub.
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding registry key / value combination indicative of disabling Windows Defedner features
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 15df73dad867d9fc37d282336230f4e1fe4397288f02a06c05a28d084908f0b6

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/219018/

Comments