MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 15fcf16c0b002ac7f125ed2d81851a1504554164d8b0d5b72d670a73200b8bfb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 15fcf16c0b002ac7f125ed2d81851a1504554164d8b0d5b72d670a73200b8bfb
SHA3-384 hash: 8aada233fbc1b617efe347ff6f90f0738ba1d20e2647294f0bbb2e4370ed7aceca90cf8657f33e482281c46e53f0c18c
SHA1 hash: a2a3b70c372f6342d4061eab111fd84807a8a71d
MD5 hash: 90041e6a7d5931255a6ae9c310e05c97
humanhash: montana-carbon-low-item
File name:90041e6a7d5931255a6ae9c310e05c97
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:198'656 bytes
First seen:2021-09-23 16:27:06 UTC
Last seen:2021-09-23 17:58:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5fbfc74c3ddccb96d094c58debd98462 (10 x RedLineStealer, 2 x Tofsee, 2 x RaccoonStealer)
ssdeep 3072:QALINbTb1ok0g2p1QCzLyhkP52QOq++4hdVV9Nmk5sAaz:QAENbX1ok0Zp+E+kRRUhnTA
Threatray 352 similar samples on MalwareBazaar
TLSH T13814DF6136E18273E2B37B355974E7114A7F79A22B71D68FB60023AA5F733C09921393
File icon (PE):PE icon
dhash icon 0e62d89c64fcb8e2 (1 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.215.113.15:6043 https://threatfox.abuse.ch/ioc/226451/

Intelligence

File Origin
# of uploads :
2
# of downloads :
131
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
90041e6a7d5931255a6ae9c310e05c97
Verdict:
Malicious activity
Analysis date:
2021-09-23 16:28:24 UTC
Tags:
trojan rat redline opendir evasion loader stealer
Link:
https://app.any.run/tasks/0079182c-d1cd-4452-9893-206ad030416a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CryptBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/190836/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.19928.10150.UNOFFICIAL
Create hunting rule

Malware family:
CryptBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/805a97a5-fbf7-46f5-be4f-a08792b9c119
Result
Threat name:
Glupteba RedLine
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/856721
Signature
Antivirus detection for URL or domain
Contains functionality to register a low level keyboard hook
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample or dropped binary is a compiled AutoHotkey binary
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Autohotkey Downloader Generic
Yara detected Evader
Yara detected Glupteba
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 489152 Sample: sZqcv9vi4c Startdate: 23/09/2021 Architecture: WINDOWS Score: 100 85 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->85 87 Antivirus detection for URL or domain 2->87 89 Multi AV Scanner detection for dropped file 2->89 91 9 other signatures 2->91 9 sZqcv9vi4c.exe 26 2->9         started        process3 dnsIp4 75 194.145.227.161, 49728, 80 CLOUDPITDE Ukraine 9->75 77 sliderfriday.top 5.180.136.173, 49735, 49736, 49742 IHOR-CORE-ASRU Russian Federation 9->77 79 3 other IPs or domains 9->79 53 C:\Users\user\AppData\...\98026374445.exe, PE32 9->53 dropped 55 C:\Users\user\AppData\...\68716010846.exe, PE32 9->55 dropped 57 C:\Users\user\AppData\...\59549645111.exe, PE32 9->57 dropped 59 6 other malicious files 9->59 dropped 119 Detected unpacking (changes PE section rights) 9->119 121 Detected unpacking (overwrites its own PE header) 9->121 123 May check the online IP address of the machine 9->123 14 cmd.exe 9->14         started        16 cmd.exe 1 9->16         started        18 cmd.exe 1 9->18         started        20 cmd.exe 9->20         started        file5 signatures6 process7 process8 22 98026374445.exe 14->22         started        27 conhost.exe 14->27         started        29 59549645111.exe 15 34 16->29         started        31 conhost.exe 16->31         started        33 68716010846.exe 38 18->33         started        35 conhost.exe 18->35         started        37 conhost.exe 20->37         started        39 taskkill.exe 20->39         started        dnsIp9 61 192.168.2.1 unknown unknown 22->61 63 sliderfriday.top 22->63 65 iplogger.org 22->65 49 C:\Users\user\AppData\Roaming\...\apinesp.exe, PE32 22->49 dropped 93 Detected unpacking (overwrites its own PE header) 22->93 95 May check the online IP address of the machine 22->95 97 Creates HTML files with .exe extension (expired dropper behavior) 22->97 107 2 other signatures 22->107 41 apinesp.exe 22->41         started        67 188.124.36.242, 25802, 49744 SELECTELRU Russian Federation 29->67 69 api.ip.sb 29->69 51 C:\Users\user\AppData\...\59549645111.exe.log, ASCII 29->51 dropped 99 Multi AV Scanner detection for dropped file 29->99 101 Detected unpacking (changes PE section rights) 29->101 103 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 29->103 109 6 other signatures 29->109 45 conhost.exe 29->45         started        71 xoklsd42.top 45.137.152.25, 49821, 80 MNOGOBYTE-ASMoscowRussiaRU Russian Federation 33->71 73 morhiw04.top 185.25.51.72, 49822, 49823, 49825 IST-ASLT Lithuania 33->73 105 Tries to harvest and steal browser information (history, passwords, etc) 33->105 file10 signatures11 process12 dnsIp13 81 185.215.113.15, 49761, 6043 WHOLESALECONNECTIONSNL Portugal 41->81 83 api.ip.sb 41->83 111 Multi AV Scanner detection for dropped file 41->111 113 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 41->113 115 Tries to harvest and steal browser information (history, passwords, etc) 41->115 117 Tries to steal Crypto Currency Wallets 41->117 47 conhost.exe 41->47         started        signatures14 process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/15fcf16c0b002ac7f125ed2d81851a1504554164d8b0d5b72d670a73200b8bfb/
Threat name:
Win32.Trojan.Racealer
Create hunting rule
Status:
Malicious
First seen:
2021-09-23 16:28:04 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cx6pc3alaavmp4jf5uwydbi2cucfkqle3cynlnznm4fhgialrp5q._file
Verdict:
malicious
Similar samples:
3837bd604e129244d1ca1fdd901fec0de7069f960e4c787c579811e21f2448c2
RedLineStealer
46833cb6d7164e28570005bd33ca5a46e3d1f3666677d1a1ef541b70f98b5d14
RedLineStealer
49113451c4baac2ee6b97486bd1f57dcf68891d55ff4782daa4d578e23e78d7c
RedLineStealer
84e2ad7dc850968e01f5e82dd5f936558580ac0f868d86e3b7d55060c27140ab
RedLineStealer
aab74b8bcca09c0fecb8c23b554d2cb110710d8718de82e63f060860c5a396e7
RedLineStealer
b41de952a4fc93913cc56535c289c1cfd5b4c249477a0fad912956abf6b2293b
RedLineStealer
b5f88e34db4bb65da8c21982590b67922fe32e62e7cfaae9fbe417a4262aa143
RedLineStealer
b9f79bcb4c0ea9e939b35813e807fda308b7038f1dea613e7d8bbd7fe127ac84
RedLineStealer
e95fd4b1c20d7547466b404f5a9f00940e40e3c8421c3838b619adfa6bbcb4cb
RedLineStealer
ef2f21418e6ff5b26def9df5e5a12be498475dcd904e1e11bce087e8fb7037b6
RedLineStealer
+ 342 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:mix23.09 discovery evasion infostealer spyware stealer themida trojan
Link:
https://tria.ge/reports/210923-tym1tsegh5/
Behaviour
Checks processor information in registry
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Deletes itself
Reads user/profile data of web browsers
Themida packer
Executes dropped EXE
Downloads MZ/PE file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RedLine
RedLine Payload
Malware Config
C2 Extraction:
185.215.113.15:6043
Unpacked files
SH256 hash:
eb4c0951d2bae23fe5610e3cc4d32efdfa39d12fbe4922df1b61340cbda1942e
MD5 hash:
31b9aa52f867c7dd74f5308633ae8fcd
SHA1 hash:
7c16b4d86428e53da0a9a7b71e8c3be56c8cdfbb
Link:
https://www.unpac.me/results/60b8d5d0-f684-4e32-951d-d2fc58c7b402/
SH256 hash:
15fcf16c0b002ac7f125ed2d81851a1504554164d8b0d5b72d670a73200b8bfb
MD5 hash:
90041e6a7d5931255a6ae9c310e05c97
SHA1 hash:
a2a3b70c372f6342d4061eab111fd84807a8a71d
Link:
https://www.unpac.me/results/60b8d5d0-f684-4e32-951d-d2fc58c7b402/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/15fcf16c0b002ac7f125ed2d81851a1504554164d8b0d5b72d670a73200b8bfb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_XORed_Mozilla
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:SUSP_XORed_Mozilla_RID2DB4
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 15fcf16c0b002ac7f125ed2d81851a1504554164d8b0d5b72d670a73200b8bfb

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/190836/

Comments


Avatar
zbet commented on 2021-09-23 16:27:08 UTC

url : hxxp://194.145.227.159/pub.php?pub=shop/