MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b6db2ff76f4564310210b20e13118f37c92e1ef46541b1aec6b5a98be598ae4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs 3 YARA 24 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1b6db2ff76f4564310210b20e13118f37c92e1ef46541b1aec6b5a98be598ae4
SHA3-384 hash: daf7c5ca334ed230b950b914d579de634f32493902f5a67546d4022c5eb9bdbae59759dd991e071f470ee155027d851f
SHA1 hash: b67c05496d160eaf4b2f503c7afb15fe0734de27
MD5 hash: c9586ef07c741e4a06eef3fa6e66e165
humanhash: paris-carolina-whiskey-social
File name:c9586ef07c741e4a06eef3fa6e66e165.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:178'176 bytes
First seen:2022-04-10 11:05:51 UTC
Last seen:2022-04-10 11:40:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 3cacbf7d71f89228066f7d6f1ace9c85 (1 x RedLineStealer)
ssdeep 3072:eQT6fRcuUj4od1ksU7pwvWqYIxqNj84hM1XoU/SFpfsufAyuge1noz7U6lA/cY6r:eS2t+k8NSpiFbSF1sufA+2jo
TLSH T12A045C24B190B431E8B30876B4DA57F1596C793073988CFFB7D58B6A4A752D2D230B2B
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
193.106.191.132:23196

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
193.106.191.132:23196 https://threatfox.abuse.ch/ioc/518238/
46.8.19.115:7225 https://threatfox.abuse.ch/ioc/518239/
http://f0653783.xsph.ru/Dark.php https://threatfox.abuse.ch/ioc/518240/

Intelligence

File Origin
# of uploads :
2
# of downloads :
287
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c9586ef07c741e4a06eef3fa6e66e165.exe
Verdict:
No threats detected
Analysis date:
2022-04-10 11:06:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4c54c0c4-e263-4eee-a399-ecf81c1d0fbe

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/262412/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader44.49078.21221.25612.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
  2/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/13330/overview
Behaviour
CallSleep
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/6252ba1a04b81dabe272ce4b/reports/793dd60b-49ea-476b-948b-c1b7ca3f87a2/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Bsymem
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/147910d2-529f-4af4-9e4c-c8c9711d32dc
Result
Threat name:
Djvu RedLine Vidar
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/974011
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Djvu Ransomware
Yara detected Generic Downloader
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 606498 Sample: eITxWgldKM.exe Startdate: 10/04/2022 Architecture: WINDOWS Score: 100 47 188.72.236.239 WEBZILLANL Netherlands 2->47 49 199.188.201.89 NAMECHEAP-NETUS United States 2->49 51 11 other IPs or domains 2->51 67 Multi AV Scanner detection for domain / URL 2->67 69 Malicious sample detected (through community Yara rule) 2->69 71 Antivirus detection for URL or domain 2->71 73 20 other signatures 2->73 7 eITxWgldKM.exe 4 93 2->7         started        signatures3 process4 dnsIp5 53 187.212.186.135 UninetSAdeCVMX Mexico 7->53 55 62.204.41.233 TNNET-ASTNNetOyMainnetworkFI United Kingdom 7->55 57 12 other IPs or domains 7->57 23 C:\Users\...\sxAIm0_2M5N4_8Al2SwVesgh.exe, PE32 7->23 dropped 25 C:\Users\...\qhvah71Ch5XA3lIGda1coE0K.exe, PE32 7->25 dropped 27 C:\Users\...\p2RGkq_Q5L8JGcqQHLQDsWzP.exe, PE32 7->27 dropped 29 35 other files (16 malicious) 7->29 dropped 75 Creates HTML files with .exe extension (expired dropper behavior) 7->75 77 Tries to harvest and steal browser information (history, passwords, etc) 7->77 79 Disable Windows Defender real time protection (registry) 7->79 12 qhvah71Ch5XA3lIGda1coE0K.exe 7->12         started        17 p2RGkq_Q5L8JGcqQHLQDsWzP.exe 7->17         started        19 8I6WoQrCImZWs63JC6INH3aC.exe 7->19         started        21 6 other processes 7->21 file6 signatures7 process8 dnsIp9 59 45.67.229.135 ALEXHOSTMD Moldova Republic of 12->59 31 C:\Users\user\AppData\...\softokn3[1].dll, PE32 12->31 dropped 33 C:\Users\user\AppData\...\vcruntime140[1].dll, PE32 12->33 dropped 35 C:\Users\user\AppData\...\mozglue[1].dll, PE32 12->35 dropped 45 9 other files (none is malicious) 12->45 dropped 81 Query firmware table information (likely to detect VMs) 12->81 83 Hides threads from debuggers 12->83 85 Tries to detect sandboxes / dynamic malware analysis system (registry check) 12->85 87 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 17->87 89 Maps a DLL or memory area into another process 17->89 91 Checks if the current machine is a virtual machine (disk enumeration) 17->91 93 Writes to foreign memory regions 19->93 95 Allocates memory in foreign processes 19->95 97 Injects a PE file into a foreign processes 19->97 61 50.87.142.220 UNIFIEDLAYER-AS-1US United States 21->61 63 149.154.167.99 TELEGRAMRU United Kingdom 21->63 65 188.114.97.7 CLOUDFLARENETUS European Union 21->65 37 C:\Users\...\SD5YVXKTWncW4sexxcf8M3jO.exe, PE32 21->37 dropped 39 C:\Users\...\pidHTSIGEi8DrAmaYu9K8ghN89.dll, PE32+ 21->39 dropped 41 C:\...\PowerControl_Svc.exe, PE32 21->41 dropped 43 C:\Users\user\AppData\Local\...\WW14[1].bmp, PE32 21->43 dropped file10 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1b6db2ff76f4564310210b20e13118f37c92e1ef46541b1aec6b5a98be598ae4/
Threat name:
Win32.Backdoor.Zapchast
Create hunting rule
Status:
Malicious
First seen:
2022-04-07 08:08:20 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
23 of 42 (54.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dnw3f73w6rlegebbbmqocmiy6n6jfyppizkbwgxmnnnjrpszrlsa._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion spyware stealer suricata trojan
Link:
https://tria.ge/reports/220410-m7dp7aaaak/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Defender Real-time Protection settings
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
Unpacked files
SH256 hash:
1b6db2ff76f4564310210b20e13118f37c92e1ef46541b1aec6b5a98be598ae4
MD5 hash:
c9586ef07c741e4a06eef3fa6e66e165
SHA1 hash:
b67c05496d160eaf4b2f503c7afb15fe0734de27
Link:
https://www.unpac.me/results/883abac0-49c0-4d37-9422-8589a678d2ad/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/1b6db2ff76f4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1b6db2ff76f4564310210b20e13118f37c92e1ef46541b1aec6b5a98be598ae4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:BAZT_B5_NOCEXInvalidStream
Create hunting rule
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
Create hunting rule
Author:ditekSHen
Description:Detects executables containing bas64 encoded gzip files
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_References_SecTools
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many IR and analysis tools
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:MALWARE_Win_CryptBot
Create hunting rule
Author:ditekSHen
Description:CryptBot/Fugrafa stealer payload
Rule name:MALWARE_Win_DLInjector06
Create hunting rule
Author:ditekSHen
Description:Detects downloader / injector
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MALWARE_Win_STOP
Create hunting rule
Author:ditekSHen
Description:Detects STOP ransomware
Rule name:MAL_Lokibot_Stealer
Create hunting rule
Description:Detects Lokibot Stealer Variants
Rule name:NETDIC_208
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Redline_Stealer_Monitor
Create hunting rule
Description:Detects RedLine Stealer Variants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:win_stop_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.stop.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/262412/

Comments