MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1cee17cd6f7686d053d6a70106b234cc70e07718cc5a81731ec3256ca1988b8d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1cee17cd6f7686d053d6a70106b234cc70e07718cc5a81731ec3256ca1988b8d
SHA3-384 hash: b4067b10abdffd5eace5e439933690b4509e01d7434772b0eea173783ad5500257d5a0198f199718cd8f467ecd0b126f
SHA1 hash: 91fd582e6c9fcc99c21076f3e05535b504637394
MD5 hash: 27b98ddbcff37c453ae0346b024cc0d7
humanhash: island-kansas-nine-papa
File name:27B98DDBCFF37C453AE0346B024CC0D7.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:3'920'718 bytes
First seen:2021-06-02 18:40:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6e7f9a29f2c85394521a08b9f31f6275 (277 x GuLoader, 44 x RemcosRAT, 40 x VIPKeylogger)
ssdeep 98304:Jh5pi396Hjeeki8bjvTE3GdGrRzk7kPxfeNHAEUFdsp17+12KTYS86jXoe:Jh5C9GqekoWdGdTxfiAEUFmp1CUxJ6jB
Threatray 32 similar samples on MalwareBazaar
TLSH C80633886B928112F8B69B741D4D2B332DFFCADE36722B25DBD0518BEF03A5105C561B
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
185.215.113.17:18597

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.215.113.17:18597 https://threatfox.abuse.ch/ioc/69455/

Intelligence

File Origin
# of uploads :
1
# of downloads :
198
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
27B98DDBCFF37C453AE0346B024CC0D7.exe
Verdict:
No threats detected
Analysis date:
2021-06-02 18:46:56 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0615fd2a-7677-473e-946e-a1d4055b2b6c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/164177/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Searching for the window
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Running batch commands
Deleting a recently created file
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Glupteba RedLine Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/796185
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
DLL reload attack detected
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Renames NTDLL to bypass HIPS
Sample uses process hollowing technique
Sets debug register (to hijack the execution of another thread)
Sigma detected: Suspicious Double Extension
Sigma detected: Suspicious Svchost Process
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Glupteba
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 428586 Sample: Sbb4QCilrT.exe Startdate: 02/06/2021 Architecture: WINDOWS Score: 92 125 217.107.34.191 RTCOMM-ASRU Russian Federation 2->125 127 45.87.0.187 ON-LINE-DATAServerlocation-NetherlandsDrontenNL Netherlands 2->127 129 3 other IPs or domains 2->129 165 Multi AV Scanner detection for domain / URL 2->165 167 Antivirus detection for URL or domain 2->167 169 Antivirus detection for dropped file 2->169 171 10 other signatures 2->171 12 Sbb4QCilrT.exe 9 2->12         started        signatures3 process4 file5 97 C:\Users\user\AppData\...\setup_installer.exe, PE32 12->97 dropped 15 setup_installer.exe 16 12->15         started        process6 file7 117 C:\Users\user\AppData\...\setup_install.exe, PE32 15->117 dropped 119 C:\Users\user\AppData\Local\...\metina_7.exe, PE32 15->119 dropped 121 C:\Users\user\AppData\Local\...\metina_6.exe, PE32 15->121 dropped 123 11 other files (4 malicious) 15->123 dropped 18 setup_install.exe 1 15->18         started        process8 dnsIp9 131 8.8.8.8 GOOGLEUS United States 18->131 133 172.67.199.99 CLOUDFLARENETUS United States 18->133 135 127.0.0.1 unknown unknown 18->135 173 Detected unpacking (changes PE section rights) 18->173 22 cmd.exe 1 18->22         started        24 cmd.exe 1 18->24         started        26 cmd.exe 1 18->26         started        28 8 other processes 18->28 signatures10 process11 process12 30 metina_4.exe 2 22->30         started        34 metina_3.exe 6 24->34         started        36 metina_2.exe 1 26->36         started        38 metina_7.exe 14 18 28->38         started        41 metina_5.exe 1 1 28->41         started        43 metina_8.exe 28->43         started        45 2 other processes 28->45 dnsIp13 99 C:\Users\user\AppData\Local\...\metina_4.tmp, PE32 30->99 dropped 191 Antivirus detection for dropped file 30->191 47 metina_4.tmp 30->47         started        101 C:\Users\user\AppData\Local\...\install.dll, PE32 34->101 dropped 103 C:\Users\user\AppData\...103ewtonsoft.Json.dll, PE32 34->103 dropped 51 rundll32.exe 34->51         started        105 C:\Users\user\AppData\Local\Temp\CC4F.tmp, PE32 36->105 dropped 193 DLL reload attack detected 36->193 195 Machine Learning detection for dropped file 36->195 197 Renames NTDLL to bypass HIPS 36->197 199 Checks if the current machine is a virtual machine (disk enumeration) 36->199 54 explorer.exe 36->54 injected 143 89.221.213.3 WEDOSCZ Czech Republic 38->143 145 77.246.144.82 THEFIRST-ASRU Russian Federation 38->145 151 11 other IPs or domains 38->151 107 C:\Users\...\RQU15EP4HEL2ARLLZA2VQT7X.exe, PE32 38->107 dropped 109 C:\Users\...109VD8TUKVILUWVXSI69QJCTO9.exe, PE32 38->109 dropped 113 13 other files (none is malicious) 38->113 dropped 56 cmd.exe 38->56         started        66 13 other processes 38->66 147 208.95.112.1 TUT-ASUS United States 41->147 149 157.240.20.35 FACEBOOKUS United States 41->149 153 4 other IPs or domains 41->153 111 C:\Users\user\AppData\...\jfiag3g_gg.exe, PE32 41->111 dropped 58 jfiag3g_gg.exe 41->58         started        60 jfiag3g_gg.exe 41->60         started        115 3 other files (1 malicious) 43->115 dropped 62 7Fdzc9CuQ6cn.exe 43->62         started        64 Browzar.exe 43->64         started        155 2 other IPs or domains 45->155 file14 signatures15 process16 dnsIp17 157 198.54.126.101 NAMECHEAP-NETUS United States 47->157 81 C:\Users\user\...\djhdfu_____________.exe, PE32 47->81 dropped 83 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 47->83 dropped 85 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 47->85 dropped 87 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 47->87 dropped 68 djhdfu_____________.exe 47->68         started        175 Writes to foreign memory regions 51->175 177 Allocates memory in foreign processes 51->177 179 Creates a thread in another existing process (thread injection) 51->179 72 svchost.exe 51->72 injected 75 conhost.exe 56->75         started        181 Tries to harvest and steal browser information (history, passwords, etc) 58->181 183 Sample uses process hollowing technique 62->183 185 Injects a PE file into a foreign processes 62->185 159 142.250.180.234 GOOGLEUS United States 64->159 161 142.250.185.238 GOOGLEUS United States 64->161 163 2 other IPs or domains 64->163 77 conhost.exe 66->77         started        79 conhost.exe 66->79         started        file18 signatures19 process20 dnsIp21 137 199.188.201.83 NAMECHEAP-NETUS United States 68->137 139 8.238.28.254 LEVEL3US United States 68->139 141 3 other IPs or domains 68->141 89 C:\Users\user\AppData\...\Bytebedile.exe, PE32 68->89 dropped 91 C:\Program Files (x86)\...\Wesaewelybu.exe, PE32 68->91 dropped 93 C:\Users\user\...\Bytebedile.exe.config, XML 68->93 dropped 95 3 other files (1 malicious) 68->95 dropped 187 Sets debug register (to hijack the execution of another thread) 72->187 189 Modifies the context of a thread in another process (thread injection) 72->189 file22 signatures23
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1cee17cd6f7686d053d6a70106b234cc70e07718cc5a81731ec3256ca1988b8d/
Threat name:
Win32.Trojan.Phonzy
Create hunting rule
Status:
Malicious
First seen:
2021-06-01 00:20:00 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dtxbptlpo2dnau6wu4aqnmruzryoa5yyzrnic4y6ymswzimyrogq._file
Verdict:
unknown
Similar samples:
2d69fb4a5141f6bd961fa7dbe92bbc30f8a7448b437df16fa960ff30ec009429
RedLineStealer
2e32799ea160a52100d3e33de1b9b6fd33c38452a86d0b77cb7d17bdeb4f71f7
RedLineStealer
360ae682470c27ef1e4a70a89aed9d14bb6f6260a5609b391c0d67220f91a306
RedLineStealer
36cb1f28f1fc16b0cfe9e4408f470fff8f29fa0a30b7e410b402d634f17c6f9b
RedLineStealer
59c98f1846f03efaa1a594b76b320e3f35ecd53e9ed640bb360bdcf0a41f3c2d
RedLineStealer
5b73fe2b2388fcd2b0f2c71f8499221e5ccd1bcfc4e31d2140d5eca1c3a45414
RedLineStealer
a7380ab000584685bb2bba25704046915d0bdaaf3a809bf80c84bbe27f765e49
RedLineStealer
e7c3cea59ec83faa8886c1a5d0b0eabd00cf68ae8491ad6a985f3b6e422c0d19
RedLineStealer
f1eef3e9a10cda6ba7e4a9608579631d42b429bb49ff1f4f4f5c8ea2ef60eddf
RedLineStealer
f3b3bf03f311300ba76f4de3376ff21b3b1971ccbc90e24638ab15c2b42ef79b
RedLineStealer
+ 22 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:plugx family:redline family:smokeloader family:vidar botnet:2010 aspackv2 backdoor discovery evasion infostealer persistence stealer trojan upx
Link:
https://tria.ge/reports/210602-q336wzhsd2/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Program crash
Checks computer location settings
Loads dropped DLL
ASPack v2.12-2.42
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
UPX packed file
Checks for common network interception software
PlugX
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
Malware Config
C2 Extraction:
http://ppcspb.com/upload/
http://mebbing.com/upload/
http://twcamel.com/upload/
http://howdycash.com/upload/
http://lahuertasonora.com/upload/
http://kpotiques.com/upload/
ullerolaru.xyz:80
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1cee17cd6f7686d053d6a70106b234cc70e07718cc5a81731ec3256ca1988b8d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ASPack
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ASPack
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/164177/

Comments