MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e1986cb65365d3c0ce892c8d9edb82f813feb643ad06008f600c674238f4d99. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1e1986cb65365d3c0ce892c8d9edb82f813feb643ad06008f600c674238f4d99
SHA3-384 hash: 9e58fd65a5058f61d523cc05692dc369633c6a4cce880dd36f09a1160fc53910effdb1d1417c2e620ec20d34258474ac
SHA1 hash: 117502f67a0f65a83d47357e598ec3ecae5899e4
MD5 hash: bb6d13903191c9d2cef2444e70d7b03e
humanhash: leopard-butter-princess-eighteen
File name:SecuriteInfo.com.W32.AIDetect.malware2.7985.31350
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:328'704 bytes
First seen:2021-09-07 06:41:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b9983337585a5531070ddcc78e55fc2d (11 x RaccoonStealer, 2 x ArkeiStealer, 1 x Glupteba)
ssdeep 6144:iMqgFbgXaa2pKQQUadSppEHB1CtuSPgLnsfk9C8HYl2o1khnjU:plgXaa2pKQQNSpp1teBc8HQSnY
Threatray 224 similar samples on MalwareBazaar
TLSH T18764AD20B6A1C035F1F711F549B993B9AA3ABDB16B2490CF62D42BEE16346E4DD30347
dhash icon e0e8e8e8aa62a499 (12 x RaccoonStealer, 9 x RedLineStealer, 7 x ArkeiStealer)
Reporter SecuriteInfoCom
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
109
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.W32.AIDetect.malware2.7985.31350
Verdict:
Malicious activity
Analysis date:
2021-09-07 06:46:20 UTC
Tags:
trojan rat redline stealer
Link:
https://app.any.run/tasks/18d0a94c-1039-422b-8df4-3aa7434dd401

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/185929/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.7985.31350.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
Sending a custom TCP request
DNS request
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a window
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Creating a process from a recently created file
Searching for analyzing tools
Searching for the window
Creating a file
Sending an HTTP GET request
Launching a process
Creating a process with a hidden window
Delayed reading of the file
Connecting to a cryptocurrency mining pool
Creating a service
Launching a service
Loading a system driver
Stealing user critical data
Enabling autorun for a service
Enabling autorun by creating a file
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2c731588-5908-4150-adf5-ec95501c0f68
Result
Threat name:
RedLine Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/846302
Signature
Adds a directory exclusion to Windows Defender
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell adding suspicious path to exclusion list
Sigma detected: Powershell Defender Exclusion
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 478733 Sample: SecuriteInfo.com.W32.AIDete... Startdate: 07/09/2021 Architecture: WINDOWS Score: 100 88 49.12.130.173, 49714, 80 HETZNER-ASDE Germany 2->88 90 pool.hashvault.pro 2->90 120 Malicious sample detected (through community Yara rule) 2->120 122 Multi AV Scanner detection for dropped file 2->122 124 Sigma detected: Powershell adding suspicious path to exclusion list 2->124 126 10 other signatures 2->126 9 SecuriteInfo.com.W32.AIDetect.malware2.7985.exe 15 32 2->9         started        14 System.exe 2->14         started        16 svchost.exe 2->16         started        signatures3 process4 dnsIp5 98 77.232.38.156, 35454, 49690 EUT-ASEUTIPNetworkRU Russian Federation 9->98 100 cdn.discordapp.com 162.159.134.233, 443, 49692 CLOUDFLARENETUS United States 9->100 102 api.ip.sb 9->102 76 C:\Users\user\AppData\Local\Temp\Zenar.exe, PE32+ 9->76 dropped 78 SecuriteInfo.com.W...lware2.7985.exe.log, ASCII 9->78 dropped 140 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 9->140 142 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 9->142 144 Tries to harvest and steal browser information (history, passwords, etc) 9->144 146 Tries to steal Crypto Currency Wallets 9->146 18 Zenar.exe 38 9->18         started        23 conhost.exe 9->23         started        104 52.216.204.35, 443, 49710 AMAZON-02US United States 14->104 110 5 other IPs or domains 14->110 80 C:\ProgramData\Systemd\WinUpdater.exe, PE32+ 14->80 dropped 82 C:\ProgramData\Systemd\old.exet (copy), PE32+ 14->82 dropped 84 C:\ProgramData\Systemd\old.exeA (copy), PE32+ 14->84 dropped 86 C:\ProgramData\Systemd\old.exe (copy), PE32+ 14->86 dropped 148 Query firmware table information (likely to detect VMs) 14->148 150 Hides threads from debuggers 14->150 152 Tries to detect sandboxes / dynamic malware analysis system (registry check) 14->152 25 WinUpdater.exe 14->25         started        27 cmd.exe 14->27         started        29 cmd.exe 14->29         started        31 12 other processes 14->31 106 127.0.0.1 unknown unknown 16->106 108 192.168.2.1 unknown unknown 16->108 file6 signatures7 process8 dnsIp9 92 iplogger.org 88.99.66.31, 443, 49695, 49696 HETZNER-ASDE Germany 18->92 94 bitbucket.org 104.192.141.1, 443, 49697, 49701 AMAZON-02US United States 18->94 96 3 other IPs or domains 18->96 70 C:\ProgramData\Microsoft Network\System.exe, PE32+ 18->70 dropped 72 C:\ProgramData\Systemd\old.exeie (copy), PE32+ 18->72 dropped 74 C:\ProgramData\Systemd\old.exeb. (copy), PE32+ 18->74 dropped 128 Query firmware table information (likely to detect VMs) 18->128 130 May check the online IP address of the machine 18->130 132 Machine Learning detection for dropped file 18->132 134 Adds a directory exclusion to Windows Defender 18->134 33 WinUpdater.exe 18->33         started        36 cmd.exe 18->36         started        38 cmd.exe 18->38         started        48 18 other processes 18->48 136 Hides threads from debuggers 25->136 138 Tries to detect sandboxes / dynamic malware analysis system (registry check) 25->138 40 conhost.exe 27->40         started        42 conhost.exe 29->42         started        44 taskkill.exe 29->44         started        46 conhost.exe 31->46         started        50 11 other processes 31->50 file10 signatures11 process12 signatures13 112 Query firmware table information (likely to detect VMs) 33->112 114 Tries to detect sandboxes and other dynamic analysis tools (window names) 33->114 116 Hides threads from debuggers 33->116 118 Tries to detect sandboxes / dynamic malware analysis system (registry check) 33->118 52 conhost.exe 36->52         started        54 taskkill.exe 36->54         started        56 conhost.exe 38->56         started        58 taskkill.exe 38->58         started        66 2 other processes 40->66 60 conhost.exe 48->60         started        62 conhost.exe 48->62         started        64 conhost.exe 48->64         started        68 18 other processes 48->68 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1e1986cb65365d3c0ce892c8d9edb82f813feb643ad06008f600c674238f4d99/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-09-07 06:42:08 UTC
AV detection:
26 of 28 (92.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dymyns3fgzotydhislent3nyf6at723ehligachwaddhii4pjwmq._file
Verdict:
malicious
Similar samples:
080ee6c068e95db7a776793e167fb4bb9ad0efcb424a400ed3efe697400fc73a
RedLineStealer
4c89265179f2471e24688ac126c541886173be7773617450b0849cb48a5a293d
RedLineStealer
778c5c85b7aeb0db2367daa8d4e15869330801058c8ee5e9c77fd0c890ac5afc
RedLineStealer
8f5b300680db95b545347229941acb9113690ab187cd7ac7b2cc601b9e31a205
RedLineStealer
93e582393fca866d1291b3852e63dbe2e7a1460e9e2ab3d750083f28f4d04e64
RedLineStealer
ac085734d51ca988db79b3078badc4ce24481eee7ef68db8811b1a98d2b3980c
RedLineStealer
b6e4d99871249faefd2ed9dab5dd045d3d9ea13b4608262588eb157ddc312a68
RedLineStealer
cdf2ed21f6bda94bdebd880cb3e45005de2e714d8f1311f3d38684f103be2f00
RedLineStealer
f303ccc5cdf05114cedee459d0f66bf3b428e19054e2e3f1f001d945332ab6c0
RedLineStealer
fce1d9496dbdcf9505069283bf61e825e76a1c99af5258beae9feb0a34385cd7
RedLineStealer
+ 214 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:proliv0609 discovery evasion infostealer spyware stealer themida trojan
Link:
https://tria.ge/reports/210907-hgdkaafchp/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RedLine
RedLine Payload
Malware Config
C2 Extraction:
77.232.38.156:35454
Unpacked files
SH256 hash:
e281956380b064baa400592d6d10d3851be6205ef97665a104943a77c792dd69
MD5 hash:
ceae1d09d712b8311723d1e9bd531a77
SHA1 hash:
e03c0bc5ffb24d8c7f8f21dff06c384b11b90bd1
Link:
https://www.unpac.me/results/94d49928-ea60-4a53-8b07-b543efeafc3c/
SH256 hash:
ba69a0e7bf753891a8620ac5d4d2c0485431f6a1c0876a1658f409ce296bbdeb
MD5 hash:
281074716c2f806525d99a2cb56c8ef6
SHA1 hash:
b0ba4b49f8af2f5a40659598cc6161322b35322a
Link:
https://www.unpac.me/results/94d49928-ea60-4a53-8b07-b543efeafc3c/
SH256 hash:
dd7b0d72042a0c155ebb59f39b00c65367ff04cb176fe314740d4814683364c9
MD5 hash:
34eae9d344ba331442c3e686ce9e2f47
SHA1 hash:
2f9bb057d62a2b084cca338a97b93b4240bc362d
Link:
https://www.unpac.me/results/94d49928-ea60-4a53-8b07-b543efeafc3c/
SH256 hash:
1e1986cb65365d3c0ce892c8d9edb82f813feb643ad06008f600c674238f4d99
MD5 hash:
bb6d13903191c9d2cef2444e70d7b03e
SHA1 hash:
117502f67a0f65a83d47357e598ec3ecae5899e4
Link:
https://www.unpac.me/results/94d49928-ea60-4a53-8b07-b543efeafc3c/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/1e1986cb6536/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1e1986cb65365d3c0ce892c8d9edb82f813feb643ad06008f600c674238f4d99

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Embedded_PE
Create hunting rule
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/185929/

Comments