MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 275cd3c09afaacc06adbdbcd5c638b5894c81eca008446454864b537f54593bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 275cd3c09afaacc06adbdbcd5c638b5894c81eca008446454864b537f54593bd
SHA3-384 hash: 3edc4a4b36cf33fb82a2c43cb4ddebb88f0381113719969ace815c57991b8bc75938d0779ad6cb7acb235c2048578cac
SHA1 hash: 547af1250db68ac9001550bb4a05ff8714b6e64d
MD5 hash: 1cfd3a83d9cf05e3f35449f9d8d5273a
humanhash: indigo-football-avocado-december
File name:1CFD3A83D9CF05E3F35449F9D8D5273A.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'439'848 bytes
First seen:2021-08-06 07:36:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:j2G/nvxW3WhzK4e1JoKhifKmijMF6FoTzx2BYJ1oMBcbajZh80fJWJzlNhy:jbA3IK91OCbjMF6uTV2Bg1oMBfjPjRWK
Threatray 9 similar samples on MalwareBazaar
TLSH T1DA652203FAC188B2C7B009754669AB11597DB5300F289AEFE3E84E2DDA742D0F735667
dhash icon 00a28e8e8e8e8600 (13 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
84.252.143.187:38919

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
84.252.143.187:38919 https://threatfox.abuse.ch/ioc/165968/

Intelligence

File Origin
# of uploads :
1
# of downloads :
152
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1CFD3A83D9CF05E3F35449F9D8D5273A.exe
Verdict:
Malicious activity
Analysis date:
2021-08-06 07:39:46 UTC
Tags:
trojan rat redline stealer loader
Link:
https://app.any.run/tasks/802a4c3b-2575-4f64-8edc-da58d2b85fe9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/176929/
Detection(s):
Win.Malware.Generic-9874383-0
Create hunting rule

SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %temp% directory
Creating a process from a recently created file
Running batch commands
Launching a process
DNS request
Connection attempt
Sending a custom TCP request
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e86b738d-b5a4-4d69-b540-7040afc11afb
Result
Threat name:
HTMLPhisher RedLine
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/828162
Signature
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected HtmlPhish10
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 460593 Sample: J7yWiSGmFh.exe Startdate: 06/08/2021 Architecture: WINDOWS Score: 100 111 s0.2mdn.net 2->111 113 s0-2mdn-net.l.google.com 2->113 115 4 other IPs or domains 2->115 141 Multi AV Scanner detection for submitted file 2->141 143 Yara detected RedLine Stealer 2->143 145 Yara detected RedLine Stealer 2->145 147 7 other signatures 2->147 13 J7yWiSGmFh.exe 9 2->13         started        16 services32.exe 2->16         started        signatures3 process4 file5 107 C:\Users\user\AppData\Local\Temp\WH.exe, PE32 13->107 dropped 109 C:\Users\user\...\WALLHACK_28.07.2021.exe, PE32 13->109 dropped 19 WH.exe 15 34 13->19         started        24 WALLHACK_28.07.2021.exe 1 13->24         started        133 Adds a directory exclusion to Windows Defender 16->133 26 cmd.exe 16->26         started        signatures6 process7 dnsIp8 117 123.cj36311.tmweb.ru 188.225.63.143, 49849, 80 TIMEWEB-ASRU Russian Federation 19->117 119 84.252.143.187, 38919, 49772, 49847 MASTERHOST-ASMoscowRussiaRU Russian Federation 19->119 121 api.ip.sb 19->121 99 C:\Users\user\AppData\Local\Temp\fl.exe, PE32+ 19->99 dropped 149 Multi AV Scanner detection for dropped file 19->149 151 Detected unpacking (changes PE section rights) 19->151 153 Detected unpacking (overwrites its own PE header) 19->153 157 6 other signatures 19->157 28 fl.exe 19->28         started        32 conhost.exe 19->32         started        34 cmd.exe 13 24->34         started        36 conhost.exe 24->36         started        38 cmd.exe 24->38         started        155 Adds a directory exclusion to Windows Defender 26->155 40 conhost.exe 26->40         started        42 powershell.exe 26->42         started        44 powershell.exe 26->44         started        46 2 other processes 26->46 file9 signatures10 process11 file12 105 C:\Users\user\AppData\Local\...\svchost32.exe, PE32+ 28->105 dropped 163 Adds a directory exclusion to Windows Defender 28->163 48 cmd.exe 28->48         started        50 cmd.exe 28->50         started        53 chrome.exe 15 434 34->53         started        signatures13 process14 dnsIp15 56 svchost32.exe 48->56         started        60 conhost.exe 48->60         started        137 Uses schtasks.exe or at.exe to add and modify task schedules 50->137 139 Adds a directory exclusion to Windows Defender 50->139 62 conhost.exe 50->62         started        64 powershell.exe 50->64         started        66 powershell.exe 50->66         started        71 2 other processes 50->71 129 192.168.2.1 unknown unknown 53->129 131 239.255.255.250 unknown Reserved 53->131 68 chrome.exe 53->68         started        signatures16 process17 dnsIp18 101 C:\Windows\System32\services32.exe, PE32+ 56->101 dropped 159 Drops executables to the windows directory (C:\Windows) and starts them 56->159 73 services32.exe 56->73         started        76 cmd.exe 56->76         started        78 cmd.exe 56->78         started        123 mc.yandex.ru 87.250.250.119, 443, 49750 YANDEXRU Russian Federation 68->123 125 cheater.fun 37.143.9.227, 443, 49736, 49784 IHCRUInternet-HostingLtdMoscowRussiaRU Russian Federation 68->125 127 26 other IPs or domains 68->127 103 C:\Users\user\AppData\Local\...\Cookies, SQLite 68->103 dropped file19 signatures20 process21 signatures22 161 Adds a directory exclusion to Windows Defender 73->161 80 cmd.exe 73->80         started        83 conhost.exe 76->83         started        85 schtasks.exe 76->85         started        87 conhost.exe 78->87         started        89 choice.exe 78->89         started        process23 signatures24 135 Adds a directory exclusion to Windows Defender 80->135 91 conhost.exe 80->91         started        93 powershell.exe 80->93         started        95 powershell.exe 80->95         started        97 2 other processes 80->97 process25
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/275cd3c09afaacc06adbdbcd5c638b5894c81eca008446454864b537f54593bd/
Threat name:
Win32.Trojan.Caynamer
Create hunting rule
Status:
Malicious
First seen:
2021-08-02 23:18:03 UTC
AV detection:
23 of 46 (50.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=e5onhqe27kwma2w33pgvyy4llckmqhwkaccemrkims2tp5kfso6q._file
Verdict:
malicious
Similar samples:
4824693d37ee0c444b89e21a2ae1cba396927f299e88751759635b2795c1bc96
RedLineStealer
5261874485f9fe16a78a558734e8652f93db1d544f3be331e7f6adc06f43ee98
RedLineStealer
5e18adfb9cd975a677c24f661b8bb3dbcfbe936e92c8c92f67d97e61eadba761
RedLineStealer
798eab01e5d7f1c78e3f7db514f3611ae85e468405af144245f55c8f2657c6d9
RedLineStealer
953dd19700177beaf848e510418db83c8481ce466819c7052be8d93974ce3191
RedLineStealer
9765d205b8b16a05e807f239217a734f37a1d7b263a116ee336d39688bb2ce58
RedLineStealer
9cda5e5ad6ca68a803516013fbf62e6b06383b20fccf1ee6aed4730c916a3b55
RedLineStealer
d92f632b039d42bfe46c284f35b8ce4f898576d840fd366becc1d9bcd4ed6a3a
RedLineStealer
da6e9bd269fbd3904c007d8c19272f372211b3930567d21b977d34716317143a
RedLineStealer
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210806-9ch912xpra/
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
RedLine
Unpacked files
SH256 hash:
330dc4ddee90cc6cee70be08b74fe1b87aba0df975f26c3638d098ed1ee73c17
MD5 hash:
1f333b57cbaf401b992b0eab5316e7f1
SHA1 hash:
7b95c0611df98b9be3a4720ed960128765a5a025
Link:
https://www.unpac.me/results/e9e5009b-e2b3-4f4f-b3a8-4d3c1df5e8c5/
SH256 hash:
275cd3c09afaacc06adbdbcd5c638b5894c81eca008446454864b537f54593bd
MD5 hash:
1cfd3a83d9cf05e3f35449f9d8d5273a
SHA1 hash:
547af1250db68ac9001550bb4a05ff8714b6e64d
Link:
https://www.unpac.me/results/e9e5009b-e2b3-4f4f-b3a8-4d3c1df5e8c5/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/275cd3c09afa/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/275cd3c09afaacc06adbdbcd5c638b5894c81eca008446454864b537f54593bd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:EnigmaStub
Create hunting rule
Author:@bartblaze
Description:Identifies Enigma packer stub.
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:RedLine
Create hunting rule
Author:@bartblaze
Description:Identifies RedLine stealer.
Rule name:redline_new_mem
Create hunting rule
Author:James_inthe_box
Description:Redline stealer
Reference:https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8/
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_smominru_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.smominru.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/176929/

Comments