MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2d69fb4a5141f6bd961fa7dbe92bbc30f8a7448b437df16fa960ff30ec009429. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs 1 YARA 24 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2d69fb4a5141f6bd961fa7dbe92bbc30f8a7448b437df16fa960ff30ec009429
SHA3-384 hash: 4c2064017025e78d26d6bd0f3fed5434fb856956db863658981eb57c6b522141063234a9ca573fb3af2720cd0df7b5b0
SHA1 hash: 92fe3ff58b110c7957e548506bad333956d22135
MD5 hash: 93d3b83db50e6a39cb6d69ae12aad8e1
humanhash: pennsylvania-robin-december-grey
File name:93D3B83DB50E6A39CB6D69AE12AAD8E1.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:4'094'681 bytes
First seen:2021-05-28 15:20:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6e7f9a29f2c85394521a08b9f31f6275 (277 x GuLoader, 44 x RemcosRAT, 39 x VIPKeylogger)
ssdeep 98304:JNSkvZHtj88tWalQFcSffHw11EJsarM51GOsPz6aZRgiPRVJpgws:JNxZNI8tHld0YXgsIM51zCgiJJ9s
Threatray 18 similar samples on MalwareBazaar
TLSH A81633DA62012673E4B0C5F869DC97334B6E04B863307CE0D7B6C995B223DE5775AB0A
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
http://45.153.230.32/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://45.153.230.32/ https://threatfox.abuse.ch/ioc/66258/

Intelligence

File Origin
# of uploads :
1
# of downloads :
137
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
93D3B83DB50E6A39CB6D69AE12AAD8E1.exe
Verdict:
No threats detected
Analysis date:
2021-05-28 16:01:02 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/93bd6bf9-f1ac-4a9f-9492-3859879754f9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/162997/
Detection(s):
Win.Trojan.Jaik-9862236-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Trojan.Jaik-9864221-0
Create hunting rule

Win.Malware.Jaik-9865264-0
Create hunting rule

Win.Malware.Jaik-9865286-0
Create hunting rule

Win.Malware.Jaik-9865288-0
Create hunting rule

Win.Trojan.Jaik-9865540-0
Create hunting rule

Win.Malware.Jaik-9865553-0
Create hunting rule

Win.Malware.Jaik-9865607-0
Create hunting rule

Win.Malware.Jaik-9865619-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Running batch commands
Deleting a recently created file
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine Vidar
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/793951
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates files with lurking names (e.g. Crack.exe)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Renames NTDLL to bypass HIPS
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 426359 Sample: 37RTY3UhlS.exe Startdate: 28/05/2021 Architecture: WINDOWS Score: 100 113 email.yg9.me 2->113 135 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->135 137 Multi AV Scanner detection for domain / URL 2->137 139 Found malware configuration 2->139 141 8 other signatures 2->141 12 37RTY3UhlS.exe 9 2->12         started        signatures3 process4 file5 103 C:\Users\user\AppData\...\setup_installer.exe, PE32 12->103 dropped 15 setup_installer.exe 16 12->15         started        process6 file7 105 C:\Users\user\AppData\...\setup_install.exe, PE32 15->105 dropped 107 C:\Users\user\AppData\Local\...\metina_8.exe, PE32 15->107 dropped 109 C:\Users\user\AppData\Local\...\metina_7.exe, PE32 15->109 dropped 111 11 other files (4 malicious) 15->111 dropped 18 setup_install.exe 1 15->18         started        process8 dnsIp9 115 estrix.xyz 104.21.57.186, 49716, 80 CLOUDFLARENETUS United States 18->115 117 127.0.0.1 unknown unknown 18->117 143 Detected unpacking (changes PE section rights) 18->143 145 Performs DNS queries to domains with low reputation 18->145 22 cmd.exe 1 18->22         started        24 cmd.exe 1 18->24         started        26 cmd.exe 18->26         started        28 8 other processes 18->28 signatures10 process11 process12 30 metina_3.exe 56 22->30         started        34 metina_4.exe 1 1 24->34         started        37 metina_7.exe 26->37         started        39 metina_1.exe 5 28->39         started        41 metina_2.exe 1 28->41         started        43 metina_5.exe 28->43         started        45 2 other processes 28->45 dnsIp13 121 94.130.58.199 HETZNER-ASDE Germany 30->121 129 2 other IPs or domains 30->129 153 Multi AV Scanner detection for dropped file 30->153 155 Detected unpacking (changes PE section rights) 30->155 157 Detected unpacking (overwrites its own PE header) 30->157 173 3 other signatures 30->173 123 ip-api.com 208.95.112.1, 49731, 80 TUT-ASUS United States 34->123 131 2 other IPs or domains 34->131 73 C:\Users\user\AppData\...\jfiag3g_gg.exe, PE32 34->73 dropped 159 Antivirus detection for dropped file 34->159 161 May check the online IP address of the machine 34->161 163 Machine Learning detection for dropped file 34->163 47 jfiag3g_gg.exe 34->47         started        50 jfiag3g_gg.exe 34->50         started        125 privacytools.xyz 45.139.187.152, 49728, 80 HostingvpsvilleruRU Russian Federation 37->125 127 bandshoo.info 104.21.60.85, 49725, 80 CLOUDFLARENETUS United States 37->127 133 13 other IPs or domains 37->133 75 C:\Users\...\MBkjm6aKpx9C3p2OzQBrhBOp.exe, PE32 37->75 dropped 77 C:\Users\...\kIsvspUfnEJXX4c1GBeGcecZ.exe, PE32 37->77 dropped 89 11 other files (none is malicious) 37->89 dropped 165 Performs DNS queries to domains with low reputation 37->165 79 C:\Users\user\AppData\Local\...\install.dll, PE32 39->79 dropped 52 rundll32.exe 39->52         started        81 C:\Users\user\AppData\Local\Temp\CC4F.tmp, PE32 41->81 dropped 167 Renames NTDLL to bypass HIPS 41->167 169 Checks if the current machine is a virtual machine (disk enumeration) 41->169 54 explorer.exe 41->54 injected 83 C:\Users\user\AppData\Local\...\metina_5.tmp, PE32 43->83 dropped 56 metina_5.tmp 43->56         started        85 C:\Users\user\AppData\Local\...\Crack.exe, PE32 45->85 dropped 87 C:\Users\user\AppData\Local\...\PbOSetp.exe, PE32 45->87 dropped 171 Creates files with lurking names (e.g. Crack.exe) 45->171 60 Crack.exe 45->60         started        62 PbOSetp.exe 45->62         started        file14 signatures15 process16 dnsIp17 175 Tries to harvest and steal browser information (history, passwords, etc) 47->175 177 Writes to foreign memory regions 52->177 179 Allocates memory in foreign processes 52->179 181 Creates a thread in another existing process (thread injection) 52->181 64 svchost.exe 52->64 injected 66 svchost.exe 52->66 injected 119 198.54.126.101 NAMECHEAP-NETUS United States 56->119 91 C:\Users\user\...\_____Zi____DanE______10.exe, PE32 56->91 dropped 93 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 56->93 dropped 95 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 56->95 dropped 97 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 56->97 dropped 68 _____Zi____DanE______10.exe 56->68         started        99 C:\Users\user\...\logi_audio_conexant.dll, PE32+ 60->99 dropped 101 C:\Users\...\legacy_forcefeedback_x86.dll, PE32 60->101 dropped 71 conhost.exe 60->71         started        file18 signatures19 process20 signatures21 147 Antivirus detection for dropped file 68->147 149 Detected unpacking (overwrites its own PE header) 68->149 151 Machine Learning detection for dropped file 68->151
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2d69fb4a5141f6bd961fa7dbe92bbc30f8a7448b437df16fa960ff30ec009429/
Threat name:
Win32.Trojan.CookiesStealer
Create hunting rule
Status:
Malicious
First seen:
2021-05-25 03:53:45 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fvu7wssrih3l3fq7u7n6sk54gd4korelin67c35jmd7tb3aasquq._file
Verdict:
unknown
Similar samples:
2cafa910950afa826e2e255ebe4c40a611bcb12c012a502a36efeb2f4effe320
RedLineStealer
46e99e70a21a9ecd28e61195f175bea9260eea38b1718f6750166688d955e91e
RedLineStealer
4e9bb871716df27af35ede8b153efa96e131321fa3ced426fce64b893ebd089a
RedLineStealer
59c98f1846f03efaa1a594b76b320e3f35ecd53e9ed640bb360bdcf0a41f3c2d
RedLineStealer
679d4240ec3562404c1222d91bb2594cb90843b5aec479ce75bd47d4a4e8b780
RedLineStealer
df102108e8beb55334e3976e1cb7f389e8f9ecd23a12c4d71c22921626938c50
RedLineStealer
e7c3cea59ec83faa8886c1a5d0b0eabd00cf68ae8491ad6a985f3b6e422c0d19
RedLineStealer
ec606c6695e9c2716c8b3eb6c8b45d085caa03658274366a846ad37c452bd65f
RedLineStealer
f3b3bf03f311300ba76f4de3376ff21b3b1971ccbc90e24638ab15c2b42ef79b
RedLineStealer
f8b69bd4d7c6a8c131c5f9cd93ca7d0a3645f9cf1f207608bf8d209f3bcaa3b3
RedLineStealer
+ 8 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:metasploit family:plugx family:raccoon family:redline family:smokeloader family:vidar botnet:74452b5cbc58563477e4a9e149f2093398530bbd aspackv2 backdoor discovery dropper infostealer loader stealer trojan
Link:
https://tria.ge/reports/210528-4nqnjfl2fe/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Maps connected drives based on registry
Loads dropped DLL
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Glupteba
Glupteba Payload
MetaSploit
PlugX
Raccoon
RedLine
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
http://999080321newfolder1002002131-service1002.space/
http://999080321newfolder1002002231-service1002.space/
http://999080321newfolder3100231-service1002.space/
http://999080321newfolder1002002431-service1002.space/
http://999080321newfolder1002002531-service1002.space/
http://999080321newfolder33417-012425999080321.space/
http://999080321test125831-service10020125999080321.space/
http://999080321test136831-service10020125999080321.space/
http://999080321test147831-service10020125999080321.space/
http://999080321test146831-service10020125999080321.space/
http://999080321test134831-service10020125999080321.space/
http://999080321est213531-service1002012425999080321.ru/
http://999080321yes1t3481-service10020125999080321.ru/
http://999080321test13561-service10020125999080321.su/
http://999080321test14781-service10020125999080321.info/
http://999080321test13461-service10020125999080321.net/
http://999080321test15671-service10020125999080321.tech/
http://999080321test12671-service10020125999080321.online/
http://999080321utest1341-service10020125999080321.ru/
http://999080321uest71-service100201dom25999080321.ru/
http://999080321test61-service10020125999080321.website/
http://999080321test51-service10020125999080321.xyz/
http://999080321test41-service100201pro25999080321.ru/
http://999080321yest31-service100201rus25999080321.ru/
http://999080321rest21-service10020125999080321.eu/
http://999080321test11-service10020125999080321.press/
http://999080321newfolder4561-service10020125999080321.ru/
http://999080321rustest213-service10020125999080321.ru/
http://999080321test281-service10020125999080321.ru/
http://999080321test261-service10020125999080321.space/
http://999080321yomtest251-service10020125999080321.ru/
http://999080321yirtest231-service10020125999080321.ru/
http://20xbtc.com/upload/
http://yzsnw.com/upload/
http://kaledebiyat.com/upload/
http://expertizizmir.com/upload/
http://dedkndy.com/upload/
http://theuncu.com/upload/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2d69fb4a5141f6bd961fa7dbe92bbc30f8a7448b437df16fa960ff30ec009429

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_EXE_Packed_ASPack
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ASPack
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_HyperPro03
Create hunting rule
Author:ditekSHen
Description:Hunt HyperPro IronTiger / LuckyMouse / APT27 malware
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Detects Raccoon/Racealer infostealer
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:pe_imphash
Create hunting rule
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:Telegram_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Telegram in files like avemaria
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_vidar_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/162997/

Comments