MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2e29c4a8aa64659e07fb2e157f5a3f2cc6e322ed5b9299b15aa40886acf5c6f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2e29c4a8aa64659e07fb2e157f5a3f2cc6e322ed5b9299b15aa40886acf5c6f9
SHA3-384 hash: f48ac643b6c01880e58dfa51e7c7e178bcdb5005c39383e29192e2f4707eef28d0cd9dd4ea8a0639f0558581d92197b7
SHA1 hash: 2c16bff04009d8084f33334a03ddfdc70d33d98f
MD5 hash: 02e8e8c35462339d2dbe4543e9283a28
humanhash: hot-washington-asparagus-black
File name:02E8E8C35462339D2DBE4543E9283A28.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:390'073 bytes
First seen:2021-05-29 17:20:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'503 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep 6144:x/QiQXCkJm+ksmpk3U9jW1U4P9bZhclOGBfj/WUplm6zIOYQNd28pTXdAmpCLVRK:pQi3ks6m6URA3Ph/cllL//plmW9bTXeE
Threatray 26 similar samples on MalwareBazaar
TLSH A8841292F7E54878E073CEB05C90DA62443B79A49DBCA50877ECDD8F9B3B6818256343
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
194.113.106.38:26940

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
194.113.106.38:26940 https://threatfox.abuse.ch/ioc/66885/

Intelligence

File Origin
# of uploads :
1
# of downloads :
331
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
02E8E8C35462339D2DBE4543E9283A28.exe
Verdict:
Suspicious activity
Analysis date:
2021-05-29 17:22:20 UTC
Tags:
installer
Link:
https://app.any.run/tasks/745197a7-1dc7-4003-930b-391341927fec

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/163194/
Detection(s):
PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Application.Agent.AIQ.2330.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
DNS request
Sending an HTTP GET request
Creating a process with a hidden window
Sending a UDP request
Sending a custom TCP request
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Sending an HTTP POST request
Deleting a recently created file
Replacing files
Creating a file
Using the Windows Management Instrumentation requests
Adding an access-denied ACE
Launching a process
Launching cmd.exe command interpreter
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Unauthorized injection to a recently created process
Setting a single autorun event
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending an HTTP GET request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/794280
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 426676 Sample: ELKx2TKs6n.exe Startdate: 29/05/2021 Architecture: WINDOWS Score: 100 102 www.profitabletrustednetwork.com 2->102 104 tpx.tesseradigital.com 2->104 106 48 other IPs or domains 2->106 157 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->157 159 Multi AV Scanner detection for domain / URL 2->159 161 Antivirus detection for URL or domain 2->161 165 6 other signatures 2->165 11 ELKx2TKs6n.exe 2 2->11         started        14 Picubuhege.exe 2->14         started        signatures3 163 Performs DNS queries to domains with low reputation 104->163 process4 dnsIp5 90 C:\Users\user\AppData\...LKx2TKs6n.tmp, PE32 11->90 dropped 17 ELKx2TKs6n.tmp 3 19 11->17         started        140 limesfile.com 14->140 92 C:\Program Files (x86)\...\Windows Update.exe, PE32 14->92 dropped 94 C:\...\Windows Update.exe.config, XML 14->94 dropped file6 process7 dnsIp8 100 limesfile.com 198.54.126.101, 49731, 49747, 49848 NAMECHEAP-NETUS United States 17->100 66 C:\Users\...\___________RUb__________y.exe, PE32 17->66 dropped 68 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 17->68 dropped 70 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 17->70 dropped 72 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 17->72 dropped 21 ___________RUb__________y.exe 22 20 17->21         started        file9 process10 dnsIp11 122 global-sc-ltd.com 199.188.201.83, 49741, 80 NAMECHEAP-NETUS United States 21->122 124 iplogger.org 88.99.66.31, 443, 49751, 49937 HETZNER-ASDE Germany 21->124 126 3 other IPs or domains 21->126 74 C:\Users\user\AppData\...\Fahokolyshi.exe, PE32 21->74 dropped 76 C:\Program Files (x86)\...\Picubuhege.exe, PE32 21->76 dropped 78 C:\Users\user\...\Fahokolyshi.exe.config, XML 21->78 dropped 80 3 other files (1 malicious) 21->80 dropped 167 Detected unpacking (overwrites its own PE header) 21->167 26 Fahokolyshi.exe 14 5 21->26         started        30 irecord.exe 2 21->30         started        33 Nukyregepe.exe 21->33         started        file12 signatures13 process14 dnsIp15 128 www.cloud-security.xyz 26->128 130 cloud-security.xyz 26->130 132 connectini.net 26->132 169 Performs DNS queries to domains with low reputation 26->169 35 iexplore.exe 26->35         started        38 iexplore.exe 26->38         started        40 iexplore.exe 26->40         started        45 16 other processes 26->45 96 C:\Users\user\AppData\Local\...\irecord.tmp, PE32 30->96 dropped 42 irecord.tmp 27 31 30->42         started        134 104.21.62.88, 443, 49950 CLOUDFLARENETUS United States 33->134 136 reportyuwt4sbackv97qarke3.com 33->136 138 2 other IPs or domains 33->138 98 C:\Users\user\AppData\Local\...\installer.exe, PE32 33->98 dropped file16 signatures17 process18 dnsIp19 108 www.cloud-security.xyz 35->108 110 cloud-security.xyz 35->110 116 2 other IPs or domains 35->116 47 iexplore.exe 35->47         started        118 6 other IPs or domains 38->118 50 iexplore.exe 38->50         started        52 iexplore.exe 38->52         started        112 www.profitabletrustednetwork.com 40->112 114 vexacion.com 40->114 54 iexplore.exe 40->54         started        56 iexplore.exe 40->56         started        82 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 42->82 dropped 84 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 42->84 dropped 86 C:\Program Files (x86)\...\is-TMD1K.tmp, PE32 42->86 dropped 88 13 other files (none is malicious) 42->88 dropped 58 i-record.exe 42->58         started        120 6 other IPs or domains 45->120 60 iexplore.exe 45->60         started        62 iexplore.exe 45->62         started        64 2 other processes 45->64 file20 process21 dnsIp22 142 vexacion.com 47->142 149 9 other IPs or domains 47->149 151 33 other IPs or domains 50->151 153 2 other IPs or domains 52->153 145 www.profitabletrustednetwork.com 192.243.59.13, 443, 49754, 49755 ADVANCEDHOSTERS-ASNL Dominica 54->145 147 vexacion.com 139.45.197.236, 443, 49756, 49757 RETN-ASEU Netherlands 56->147 155 10 other IPs or domains 64->155 signatures23 171 Performs DNS queries to domains with low reputation 142->171
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2e29c4a8aa64659e07fb2e157f5a3f2cc6e322ed5b9299b15aa40886acf5c6f9/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-05-28 00:22:04 UTC
AV detection:
21 of 47 (44.68%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fyu4jkfkmrsz4b73fykx6wr7ftdogixnlojjtmk2uqeinlhvy34q._file
Verdict:
malicious
Similar samples:
13282c40dd66c53e866c60202f428781cf9562bb0f02e30027ebb7fb41efb5b8
RedLineStealer
3c2fa1d04daaea31991c29bb4118c3d146a50815a033ea5ae325c3171ebdf713
RedLineStealer
864ef1321215c0dad7c8677e3c18942b111468c63358475baa71fb1679c25096
RedLineStealer
8e4f30afa8d0ce48c46a39e2754d8f7adad90ae8ccaf0132b354be76076b20cc
RedLineStealer
a28956c03af41c83a80a84889bd4b2528c3842f14ca44d7c2d3362cbaa036b8d
RedLineStealer
aa9be79c40da851c806a4cbd196aad2731e57090c5c4e0bb107437073e0ebd11
RedLineStealer
c0b90c23b8130fffdfbff412f4535b474a3c207fa2228f78e6b822a38fae2d3f
RedLineStealer
e13ba9f6e63e4013b75c3d45b012d8cbdda80913669bdd10942828b05d66e798
RedLineStealer
ea077019bc7eed24cd45cf0e7b78d8a90ee8a7b8e6a7c7e994d1f62954d00c39
RedLineStealer
f92ea3668a35fbf6e26ba93ed3c2ee31235e41013b79cd661aa061d1327540d9
RedLineStealer
+ 16 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:elysiumstealer family:plugx family:vidar discovery evasion persistence spyware stealer trojan upx vmprotect
Link:
https://tria.ge/reports/210529-y8m8a58xps/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Program crash
Loads dropped DLL
Reads local data of messenger clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
UPX packed file
VMProtect packed file
Checks for common network interception software
ElysiumStealer
PlugX
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2e29c4a8aa64659e07fb2e157f5a3f2cc6e322ed5b9299b15aa40886acf5c6f9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/163194/

Comments