MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 359f9ca568b7525fa41e8ce63450ef4fe1f5c4ba5a334d1473ef93867b21f8a5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 14

SHA256 hash: 359f9ca568b7525fa41e8ce63450ef4fe1f5c4ba5a334d1473ef93867b21f8a5
SHA3-384 hash: d8a61e210386a45a248130946c78c74194ad25521b5932d33862626c9863c78c909c72b8ffb04387e68d5a7ba17a4eaa
SHA1 hash: 7b8471160368282e2b4d7ecdf3c86451affd2e3b
MD5 hash: 75c49537e8132c4e4246645cbc49a55c
humanhash: failed-berlin-harry-missouri
File name: 75c49537e8132c4e4246645cbc49a55c.exe
Download: download sample
Signature: RedLineStealer
File size: 2'701'833 bytes
First seen: 2022-10-24 15:35:55 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: a93cea5329220fb90674a1f0bde2cd0e (40 x RedLineStealer, 7 x RecordBreaker, 2 x ErbiumStealer)
ssdeep: 24576:g3TdiD7/85n6wUIyFaYmYoxSCTkMtbqxWdNEbrYIZ7v4eF6BXyFNa65gAEjnPqxb:eer85rUnMG4eF2XyfaFAUnPqx6BBMl3F
TLSH: T12AC52C135A8B0D75DDD277B4A1CB633EA734ED30CA2A8B7FB608C43959532C56C1A742
TrID: 33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      21.3% (.EXE) Win64 Executable (generic) (10523/12/4)
      13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
      9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
http://78.47.204.168/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                     ThreatFox Reference
http://78.47.204.168/   https://threatfox.abuse.ch/ioc/891320/

Intelligence


File Origin
# of uploads: 1
# of downloads: 230
Origin country: n/a

Vendor Threat Intelligence
Malware family: redline
ID: 1
File name: 75c49537e8132c4e4246645cbc49a55c.exe
Verdict: Malicious activity
Analysis date: 2022-10-24 15:37:38 UTC
Tags: trojan rat redline loader stealer vidar

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionGetTickCount
EvasionQueryPerformanceCounter
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: RedLine stealer
Verdict: Malicious
Result
Threat name: RedLine, Vidar, Xmrig
Detection: malicious
Classification: troj.spyw.evad.mine
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Creates files in the system32 config directory
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Encrypted powershell cmdline option found
Found hidden mapped module (file has been removed from disk)
Found many strings related to Crypto-Wallets (likely being stolen)
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample is not signed and drops a device driver
Sample uses process hollowing technique
Sigma detected: Schedule system process
Sigma detected: Stop multiple services
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph: (rendered graph not reproduced here) Behavior Graph ID: 729340, Sample: PjGCTo5SJi.exe, Start date: 24/10/2022, Architecture: WINDOWS, Score: 100
Threat name: Win32.Trojan.RedLine
Status: Malicious
First seen: 2022-10-17 05:42:49 UTC
File Type: PE (Exe)
AV detection: 23 of 26 (88.46%)
Threat level: 5/5
Verdict: malicious
Result
Malware family:
Score: 10/10
Tags: family:redline family:vidar botnet:1707 evasion infostealer persistence spyware stealer upx
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Loads dropped DLL
Uses the VBS compiler for execution
Downloads MZ/PE file
Executes dropped EXE
Sets service image path in registry
Stops running service(s)
UPX packed file
Modifies security service
RedLine
RedLine payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
79.137.192.7:39946
https://t.me/slivetalks
https://c.im/@xinibin420
Unpacked files
SHA256 hash: ed32fc475932414f62493ce07ee5c97c670979cba11249e14c8bf2ae36951363
MD5 hash: d804be71289546b5cb28086f48e56254
SHA1 hash: c6441ea8e3886ccea07bc16fe385dbba84f1e073
Detections: redline
SHA256 hash: 359f9ca568b7525fa41e8ce63450ef4fe1f5c4ba5a334d1473ef93867b21f8a5
MD5 hash: 75c49537e8132c4e4246645cbc49a55c
SHA1 hash: 7b8471160368282e2b4d7ecdf3c86451affd2e3b
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments