MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 39e51d5d0ed297f10acac6eaac6e199ebec75e8594359bfe2cce30beb6082a34. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: RedLineStealer
Vendor detections: 11

SHA256 hash: 39e51d5d0ed297f10acac6eaac6e199ebec75e8594359bfe2cce30beb6082a34
SHA3-384 hash: 05a6a19abb36f53b50084ffa79f0c0eb7a0dc94e7cbf50341708925538850ba6e3364c5869143215a3341c6faf023f1a
SHA1 hash: f035eddd961927cb28a3baf3451c7b9c323fb9e6
MD5 hash: 4e199a735a8e591ae9bd1d6b5bb37690
humanhash: chicken-oven-iowa-social
File name: 4E199A735A8E591AE9BD1D6B5BB37690.exe
Signature: RedLineStealer
File size: 166'912 bytes
First seen: 2021-04-26 22:25:58 UTC
Last seen: 2021-04-26 22:39:24 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 3072:FA3wBSxW9YbVSr7tLiUB7TXwtNfe88888888888888888888888888888888888R:eAB4GcSiquW888888888888888888888
Threatray: 848 similar samples on MalwareBazaar
TLSH: 29F3282B26759222C7D8DF3CE8A52A677739DD203844F24870D6B69A583DF8C09F43D6
Reporter: abuse_ch
Tags: exe RedLineStealer

abuse_ch
RedLineStealer C2:
195.123.233.63:80

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 195.123.233.63:80
ThreatFox reference: https://threatfox.abuse.ch/ioc/10256/

Intelligence


File Origin
# of uploads: 2
# of downloads: 154
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 4E199A735A8E591AE9BD1D6B5BB37690.exe
Verdict: Malicious activity
Analysis date: 2021-04-26 22:27:25 UTC
Tags: evasion stealer trojan rat redline phishing

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Adding an access-denied ACE
Reading critical registry keys
Deleting a recently created file
Sending an HTTP POST request
Sending a UDP request
Connecting to a non-recommended domain
Creating a file in the %temp% directory
DNS request
Sending a custom TCP request
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file
Enabling the 'hidden' option for recently created files
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Creating a window
Running batch commands
Launching a process
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Forced shutdown of a system process
Unauthorized injection to a system process
Forced shutdown of a browser
Result
Verdict: MALICIOUS

Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: RedLine stealer
Verdict: Malicious

Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to hide a thread from the debugger
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph: [rendered graph; Behavior Graph ID: 398153, Sample: kVXWdr5oFQ.exe, Startdate: 27/04/2021, Architecture: WINDOWS, Score: 100]
Threat name: Win32.Infostealer.Generic
Status: Suspicious
First seen: 2021-04-24 17:51:01 UTC
AV detection: 13 of 28 (46.43%)
Threat level: 5/5

Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:25_4_net_cleaned botnet:alllsup botnet:yama1 discovery infostealer persistence spyware stealer
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
RedLine
RedLine Payload
Malware Config
C2 Extraction:
styonorong.xyz:80
Sthellete.xyz:80
45.67.228.131:9603
Unpacked files
SHA256 hash: 8260fd73e2bb7185c9bc55645b4a42555927c7ab1bc5ac1f2211435cf6e971da
MD5 hash: 5e9827bc5e57266dc73b51d018e6c850
SHA1 hash: 757edb6515ea96a8e2f10fd33120f4e6feca2fae

SHA256 hash: 39e51d5d0ed297f10acac6eaac6e199ebec75e8594359bfe2cce30beb6082a34
MD5 hash: 4e199a735a8e591ae9bd1d6b5bb37690
SHA1 hash: f035eddd961927cb28a3baf3451c7b9c323fb9e6
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments