MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 39f4195b8a8516a361343c641b3343bbf870abc69f7f734105f29df6f630d37b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs 5 YARA File information Comments

SHA256 hash:	39f4195b8a8516a361343c641b3343bbf870abc69f7f734105f29df6f630d37b
SHA3-384 hash:	5a009fbbcad4511a08e9c425ac1c319ecf42410e2841c492487e25d70438f142e9667988c1895936d319147ebb6dbf74
SHA1 hash:	d8e12bfbb94aa19360ee64198c55127fa3f961cb
MD5 hash:	7db925ca083865c068baed7947c2b4a1
humanhash:	double-texas-earth-west
File name:	39f4195b8a8516a361343c641b3343bbf870abc69f7f7.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	293'888 bytes
First seen:	2021-09-24 19:45:37 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	d63272091af7602d3a8fe5b2f0726122 (6 x RaccoonStealer, 4 x RedLineStealer, 1 x DanaBot)
ssdeep	6144:dlSHxT+Kj2ilNbC/PyP562N4soyTB0p5cWB:dkHxDj2ils/w5lugA
Threatray	1'758 similar samples on MalwareBazaar
TLSH	T11354AE20B7E0C039F5B702F649BAD7B9A9297DB0AB3880CF52D516EA56346E4DC30357
File icon (PE):
dhash icon	ead8ac9cc6a68ee0 (93 x RedLineStealer, 50 x RaccoonStealer, 15 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
http://185.163.204.37/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://185.163.204.37/	https://threatfox.abuse.ch/ioc/226142/
109.234.38.212:6677	https://threatfox.abuse.ch/ioc/226259/
135.181.142.223:30397	https://threatfox.abuse.ch/ioc/226444/
65.21.231.57:60751	https://threatfox.abuse.ch/ioc/226446/
185.244.180.224:39957	https://threatfox.abuse.ch/ioc/226450/

Intelligence

File Origin

# of uploads :

# of downloads :

215

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

39f4195b8a8516a361343c641b3343bbf870abc69f7f7.exe

Verdict:

Suspicious activity

Analysis date:

2021-09-24 19:47:43 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/f3290068-c121-420c-9d3c-275f378a0ece

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/191276/

Detection(s):

Win.Packed.Generic-9896517-0

Win.Packed.Generic-9896520-0

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f8064b2c-239b-4dbe-8661-41cfb90982a7

Result

Threat name:

Unknown

Detection:

malicious

Classification:

n/a

Score:

52 / 100

Link:

https://www.joesandbox.com/analysis/857617

Signature

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/39f4195b8a8516a361343c641b3343bbf870abc69f7f734105f29df6f630d37b/

Threat name:

Win32.Trojan.Glupteba

Status:

Malicious

First seen:

2021-09-24 19:46:11 UTC

AV detection:

17 of 28 (60.71%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=hh2bsw4kqulkgyjuhrsbwm2dxp4hbk6gt57xgqif6ko7n5rq2n5q._file

Verdict:

malicious

RedLineStealer

4ce736beca7ebfdae1fca1c504ef9482ada58dbf573fd57434aef6de2b36c9d6

RedLineStealer

73d3930011ac4fb1ac1ec5b4d339c001a9892c152fbc8be47b81d8ff559018ca

RedLineStealer

79df67c7efab39b9b413c0844b58b8597c32ff7870225bbc1d2e300416ec5b4e

RedLineStealer

7dc5a00ea0996d4edb8fbee2a9d2caa97ece60b4d5f755c3e82a06205ee2a385

RedLineStealer

843140b0a3f095d74fe2682d3ae029d4da70a5bae79850cf047a72c9d4a882c0

RedLineStealer

9664922ce8e322f3e2902a458b8a00f19515d2cd9c5802482e4e2d40fce8b861

RedLineStealer

a98b37b337927ef6cea8a053a4ea676646de4dfbf6ce9619593246a1ecc362b6

RedLineStealer

ecf100d294f5b6b63ebc4e1430f6a07b07e3899b0c447a536d7c53c51d711549

RedLineStealer

fe7e25d0fd410494f9d8299439faf7d89edb627b494c882d2b33c94625c7c35c

RedLineStealer

+ 1'748 additional samples on MalwareBazaar

Result

Malware family:

xmrig

Score:

10/10

Tags:

family:raccoon family:redline family:smokeloader family:tofsee family:xmrig botnet:2k superstar botnet:5ff0ccb2bc00dc52d1ad09949e9c7663bc9ca4d4 botnet:700$ botnet:f6d7183c9e82d2a9b81e6c0608450aa66cefb51f botnet:qq botnet:russianhack backdoor discovery evasion infostealer miner persistence spyware stealer themida trojan

Link:

https://tria.ge/reports/210924-ygz2aahha7/

Behaviour

Checks SCSI registry key(s)

Delays execution with timeout.exe

Modifies data under HKEY_USERS

Modifies registry key

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Launches sc.exe

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks whether UAC is enabled

Checks BIOS information in registry

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Themida packer

Creates new service(s)

Downloads MZ/PE file

Executes dropped EXE

Modifies Windows Firewall

Sets service image path in registry

Grants admin privileges

Identifies VirtualBox via ACPI registry values (likely anti-VM)

XMRig Miner Payload

Raccoon

RedLine

RedLine Payload

SmokeLoader

Tofsee

Windows security bypass

xmrig

Malware Config

C2 Extraction:

http://naghenrietti1.top/
http://kimballiett2.top/
http://xadriettany3.top/
http://jebeccallis4.top/
http://nityanneron5.top/
http://umayaniela6.top/
http://lynettaram7.top/
http://sadineyalas8.top/
http://geenaldencia9.top/
http://aradysiusep10.top/
135.181.142.223:30397
178.132.3.103:80
65.21.231.57:60751
185.244.180.224:39957
109.234.38.212:6677

Unpacked files

SH256 hash:

2fead9437f15e057951fd6a02ab05076e38db13483df0191787c21c79343b9e7

MD5 hash:

1c90f3a3fcd93ee08b2154cbcff49085

SHA1 hash:

73ac881633a13c3c31c1153d8105b8ecbb60961e

Link:

https://www.unpac.me/results/ac87800e-7326-434e-9b2a-c7d3c3bb0ce9/

SH256 hash:

39f4195b8a8516a361343c641b3343bbf870abc69f7f734105f29df6f630d37b

MD5 hash:

7db925ca083865c068baed7947c2b4a1

SHA1 hash:

d8e12bfbb94aa19360ee64198c55127fa3f961cb

Link:

https://www.unpac.me/results/ac87800e-7326-434e-9b2a-c7d3c3bb0ce9/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/39f4195b8a85/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/39f4195b8a8516a361343c641b3343bbf870abc69f7f734105f29df6f630d37b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/191276/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample