MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b70b57af7fcdfb9d0c83217e58d6acd5fafe898f11a815b88b444ecfadb57ab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3b70b57af7fcdfb9d0c83217e58d6acd5fafe898f11a815b88b444ecfadb57ab
SHA3-384 hash: 2c3449ec5c8f791c8624a779aeb9742c5469d4c2ded2c90d404550c17b0b147eecbfadf5204beaef042b62c8ee858abd
SHA1 hash: 4e0791acabbcb8f393cff66fa2327e2292a46c0c
MD5 hash: f77bf6a3d7b14c5e7a291e532816584d
humanhash: utah-west-pluto-floor
File name:F77BF6A3D7B14C5E7A291E532816584D.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:779'116 bytes
First seen:2021-07-13 13:05:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'463 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep 6144:d/QiQXCp5m+ksmpk3U9j0IAqfsoxvjFEOTb9WmZX/8shzdsY4CpHPhn17Tdkz:VQi3pc6m6UR0Irp1hf39Wkv8xwJhJkz
Threatray 2'440 similar samples on MalwareBazaar
TLSH T163F4BD7DB634C339F5E55AB08C228B5859E63D28187C680934F93B997BF3FC25149E82
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
185.198.57.69:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.198.57.69:80 https://threatfox.abuse.ch/ioc/159867/

Intelligence

File Origin
# of uploads :
1
# of downloads :
129
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://topkeygen.com
Verdict:
Malicious activity
Analysis date:
2021-07-10 20:08:58 UTC
Tags:
loader evasion autoit trojan stealer vidar rat redline phishing ficker
Link:
https://app.any.run/tasks/860a8fcd-3fc9-448b-8e42-1778c94a7f1a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/171420/
Detection(s):
Win.Malware.Passteal-9853623-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Application.Agent.AIQ.2330.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/74398eb0-61b7-4dd2-bcc0-48336b55e824
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/815568
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates autostart registry keys with suspicious values (likely registry only malware)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 447977 Sample: xSnF0lxFUX.exe Startdate: 13/07/2021 Architecture: WINDOWS Score: 100 121 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->121 123 Antivirus detection for URL or domain 2->123 125 Antivirus detection for dropped file 2->125 127 6 other signatures 2->127 10 xSnF0lxFUX.exe 2 2->10         started        13 Xiveshylaewy.exe 2->13         started        process3 dnsIp4 81 C:\Users\user\AppData\...\xSnF0lxFUX.tmp, PE32 10->81 dropped 16 xSnF0lxFUX.tmp 3 19 10->16         started        119 superstationcity.com 194.163.135.248, 49748, 80 NEXINTO-DE Germany 13->119 83 C:\Program Files (x86)\...\Windows Update.exe, PE32 13->83 dropped 85 C:\...\Windows Update.exe.config, XML 13->85 dropped 20 Windows Update.exe 13->20         started        file5 process6 dnsIp7 87 requested404.com 63.250.33.126, 49712, 49717, 80 NAMECHEAP-NETUS United States 16->87 53 C:\Users\user\...\1061149_flats_fon.exe, PE32 16->53 dropped 55 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 16->55 dropped 57 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 16->57 dropped 59 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 16->59 dropped 22 1061149_flats_fon.exe 22 20 16->22         started        89 privateinvestig8tor.com 20->89 91 connectini.net 20->91 file8 process9 dnsIp10 105 iplogger.org 88.99.66.31, 443, 49723 HETZNER-ASDE Germany 22->105 107 connectini.net 162.0.210.44, 443, 49713, 49724 ACPCA Canada 22->107 109 2 other IPs or domains 22->109 73 C:\Users\user\AppData\...\Kifebyvequ.exe, PE32 22->73 dropped 75 C:\Users\user\AppData\...\Waelucehora.exe, PE32 22->75 dropped 77 C:\Program Files (x86)\...\Xiveshylaewy.exe, PE32 22->77 dropped 79 3 other files (2 malicious) 22->79 dropped 129 Detected unpacking (overwrites its own PE header) 22->129 131 Creates autostart registry keys with suspicious values (likely registry only malware) 22->131 27 Kifebyvequ.exe 14 5 22->27         started        31 Waelucehora.exe 22->31         started        33 SystemMonitor.exe 2 22->33         started        file11 signatures12 process13 dnsIp14 111 connectini.net 27->111 133 Multi AV Scanner detection for dropped file 27->133 135 Detected unpacking (overwrites its own PE header) 27->135 36 chrome.exe 27->36         started        40 chrome.exe 27->40         started        42 chrome.exe 27->42         started        46 8 other processes 27->46 113 ticaus.pw 111.90.146.149, 49821, 80 SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY Malaysia 31->113 115 ezps.co.uk 62.233.121.32, 443, 49822, 49832 IOMART-ASGB United Kingdom 31->115 117 2 other IPs or domains 31->117 61 C:\Users\user\AppData\...\SystemMonitor.tmp, PE32 33->61 dropped 44 SystemMonitor.tmp 27 18 33->44         started        file15 signatures16 process17 dnsIp18 99 192.168.2.1 unknown unknown 36->99 101 192.168.2.6 unknown unknown 36->101 103 2 other IPs or domains 36->103 63 C:\Users\user\AppData\Local\...\000005.ldb, DOS 36->63 dropped 48 chrome.exe 36->48         started        65 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 44->65 dropped 67 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 44->67 dropped 69 C:\Program Files (x86)\...\is-V5DR1.tmp, PE32 44->69 dropped 71 C:\Program Files (x86)\...\is-BTFCR.tmp, PE32 44->71 dropped 51 SystemMonitor.exe 44->51         started        file19 process20 dnsIp21 93 vexacion.com 139.45.197.236, 49733, 49734, 49753 RETN-ASEU Netherlands 48->93 95 adsaro.net 161.35.179.108, 443, 49777, 49778 DIGITALOCEAN-ASNUS United States 48->95 97 33 other IPs or domains 48->97
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3b70b57af7fcdfb9d0c83217e58d6acd5fafe898f11a815b88b444ecfadb57ab/
Threat name:
ByteCode-MSIL.Ransomware.Hermes
Create hunting rule
Status:
Malicious
First seen:
2021-07-10 00:40:28 UTC
AV detection:
18 of 29 (62.07%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hnylk6xx7tp3tugigil6ldlkzvp272ey6enicw4iwrcoz6w3k6vq._file
Verdict:
suspicious
Similar samples:
2c1e4de15b0a08e77555d4b16f2bb56fae378081a9411138d323b6b52a7e891b
RedLineStealer
2df4e3a4d7b6e5f33ef54c73ff86ffc76d8667ff587756a2887bf91687ab46a9
RedLineStealer
361dc084efc29ddc0a837710fc28a872389e3a61413e5c82fcbefc1906c7b29f
RedLineStealer
3c167530a131f9dc899b73b9eac971b38e44d41cf291893fde8e575602c2b846
RedLineStealer
3deefd1f1f776cc14993508ae21a6434b496b48d7c1c85ec892572e2a56473ab
RedLineStealer
4905fecf9b5d2057f495dcd21e81e03db0114af804fe59931cd901fbfbde5c9a
RedLineStealer
531511e95f85e5fd8614c28ddfd4fd487086ebd3f656b6214419876ff1ad3be4
RedLineStealer
8f2e44c29365ee8ded05c7de45e97d2d750cb430bf5ea2ea27ad48c2fa9cf884
RedLineStealer
abc845a1bcb5a82c786c55f8f778cef56bcfb4e66eec07172c14fb4cf78dcfcc
RedLineStealer
f92ea3668a35fbf6e26ba93ed3c2ee31235e41013b79cd661aa061d1327540d9
RedLineStealer
+ 2'430 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline family:smokeloader family:vidar botnet:517 botnet:btccach botnet:mil backdoor discovery evasion infostealer persistence spyware stealer themida trojan upx
Link:
https://tria.ge/reports/210713-lcmyjxpegs/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Loads dropped DLL
Modifies file permissions
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
UPX packed file
Checks for common network interception software
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
Process spawned unexpected child process
Raccoon
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
http://999080321newfolder1002002131-service1002.space/
http://999080321newfolder1002002231-service1002.space/
http://999080321newfolder3100231-service1002.space/
http://999080321newfolder1002002431-service1002.space/
http://999080321newfolder1002002531-service1002.space/
http://999080321newfolder33417-012425999080321.space/
http://999080321test125831-service10020125999080321.space/
http://999080321test136831-service10020125999080321.space/
http://999080321test147831-service10020125999080321.space/
http://999080321test146831-service10020125999080321.space/
http://999080321test134831-service10020125999080321.space/
http://999080321est213531-service1002012425999080321.ru/
http://999080321yes1t3481-service10020125999080321.ru/
http://999080321test13561-service10020125999080321.su/
http://999080321test14781-service10020125999080321.info/
http://999080321test13461-service10020125999080321.net/
http://999080321test15671-service10020125999080321.tech/
http://999080321test12671-service10020125999080321.online/
http://999080321utest1341-service10020125999080321.ru/
http://999080321uest71-service100201dom25999080321.ru/
http://999080321test61-service10020125999080321.website/
http://999080321test51-service10020125999080321.xyz/
http://999080321test41-service100201pro25999080321.ru/
http://999080321yest31-service100201rus25999080321.ru/
http://999080321rest21-service10020125999080321.eu/
http://999080321test11-service10020125999080321.press/
http://999080321newfolder4561-service10020125999080321.ru/
http://999080321rustest213-service10020125999080321.ru/
http://999080321test281-service10020125999080321.ru/
http://999080321test261-service10020125999080321.space/
http://999080321yomtest251-service10020125999080321.ru/
http://999080321yirtest231-service10020125999080321.ru/
http://nusurtal4f.net/
http://netomishnetojuk.net/
http://escalivrouter.net/
http://nick22doom4.net/
http://wrioshtivsio.su/
http://nusotiso4.su/
http://rickkhtovkka.biz/
http://palisotoliso.net/
185.224.135.239:17336
185.53.46.82:3214
https://olegf9844.tumblr.com/
Unpacked files
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/3f645365-c15c-4b89-9f05-1427e692fe6d/
SH256 hash:
b6552d66f43ac2095535db861106ed4dfb7beb71bc3b07ce085b768aaaec0f4e
MD5 hash:
97d4e60f367c27f958e9ae86e74ee766
SHA1 hash:
1cf6f2e4fd40438c0354568db1312921b82a550d
Link:
https://www.unpac.me/results/3f645365-c15c-4b89-9f05-1427e692fe6d/
SH256 hash:
3b70b57af7fcdfb9d0c83217e58d6acd5fafe898f11a815b88b444ecfadb57ab
MD5 hash:
f77bf6a3d7b14c5e7a291e532816584d
SHA1 hash:
4e0791acabbcb8f393cff66fa2327e2292a46c0c
Link:
https://www.unpac.me/results/3f645365-c15c-4b89-9f05-1427e692fe6d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3b70b57af7fcdfb9d0c83217e58d6acd5fafe898f11a815b88b444ecfadb57ab

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:MALWARE_Win_HyperBro03
Create hunting rule
Author:ditekSHen
Description:Hunt HyperBro IronTiger / LuckyMouse / APT27 malware
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/171420/

Comments