MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 40efd41d17fb832b13911977e0931d1e556aad35a78d1c40101932f9d5fb0eac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 40efd41d17fb832b13911977e0931d1e556aad35a78d1c40101932f9d5fb0eac
SHA3-384 hash: 00eb31be15b14822cdf3235f0723384f0ec9a41dced53aa46046adee5343cc4acb528587f1dce8fb0d8d48fa68a9c609
SHA1 hash: d9b80b5092d447d611c35d0879940bb45e1fb323
MD5 hash: 019006cf7147712b8afbc7f031f347a2
humanhash: carpet-nineteen-speaker-foxtrot
File name:019006CF7147712B8AFBC7F031F347A2.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:702'142 bytes
First seen:2021-06-18 18:21:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ae9f6a32bb8b03dce37903edbc855ba1 (28 x CryptOne, 18 x RedLineStealer, 15 x njrat)
ssdeep 12288:VOOfN590uu6opX+t4sP+Zx4e2ym7dWqzERnVqWSU15lMf4+HhGw3cW0zFg:YOfNkuu6oLsixr2ymhWS0DScPMfN3cNq
Threatray 556 similar samples on MalwareBazaar
TLSH C0E40252FAD045B1D472187459F8D630693CBC202B398ADFA3A8762D5F304D26B37BA7
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
94.103.92.101:46795

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
94.103.92.101:46795 https://threatfox.abuse.ch/ioc/136572/

Intelligence

File Origin
# of uploads :
1
# of downloads :
174
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
MALWARE_DROP_TOBERE.zip
Verdict:
Malicious activity
Analysis date:
2021-06-17 10:04:05 UTC
Tags:
evasion loader autoit stealer trojan rat redline netsupport unwanted danabot phishing
Link:
https://app.any.run/tasks/282837d0-155e-457b-af5f-938a9114c221

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/166895/
Detection(s):
SecuriteInfo.com.AIT.Trojan.Nymeria.1583.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.PWS.Steam.19390.13490.17676.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1f4a612d-8659-4f7e-b0aa-48f52d6e7fc1
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/804496
Signature
.NET source code contains very large strings
Binary is likely a compiled AutoIt script file
Connects to many ports of the same IP (likely port scanning)
Drops PE files to the user root directory
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Execution from Suspicious Folder
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 436907 Sample: lw1IpxgQ0E.exe Startdate: 18/06/2021 Architecture: WINDOWS Score: 100 50 Found malware configuration 2->50 52 Multi AV Scanner detection for submitted file 2->52 54 Yara detected RedLine Stealer 2->54 56 6 other signatures 2->56 8 lw1IpxgQ0E.exe 1 10 2->8         started        11 iexplore.exe 2 86 2->11         started        process3 dnsIp4 30 C:\Users\user\AppData\Local\Temp\...\File.exe, PE32 8->30 dropped 14 File.exe 3 19 8->14         started        38 192.168.2.1 unknown unknown 11->38 19 iexplore.exe 39 11->19         started        file5 process6 dnsIp7 40 nikss.webtm.ru 92.53.96.150, 49705, 80 TIMEWEB-ASRU Russian Federation 14->40 32 C:\Users\Public\run.exe, PE32 14->32 dropped 44 Multi AV Scanner detection for dropped file 14->44 46 Binary is likely a compiled AutoIt script file 14->46 48 Drops PE files to the user root directory 14->48 21 run.exe 4 14->21         started        42 iplogger.org 88.99.66.31, 443, 49711, 49712 HETZNER-ASDE Germany 19->42 file8 signatures9 process10 signatures11 58 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 21->58 60 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 21->60 62 Injects a PE file into a foreign processes 21->62 24 run.exe 15 28 21->24         started        28 conhost.exe 21->28         started        process12 dnsIp13 34 94.103.92.101, 46795, 49715, 49718 VDSINA-ASRU Russian Federation 24->34 36 api.ip.sb 24->36 64 Tries to harvest and steal browser information (history, passwords, etc) 24->64 66 Tries to steal Crypto Currency Wallets 24->66 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/40efd41d17fb832b13911977e0931d1e556aad35a78d1c40101932f9d5fb0eac/
Threat name:
Win32.Trojan.Nymeria
Create hunting rule
Status:
Malicious
First seen:
2021-06-16 07:31:47 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=idx5ihix7obswe4rdf36bey5dzkwvljvu6gryqaqdezptvp3b2wa._file
Verdict:
malicious
Similar samples:
2c5bcf3f88a6848053f57223363adb22e49f41b1c8a54f8ddc370508c3043e70
RedLineStealer
8358e817e423f16dcdcd3f213229f7b7b63de4a1ccce5f7ab07997a57183f758
RedLineStealer
913f62676d29a2368f9f6f97a3adc623ede915b58812e05aba24a1b0177697d4
RedLineStealer
9daf087ef991160871f07d75d1577eccd34d926e1bd5d30cc30516fdcbd84b45
RedLineStealer
d8a12da66c3b95e1f2dc9c7e5667a5baf7dbdbbaff01f342222dc696c07455fa
RedLineStealer
d8a3df5d5ed44873fc091b44a64f98c6c54dae8356d747cddee51b88df9f1d2e
RedLineStealer
da19103e927e19daedc51212deb60ceca403e3e9876c52a9dec41d7e6215929b
RedLineStealer
e37ee735ba2c075bb3ca8ab6a4cbc047600b146c093aa43cc7c7a771b393d487
RedLineStealer
e55e95de03dff2a35cb8304d855c944a5309c56ff8d369af0a542e600faa6808
RedLineStealer
ea50cc254fa1cc865d19d13bbdf206dc69092d6f723cb56a3843d74ba83e64a0
RedLineStealer
+ 546 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery evasion infostealer spyware stealer trojan
Link:
https://tria.ge/reports/210618-lntfanbrbx/
Behaviour
Modifies Internet Explorer settings
Modifies registry class
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
autoit_exe
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
RedLine
RedLine Payload
Unpacked files
SH256 hash:
e2cbbccb0982a39b27ca0631738712e654ae01e9b765573f03cd98d31193ce4b
MD5 hash:
b4bc2acb3377ae21b84e53c5b0d87b65
SHA1 hash:
7d0a18c9e31d120758a7252baff9176b3e02e7ea
Link:
https://www.unpac.me/results/eb9f029d-48a3-402c-86e2-623de25da2c4/
SH256 hash:
40efd41d17fb832b13911977e0931d1e556aad35a78d1c40101932f9d5fb0eac
MD5 hash:
019006cf7147712b8afbc7f031f347a2
SHA1 hash:
d9b80b5092d447d611c35d0879940bb45e1fb323
Link:
https://www.unpac.me/results/eb9f029d-48a3-402c-86e2-623de25da2c4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/40efd41d17fb832b13911977e0931d1e556aad35a78d1c40101932f9d5fb0eac

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:Telegram_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Telegram in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/166895/

Comments