MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 41bd1c7a896dade70b5e81588a20f0737f30c8ec164990f4da3f788dc843d7d1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10



SHA256 hash: 41bd1c7a896dade70b5e81588a20f0737f30c8ec164990f4da3f788dc843d7d1
SHA3-384 hash: 8e3c098f5ab7c94872b2d83d52139e35c2d36cc390c247cc7d07df6fdeafbb15a78df724cc42da475c2a7a5d7f131166
SHA1 hash: b58efcd64c1904431ba94adbbd4e83559f9bef08
MD5 hash: 98c452f8557d0ed0dfc4749141741cd7
humanhash: don-orange-friend-nitrogen
File name: 98C452F8557D0ED0DFC4749141741CD7.exe
Signature: RedLineStealer
File size: 8'487'614 bytes
First seen: 2021-04-01 00:27:25 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: a1a66d588dcf1394354ebf6ec400c223 (49 x RedLineStealer, 7 x CryptBot, 4 x AZORult)
ssdeep: 196608:75aFAmXV/+lmefLXegGqjQp7hkteWW9KbmnWt:75a2QV2HfhG2QpFkMWW9KCm
Threatray: 107 similar samples on MalwareBazaar
TLSH: 5F8623412D40CEEDC5761DF22494D6CAE6D3B16C3F1E81FA928D16298DF4121EF16FA2
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
http://crownnest.cyou/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                    | ThreatFox Reference
http://crownnest.cyou/ | https://threatfox.abuse.ch/ioc/6335/

Intelligence


File Origin
# of uploads: 1
# of downloads: 139
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Suspicious
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Sending a UDP request
Launching a process
Creating a process from a recently created file
Deleting a recently created file
DNS request
Result
Verdict: MALICIOUS
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 60 / 100
Signature
Binary is likely a compiled AutoIt script file
Contains functionality to register a low level keyboard hook
Multi AV Scanner detection for submitted file
Obfuscated command line found
Submitted sample is a known malware sample
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected RedLine Stealer
Behaviour
Behavior Graph: [graph image not reproduced] Behavior Graph ID: 379533, Sample: 2Z4CHwLtzg.exe, Startdate: 01/04/2021, Architecture: WINDOWS, Score: 60. The graph shows the sample starting cmd.exe, which launches Aprano.exe.com, PING.EXE and findstr.exe; files dropped include C:\Users\user\AppData\...\Aprano.exe.com and C:\Users\user\AppData\Roaming\...\RegAsm.exe (PE32), the latter started by Alzeremo.exe.com.
Threat name: Win32.Trojan.Crypzip
Status: Malicious
First seen: 2021-03-29 05:15:29 UTC
AV detection: 8 of 28 (28.57%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline discovery evasion infostealer persistence spyware stealer
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Runs net.exe
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks installed software on the system
Modifies WinLogon
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Modifies RDP port number used by Windows
Modifies Windows Firewall
Grants admin privileges
RedLine
Unpacked files
SHA256 hash:
d02225930f16c81b627ce876000d478b7f9244a16be94bde85cb3963f24cc185
MD5 hash:
84377280814888b79b4c7d08dc68a153
SHA1 hash:
672ef0f0500ff294be6feab9f887638321fc0e17
SHA256 hash:
3db6a6bfd8df2b6caf66056dbbd71d62e6068efcbd14e587435ca874bdea08d8
MD5 hash:
06162e245fe9e0a15b6fa90505f25523
SHA1 hash:
dda949895e79e438d37fff523ce4ee04b1328a72
SHA256 hash:
bd9d0e1a14b4df5344feb2af166e4091fb47dc22aafcc3dbec554250459814ed
MD5 hash:
13793c9d898f8f2a5903ee4b2c64058c
SHA1 hash:
b224a0254951106490ce7967ad29843d27495b13
SHA256 hash:
41bd1c7a896dade70b5e81588a20f0737f30c8ec164990f4da3f788dc843d7d1
MD5 hash:
98c452f8557d0ed0dfc4749141741cd7
SHA1 hash:
b58efcd64c1904431ba94adbbd4e83559f9bef08
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: AutoIT_Compiled
Author: @bartblaze
Description: Identifies compiled AutoIT script (as EXE).
Rule name: INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author: ditekSHen
Description: Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name: INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Author: ditekSHen
Description: Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.
Rule name: INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Author: ditekSHen
Description: Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers.
Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detects executables with a stomped PE compilation timestamp that is greater than the local current time.
Rule name: Select_from_enumeration
Author: James_inthe_box
Description: IP and port combo
Rule name: Steam_stealer_bin_mem
Author: James_inthe_box
Description: Steam in files like avemaria

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments