MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 47b989b710739b1c88408ca9bf1b4e833cdab68b4c205c5bcbd94bec501c9b80. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 5 YARA 15 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 47b989b710739b1c88408ca9bf1b4e833cdab68b4c205c5bcbd94bec501c9b80
SHA3-384 hash: 095fe8122c2579a0d38d07891f0b8ab0290bebf7fb8c6867f7475dcd2636c03bd2c606df34ff5c356c8f9290d9f24b68
SHA1 hash: 0582e854f5a685ef707f562fd6855897bb8a259b
MD5 hash: 84d7fc6978ca74c42913acdf24acc31d
humanhash: ceiling-mars-pizza-twelve
File name:84D7FC6978CA74C42913ACDF24ACC31D.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:337'408 bytes
First seen:2021-06-11 06:16:16 UTC
Last seen:2021-06-11 06:54:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d475ea6390829c1ee7e2c04a87d09521 (1 x RedLineStealer)
ssdeep 6144:ZYhdV090oVOOeHWyLISCaaHgjhlHw6nNzrcBAn/zICAOuT29H7FlZn4V:ChdV090oVOOe2FSfaHgjhlPNvsTY7LZ+
Threatray 746 similar samples on MalwareBazaar
TLSH 1F746B11B692C036D1B141321A78AFB685BDB9295F7106DB63C40F6EDD306D2AA31F3B
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
104.21.2.30:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://morsen04.top/index.php https://threatfox.abuse.ch/ioc/85864/
http://olmyad42.top/index.php https://threatfox.abuse.ch/ioc/85865/
104.21.2.30:80 https://threatfox.abuse.ch/ioc/87999/
193.110.3.160:80 https://threatfox.abuse.ch/ioc/88461/
172.67.128.165:80 https://threatfox.abuse.ch/ioc/89410/

Intelligence

File Origin
# of uploads :
2
# of downloads :
145
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
84D7FC6978CA74C42913ACDF24ACC31D.exe
Verdict:
No threats detected
Analysis date:
2021-06-11 06:34:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/29f00663-7123-4c48-9fca-83fb6911d200

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/166011/
Detection(s):
SecuriteInfo.com.Variant.Adware.Zusy.189851.2855.13919.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% subdirectories
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Creating a file
Sending an HTTP POST request
Creating a window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Delayed reading of the file
Creating a file in the Program Files subdirectories
Deleting a recently created file
Creating a process with a hidden window
Searching for the window
Creating a file in the Windows subdirectories
Launching a process
Sending a UDP request
Reading critical registry keys
Connecting to a non-recommended domain
Connection attempt
Blocking the Windows Defender launch
Unauthorized injection to a recently created process
Sending a TCP request to an infection source
Enabling autorun by creating a file
Sending an HTTP GET request to an infection source
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a7cb8e25-273b-4d4c-a0ab-bd9d448fef57
Result
Threat name:
RedLine Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/800655
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
Detected VMProtect packer
Drops PE files to the document folder of the user
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sigma detected: Suspicious Double Extension
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 433048 Sample: c71fd2gJus.exe Startdate: 11/06/2021 Architecture: WINDOWS Score: 100 125 1.1.1.1 CLOUDFLARENETUS Australia 2->125 169 Found malware configuration 2->169 171 Antivirus detection for URL or domain 2->171 173 Antivirus detection for dropped file 2->173 175 14 other signatures 2->175 13 c71fd2gJus.exe 1 2->13         started        signatures3 process4 process5 15 c71fd2gJus.exe 3 33 13->15         started        dnsIp6 157 208.95.112.1 TUT-ASUS United States 15->157 159 82.208.85.146 ROSTELECOM-ASRU Russian Federation 15->159 161 6 other IPs or domains 15->161 63 C:\Users\user\AppData\...\Setup3310[1].exe, PE32 15->63 dropped 65 C:\Users\user\AppData\...\Launcher.exe, PE32 15->65 dropped 67 C:\Users\user\AppData\Local\...\installer.exe, PE32 15->67 dropped 69 2 other files (none is malicious) 15->69 dropped 19 Setup3310.exe 2 15->19         started        file7 process8 file9 71 C:\Users\user\AppData\Local\...\Setup3310.tmp, PE32 19->71 dropped 22 Setup3310.tmp 3 14 19->22         started        process10 dnsIp11 127 142.250.180.225 GOOGLEUS United States 22->127 129 142.250.180.238 GOOGLEUS United States 22->129 131 3 other IPs or domains 22->131 73 C:\Users\user\AppData\...\itdownload.dll, PE32 22->73 dropped 75 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 22->75 dropped 77 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 22->77 dropped 79 C:\Users\user\AppData\Local\...\Setup.exe, PE32 22->79 dropped 26 Setup.exe 14 14 22->26         started        file12 process13 file14 81 C:\Program Files (x86)\...\lylal220.exe, PE32 26->81 dropped 83 C:\Program Files (x86)\...\hjjgaa.exe, PE32 26->83 dropped 85 C:\Program Files (x86)\...\guihuali-game.exe, PE32 26->85 dropped 87 4 other files (3 malicious) 26->87 dropped 29 Cube_WW.exe 26->29         started        33 RunWW.exe 85 26->33         started        36 LabPicV3.exe 26->36         started        38 3 other processes 26->38 process15 dnsIp16 145 136.144.41.133 WORLDSTREAMNL Netherlands 29->145 147 136.144.41.201 WORLDSTREAMNL Netherlands 29->147 155 7 other IPs or domains 29->155 107 C:\Users\user\Documents\setup_2.exe, PE32 29->107 dropped 109 C:\Users\user\Documents\ner.exe, PE32 29->109 dropped 111 C:\Users\user\Documents\jooyu.exe, PE32 29->111 dropped 119 51 other files (22 malicious) 29->119 dropped 40 10_6_r_net.exe 29->40         started        44 setup_2.exe 29->44         started        47 google-game.exe 29->47         started        59 5 other processes 29->59 149 159.69.20.131 HETZNER-ASDE Germany 33->149 151 74.114.154.18 AUTOMATTICUS Canada 33->151 121 12 other files (none is malicious) 33->121 dropped 163 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 33->163 165 Tries to harvest and steal browser information (history, passwords, etc) 33->165 167 Tries to steal Crypto Currency Wallets 33->167 113 C:\Users\user\AppData\Local\...\LabPicV3.tmp, PE32 36->113 dropped 49 LabPicV3.tmp 36->49         started        153 31.13.92.36 FACEBOOKUS Ireland 38->153 115 C:\Users\user\AppData\...\jfiag3g_gg.exe, PE32 38->115 dropped 117 C:\Users\user\AppData\Local\...\lylal220.tmp, PE32 38->117 dropped 123 2 other files (none is malicious) 38->123 dropped 51 lylal220.tmp 38->51         started        53 conhost.exe 38->53         started        55 jfiag3g_gg.exe 38->55         started        57 rundll32.exe 38->57         started        file17 signatures18 process19 dnsIp20 133 217.107.34.191 RTCOMM-ASRU Russian Federation 40->133 177 Sample uses process hollowing technique 40->177 179 Injects a PE file into a foreign processes 40->179 135 45.77.178.25 AS-CHOOPAUS United States 44->135 89 C:\Users\user\AppData\Local\...\Login Data1, SQLite 44->89 dropped 181 Tries to harvest and steal browser information (history, passwords, etc) 44->181 91 C:\Users\user\AppData\...\vcruntime140.dll, PE32+ 47->91 dropped 93 C:\Users\user\AppData\...\pingsender.exe, PE32+ 47->93 dropped 95 C:\Users\user\AppData\...\IA2Marshal.dll, PE32+ 47->95 dropped 137 198.54.116.159 NAMECHEAP-NETUS United States 49->137 97 C:\Users\user\AppData\...\_____________.exe, PE32 49->97 dropped 103 3 other files (none is malicious) 49->103 dropped 61 _____________.exe 49->61         started        139 192.168.2.1 unknown unknown 51->139 99 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 51->99 dropped 105 3 other files (none is malicious) 51->105 dropped 141 88.218.92.148 ENZUINC-US Netherlands 59->141 143 47.254.169.135 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC United States 59->143 101 C:\Users\user\AppData\Local\...\null[1], PE32 59->101 dropped file21 signatures22 process23
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/47b989b710739b1c88408ca9bf1b4e833cdab68b4c205c5bcbd94bec501c9b80/
Threat name:
Win32.Adware.OxyPumper
Create hunting rule
Status:
Malicious
First seen:
2021-06-08 01:38:35 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=i64ytnyqoonrzccarsu36g2oqm6nvnuljqqfyw6l3ff6yua4toaa._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
34eea6a07ea67c590471581473b4a17d5ac8214e1ec94464af43fb2ce7334808
RedLineStealer
3ec8d6d1645881d59332953e0da03a3207d34f985dd88e975ca8bf65fb7cc3c1
RedLineStealer
418c5fa990720936d23f83e5bd72b11d4bbf045b33e60efe09e28aa074eac424
RedLineStealer
4ae0156d1ccca584c5ed35708b150e0649cd470f5b192653a578c215e5118c08
RedLineStealer
604d21a93ab88cdc9d0b609e73766a13e5959644eb35c7bc4fa8967378846004
RedLineStealer
864ef1321215c0dad7c8677e3c18942b111468c63358475baa71fb1679c25096
RedLineStealer
8aa1689d6acacf9f2eb2603db52dc5908e1ec5d80000deec13e2e038c2883413
RedLineStealer
a28956c03af41c83a80a84889bd4b2528c3842f14ca44d7c2d3362cbaa036b8d
RedLineStealer
cb3c387163302fbf8ddb4c13e9d786c1070a4185a74bdd3faebd1649d02b2b30
RedLineStealer
ff4a3e44fcd1cfbbf10ac318aca7559e0c20d0563e11e8a98e21e09e97ca68d3
RedLineStealer
+ 736 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:plugx family:redline family:vidar botnet:10_6_r botnet:test discovery evasion infostealer persistence spyware stealer trojan upx vmprotect
Link:
https://tria.ge/reports/210611-m1rl4yscbx/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs ping.exe
Script User-Agent
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
UPX packed file
VMProtect packed file
Checks for common network interception software
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
PlugX
RedLine
RedLine Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
bynthori.xyz:80
qurigoraka.xyz:80
Unpacked files
SH256 hash:
47b989b710739b1c88408ca9bf1b4e833cdab68b4c205c5bcbd94bec501c9b80
MD5 hash:
84d7fc6978ca74c42913acdf24acc31d
SHA1 hash:
0582e854f5a685ef707f562fd6855897bb8a259b
Link:
https://www.unpac.me/results/71cca058-69bd-4e77-b8e4-6567a91835df/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/47b989b710739b1c88408ca9bf1b4e833cdab68b4c205c5bcbd94bec501c9b80

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:INDICATOR_SUSPICOIUS_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:pe_imphash
Create hunting rule
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload
Rule name:win_vidar_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/166011/

Comments