MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 47c57530b5b6de027182a6e4fed09bdae9e57cebc090fb52ce948d72e75ca663. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 6


Intelligence 6 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 47c57530b5b6de027182a6e4fed09bdae9e57cebc090fb52ce948d72e75ca663
SHA3-384 hash: b19ed0ff66bd5c714fd45492710245184552656fae4f050e960e8a2741b6380306b93d196fdf4b7131d61a65b082ca59
SHA1 hash: 7af05c0be338e496552947081ad025f0e12039a5
MD5 hash: 1fd2310b128e99eefe9acfcc8c221a35
humanhash: blue-thirteen-illinois-tennessee
File name:1FD2310B128E99EEFE9ACFCC8C221A35.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'829'182 bytes
First seen:2021-06-17 20:50:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1ff847646487d56f85778df99ff3728a (4 x RedLineStealer, 3 x Gh0stRAT, 3 x Nitol)
ssdeep 49152:WC2lJmXbj5DIwbQea1LPEyK7r385JD3d6cIWhi:WzlkbFDVrQMyOr3S3d6cLhi
Threatray 3 similar samples on MalwareBazaar
TLSH 35851203B293C072D49901B505658BB64F3A7C319775D0F7AFD13AAA9D703E29B3638A
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
162.55.170.54:29785

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
162.55.170.54:29785 https://threatfox.abuse.ch/ioc/131101/

Intelligence

File Origin
# of uploads :
1
# of downloads :
150
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1FD2310B128E99EEFE9ACFCC8C221A35.exe
Verdict:
No threats detected
Analysis date:
2021-06-17 20:55:48 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4de0ccb3-21cb-43ef-9ec9-c370f9364417

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/166646/
Detection(s):
PUA.Win.Packer.Upolyx-12
Create hunting rule

MiscreantPunch.SingleXOR.EXE.7.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.BackDoor.IRC.Bot.4560.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/35c32455-34bb-43e9-bd63-1738a9636357
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
58 / 100
Link:
https://www.joesandbox.com/analysis/803957
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Connects to a pastebin service (likely for C&C)
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 436368 Sample: Hngx5CdG2D.exe Startdate: 17/06/2021 Architecture: WINDOWS Score: 58 123 vexacion.com 2->123 125 www.directdexchange.com 2->125 127 37 other IPs or domains 2->127 177 Multi AV Scanner detection for domain / URL 2->177 179 Antivirus detection for URL or domain 2->179 181 Antivirus detection for dropped file 2->181 185 6 other signatures 2->185 15 Hngx5CdG2D.exe 4 2->15         started        signatures3 183 Performs DNS queries to domains with low reputation 123->183 process4 file5 119 C:\Users\user\AppData\Local\...\lua5.1.dll, PE32 15->119 dropped 121 C:\Users\user\AppData\Local\...\irsetup.exe, PE32 15->121 dropped 18 irsetup.exe 15 15->18         started        process6 dnsIp7 129 1fichier.com 5.39.224.140, 443, 49715 DSTORAGEFR France 18->129 131 a-8.1fichier.com 5.39.224.8, 443, 49725 DSTORAGEFR France 18->131 133 pastebin.com 104.23.98.190, 443, 49714 CLOUDFLARENETUS United States 18->133 69 C:\Users\user\AppData\...\SetupB_343.exe, PE32 18->69 dropped 22 SetupB_343.exe 4 18->22         started        file8 process9 file10 81 C:\Users\user\AppData\Local\...\lua5.1.dll, PE32 22->81 dropped 83 C:\Users\user\AppData\Local\...\irsetup.exe, PE32 22->83 dropped 25 irsetup.exe 33 22->25         started        process11 dnsIp12 159 ip-api.com 208.95.112.1, 49729, 80 TUT-ASUS United States 25->159 161 www.findmemolite.com 46.101.214.246 DIGITALOCEAN-ASNUS Netherlands 25->161 163 4 other IPs or domains 25->163 93 C:\Users\user\AppData\Local\Temp\pLab.exe, PE32 25->93 dropped 95 C:\Users\user\AppData\Local\...\maskvpn.exe, PE32 25->95 dropped 97 C:\Users\user\AppData\...\installerapp.exe, PE32 25->97 dropped 99 C:\Users\user\AppData\...\WcInstaller.exe, PE32 25->99 dropped 29 pLab.exe 2 25->29         started        32 installerapp.exe 25->32         started        34 maskvpn.exe 25->34         started        file13 process14 file15 101 C:\Users\user\AppData\Local\Temp\...\pLab.tmp, PE32 29->101 dropped 36 pLab.tmp 3 19 29->36         started        103 C:\Users\user\AppData\Roaming\...\decoder.dll, PE32 32->103 dropped 105 C:\Users\user\AppData\Local\...\shi3594.tmp, PE32+ 32->105 dropped 107 C:\Users\user\AppData\Local\...\INA3371.tmp, PE32 32->107 dropped 109 C:\Users\user\AppData\Local\...\maskvpn.tmp, PE32 34->109 dropped process16 dnsIp17 137 superstationcity.com 5.196.8.173, 49731, 49746, 80 OVHFR France 36->137 73 C:\Users\user\AppData\Local\...\gucca.exe, PE32 36->73 dropped 75 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 36->75 dropped 77 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 36->77 dropped 79 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 36->79 dropped 40 gucca.exe 20 20 36->40         started        file18 process19 dnsIp20 153 rep.pe-wok.biz 40->153 155 cor-tips.com 198.54.116.159, 49735, 80 NAMECHEAP-NETUS United States 40->155 157 5 other IPs or domains 40->157 85 C:\Users\user\AppData\...\SHinabifapae.exe, PE32 40->85 dropped 87 C:\Program Files (x86)\...\Cezhocedury.exe, PE32 40->87 dropped 89 C:\Users\user\...\SHinabifapae.exe.config, XML 40->89 dropped 91 3 other files (1 malicious) 40->91 dropped 187 Detected unpacking (overwrites its own PE header) 40->187 45 Pogypobygi.exe 40->45         started        48 SHinabifapae.exe 40->48         started        51 prolab.exe 40->51         started        file21 signatures22 process23 dnsIp24 165 192.168.2.1 unknown unknown 45->165 167 connectini.net 45->167 54 iexplore.exe 45->54         started        57 iexplore.exe 45->57         started        59 iexplore.exe 45->59         started        64 20 other processes 45->64 169 d.jumpstreetboys.com 172.67.222.38 CLOUDFLARENETUS United States 48->169 171 reportyuwt4sbackv97qarke3.com 48->171 173 connectini.net 48->173 175 Creates HTML files with .exe extension (expired dropper behavior) 48->175 71 C:\Users\user\AppData\Local\...\prolab.tmp, PE32 51->71 dropped 61 prolab.tmp 51->61         started        file25 signatures26 process27 dnsIp28 139 www.directdexchange.com 54->139 149 2 other IPs or domains 54->149 141 www.cloud-security.xyz 57->141 143 cloud-security.xyz 57->143 145 www.directdexchange.com 59->145 147 directdexchange.com 59->147 111 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 61->111 dropped 113 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 61->113 dropped 115 C:\Program Files (x86)\...\is-UQ32K.tmp, PE32 61->115 dropped 117 8 other files (none is malicious) 61->117 dropped 151 18 other IPs or domains 64->151 66 iexplore.exe 64->66         started        file29 process30 dnsIp31 135 www.profitabletrustednetwork.com 192.243.59.12, 443, 49754, 49755 ADVANCEDHOSTERS-ASNL Dominica 66->135
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/47c57530b5b6de027182a6e4fed09bdae9e57cebc090fb52ce948d72e75ca663/
Threat name:
Win32.Trojan.Bingoml
Create hunting rule
Status:
Malicious
First seen:
2021-06-15 02:15:00 UTC
AV detection:
15 of 29 (51.72%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=i7cxkmfvw3pae4mcu3sp5ue33lu6k7hlycipwuwossgxfz24uzrq._file
Verdict:
unknown
Similar samples:
1d452b5f3e5d2b6623d0ca35793dfc051e1bf8b237e360906ed055e819235604
RedLineStealer
5c393e03afee6dff3591edb1b4461a4f0228cd1c8fe969f87d083a96406e85ee
RedLineStealer
d3c87bbd2121958c5beb20738999cf1d6938237d92fd98d19ba0bda2effde25a
RedLineStealer
Result
Malware family:
n/a
Score:
  8/10
Tags:
upx
Link:
https://tria.ge/reports/210617-zhadyddata/
Behaviour
Modifies Internet Explorer settings
Modifies system certificate store
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Executes dropped EXE
UPX packed file
Unpacked files
SH256 hash:
eccd29320cba73fc4ce37155d56e8cfc588de20dc39c9921372d2d386fb8ffc7
MD5 hash:
bbc401ffa1e86f961f9fb7733a9e566f
SHA1 hash:
cbc4b56440899e4280851792611e37ca390a2c8d
Link:
https://www.unpac.me/results/848253de-e23d-4234-8f3f-bf2bd118d5bb/
SH256 hash:
c3f051fdc89bba65156a1f0b0c6bcd9dd7950ff851ed8338e842ad1d89534c48
MD5 hash:
6e8174db90c85a6c871510c2ec49c3f9
SHA1 hash:
01d1ea3fceaae1eef1034e230c1924eba645a7ee
Link:
https://www.unpac.me/results/848253de-e23d-4234-8f3f-bf2bd118d5bb/
SH256 hash:
47c57530b5b6de027182a6e4fed09bdae9e57cebc090fb52ce948d72e75ca663
MD5 hash:
1fd2310b128e99eefe9acfcc8c221a35
SHA1 hash:
7af05c0be338e496552947081ad025f0e12039a5
Link:
https://www.unpac.me/results/848253de-e23d-4234-8f3f-bf2bd118d5bb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/47c57530b5b6de027182a6e4fed09bdae9e57cebc090fb52ce948d72e75ca663

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/166646/

Comments