MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 47f0cc37525d34a5c36724e81ee48d4854e5504f5c58bf7591ea92ed9cbf1933. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 8 File information Comments

SHA256 hash:	47f0cc37525d34a5c36724e81ee48d4854e5504f5c58bf7591ea92ed9cbf1933
SHA3-384 hash:	2052122f1e47af530b0ebd1b64af26be0a50504a7275346b03367a9cf07be87fe2e16f59cd0d76f0921e1a9900119f32
SHA1 hash:	854a925793e40033ebf6bed75a45ddf3c56aa156
MD5 hash:	1320f08291b91ad305d0355c222b34e7
humanhash:	spring-grey-hydrogen-august
File name:	854a925793e40033ebf6bed75a45ddf3c56aa156.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	596'702 bytes
First seen:	2021-06-08 07:09:39 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b8494300a1f7342d4c600a7b12e15925 (3 x RedLineStealer, 3 x RemoteManipulator, 1 x njrat)
ssdeep	12288:1XmwRo+mv8QD4+0N46rNNQ57kekvu5q+m7M5DzZnQoizZU+NWKEo:1X48QE+UVEwvu5q2nQZZ3WKB
Threatray	90 similar samples on MalwareBazaar
TLSH	92C4F235A6414577D0620A36884BD376F83ABB002B3C55CF76DE0A2C9D3375A3E792DA
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
162.55.55.250:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
162.55.55.250:80	https://threatfox.abuse.ch/ioc/67974/

Intelligence

File Origin

# of uploads :

# of downloads :

162

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

main_setup_x86x64.exe

Verdict:

Malicious activity

Analysis date:

2021-06-06 00:41:56 UTC

Tags:

trojan evasion opendir loader rat redline stealer raccoon phishing netsupport unwanted danabot

Link:

https://app.any.run/tasks/3d4e5ae0-e057-4f62-88b8-eb8c7f044dea

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/165223/

Detection(s):

PUA.Win.Adware.Slugin-6840354-0

SecuriteInfo.com.Filecoder.I.dropper.22548.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Delayed reading of the file

Creating a file in the %temp% subdirectories

Creating a file in the Program Files subdirectories

Deleting a recently created file

Creating a process from a recently created file

Searching for the window

Sending a UDP request

DNS request

Sending an HTTP GET request

Changing a file

Creating a file

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

RedLine

Detection:

suspicious

Classification:

troj.evad

Score:

38 / 100

Link:

https://www.joesandbox.com/analysis/798578

Signature

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/47f0cc37525d34a5c36724e81ee48d4854e5504f5c58bf7591ea92ed9cbf1933/

Threat name:

Win32.Trojan.Vigorf

Status:

Malicious

First seen:

2021-06-03 20:00:00 UTC

AV detection:

21 of 28 (75.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=i7ymyn2slu2klq3hetub5zenjbkokucplrml65mr5kjo3hf7dezq._file

Verdict:

malicious

RedLineStealer

2c44f7515715ebafdc7bb8cf40adf36adce1e1bf7fd2555d56427a6d73a850d8

RedLineStealer

4139739d5bfa8330e095a68c658040fb42c75cde651e3baa8afafb4fc557b202

RedLineStealer

4564033ca316b31e192f8dcfca9743756ebfe554c43e952924c4ef6581ef9e15

RedLineStealer

48c1378f5e48ec365691bf3cf9c44f381e181c0e669df0169ff057c2cf8917f8

RedLineStealer

8aa1689d6acacf9f2eb2603db52dc5908e1ec5d80000deec13e2e038c2883413

RedLineStealer

a4c57df59f0c85eebcb7b40263d8c3de037f41b7d2d43b6d34e7baf72a2e1448

RedLineStealer

cf1a8304da78b6286a412d33ef3e0390949eb83e5b08ad63c006ed578d5d4c95

RedLineStealer

e13ba9f6e63e4013b75c3d45b012d8cbdda80913669bdd10942828b05d66e798

RedLineStealer

ea077019bc7eed24cd45cf0e7b78d8a90ee8a7b8e6a7c7e994d1f62954d00c39

RedLineStealer

+ 80 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:posh_test discovery evasion infostealer trojan upx

Link:

https://tria.ge/reports/210608-q2zyfmm2je/

Behaviour

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Drops file in Program Files directory

Suspicious use of SetThreadContext

Checks installed software on the system

Checks whether UAC is enabled

Loads dropped DLL

Executes dropped EXE

UPX packed file

RedLine

RedLine Payload

Malware Config

C2 Extraction:

ullerolaru.xyz:80

Unpacked files

SH256 hash:

e09e1466987e4712be269afcfa351778b6e4013ba8353cd8739c37f8ef5da447

MD5 hash:

3d8768c972bfe236cc495ae92712b33b

SHA1 hash:

707807e94f5152285b5678df957b41645991f8b2

Link:

https://www.unpac.me/results/b7a6e6d0-50da-46b3-9fd7-f7969edb7763/

SH256 hash:

32d193934b9ca9e73cb5e72bde51a3bf4369442fd7c8a347fb573297633741ef

MD5 hash:

d54266f0b4d11e16043b2a9c28436d2f

SHA1 hash:

374dcf91616c7a654d89a780f2262dbeb52ee362

Link:

https://www.unpac.me/results/b7a6e6d0-50da-46b3-9fd7-f7969edb7763/

SH256 hash:

47f0cc37525d34a5c36724e81ee48d4854e5504f5c58bf7591ea92ed9cbf1933

MD5 hash:

1320f08291b91ad305d0355c222b34e7

SHA1 hash:

854a925793e40033ebf6bed75a45ddf3c56aa156

Link:

https://www.unpac.me/results/b7a6e6d0-50da-46b3-9fd7-f7969edb7763/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/47f0cc37525d34a5c36724e81ee48d4854e5504f5c58bf7591ea92ed9cbf1933

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekshen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	redline_stealer Create hunting rule
Author:	jeFF0Falltrades
Description:	This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)

Rule name:	Select_from_enumeration Create hunting rule
Author:	James_inthe_box
Description:	IP and port combo

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Steam_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Steam in files like avemaria

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/165223/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample