MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48b3f374c95239bd35e8ca86deb5b8e5339b66ff390ad60ee3efc10b9cc026c4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 48b3f374c95239bd35e8ca86deb5b8e5339b66ff390ad60ee3efc10b9cc026c4
SHA3-384 hash: c492e893d3b74f4d5ba68238c7599dcbc3896873e553a731aa56548b81e65b3ebefe79afbd109dd070ecda8fe6752a4c
SHA1 hash: 3264b5a3a64d2747029adc01a5ae49a90c39945d
MD5 hash: a647822ceb2f2d0c7cb64239ca787007
humanhash: india-oregon-ten-leopard
File name:a647822ceb2f2d0c7cb64239ca787007.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:31'984'277 bytes
First seen:2021-11-25 05:56:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 29b61e5a552b3a9bc00953de1c93be41 (174 x Formbook, 82 x AgentTesla, 81 x Loki)
ssdeep 786432:Cu0+uyYB9X9TuImariCicXqwOjBV6Jpbq6JE/MzwlXEEj/:ayYfX9qNqlXqwwB0mkFMn
Threatray 25 similar samples on MalwareBazaar
TLSH T1F16733E79D02E92DE13505BF483FE5E25EBA6CAE401E3AC00E6784D360AF42D2E17557
File icon (PE):PE icon
dhash icon ad69d9c949656dd4 (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
185.118.165.79:61909

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.118.165.79:61909 https://threatfox.abuse.ch/ioc/254307/

Intelligence

File Origin
# of uploads :
1
# of downloads :
200
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a647822ceb2f2d0c7cb64239ca787007.exe
Verdict:
No threats detected
Analysis date:
2021-11-25 05:58:44 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3c5e25c8-c696-4577-9967-c758b5452859

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a window
DNS request
Sending a custom TCP request
Creating a process with a hidden window
Changing a file
Launching a process
Creating a file in the Windows subdirectories
Moving a file to the %temp% directory
Creating a file
Unauthorized injection to a recently created process
Blocking the User Account Control
Setting a single autorun event
Unauthorized injection to a system process
Enabling autorun by creating a file
Adding exclusions to Windows Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
donut overlay packed
Link:
https://www.filescan.io/uploads/619f25b2f36138de3f3b9d1f/reports/e1fb029e-2051-4157-81e5-4ec7b9fbc372/overview
Result
Verdict:
MALICIOUS
Result
Threat name:
RedLine Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/895890
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Creates a thread in another existing process (thread injection)
Creates an autostart registry key pointing to binary in C:\Windows
Disables UAC (registry)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Bypass UAC via CMSTP
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Svchost Process
Sigma detected: Xmrig
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected RedLine Stealer
Yara detected UAC Bypass using CMSTP
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 528368 Sample: Ai7wdxvMOs.exe Startdate: 25/11/2021 Architecture: WINDOWS Score: 100 83 pool.hashvault.pro 2->83 87 Sigma detected: Xmrig 2->87 89 Malicious sample detected (through community Yara rule) 2->89 91 Antivirus detection for dropped file 2->91 93 15 other signatures 2->93 10 Ai7wdxvMOs.exe 10 2->10         started        13 svchost.exe 2->13         started        16 svchost.exe 2->16         started        18 8 other processes 2->18 signatures3 process4 file5 75 C:\Users\...75umify 4.02v Leads Generator.exe, PE32+ 10->75 dropped 77 C:\Users\user\AppData\Local\Temp\123.exe, PE32 10->77 dropped 20 123.exe 4 6 10->20         started        24 Numify 4.02v Leads Generator.exe 10->24         started        79 C:\Windows\Temp\r2cexi45.inf, Windows 13->79 dropped 131 Multi AV Scanner detection for dropped file 13->131 133 Adds a directory exclusion to Windows Defender 13->133 135 Changes security center settings (notifications, updates, antivirus, firewall) 16->135 81 C:\Windows\Temp\deib504j.inf, Windows 18->81 dropped signatures6 process7 file8 71 C:\Windows\Cursors\blazes\svchost.exe, PE32 20->71 dropped 73 2b4269160ad4493eaf...c8ba0b55.tmp (copy), PE32 20->73 dropped 95 Multi AV Scanner detection for dropped file 20->95 97 Creates an autostart registry key pointing to binary in C:\Windows 20->97 99 Writes to foreign memory regions 20->99 105 4 other signatures 20->105 26 AddInProcess32.exe 20->26         started        30 powershell.exe 20->30         started        32 powershell.exe 20->32         started        37 2 other processes 20->37 101 Allocates memory in foreign processes 24->101 103 Creates a thread in another existing process (thread injection) 24->103 34 conhost.exe 4 24->34         started        signatures9 process10 dnsIp11 85 185.118.165.79, 49722, 49763, 61909 CHELYABINSK-SIGNAL-ASRU Russian Federation 26->85 115 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 26->115 117 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 26->117 119 Tries to harvest and steal browser information (history, passwords, etc) 26->119 121 Tries to steal Crypto Currency Wallets 26->121 39 conhost.exe 30->39         started        41 conhost.exe 32->41         started        69 C:\Windows\System32\services64.exe, PE32+ 34->69 dropped 123 Adds a directory exclusion to Windows Defender 34->123 43 cmd.exe 34->43         started        46 cmd.exe 1 34->46         started        48 cmd.exe 34->48         started        50 conhost.exe 37->50         started        52 conhost.exe 37->52         started        file12 signatures13 process14 signatures15 125 Drops executables to the windows directory (C:\Windows) and starts them 43->125 54 services64.exe 43->54         started        57 conhost.exe 43->57         started        127 Uses schtasks.exe or at.exe to add and modify task schedules 46->127 129 Adds a directory exclusion to Windows Defender 46->129 59 powershell.exe 22 46->59         started        61 conhost.exe 46->61         started        63 powershell.exe 46->63         started        65 conhost.exe 48->65         started        67 schtasks.exe 48->67         started        process16 signatures17 107 Antivirus detection for dropped file 54->107 109 Writes to foreign memory regions 54->109 111 Allocates memory in foreign processes 54->111 113 Creates a thread in another existing process (thread injection) 54->113
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Donut
Create hunting rule
Status:
Malicious
First seen:
2021-11-21 15:54:00 UTC
File Type:
PE (Exe)
Extracted files:
9
AV detection:
24 of 45 (53.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jcz7g5gjki432npizkdn5nny4uzzwzx7hefnmdxd57aqxhgae3ca._file
Verdict:
malicious
Similar samples:
176d2404c4d760523a609289c6d7e6c4398a1a738930d505fb3c029972f1f1ce
RedLineStealer
2f8571d423e2af665fecf616c284491982acd4d3ab59a4ceb0790fa713266376
RedLineStealer
48b3f374c95239bd35e8ca86deb5b8e5339b66ff390ad60ee3efc10b9cc026c4
RedLineStealer
4d791f4e9af710f39f7f42df9db2945ad95d88d233297eae85363a7bf3e01ca6
RedLineStealer
5940fd97a28d3ee232155231fe70af70be462aa144d0b625470fe46a01a3bd1b
RedLineStealer
5b5eab7a12fdfc6cc39e39193b7a9020ee46e72acac70033236ef9b6b2da32c7
RedLineStealer
5ef8714caf9c7296847b67b27edb93c3aec23d7e77b57d23d0e8607d707a2c49
RedLineStealer
6c90f16a6932be921cbb44b9e4531cf36e5ded6d5dd0016c4309a56ab8a96461
RedLineStealer
85d879be258470ed22d55bb6fda8be5d0b7d480c23d95b252516e85ccad2fec4
RedLineStealer
94505318bde41275a8eda927ef9a844bd200ff9e9f9d81badcac37e303a1e74b
RedLineStealer
+ 15 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:redline family:xmrig evasion infostealer miner persistence spyware trojan
Link:
https://tria.ge/reports/211125-gnlnssedcj/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks whether UAC is enabled
Loads dropped DLL
Windows security modification
Executes dropped EXE
XMRig Miner Payload
RedLine
RedLine Payload
UAC bypass
Windows security bypass
xmrig
Malware Config
C2 Extraction:
185.118.165.79:61909
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/48b3f374c952/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.87
Link:
https://yomi.yoroi.company/submissions/48b3f374c95239bd35e8ca86deb5b8e5339b66ff390ad60ee3efc10b9cc026c4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_CoinMiner02
Create hunting rule
Author:ditekSHen
Description:Detects coinmining malware
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MAL_XMR_Miner_May19_1
Create hunting rule
Author:Florian Roth
Description:Detects Monero Crypto Coin Miner
Reference:https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Rule name:MAL_XMR_Miner_May19_1_RID2E1B
Create hunting rule
Author:Florian Roth
Description:Detects Monero Crypto Coin Miner
Reference:https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Rule name:Netwalker
Create hunting rule
Author:Marius 'f0wL' Genheimer <hello@dissectingmalwa.re>
Description:Detects Netwalker Ransomware
Reference:https://github.com/f0wl/configwalker
Rule name:pe_imphash
Create hunting rule
Rule name:rig_win64_xmrig_6_13_1_xmrig
Create hunting rule
Author:yarGen Rule Generator
Description:rig_win64 - file xmrig.exe
Reference:https://github.com/Neo23x0/yarGen
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:XOREngine_Misc_XOR_Func
Create hunting rule
Author:smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description:Use with care, https://twitter.com/cyb3rops/status/1237042104406355968

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments