MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4cfbdd8acdc923beeca12d94f06d2f1632765434a2087df7ac803c254a0adf9c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4cfbdd8acdc923beeca12d94f06d2f1632765434a2087df7ac803c254a0adf9c
SHA3-384 hash: 77a6caf52f49d14e975ebb771167ce1f8b073b066f34476af5db6d79a9378b08a3f4ee186f55384f46eaa2ab2d2e2ebb
SHA1 hash: e7334de04c18c241a091c3327cdcd56e85cc6baf
MD5 hash: 05a0baf55450d99cb0fa0ee652e2cd0c
humanhash: lima-friend-alpha-early
File name:e7334de04c18c241a091c3327cdcd56e85cc6baf.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'800'704 bytes
First seen:2021-09-14 20:36:16 UTC
Last seen:2022-07-23 02:33:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9589ad8837113b4b31a6a8a07cbda1f9 (1 x RaccoonStealer, 1 x RedLineStealer)
ssdeep 49152:RDIXBR/L3s76UeTUDBzrVxbMyh9bkfHV7JVIGrl:Rk3/L3sWneVrPoyLof17JSM
Threatray 296 similar samples on MalwareBazaar
TLSH T1DE850264F300A8B2DAFA163191DD9A7444A93F713F31A0AFFB84365C4F726C65131A9B
dhash icon f0d8b06969e0e8f0 (3 x DiamondFox, 2 x RaccoonStealer, 2 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
144.76.112.41:26462

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
144.76.112.41:26462 https://threatfox.abuse.ch/ioc/221922/

Intelligence

File Origin
# of uploads :
2
# of downloads :
147
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1DF01AE4F663BBB5BDC2ABB2D68A1348.exe
Verdict:
Malicious activity
Analysis date:
2021-08-29 14:01:49 UTC
Tags:
trojan evasion stealer vidar opendir rat redline loader raccoon
Link:
https://app.any.run/tasks/42b8bb14-c22a-44a5-9b05-f0c606ac707d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/187916/
Detection(s):
Win.Trojan.Dropperx-9888348-0
Create hunting rule

Win.Malware.Zusy-9892604-0
Create hunting rule

Win.Trojan.Zusy-9892636-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug anti-vm packed
Link:
https://www.filescan.io/uploads/617512159a5a1e91c5d2016e/reports/5709aafb-61f2-4e22-818b-88db3c1ffe12/overview
Malware family:
Bsymem
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/92861d0f-24ae-4571-bfd4-e5a715a0f716
Result
Threat name:
Glupteba Metasploit Raccoon RedLine Smok
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/850965
Signature
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell Defender Exclusion
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file access)
Yara detected Glupteba
Yara detected Metasploit Payload
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 483396 Sample: XbvAoRKnFm.exe Startdate: 14/09/2021 Architecture: WINDOWS Score: 100 49 208.95.112.1 TUT-ASUS United States 2->49 51 46.8.29.181 TEAM-HOSTASRU Russian Federation 2->51 53 10 other IPs or domains 2->53 75 Multi AV Scanner detection for domain / URL 2->75 77 Antivirus detection for URL or domain 2->77 79 Multi AV Scanner detection for dropped file 2->79 81 19 other signatures 2->81 7 XbvAoRKnFm.exe 4 65 2->7         started        signatures3 process4 dnsIp5 55 37.0.10.214 WKD-ASIE Netherlands 7->55 57 37.0.10.244 WKD-ASIE Netherlands 7->57 59 8 other IPs or domains 7->59 23 C:\Users\...\zk7Cfr4bIV_VSsnx0WcczaFg.exe, PE32 7->23 dropped 25 C:\Users\...\zMbpE9MRTjC90ndqzbJLJ54a.exe, PE32 7->25 dropped 27 C:\Users\...\wFQAUDHMOBw56VwD8FLPqrMR.exe, PE32 7->27 dropped 29 45 other files (23 malicious) 7->29 dropped 83 Detected unpacking (creates a PE file in dynamic memory) 7->83 85 Drops PE files to the document folder of the user 7->85 87 Disable Windows Defender real time protection (registry) 7->87 12 wFQAUDHMOBw56VwD8FLPqrMR.exe 81 7->12         started        17 CrViwGvnj2i8rtCx80g2M3as.exe 7->17         started        19 513L8VOvIg7EGxit0bjWwSTz.exe 7->19         started        21 5 other processes 7->21 file6 signatures7 process8 dnsIp9 61 94.158.245.117 MIVOCLOUDMD Moldova Republic of 12->61 63 195.201.225.248 HETZNER-ASDE Germany 12->63 45 59 other files (none is malicious) 12->45 dropped 89 Detected unpacking (changes PE section rights) 12->89 91 Detected unpacking (overwrites its own PE header) 12->91 93 Tries to steal Mail credentials (via file access) 12->93 95 Contains functionality to steal Internet Explorer form passwords 12->95 65 116.203.165.54 HETZNER-ASDE Germany 17->65 67 74.114.154.22 AUTOMATTICUS Canada 17->67 69 192.168.2.1 unknown unknown 17->69 31 C:\Users\user\AppData\...\vcruntime140[1].dll, PE32 17->31 dropped 33 C:\Users\user\AppData\...\freebl3[1].dll, PE32 17->33 dropped 35 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 17->35 dropped 47 9 other files (none is malicious) 17->47 dropped 97 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->97 99 Tries to harvest and steal browser information (history, passwords, etc) 17->99 101 Tries to steal Crypto Currency Wallets 17->101 71 149.154.167.99 TELEGRAMRU United Kingdom 19->71 73 162.159.135.233 CLOUDFLARENETUS United States 19->73 37 C:\Users\...\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe, PE32 19->37 dropped 39 C:\...\PowerControl_Svc.exe, PE32 19->39 dropped 41 C:\Users\user\AppData\...\Cube_WW14[1].bmp, PE32 19->41 dropped 103 Drops PE files to the document folder of the user 19->103 43 C:\Users\...\pidHTSIGEi8DrAmaYu9K8ghN89.dll, PE32+ 21->43 dropped 105 Injects a PE file into a foreign processes 21->105 file10 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4cfbdd8acdc923beeca12d94f06d2f1632765434a2087df7ac803c254a0adf9c/
Threat name:
Win32.Trojan.Glupteba
Create hunting rule
Status:
Malicious
First seen:
2021-08-23 23:51:30 UTC
AV detection:
22 of 25 (88.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jt553cwnzer353fbfwkpa3jpcyzhmvbuuieh355mqa6cksqk36oa._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
24073b2c9d79f2505f93c77c1e06f6a0b7b44efe3a26e58e99ecb239566cb201
RedLineStealer
3bfa0b763724da5383365a116fde4a9cc1a1932b0f8bd4ba30807386e2b888e6
RedLineStealer
40507efbaa22e1db92c98d29ede1cdb9f68dcca04bf9558fe96e90ed18e847c1
RedLineStealer
5d02823347e5eed62fc726832e4044731b5ae02167106e92d3dbd5848f9fba42
RedLineStealer
60cc9eee3e5c35b67498092c33e30735304e8da670e1c6838f181578b30badf2
RedLineStealer
7600aa65af2e0c32f0471192312b18184c708e72d0eb9af7be927f210dc7ca12
RedLineStealer
b19abbca0a9e526093ea103daa869ec70c1163b7c80844c6be7cd684be26bda7
RedLineStealer
b7d6313abaa9157a215b0c3a952068bad014c490f359becab0b55c7e01885034
RedLineStealer
d5bc83c6fef7c7dffe1ed4475bcbfda29d96dfb53b560c545cf7b7c29b639591
RedLineStealer
e8c32e157a66fe9ec15372df53785ef878ae8869231ff57d170a5a1f6e609948
RedLineStealer
+ 286 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:metasploit family:raccoon family:redline family:smokeloader family:socelars family:vidar botnet:149ruz botnet:3k_tipa botnet:937 botnet:a16e26e8e3bbf05aad922e6691134b0795801b32 backdoor dropper evasion infostealer loader stealer suricata themida trojan
Link:
https://tria.ge/reports/210914-zd5m2abcfk/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Contains code to disable Windows Defender
Glupteba
Glupteba Payload
MetaSploit
Modifies Windows Defender Real-time Protection settings
Raccoon
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
suricata: ET MALWARE Known Sinkhole Response Header
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Malware Config
C2 Extraction:
ieleishark.xyz:80
185.215.113.104:18754
http://fazanaharahe1.xyz/
http://xandelissane2.xyz/
http://ustiassosale3.xyz/
http://cytheriata4.xyz/
http://ggiergionard5.xyz/
http://rrelleynaniy6.store/
http://danniemusoa7.store/
http://nastanizab8.store/
http://onyokandis9.store/
http://dmunaavank10.store/
http://gilmandros11.site/
http://cusanthana12.site/
http://willietjeana13.site/
http://ximusokall14.site/
http://blodinetisha15.site/
http://urydiahadyss16.club/
http://glasamaddama17.club/
http://marlingarly18.club/
http://alluvianna19.club/
http://xandirkaniel20.club/
https://dimonbk83.tumblr.com/
Unpacked files
SH256 hash:
4cfbdd8acdc923beeca12d94f06d2f1632765434a2087df7ac803c254a0adf9c
MD5 hash:
05a0baf55450d99cb0fa0ee652e2cd0c
SHA1 hash:
e7334de04c18c241a091c3327cdcd56e85cc6baf
Link:
https://www.unpac.me/results/8e8a7c69-6544-4b45-988b-f392c9e78dab/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/4cfbdd8acdc9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4cfbdd8acdc923beeca12d94f06d2f1632765434a2087df7ac803c254a0adf9c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/187916/

Comments