MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 517c6f4aad96b59020c6c736521a3084b2c625c5d7ce4f637634839b98b28c11. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 517c6f4aad96b59020c6c736521a3084b2c625c5d7ce4f637634839b98b28c11
SHA3-384 hash: 856002ee1fb476a86506aa2266224908710d44d5816f6b0693128d870c33d780aad58ed5d2e3148d93666e94845dc5ae
SHA1 hash: 6943644e7c6e52324353770e13ede9b78e3036a9
MD5 hash: 5cfa1c74d3410705daf7055374b56f2f
humanhash: black-venus-october-victor
File name:5cfa1c74d3410705daf7055374b56f2f.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:70'144 bytes
First seen:2021-10-22 10:09:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 768:QMedEMYp16zhzxfCH+zU72gSWASIkDrG556ufBxQseeIYECraHJLQFS3dQ4UsDQ5:VFMYp8htfCHWeVtAmG55ivnpmEab00
Threatray 1'539 similar samples on MalwareBazaar
TLSH T117639377406691A6C5892330F4B11F4B367CD6381980B698F14FF2AEEC1D29D9EF83A5
File icon (PE):PE icon
dhash icon ec525c1598491354 (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
275
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup_x86_x64_install.exe
Verdict:
Malicious activity
Analysis date:
2021-10-22 11:31:46 UTC
Tags:
trojan evasion rat redline loader stealer vidar opendir kelihos
Link:
https://app.any.run/tasks/af5d3c60-1f84-422d-999a-107ae8a4c180

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/199349/
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Launching a service
Creating a window
Connection attempt to an infection source
Sending a TCP request to an infection source
DNS request
Connection attempt
Sending a custom TCP request
Query of malicious DNS domain
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61728dfd9a5a1e91c5ceb43f/reports/eae5e461-a8f3-4ed3-84d5-6be82ab05ba4/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a55971b8-939e-41bc-8ab6-f146c76e250b
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/875159
Signature
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Hides threads from debuggers
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Performs DNS queries to domains with low reputation
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 507591 Sample: HNjps9ILa2.exe Startdate: 22/10/2021 Architecture: WINDOWS Score: 100 59 querahinor.xyz 2->59 65 Antivirus detection for URL or domain 2->65 67 Multi AV Scanner detection for submitted file 2->67 69 Yara detected RedLine Stealer 2->69 71 3 other signatures 2->71 8 HNjps9ILa2.exe 15 8 2->8         started        signatures3 process4 dnsIp5 61 iplogger.org 88.99.66.31, 443, 49776, 49777 HETZNER-ASDE Germany 8->61 63 niemannbest.me 172.67.221.103, 443, 49768, 49769 CLOUDFLARENETUS United States 8->63 35 C:\Users\user\AppData\Roaming\8830638.exe, PE32 8->35 dropped 37 C:\Users\user\AppData\Roaming\7772255.exe, PE32 8->37 dropped 39 C:\Users\user\AppData\Roaming\7487787.exe, PE32 8->39 dropped 41 2 other malicious files 8->41 dropped 79 May check the online IP address of the machine 8->79 13 7487787.exe 1 4 8->13         started        17 1467253.exe 3 8->17         started        20 8830638.exe 3 8->20         started        22 2 other processes 8->22 file6 signatures7 process8 dnsIp9 43 C:\Users\user\AppData\...\WinHoster.exe, PE32 13->43 dropped 81 Multi AV Scanner detection for dropped file 13->81 83 Detected unpacking (changes PE section rights) 13->83 85 Detected unpacking (overwrites its own PE header) 13->85 24 WinHoster.exe 13->24         started        45 querahinor.xyz 45.129.99.59, 8080 GMHOSTUA Estonia 17->45 47 kanagoriyn.xyz 45.129.99.60, 8080 GMHOSTUA Estonia 17->47 49 hadachannt.xyz 17->49 87 Query firmware table information (likely to detect VMs) 17->87 89 Performs DNS queries to domains with low reputation 17->89 91 Hides threads from debuggers 17->91 27 conhost.exe 17->27         started        51 188.68.201.6, 10085 ITNET33RU Russian Federation 20->51 93 Tries to detect sandboxes and other dynamic analysis tools (window names) 20->93 95 Tries to detect sandboxes / dynamic malware analysis system (registry check) 20->95 29 conhost.exe 20->29         started        53 speeddatingstudio.com 104.21.94.228, 443, 49781 CLOUDFLARENETUS United States 22->53 55 the-lead-bitter.com 172.67.160.101, 443, 49778 CLOUDFLARENETUS United States 22->55 57 192.168.2.1 unknown unknown 22->57 97 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 22->97 99 Tries to harvest and steal browser information (history, passwords, etc) 22->99 101 Tries to steal Crypto Currency Wallets 22->101 31 conhost.exe 22->31         started        33 conhost.exe 22->33         started        file10 signatures11 process12 signatures13 73 Multi AV Scanner detection for dropped file 24->73 75 Detected unpacking (changes PE section rights) 24->75 77 Detected unpacking (overwrites its own PE header) 24->77
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/517c6f4aad96b59020c6c736521a3084b2c625c5d7ce4f637634839b98b28c11/
Threat name:
ByteCode-MSIL.Infostealer.Reline
Create hunting rule
Status:
Malicious
First seen:
2021-10-22 09:40:24 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kf6g6svns22zaiggy43fegrqqszmmjof27he6y3wgsbzxgfsrqiq._file
Verdict:
malicious
Similar samples:
015f49a2f30182ca1fec9949880253798b5d6a79de6e698faf8f05714bdf39ef
RedLineStealer
16b06e18530e2528d03f8dfa6e57cd1799b6123c1421c89e24bf0732d1ccf0f2
RedLineStealer
5a937c078e32bcbafa2bc39d1689eead7e714906d13febd08eeb9c05a4e974b0
RedLineStealer
5ab59ff09415735cefb48751e193ada67c040ea2390db7b5c17e9431447730b6
RedLineStealer
5ca2a5d2ec7cee822027375ef676891f3501dad244c504807b9daa6d87cf0ac1
RedLineStealer
646492cdcf4be74a0bae1711eb6902d8d2cc887519fe26c6bd7a84f3387d4a9d
RedLineStealer
893c359fbf489796d2b12678c3bf882d735c8405828562489c273090c4b15e44
RedLineStealer
baabe1f7bf9f0034037f5ed924b0b3e5637fea32e63c83c2321e088259384650
RedLineStealer
c089f4a7b15f47edfe5c4748b2f34e8962bf115e6980355d67036be35c982eb1
RedLineStealer
d303ff1d8ecf2f8c4d19465c207d6b3e6085318452f7177cee9223632a0fead8
RedLineStealer
+ 1'529 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
discovery evasion persistence spyware stealer themida trojan
Link:
https://tria.ge/reports/211022-l7djrabea4/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
77b9e060109162a45a9265a2efce2b9853504b14f05f6909642699b15b93ef3f
MD5 hash:
e83ffb946b535be2467d522e092fe83c
SHA1 hash:
614cb5b54da2aeead709f74a368430d1db708431
Link:
https://www.unpac.me/results/2444423b-34cd-4d0a-b906-3f6506d399e3/
SH256 hash:
517c6f4aad96b59020c6c736521a3084b2c625c5d7ce4f637634839b98b28c11
MD5 hash:
5cfa1c74d3410705daf7055374b56f2f
SHA1 hash:
6943644e7c6e52324353770e13ede9b78e3036a9
Link:
https://www.unpac.me/results/2444423b-34cd-4d0a-b906-3f6506d399e3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/517c6f4aad96b59020c6c736521a3084b2c625c5d7ce4f637634839b98b28c11

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 517c6f4aad96b59020c6c736521a3084b2c625c5d7ce4f637634839b98b28c11

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/199349/
  
URLhaus
https://urlhaus.abuse.ch/url/1639256/
  
Delivery method
Distributed via web download

Comments