MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 51ad6f28307707e2443713e2506ecb87ab29b5aa363912af90c9eeae0485709a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 51ad6f28307707e2443713e2506ecb87ab29b5aa363912af90c9eeae0485709a
SHA3-384 hash: 023a43e0518d290b38bcab35263600ed8d16cecb089da71c2a286c04a54c5ee722039630bf7af49ff19706f8c32a3861
SHA1 hash: 6a36208e25f9bf8d64e988219d227f78a4ab9a1f
MD5 hash: 6d98b7871d86beea10fd5c0d79b52d23
humanhash: bluebird-virginia-dakota-king
File name:SazInjector.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:5'019'648 bytes
First seen:2021-11-15 16:15:10 UTC
Last seen:2021-11-15 16:24:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 98304:XAZKdPCRHFbLFReP7G+mtXD/Dxs+GOPQoWhyrzd7Q4HFhIM:J4FxLFR/XDNs+GfoxHC4lh
Threatray 323 similar samples on MalwareBazaar
TLSH T1C83633004D1BB390E5A7403D4FDB7100B25993856A33678D6F986ACCCC9798B8E6BBDC
Reporter tech_skeech
Tags:CoinMiner.XMRig exe RedLineStealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
136.144.41.189:12208 https://threatfox.abuse.ch/ioc/248261/

Intelligence

File Origin
# of uploads :
2
# of downloads :
128
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SazInjector.exe
Verdict:
Malicious activity
Analysis date:
2021-11-15 16:13:48 UTC
Tags:
trojan rat redline stealer
Link:
https://app.any.run/tasks/93518411-533f-4416-a4f2-515171131c47

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/205971/
Detection(s):
SecuriteInfo.com.Trojan.MulDropNET.12.8697.25774.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Launching a process
Running batch commands
Creating a process with a hidden window
Sending a UDP request
Enabling the 'hidden' option for files in the %temp% directory
DNS request
Deleting a recently created file
Connection attempt
Sending an HTTP GET request
Searching for the window
Searching for the Windows task manager window
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Blocking the User Account Control
Enabling a "Do not show hidden files" option
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
bladabindi packed
Link:
https://www.filescan.io/uploads/619287c53edf00a722d58e2b/reports/28bbb9d2-8adb-45e1-ba26-4a06c3ed549e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4dac8a92-5f8d-4391-9803-808f4d008d66
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/889623
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Deletes itself after installation
Detected unpacking (overwrites its own PE header)
Drops PE files with benign system names
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Schedule system process
Sigma detected: System File Execution Location Anomaly
Sigma detected: Visual Basic Command Line Compiler Usage
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses dynamic DNS services
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 522132 Sample: SazInjector.exe Startdate: 15/11/2021 Architecture: WINDOWS Score: 100 99 127.0.0.1 unknown unknown 2->99 101 pool.supportxmr.com 2->101 103 2 other IPs or domains 2->103 115 Antivirus / Scanner detection for submitted sample 2->115 117 Multi AV Scanner detection for submitted file 2->117 119 Yara detected RedLine Stealer 2->119 121 12 other signatures 2->121 11 SazInjector.exe 6 2->11         started        14 svchost.exe 2->14         started        17 svchost.exe 1 2->17         started        19 2 other processes 2->19 signatures3 process4 dnsIp5 83 C:\Users\user\AppData\Local\...\Zfbhsoqds.exe, PE32 11->83 dropped 85 C:\Users\user\AppData\...\Omkbdaobsv.exe, PE32 11->85 dropped 87 C:\Users\user\AppData\...\SazInjector.exe.log, ASCII 11->87 dropped 21 Zfbhsoqds.exe 12 11->21         started        25 Omkbdaobsv.exe 11->25         started        109 192.168.2.1 unknown unknown 14->109 file6 process7 file8 71 C:\Users\user\AppData\Local\...\Installer.exe, PE32 21->71 dropped 73 C:\Users\user\AppData\...\gzsxtfaz.cmdline, UTF-8 21->73 dropped 75 C:\Users\user\AppData\...\ResHacker-RH.exe, PE32 21->75 dropped 137 Antivirus detection for dropped file 21->137 139 Machine Learning detection for dropped file 21->139 141 Deletes itself after installation 21->141 27 Installer.exe 7 21->27         started        31 vbc.exe 6 21->31         started        33 BackgroundTransferHost.exe 21->33         started        143 Multi AV Scanner detection for dropped file 25->143 signatures9 process10 file11 89 C:\Users\user\...\ServicesInstaller.exe, PE32 27->89 dropped 91 C:\Users\user\AppData\...\JavaUpdate.exe, PE32+ 27->91 dropped 93 C:\Users\user\AppData\...\JavaSheduler.exe, PE32 27->93 dropped 145 Antivirus detection for dropped file 27->145 147 Detected unpacking (overwrites its own PE header) 27->147 149 Machine Learning detection for dropped file 27->149 151 Hides that the sample has been downloaded from the Internet (zone.identifier) 27->151 35 ServicesInstaller.exe 15 21 27->35         started        39 JavaSheduler.exe 27->39         started        42 JavaUpdate.exe 4 27->42         started        95 vbcF77442F3A62E4A649C1BB44A99BB6034.TMP, MSVC 31->95 dropped 97 C:\Users\user\Desktop\SazInjector...exe, PE32 31->97 dropped 44 cvtres.exe 31->44         started        46 conhost.exe 31->46         started        signatures12 process13 dnsIp14 105 dontreachme.duckdns.org 136.144.41.189, 12208, 49769, 49825 WORLDSTREAMNL Netherlands 35->105 107 api.ip.sb 35->107 123 Antivirus detection for dropped file 35->123 125 Multi AV Scanner detection for dropped file 35->125 127 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 35->127 135 3 other signatures 35->135 48 conhost.exe 35->48         started        77 C:\Users\user\AppData\Roaming\...\smss.exe, PE32 39->77 dropped 129 Uses schtasks.exe or at.exe to add and modify task schedules 39->129 131 Drops PE files with benign system names 39->131 133 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 39->133 50 smss.exe 39->50         started        53 cmd.exe 39->53         started        55 schtasks.exe 39->55         started        79 C:\Users\user\Microsoft\services.exe, PE32+ 42->79 dropped 57 cmd.exe 42->57         started        81 C:\Users\user\AppData\Local\...\RES2640.tmp, Intel 44->81 dropped file15 signatures16 process17 signatures18 111 Multi AV Scanner detection for dropped file 50->111 59 conhost.exe 53->59         started        61 chcp.com 53->61         started        63 chcp.com 53->63         started        65 conhost.exe 55->65         started        113 Encrypted powershell cmdline option found 57->113 67 conhost.exe 57->67         started        69 powershell.exe 57->69         started        process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/51ad6f28307707e2443713e2506ecb87ab29b5aa363912af90c9eeae0485709a/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2021-11-15 06:46:36 UTC
AV detection:
29 of 44 (65.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kgww6kbqo4d6erbxcprfa3wlq6vstnnkgy4rfl4qzhxk4befocna._file
Verdict:
malicious
Similar samples:
12439fc7c876b8bf881db4e97ed57827c1c4f2fd0ebccc29a4e197b19c80488b
RedLineStealer
139c83b8cf3674d992e04f9e4a047c3a7ad5279b2f6b8bf18c39603f82bca16d
RedLineStealer
1b0c9f3f22d25cd518e480798ee44e8876107b2d37b2e92997c039d4a6c69db1
RedLineStealer
40387bebfe97eea9c90425caf5519019dfc0e7425bb238246ec9f7bb5d621293
RedLineStealer
58f64e4083fa288b091dc0d29a050da9cd09e4ee6607aff2e5fa5ffbe2c7a887
RedLineStealer
96ad89ff084cb88f1bd0bf8f104b744d9bf26157aa9f117851fdbfc2b20585c5
RedLineStealer
b41455dfe45bf98bd2f1acec07d7a0df02a3c83e1fdecfb403df3984ab794761
RedLineStealer
fbf130705ed4de523fd2e38a6c64848af5d6e1ce6a268251e7b6d6e3f8089957
RedLineStealer
fd6996eab709c3ed21ef140958d9a9147902336b85b47bc896372a18e469a6fc
RedLineStealer
+ 313 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:redline family:xmrig discovery evasion infostealer miner spyware stealer trojan
Link:
https://tria.ge/reports/211115-tqsw4sahb9/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: SetClipboardViewer
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
XMRig Miner Payload
RedLine
RedLine Payload
UAC bypass
xmrig
Unpacked files
SH256 hash:
9a9d1f901ce782876d2e3e6a9b5dcc9e240e3fbaff203c088b61b8dbd8a102f6
MD5 hash:
41a644c84d1a31b693f29656c0efc557
SHA1 hash:
c90f553781b25347efb723bf83a1eb2ac58db374
Link:
https://www.unpac.me/results/02277d0d-f6bb-4ea9-b1aa-903213c6cf58/
SH256 hash:
58bf6d4db80009df3b5f9967d54575f459087100498eab59a7b13f5aa44d1e6d
MD5 hash:
541ebd27434e01ef36fb17fbb197565b
SHA1 hash:
3313d0e2bff470b4c2c6200a881ffd75054d5763
Link:
https://www.unpac.me/results/02277d0d-f6bb-4ea9-b1aa-903213c6cf58/
SH256 hash:
0da9fd34d122db7737e8748fd3ca6b2f7a9606e52bb0168efc3c64cf2e2c4d44
MD5 hash:
80099430fb50d4c31c7ce28e2cb0fef5
SHA1 hash:
1fbaa22a5d6c76ee2d6645ec922fc449ade78581
Link:
https://www.unpac.me/results/02277d0d-f6bb-4ea9-b1aa-903213c6cf58/
SH256 hash:
19703fbd5d11925c8871e6cee99a8cfa97910c4ad51ca7b008661b08d0a443c9
MD5 hash:
d6977bfdfcbd1bc0fd0585d010705efd
SHA1 hash:
fb5a05f16619e5fbf4313de3f2683189dbb2f5c6
Link:
https://www.unpac.me/results/02277d0d-f6bb-4ea9-b1aa-903213c6cf58/
SH256 hash:
52cad2ada36a7a4b8d5e653cfe1854d32210ef198561e4cf53ea1c4e5ebbb84f
MD5 hash:
2f92eed4e2061af0961f379e9ded70d6
SHA1 hash:
8b58dcd428759d3633a14bcfc62a8cb6deb66de5
Link:
https://www.unpac.me/results/02277d0d-f6bb-4ea9-b1aa-903213c6cf58/
SH256 hash:
8147ffd1ca003a8242c91a20b253fcb63898027c5c5106b83b24606ad2a64407
MD5 hash:
527be144a7f54ec577a97e67c8f8fb7c
SHA1 hash:
30f5e14b91e8f5957439e74d37405cb606a9ec35
Link:
https://www.unpac.me/results/02277d0d-f6bb-4ea9-b1aa-903213c6cf58/
SH256 hash:
ccce09d2762ee85b890b6c70ffe63da2c3caabeb0485570d52a3e48d2dfb973c
MD5 hash:
b03de383bc26cb9e3320a29f9310c2ff
SHA1 hash:
25174a972b718691c9c4f84704842f233b1e23a1
Link:
https://www.unpac.me/results/02277d0d-f6bb-4ea9-b1aa-903213c6cf58/
SH256 hash:
722228104fff2fa9e45be67dde0a2483f21e29f8c5f98867e83793d9c444382f
MD5 hash:
43d9f8511872c03eac763e55986f1e02
SHA1 hash:
c0712c4a76c859f9ab4cd50aed38f0a30da46706
Link:
https://www.unpac.me/results/02277d0d-f6bb-4ea9-b1aa-903213c6cf58/
SH256 hash:
51ad6f28307707e2443713e2506ecb87ab29b5aa363912af90c9eeae0485709a
MD5 hash:
6d98b7871d86beea10fd5c0d79b52d23
SHA1 hash:
6a36208e25f9bf8d64e988219d227f78a4ab9a1f
Link:
https://www.unpac.me/results/02277d0d-f6bb-4ea9-b1aa-903213c6cf58/
Malware family:
RedLine
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/51ad6f283077/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/51ad6f28307707e2443713e2506ecb87ab29b5aa363912af90c9eeae0485709a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 51ad6f28307707e2443713e2506ecb87ab29b5aa363912af90c9eeae0485709a

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/205971/

Comments