MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 51d754d17bded4a65f90a483bf8aeb78fdcbb421ccbcd5391eeb777e4ffc4d7d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 11



SHA256 hash: 51d754d17bded4a65f90a483bf8aeb78fdcbb421ccbcd5391eeb777e4ffc4d7d
SHA3-384 hash: 6c90e6ac87a0e6186960b769ef15680115a912d3977f517196b654fb6dd221feb7a86fc64bbc9b836ed4a94e8191ba78
SHA1 hash: 1e5872c1fdd4bed72e7745891ccc0f29f1ae4963
MD5 hash: a94fe2d4ea938aeda1b547621f8127b4
humanhash: steak-foxtrot-enemy-magazine
File name: a94fe2d4ea938aeda1b547621f8127b4.exe
Signature: RedLineStealer
File size: 8'192 bytes
First seen: 2021-09-29 12:01:22 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'636 x Formbook, 12'244 x SnakeKeylogger). Shared with that many samples of other families, this imphash does not identify RedLine on its own and is a poor pivot.
ssdeep: 96:DJOElmu1B9ilJJMOfEkdEKozt1ExafVHcqkTzNt:FLkJwGE3E0tq1
Threatray: 97 similar samples on MalwareBazaar
TLSH: T12FF1C506B7E80737DCBE4B7A98B3431053B2E6154D13CB1E5CC8825E6CA27140DA2BB6
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
65.108.1.219:28593

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 65.108.1.219:28593
ThreatFox reference: https://threatfox.abuse.ch/ioc/227532/

Intelligence


File Origin
# of uploads: 1
# of downloads: 103
Origin country: n/a
Vendor Threat Intelligence

Verdict: Malware
Threat name: BitCoin Miner RedLine Xmrig
Detection: malicious
Classification: troj.spyw.evad.mine
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Connects to a pastebin service (likely for C&C)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DNS related to crypt mining pools
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Performs DNS queries to domains with low reputation
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample is not signed and drops a device driver
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Xmrig
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph (ID 493861; sample GLBtdTEH84.exe; start date 30/09/2021; architecture WINDOWS; score 100), flattened here from the graph image. Ports below 49152 are the remote service ports; the 49xxx values in the graph are the sandbox's ephemeral client ports.

Root-level network contacts and signatures:
- ip-api.com 208.95.112.1 (port 80; TUT-AS, United States)
- 151.80.144.188 (port 14433; OVH, Italy)
- 12 other IPs or domains
- Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Sigma detected: Xmrig; Multi AV Scanner detection for domain / URL; 24 other signatures

Process tree (numbers in brackets are graph node IDs):
- [11] GLBtdTEH84.exe
  - network: cdn.discordapp.com 162.159.135.233 (port 443; CLOUDFLARENET, United States)
  - dropped: C:\Users\user\AppData\Local\...\LzmwAqmV.exe (PE32); C:\Users\user\AppData\...\GLBtdTEH84.exe.log (ASCII)
  - starts [19] LzmwAqmV.exe
- [15] svchost.exe
  - starts [23] WerFault.exe
- [17] services64.exe
- [19] LzmwAqmV.exe
  - dropped: C:\Users\user\AppData\...\sfx_123_206.exe (PE32); C:\Users\user\AppData\...\oliver2109-c.exe (PE32); C:\Users\user\AppData\Local\Temp\jhuuee.exe (PE32+); 6 other files (2 malicious)
  - signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  - starts [25] PublicDwlBrowser1100.exe, [30] Chrome7.exe, [32] setup.exe, [34] 3 other processes
- [25] PublicDwlBrowser1100.exe
  - network: iplogger.org 88.99.66.31 (port 443; HETZNER-AS, Germany); my-all-group.bar 172.67.169.45 (port 443; CLOUDFLARENET, United States); 3 other IPs or domains
  - dropped: C:\ProgramData\3514328.exe (PE32)
  - signatures: Multi AV Scanner detection for dropped file; Detected unpacking (overwrites its own PE header); May check the online IP address of the machine; Performs DNS queries to domains with low reputation
  - starts [36] 3514328.exe
- [30] Chrome7.exe
  - dropped: C:\Users\user\AppData\...\services64.exe (PE32+)
  - signatures: Machine Learning detection for dropped file
  - starts [40] services64.exe, [43] cmd.exe
- [32] setup.exe
  - network: 194.145.227.161 (port 80; CLOUDPIT, Ukraine); zukayh04.top 194.87.210.74 (ports listed: 49795, 49796, 49802; AS-REGRU, Russian Federation); 2 other IPs or domains
  - dropped: C:\Users\user\AppData\Local\...\file[1].exe (PE32); C:\Users\user\AppData\Local\...\null[1] (PE32); C:\Users\user\AppData\Local\...\file[1].exe (PE32); 3 other files (none is malicious)
- [34] 3 other processes
  - network: 45.9.20.20 (port 13441; DEDIPATH-LLC, Russian Federation)
  - signatures: Injects a PE file into a foreign processes
  - starts [45] mshta.exe, [47] conhost.exe
- [36] 3514328.exe
  - network: the-lead-bitter.com 104.21.66.135 (port 443; CLOUDFLARENET, United States)
  - signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); 3 other signatures
  - starts [49] conhost.exe
- [40] services64.exe
  - network: sanctam.net 185.65.135.234 (port 58899; ESAB-AS, Sweden); bitbucket.org 104.192.141.1 (port 443; AMAZON-02, United States)
  - dropped: C:\Users\user\AppData\Roaming\...\WR64.sys (PE32+); C:\Users\user\AppData\...\sihost64.exe (PE32+)
  - signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Modifies the context of a thread in another process (thread injection); 2 other signatures
- [43] cmd.exe
  - signatures: Uses schtasks.exe or at.exe to add and modify task schedules
  - starts [51] conhost.exe, [53] schtasks.exe
- [45] mshta.exe
  - starts [55] cmd.exe
- [55] cmd.exe
  - dropped: C:\Users\user\AppData\Local\...\4MCYlgNAW.eXE (PE32)
  - starts [58] conhost.exe
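The mshta.exe -> cmd.exe and cmd.exe -> schtasks.exe edges in the process tree above are what the Sigma hits listed under Signature (MSHTA Spawning Windows Shell, Suspicious Script Execution From Temp Folder, schtasks.exe use) key on. The following is an added example, not part of the MalwareBazaar entry or of any vendor's tooling, showing how those patterns can be checked against Sysmon Event ID 1-style process-creation records once they are in a SIEM or a JSON export. The event records are constructed to mirror the tree (PIDs reuse the graph node numbers); the command lines, the .hta file name and the full drop paths are assumptions, and the "executable run from Temp" rule is an addition of my own rather than one of the listed Sigma rules.

```python
"""Process-creation detections modelled on the Sigma hits listed for this sample.

Added example. SAMPLE_EVENTS is constructed to mirror the sandbox process tree
and is not real telemetry: image names come from the behaviour graph, while
command lines, the .hta name and full paths are assumptions.
"""
import ntpath
from typing import Dict, List, Tuple

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe"}
TEMP_MARKER = "\\appdata\\local\\temp\\"  # compared against lower-cased strings

SAMPLE_EVENTS: List[Dict] = [
    {"ProcessId": 11, "ParentProcessId": 2,
     "Image": r"C:\Users\user\Desktop\GLBtdTEH84.exe",
     "CommandLine": r'"C:\Users\user\Desktop\GLBtdTEH84.exe"'},
    {"ProcessId": 34, "ParentProcessId": 11,
     "Image": r"C:\Users\user\AppData\Local\Temp\jhuuee.exe",
     "CommandLine": r'"C:\Users\user\AppData\Local\Temp\jhuuee.exe"'},
    {"ProcessId": 45, "ParentProcessId": 34,
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe "C:\Users\user\AppData\Local\Temp\payload.hta"'},  # .hta name assumed
    {"ProcessId": 55, "ParentProcessId": 45,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\user\AppData\Local\Temp\4MCYlgNAW.eXE"'},
    {"ProcessId": 30, "ParentProcessId": 11,
     "Image": r"C:\Users\user\AppData\Roaming\Chrome7.exe",  # path assumed
     "CommandLine": r'"C:\Users\user\AppData\Roaming\Chrome7.exe"'},
    {"ProcessId": 43, "ParentProcessId": 30,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c schtasks /create /f /sc onlogon /rl highest /tn services64 /tr "C:\Users\user\AppData\Roaming\services64.exe"'},
    {"ProcessId": 53, "ParentProcessId": 43,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /f /sc onlogon /rl highest /tn services64 /tr "C:\Users\user\AppData\Roaming\services64.exe"'},
    # Benign control: an interactive shell opened from explorer.exe must not alert.
    {"ProcessId": 99, "ParentProcessId": 2,
     "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"ProcessId": 100, "ParentProcessId": 99,
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
]


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path (works on any host OS)."""
    return ntpath.basename(path).lower()


def lineage(by_pid: Dict[int, Dict], pid: int) -> List[str]:
    """Walk ParentProcessId links to give the analyst the full ancestry, root first."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(image_name(by_pid[pid]["Image"]))
        pid = by_pid[pid]["ParentProcessId"]
    return list(reversed(chain))


def detect(events: List[Dict]) -> List[Tuple[str, int, str]]:
    """Return (rule, pid, ancestry) for every event that matches a rule."""
    by_pid = {e["ProcessId"]: e for e in events}
    hits = []
    for e in events:
        img = image_name(e["Image"])
        cmd = e.get("CommandLine", "").lower()
        parent = by_pid.get(e["ParentProcessId"])
        parent_img = image_name(parent["Image"]) if parent else ""
        chain = " -> ".join(lineage(by_pid, e["ProcessId"]))
        # Sigma: MSHTA Spawning Windows Shell (parent mshta.exe, child is a shell)
        if parent_img == "mshta.exe" and img in SHELLS:
            hits.append(("mshta_spawning_windows_shell", e["ProcessId"], chain))
        # Sigma: Suspicious Script Execution From Temp Folder (script host, Temp path in args)
        if img in SCRIPT_HOSTS and TEMP_MARKER in cmd:
            hits.append(("script_execution_from_temp", e["ProcessId"], chain))
        # Own addition: any executable whose image itself lives under Temp
        if TEMP_MARKER in e["Image"].lower():
            hits.append(("executable_run_from_temp", e["ProcessId"], chain))
        # schtasks.exe used to create or change a task (persistence)
        if img == "schtasks.exe" and ("/create" in cmd or "/change" in cmd):
            hits.append(("schtasks_task_creation", e["ProcessId"], chain))
    return hits


if __name__ == "__main__":
    for rule, pid, chain in detect(SAMPLE_EVENTS):
        print(f"{rule:32} pid={pid:<4} {chain}")
```

The ancestry string is the part worth keeping in the alert: "mshta.exe -> cmd.exe" on its own is noisy in environments that still use HTA-based installers, while "GLBtdTEH84.exe -> jhuuee.exe -> mshta.exe -> cmd.exe" with jhuuee.exe sitting in Temp is not. The benign explorer.exe -> cmd.exe pair is included so the rules can be checked for false positives as well as true ones.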
Threat name: ByteCode-MSIL.Trojan.SmallDownloader
Status: Malicious
First seen: 2021-09-24 23:28:00 UTC
AV detection: 26 of 28 (92.86%)
Threat level: 5/5

Malware family:
Score: 10/10
Tags: family:redline family:xmrig botnet:aboba botnet:oliver2109 botnet:uts discovery infostealer miner persistence spyware stealer
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies Internet Explorer settings
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
XMRig Miner Payload
RedLine
RedLine Payload
Suspicious use of NtCreateProcessExOtherParentProcess
xmrig
Malware Config
C2 Extraction:
45.9.20.20:13441
213.166.69.181:64650
65.108.1.219:28593
Dropper Extraction:
http://shellloader.top/welcome
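To turn the extracted C2 endpoints and the dropper URL into a network check, here is an added example (my code, not part of the MalwareBazaar entry) that matches them against Zeek-style conn.log and dns.log excerpts. The log lines are constructed for the demonstration, not captured from the sandbox run; the only values taken from the page are the three ip:port pairs and the shellloader.top URL. A connection to one of the C2 addresses on a different port is reported as a separate, lower-confidence hit rather than dropped, since the same address can be reused with another port and the analyst should see it.

```python
"""Match the extracted RedLine C2 list and dropper URL against Zeek-style logs.

Added example. CONN_LOG and DNS_LOG are constructed excerpts in Zeek's
tab-separated format; the IOC values are the ones listed under Malware Config.
"""
import ipaddress
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

C2_ENDPOINTS = {"45.9.20.20:13441", "213.166.69.181:64650", "65.108.1.219:28593"}
DROPPER_URLS = {"http://shellloader.top/welcome"}

# Constructed conn.log: one exact C2 hit, one same-IP-other-port hit,
# one unrelated HTTPS connection and a second exact hit from another host.
CONN_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto",
    "1632916800.1\tCx1\t10.0.0.5\t49785\t45.9.20.20\t13441\ttcp",
    "1632916801.2\tCx2\t10.0.0.5\t49790\t65.108.1.219\t443\ttcp",
    "1632916802.3\tCx3\t10.0.0.7\t49801\t93.184.216.34\t443\ttcp",
    "1632916803.4\tCx4\t10.0.0.9\t51234\t213.166.69.181\t64650\ttcp",
])

# Constructed dns.log: one lookup of the dropper host, one unrelated query.
DNS_LOG = "\n".join([
    "#fields\tts\tid.orig_h\tquery",
    "1632916799.0\t10.0.0.5\tshellloader.top",
    "1632916799.5\t10.0.0.7\texample.com",
])


def parse_zeek(text: str) -> List[Dict[str, str]]:
    """Parse Zeek's TSV log format using its #fields header; other # lines are skipped."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            if fields is None:
                raise ValueError("data row before #fields header")
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def build_index(endpoints: Set[str]) -> Tuple[Set[Tuple[str, int]], Set[str]]:
    """Split 'ip:port' IOCs into an exact (ip, port) set and an ip-only set."""
    exact, ips = set(), set()
    for ep in endpoints:
        ip, port = ep.rsplit(":", 1)
        ipaddress.ip_address(ip)  # raises on a malformed IOC instead of silently never matching
        exact.add((ip, int(port)))
        ips.add(ip)
    return exact, ips


def match_conn(rows: List[Dict[str, str]], endpoints: Set[str]) -> List[Tuple[str, str, str, str]]:
    """Return (rule, uid, source host, ip:port) for connections to a C2 IOC."""
    exact, ips = build_index(endpoints)
    hits = []
    for r in rows:
        resp = (r["id.resp_h"], int(r["id.resp_p"]))
        target = f"{resp[0]}:{resp[1]}"
        if resp in exact:
            hits.append(("c2_exact", r["uid"], r["id.orig_h"], target))
        elif resp[0] in ips:
            hits.append(("c2_ip_other_port", r["uid"], r["id.orig_h"], target))
    return hits


def match_dns(rows: List[Dict[str, str]], urls: Set[str]) -> List[Tuple[str, str, str]]:
    """Flag hosts that resolved the dropper URL's hostname."""
    hosts = {urlsplit(u).hostname.lower() for u in urls}
    return [("dropper_host_lookup", r["id.orig_h"], r["query"])
            for r in rows if r["query"].lower().rstrip(".") in hosts]


def affected_hosts(conn_hits, dns_hits) -> List[str]:
    """Sorted list of internal hosts that touched any IOC, for scoping the response."""
    return sorted({h[2] for h in conn_hits} | {h[1] for h in dns_hits})


if __name__ == "__main__":
    c = match_conn(parse_zeek(CONN_LOG), C2_ENDPOINTS)
    d = match_dns(parse_zeek(DNS_LOG), DROPPER_URLS)
    for hit in c + d:
        print(hit)
    print("hosts to triage:", affected_hosts(c, d))
```

Run it against real logs by reading the files into CONN_LOG and DNS_LOG; the parser only depends on the #fields header, so it copes with additional columns. The three C2 ports here (13441, 64650, 28593) are all non-standard, which is why matching on the full ip:port pair gives a high-confidence hit while an ip-only match needs a second look.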
Unpacked files
SHA256 hash: 51d754d17bded4a65f90a483bf8aeb78fdcbb421ccbcd5391eeb777e4ffc4d7d
MD5 hash: a94fe2d4ea938aeda1b547621f8127b4
SHA1 hash: 1e5872c1fdd4bed72e7745891ccc0f29f1ae4963
Malware family: RedLine.A
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Only results from TLP:CLEAR rules are displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_DiscordURL
Author: ditekSHen
Description: Detects executables containing a Discord URL, as observed in first-stage droppers

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detects executables whose stomped PE compilation timestamp is later than the local current time

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: pe_imphash (listed twice)

Rule name: redline_stealer
Author: jeFF0Falltrades
Description: This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

Rule name: SUSP_XORed_Mozilla_RID2DB4
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research
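Two of the rules listed above, SUSP_XORed_Mozilla and INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture, are simple enough to reproduce outside YARA when a buffer (a process dump, a carved blob) has to be triaged on a box without a YARA install. The following is an added example, my own code and not the rule authors', that performs the equivalent checks: brute-forcing every single-byte XOR key for the keyword Mozilla/5.0, which is what YARA's xor string modifier does, and reading IMAGE_FILE_HEADER.TimeDateStamp to compare it with the current time. The PE header stub and the XORed user-agent blob are constructed for the demonstration; the one-day clock-skew allowance is my choice, not something the rule specifies.

```python
"""Stand-alone equivalents of two YARA checks that matched this sample.

Added example. build_pe_stub() and build_sample_blob() construct test data;
nothing here is taken from the sample's bytes.
"""
import struct
import time
from typing import List, Optional, Tuple

KEYWORD = b"Mozilla/5.0"


def pe_timestamp(data: bytes) -> Optional[int]:
    """Return IMAGE_FILE_HEADER.TimeDateStamp, or None if the buffer is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Need the 4-byte signature plus the 20-byte COFF header to be present.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def timestamp_in_future(data: bytes, now: Optional[int] = None, skew: int = 86400) -> bool:
    """True when the compile timestamp is later than 'now' by more than the skew allowance."""
    ts = pe_timestamp(data)
    if ts is None:
        return False
    now = int(time.time()) if now is None else now
    return ts > now + skew


def find_xored_keyword(data: bytes, keyword: bytes = KEYWORD) -> List[Tuple[int, int]]:
    """Report (key, offset) for every single-byte XOR key under which the keyword appears.

    Key 0 (plaintext) is skipped deliberately: a clear-text user agent is normal,
    an obfuscated one is the signal.
    """
    hits = []
    for key in range(1, 256):
        needle = bytes(b ^ key for b in keyword)
        pos = data.find(needle)
        while pos != -1:
            hits.append((key, pos))
            pos = data.find(needle, pos + 1)
    return hits


def scan(data: bytes, now: Optional[int] = None) -> dict:
    """Combine both checks into one triage result."""
    return {
        "pe_timestamp": pe_timestamp(data),
        "timestamp_in_future": timestamp_in_future(data, now),
        "xored_mozilla": find_xored_keyword(data),
    }


# --- constructed test data -------------------------------------------------

def build_pe_stub(timestamp: int) -> bytes:
    """Minimal MZ/PE header skeleton (constructed), just enough for pe_timestamp()."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew points right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0xE0, 0x102)
    return bytes(dos) + b"PE\0\0" + coff


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def build_sample_blob(timestamp: int = 2_000_000_000, key: int = 0x5A) -> bytes:
    """A PE stub dated in 2033 followed by a user-agent string XORed with one byte."""
    ua = b"User-Agent: Mozilla/5.0 (Windows NT 10.0)"
    return build_pe_stub(timestamp) + b"\x00" * 16 + xor_bytes(ua, key)


if __name__ == "__main__":
    print(scan(build_sample_blob()))
```

On a real dump, feed the whole file to scan(); the XOR search is O(255 x len) with Python's C-level bytes.find, which is fine for process dumps of a few hundred megabytes. Compare the future-timestamp result with the "First seen" dates on this page: a compile timestamp later than the upload date is impossible for an honest build and is the rule's whole premise.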

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments