MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 537b9009fd3cf3cc86499cba9ceda7ee637cd79069fb049a786ce10764ecf033. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 537b9009fd3cf3cc86499cba9ceda7ee637cd79069fb049a786ce10764ecf033
SHA3-384 hash: b30483858002b3f50f2de9b1e247b38ee183a726e44ad4c877935d74666a8385592e6e71248093344095911e06c1efe9
SHA1 hash: 592fd6711c019e8739221392b84fda7c988f5e42
MD5 hash: b66a47940ae6240a80ecef2a642ff96f
humanhash: freddie-speaker-glucose-river
File name:B66A47940AE6240A80ECEF2A642FF96F.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:3'257'020 bytes
First seen:2021-06-08 07:09:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 98304:UbjLqoV0VrJnisfvILTrDpdkhdcOCWi++lbN5:UXVKrJndfwLoKqirD
Threatray 694 similar samples on MalwareBazaar
TLSH A3E53341F9D0A5B1D6720935427A2F262475BE201F28EEEBE3E0179EDD311D1DB32B1A
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
162.55.55.250:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
162.55.55.250:80 https://threatfox.abuse.ch/ioc/67974/

Intelligence

File Origin
# of uploads :
1
# of downloads :
169
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
B66A47940AE6240A80ECEF2A642FF96F.exe
Verdict:
Malicious activity
Analysis date:
2021-06-08 07:31:35 UTC
Tags:
evasion trojan
Link:
https://app.any.run/tasks/5a82121a-b91c-4052-9342-400875520aeb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/165217/
Detection(s):
Win.Malware.Mikey-9866193-0
Create hunting rule

Win.Malware.Nymeria-9867377-0
Create hunting rule

SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Sending a UDP request
Launching a process
Creating a file in the %temp% subdirectories
Creating a file
DNS request
Sending an HTTP GET request
Creating a process with a hidden window
Reading critical registry keys
Deleting a recently created file
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Creating a file in the Program Files subdirectories
Connecting to a non-recommended domain
Modifying a system file
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/798585
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
DLL reload attack detected
Drops PE files to the document folder of the user
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Renames NTDLL to bypass HIPS
Sample is protected by VMProtect
Searches for Windows Mail specific files
Sets debug register (to hijack the execution of another thread)
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 430986 Sample: 5lUjG28hjV.exe Startdate: 08/06/2021 Architecture: WINDOWS Score: 100 105 139.45.197.137 RETN-ASEU Netherlands 2->105 107 139.45.197.236 RETN-ASEU Netherlands 2->107 109 14 other IPs or domains 2->109 169 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->169 171 Multi AV Scanner detection for domain / URL 2->171 173 Antivirus detection for dropped file 2->173 175 9 other signatures 2->175 10 5lUjG28hjV.exe 1 12 2->10         started        13 iexplore.exe 1 73 2->13         started        signatures3 process4 dnsIp5 81 C:\Users\user\Desktop\pzyh.exe, PE32 10->81 dropped 83 C:\Users\user\Desktop\pub2.exe, PE32 10->83 dropped 85 C:\Users\user\Desktop\KRSetp.exe, PE32 10->85 dropped 87 3 other files (1 malicious) 10->87 dropped 16 IDWCH1.exe 2 10->16         started        20 Folder.exe 6 10->20         started        22 jg3_3uag.exe 10->22         started        27 3 other processes 10->27 121 192.168.2.1 unknown unknown 13->121 24 iexplore.exe 38 13->24         started        file6 process7 dnsIp8 61 C:\Users\user\AppData\Local\...\IDWCH1.tmp, PE32 16->61 dropped 129 Antivirus detection for dropped file 16->129 29 IDWCH1.tmp 3 19 16->29         started        63 C:\Users\user\AppData\Local\...\install.dll, PE32 20->63 dropped 65 C:\Users\user\AppData\...65ewtonsoft.Json.dll, PE32 20->65 dropped 33 rundll32.exe 20->33         started        36 conhost.exe 20->36         started        67 C:\Users\user\AppData\Local\...\jg3_3uag.exe, PE32 22->67 dropped 38 jg3_3uag.exe 22->38         started        111 iplogger.org 88.99.66.31, 443, 49731, 49732 HETZNER-ASDE Germany 24->111 113 uyg5wye.2ihsfa.com 88.218.92.148, 49746, 80 ENZUINC-US Netherlands 27->113 115 news-systems.xyz 27->115 117 5 other IPs or domains 27->117 69 C:\Users\user\AppData\...\jfiag3g_gg.exe, PE32 27->69 dropped 71 C:\Users\user\AppData\Local\Temp\CC4F.tmp, PE32 27->71 dropped 131 DLL reload attack detected 27->131 133 Detected unpacking (overwrites its own PE header) 27->133 135 Performs DNS queries to domains with low reputation 27->135 137 3 other signatures 27->137 40 jfiag3g_gg.exe 27->40         started        42 jfiag3g_gg.exe 27->42         started        44 jfiag3g_gg.exe 27->44         started        46 explorer.exe 27->46 injected file9 signatures10 process11 dnsIp12 123 limesfile.com 198.54.126.101, 49734, 80 NAMECHEAP-NETUS United States 29->123 89 C:\Users\user\AppData\...\_________hj__12.exe, PE32 29->89 dropped 91 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 29->91 dropped 93 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 29->93 dropped 95 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 29->95 dropped 48 _________hj__12.exe 29->48         started        139 Writes to foreign memory regions 33->139 141 Allocates memory in foreign processes 33->141 143 Creates a thread in another existing process (thread injection) 33->143 53 svchost.exe 33->53 injected 55 svchost.exe 33->55 injected 125 101.36.107.74, 49739, 80 UHGL-AS-APUCloudHKHoldingsGroupLimitedHK China 38->125 127 iplogger.org 38->127 97 C:\Users\user\Documents\...\jg3_3uag.exe, PE32 38->97 dropped 145 Antivirus detection for dropped file 38->145 147 Multi AV Scanner detection for dropped file 38->147 149 Drops PE files to the document folder of the user 38->149 153 2 other signatures 38->153 151 Tries to harvest and steal browser information (history, passwords, etc) 42->151 file13 signatures14 process15 dnsIp16 99 198.54.116.159 NAMECHEAP-NETUS United States 48->99 101 2.20.142.209 AKAMAI-ASN1EU European Union 48->101 103 2 other IPs or domains 48->103 73 C:\Users\user\AppData\...\Qidejacimu.exe, PE32 48->73 dropped 75 C:\Users\user\AppData\...\Cugyvyluke.exe, PE32 48->75 dropped 77 C:\Program Files (x86)\...\Ledajygaeta.exe, PE32 48->77 dropped 79 4 other files (3 malicious) 48->79 dropped 155 Antivirus detection for dropped file 48->155 157 Detected unpacking (overwrites its own PE header) 48->157 159 Machine Learning detection for dropped file 48->159 161 Searches for Windows Mail specific files 48->161 163 System process connects to network (likely due to code injection or exploit) 53->163 165 Sets debug register (to hijack the execution of another thread) 53->165 167 Modifies the context of a thread in another process (thread injection) 53->167 57 svchost.exe 53->57         started        file17 signatures18 process19 dnsIp20 119 email.yg9.me 198.13.62.186 AS-CHOOPAUS United States 57->119 177 Query firmware table information (likely to detect VMs) 57->177 signatures21
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/537b9009fd3cf3cc86499cba9ceda7ee637cd79069fb049a786ce10764ecf033/
Threat name:
ByteCode-MSIL.Infostealer.ClipBanker
Create hunting rule
Status:
Malicious
First seen:
2021-06-01 00:48:49 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kn5zacp5htz4zbsjts5jz3nh5zrxzv4qnh5qjgtyntqqozhm6azq._file
Verdict:
malicious
Similar samples:
04361291bf3ae8acd73f886bf5cab71fa35097256e12c0bb1b2360d4603a40e7
RedLineStealer
3c2fa1d04daaea31991c29bb4118c3d146a50815a033ea5ae325c3171ebdf713
RedLineStealer
418c5fa990720936d23f83e5bd72b11d4bbf045b33e60efe09e28aa074eac424
RedLineStealer
6a966d8a8bc18b016f35a159c110eb8dd5527b83e39db5fa7300e4634c9cb096
RedLineStealer
b412a43bbd6598818a0fe157f513fc8d74e67430b53b8f29eaefdceb57e7b80b
RedLineStealer
da19103e927e19daedc51212deb60ceca403e3e9876c52a9dec41d7e6215929b
RedLineStealer
e55e95de03dff2a35cb8304d855c944a5309c56ff8d369af0a542e600faa6808
RedLineStealer
e6e11a92390d1e01775514d1a4f047f5b94471070a07bf82b6e9fe5c547d55a8
RedLineStealer
ea50cc254fa1cc865d19d13bbdf206dc69092d6f723cb56a3843d74ba83e64a0
RedLineStealer
ff4a3e44fcd1cfbbf10ac318aca7559e0c20d0563e11e8a98e21e09e97ca68d3
RedLineStealer
+ 684 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:plugx family:redline family:smokeloader family:vidar backdoor discovery evasion infostealer persistence spyware stealer trojan upx vmprotect
Link:
https://tria.ge/reports/210608-16lc3b11m2/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
NTFS ADS
Script User-Agent
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Drops desktop.ini file(s)
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
UPX packed file
VMProtect packed file
Checks for common network interception software
PlugX
RedLine
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
http://ppcspb.com/upload/
http://mebbing.com/upload/
http://twcamel.com/upload/
http://howdycash.com/upload/
http://lahuertasonora.com/upload/
http://kpotiques.com/upload/
Unpacked files
SH256 hash:
e77cdc6d91da7a5293f4b9ec11524dd8302c63b44d3aa2eaa5ea6691e5216237
MD5 hash:
2724973fee4e3d0f9e3da19e32be212c
SHA1 hash:
632e40eece8d06f9d8bcb88488ecfe34b608ead3
Link:
https://www.unpac.me/results/566e21f4-5fa2-4ba3-9e1f-bc2102c5498b/
SH256 hash:
12b2a34db1f822c089218f1b46c1870462a0afb65ff0364e0f0ba043e93c1e5a
MD5 hash:
a7732204d9c883a4373c8b615c97de43
SHA1 hash:
017de30fc0647908eb8dd532982ce6644fb13e59
Link:
https://www.unpac.me/results/566e21f4-5fa2-4ba3-9e1f-bc2102c5498b/
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/566e21f4-5fa2-4ba3-9e1f-bc2102c5498b/
SH256 hash:
0edfac6be11732ddd99db66821ee47408c2dc1e9bed68e5ef9a8e130c565b79b
MD5 hash:
cbd6029abaa8e977d3b7435c6f70dd0e
SHA1 hash:
ebb89d4d7659ef77b658a86ad00dba0ead869f4c
Link:
https://www.unpac.me/results/566e21f4-5fa2-4ba3-9e1f-bc2102c5498b/
SH256 hash:
9a9a50f91b2ae885d01b95069442f1e220c2a2a8d01e8f7c9747378b4a8f5cfc
MD5 hash:
957460132c11b2b5ea57964138453b00
SHA1 hash:
12e46d4c46feff30071bf8b0b6e13eabba22237f
Link:
https://www.unpac.me/results/566e21f4-5fa2-4ba3-9e1f-bc2102c5498b/
SH256 hash:
ad7c7d62d8cf7d67da20025e9f64e9b3b70e29acd0bda186d2d607970fa24ab9
MD5 hash:
8068af2d3087fc5f66ac2742f923ec08
SHA1 hash:
9d33b4127bb988e73ce336d6a1bbd452a9542749
Link:
https://www.unpac.me/results/566e21f4-5fa2-4ba3-9e1f-bc2102c5498b/
SH256 hash:
26ee7f056fbb8f0b5d3eb8f3abc85e770b5f6db302b2ab725e35408bebbb2488
MD5 hash:
74d2e1ce63a23329f61da491d0cfe9b8
SHA1 hash:
660aeb6092131115aa5ec94c9f4b3953ac51e39b
Link:
https://www.unpac.me/results/566e21f4-5fa2-4ba3-9e1f-bc2102c5498b/
SH256 hash:
ae8ba25519c78f7badb0c2228839d593803e5c9a2602869a96aa49abb13c194c
MD5 hash:
686444e92aa56b87f5f9f79aafb41685
SHA1 hash:
64e31298cec4336fd6ca0398260a153f2d1d6721
Link:
https://www.unpac.me/results/566e21f4-5fa2-4ba3-9e1f-bc2102c5498b/
SH256 hash:
acaab7d87bbab2210388fec2221d16fbaf9e174e40d5908d539116760efa7018
MD5 hash:
e7c58ba62ebec0a45b591d15486f25bf
SHA1 hash:
cdfa8fded3fadfcea7918dda7f5834b78d4ff958
Link:
https://www.unpac.me/results/566e21f4-5fa2-4ba3-9e1f-bc2102c5498b/
SH256 hash:
63ad45de4679352fb4b78d3cd767343f7b1cb21fe9cd6b7f2febc9b77536092c
MD5 hash:
79bec8e2e85d7f5249e538e7d91d7913
SHA1 hash:
a3a734f24a9575e0d48861cbae27a26e53af8a47
Link:
https://www.unpac.me/results/566e21f4-5fa2-4ba3-9e1f-bc2102c5498b/
SH256 hash:
1bfbd2e00e56583e0d36d469d3c735366948a8d61f30099a33a5b85cd8735cef
MD5 hash:
00d286039cb95d0d972a5cebc338038d
SHA1 hash:
f928410b11b8eb84b4c2670316ba94c8a1c6084f
Link:
https://www.unpac.me/results/566e21f4-5fa2-4ba3-9e1f-bc2102c5498b/
SH256 hash:
6b3a2593b70c97fdbe4eeb60ead859453da402a65b0909245cdbe9f9ada51ca9
MD5 hash:
d346fb760e619fa5f8698225fe574137
SHA1 hash:
3d0e121499c9c24463d78703b61b7b063fffd62f
Link:
https://www.unpac.me/results/566e21f4-5fa2-4ba3-9e1f-bc2102c5498b/
SH256 hash:
7756af24b68e1aa8058b466eb17ed6b77a368d2857c4d1789bc8c48e4541acce
MD5 hash:
4fe1215cf23bf3a1969f18e492a63b10
SHA1 hash:
ead530757ed207f65e34bc1938ca8da077f4e43c
Link:
https://www.unpac.me/results/566e21f4-5fa2-4ba3-9e1f-bc2102c5498b/
SH256 hash:
537b9009fd3cf3cc86499cba9ceda7ee637cd79069fb049a786ce10764ecf033
MD5 hash:
b66a47940ae6240a80ecef2a642ff96f
SHA1 hash:
592fd6711c019e8739221392b84fda7c988f5e42
Link:
https://www.unpac.me/results/566e21f4-5fa2-4ba3-9e1f-bc2102c5498b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/537b9009fd3cf3cc86499cba9ceda7ee637cd79069fb049a786ce10764ecf033

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:Glasses
Create hunting rule
Author:Seth Hardy
Description:Glasses family
Rule name:GlassesCode
Create hunting rule
Author:Seth Hardy
Description:Glasses code features
Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:MALWARE_Win_HyperBro03
Create hunting rule
Author:ditekSHen
Description:Hunt HyperBro IronTiger / LuckyMouse / APT27 malware
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/165217/

Comments