MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 58f64e4083fa288b091dc0d29a050da9cd09e4ee6607aff2e5fa5ffbe2c7a887. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: RedLineStealer
Vendor detections: 11

SHA256 hash: 58f64e4083fa288b091dc0d29a050da9cd09e4ee6607aff2e5fa5ffbe2c7a887
SHA3-384 hash: 0664ef30c2296fddeab4abc0b15865a0f159ce357f674b0bd5a0a01f88c114a06e7b41545822367adb95abb420002ee8
SHA1 hash: 502acf6405c03eb6533c3337b5c7c2c34c910cf6
MD5 hash: 2283f11e692747d6de67bedc4f5811e0
humanhash: lion-eleven-west-pluto
File name: GTA5TerrorMM.exe
Signature: RedLineStealer
File size: 4'476'416 bytes
First seen: 2021-10-24 19:30:17 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 908bea7ee71339f1c35ba419da3ba679 (36 x RedLineStealer, 2 x RaccoonStealer)
ssdeep: 98304:JLAcjbm8mrQg2fdT0ZQ4OGczQ1ccQyBwVQ0eD4FRZXlJVhvbjg5Lbr:58rQRKQZz8ccQyWVaARxbvXg5P
Threatray: 281 similar samples on MalwareBazaar
TLSH: T1AB26232372520125D1F3C87A552B7EE471FA46638B829CBEB6E67EC52D304E0F622D53
Reporter: tech_skeech
Tags: CoinMiner.XMRig exe RedLineStealer

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 178.33.87.34:45760
ThreatFox reference: https://threatfox.abuse.ch/ioc/237529/

This is the same host and port that AppLaunch.exe, spawned by the sample, connects to in the sandbox behaviour graph further down this page.

Intelligence


File Origin
# of uploads :
1
# of downloads :
339
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
GTA5TerrorMM.exe
Verdict:
Malicious activity
Analysis date:
2021-10-24 19:28:35 UTC
Tags:
trojan rat redline

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Clean
Maliciousness:
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Verdict:
Malicious
Result
Threat name:
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to many ports of the same IP (likely port scanning)
Creates a thread in another existing process (thread injection)
Detected Stratum mining protocol
Drops executables to the windows directory (C:\Windows) and starts them
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Powershell Defender Exclusion
Sigma detected: Xmrig
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph (ID 508295; sample GTA5TerrorMM.exe; start date 24/10/2021; architecture WINDOWS; score 100). The graph image was flattened during extraction; the process tree below carries the same nodes, with the network connections, dropped files and signatures the graph attached to each process. Where the graph attributes dropped files to conhost.exe, the parent process carries a thread-injection signature, so the writes are consistent with code injected into conhost.exe rather than conhost.exe itself.

Top-level signatures: Sigma detected: Xmrig; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 8 other signatures

GTA5TerrorMM.exe
  signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION; Writes to foreign memory regions; Injects a PE file into a foreign processes
  -> AppLaunch.exe
     network: 178.33.87.34:45760 (local port 49753; OVH, France); cdn.discordapp.com 162.159.134.233:443 (local port 49758; CLOUDFLARENET, United States)
     dropped: C:\Users\user\AppData\Local\Temp\fl.exe (PE32)
     signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
     -> fl.exe
        dropped: C:\Users\user\AppData\Local\Temp\turbo.exe (PE32+); C:\Users\user\AppData\...\monero-cash.exe (PE32+)
        signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Adds a directory exclusion to Windows Defender
        -> cmd.exe
           -> monero-cash.exe
              signatures: Multi AV Scanner detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes
              -> conhost.exe
                 dropped: C:\Windows\System32\services64.exe (PE32+)
                 -> cmd.exe
                    signature: Drops executables to the windows directory (C:\Windows) and starts them
                    -> services64.exe
                       signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
                       -> conhost.exe
                          dropped: C:\Windows\System32\...\sihost64.exe (PE32+); C:\Windows\System32\Microsoft\Libs\WR64.sys (PE32+)
                          signatures: Drops executables to the windows directory (C:\Windows) and starts them; Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); 2 other signatures
                          -> sihost64.exe
                             signatures: Multi AV Scanner detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
                    -> conhost.exe
                 -> cmd.exe
                    signature: Uses schtasks.exe or at.exe to add and modify task schedules
                    -> conhost.exe
                    -> schtasks.exe
           -> conhost.exe
        -> cmd.exe
           -> turbo.exe
              signature: Creates a thread in another existing process (thread injection)
              -> conhost.exe
                 dropped: C:\Windows\System32\dsfsdf.exe (PE32+)
                 -> cmd.exe
                    -> dsfsdf.exe
                       -> conhost.exe
                          dropped: C:\Windows\System32\...\sihost32.exe (PE32+)
                    -> conhost.exe
                 -> cmd.exe
                    -> conhost.exe
                    -> schtasks.exe
           -> conhost.exe
        -> cmd.exe
           signature: Adds a directory exclusion to Windows Defender
           -> powershell.exe
           -> conhost.exe
           -> powershell.exe
  -> WerFault.exe
     network: 192.168.2.1 (unknown)
     dropped: C:\ProgramData\Microsoft\...\Report.wer (Little-endian)

services64.exe (separate top-level instance)
  signatures: Multi AV Scanner detection for dropped file; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
  -> conhost.exe
     -> cmd.exe
        -> conhost.exe
        -> taskkill.exe

dsfsdf.exe (separate top-level instance)

9 other processes
  signature: Changes security center settings (notifications, updates, antivirus, firewall)
  -> MpCmdRun.exe
     -> conhost.exe
  -> WerFault.exe
  -> conhost.exe
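The signature list and process tree above describe a small set of host behaviours that a detection engineer can turn into rules: the PowerShell Defender exclusion, schtasks persistence launched from cmd.exe, binaries dropped into C:\Windows\System32 and executed, and the XMRig command line. The following is an added example, not code from MalwareBazaar or from any of the sandbox vendors quoted on this page; it runs those four checks over constructed Sysmon Event ID 1-style process-creation records. The command lines, the pool.invalid host and the KNOWN_SYSTEM32 allowlist are assumptions for illustration, not strings recovered from this sample.

```python
"""Process-creation detections for the behaviour chain reported above.

Added example, not MalwareBazaar or vendor code. The records below are
constructed to resemble Sysmon Event ID 1 fields (Image, ParentImage,
CommandLine); the command lines are modelled on the signature names and
are assumptions, not strings taken from the sample.
"""
import re

# Add-MpPreference with any exclusion switch (path, process or extension).
POWERSHELL_EXCLUSION = re.compile(
    r"Add-MpPreference\b.*-Exclusion(?:Path|Process|Extension)\b", re.IGNORECASE)
# "/create" anywhere on a schtasks command line.
SCHTASKS_CREATE = re.compile(r"(?:^|\s)/create\b", re.IGNORECASE)
# Arguments characteristic of XMRig and its forks (Stratum pool URL, donate level).
XMRIG_ARGS = re.compile(r"stratum\+tcp://|--donate-level\b", re.IGNORECASE)
SYSTEM32_DIR = re.compile(r"^[a-z]:\\windows\\system32\\", re.IGNORECASE)

# Constructed allowlist standing in for a golden-image baseline of System32.
# In production this comes from the image build, not from a hand-written set.
KNOWN_SYSTEM32 = {
    "cmd.exe", "conhost.exe", "schtasks.exe", "taskkill.exe", "notepad.exe",
    "powershell.exe", "svchost.exe", "werfault.exe", "mpcmdrun.exe",
}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def match_rules(event: dict) -> list:
    """Return the names of every rule the record trips, in a fixed order."""
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    cmdline = event["CommandLine"]
    hits = []
    if image == "powershell.exe" and POWERSHELL_EXCLUSION.search(cmdline):
        hits.append("defender_exclusion_via_powershell")
    if image == "schtasks.exe" and parent == "cmd.exe" and SCHTASKS_CREATE.search(cmdline):
        hits.append("schtasks_create_from_cmd")
    # A binary under System32 that the baseline does not know, launched by cmd.exe:
    # the services64.exe / dsfsdf.exe pattern from the graph.
    if (SYSTEM32_DIR.match(event["Image"]) and parent == "cmd.exe"
            and image not in KNOWN_SYSTEM32):
        hits.append("unknown_binary_in_system32")
    if XMRIG_ARGS.search(cmdline):
        hits.append("xmrig_command_line")
    return hits


def scan(events) -> list:
    """Flatten (rule, image) pairs over a stream of process-creation records."""
    return [(rule, basename(ev["Image"])) for ev in events for rule in match_rules(ev)]


# Constructed Sysmon EID 1-style records (not real telemetry).
EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32'"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\System32\services64.exe"'},
    {"Image": r"C:\Windows\System32\services64.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Windows\System32\services64.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",          # benign control
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
    {"Image": r"C:\Windows\System32\schtasks.exe",         # benign: query, not create
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r'schtasks /query /tn "Microsoft\Windows\Defrag\ScheduledDefrag"'},
    {"Image": r"C:\Users\user\AppData\Local\Temp\monero-cash.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "monero-cash.exe -o stratum+tcp://pool.invalid:3333 --donate-level 0"},
]

if __name__ == "__main__":
    for rule, image in scan(EVENTS):
        print(f"{rule:36s} {image}")
```

Two of these rules are deliberately narrow. The System32 check keys on the parent being cmd.exe because that is how the graph shows the dropped copies being started; a broader version would compare the image's Authenticode signature or hash against the baseline instead of a name allowlist. The schtasks rule requires "/create" so that routine task queries from svchost.exe, as in the fifth record, stay quiet.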
Threat name:
Win32.Infostealer.Fragtor
Status:
Malicious
First seen:
2021-10-24 19:31:07 UTC
AV detection:
18 of 45 (40.00%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:redline family:xmrig infostealer miner spyware
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
XMRig Miner Payload
RedLine
RedLine Payload
Suspicious use of NtCreateProcessExOtherParentProcess
xmrig
Unpacked files
SHA256 hash: 0171efd3b65c3308e2d53c7cb18d3f7b34e77cde4c7ffb2c7ff8dd98bdb39bb8
MD5 hash: ced040c92aae3109f37e31dbd87b0937
SHA1 hash: f2d6413b36a8b0bfb50bb380aeac119e5eb27cbd

SHA256 hash: 58f64e4083fa288b091dc0d29a050da9cd09e4ee6607aff2e5fa5ffbe2c7a887 (the submitted sample)
MD5 hash: 2283f11e692747d6de67bedc4f5811e0
SHA1 hash: 502acf6405c03eb6533c3337b5c7c2c34c910cf6
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
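The first rule above fires when the PE compilation timestamp lies after the scanner's clock. The check itself is a single field read: the DOS header's e_lfanew points at the "PE\0\0" signature, and the COFF file header that follows carries a 4-byte TimeDateStamp at offset 8. The following is an added example that implements that check in Python; it is not ditekSHen's YARA rule and not MalwareBazaar code. The minimal PE image it builds for testing is constructed here and is not bytes from the sample above.

```python
"""Compare a PE's COFF TimeDateStamp with the clock, the same test the
INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture rule makes.

Added example, not the YARA rule itself and not MalwareBazaar code.
build_minimal_pe() constructs a synthetic image for testing; it is not
derived from the sample on this page.
"""
import struct
import time

E_LFANEW_OFFSET = 0x3C        # DOS header field holding the PE signature offset
COFF_TIMESTAMP_OFFSET = 8     # bytes past "PE\0\0": Machine(2) + NumberOfSections(2)


def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since the Unix epoch)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + COFF_TIMESTAMP_OFFSET)
    return stamp


def timestamp_in_future(data: bytes, now=None, slack: int = 0) -> bool:
    """True when the compile timestamp lies after `now` (default: wall clock).

    `slack` (seconds) absorbs clock skew between a build machine and the scanner,
    so a binary compiled a few minutes ago on a fast clock is not flagged.
    """
    if now is None:
        now = int(time.time())
    return pe_timestamp(data) > now + slack


def build_minimal_pe(timestamp: int) -> bytes:
    """Construct the smallest image the checks above accept: a 64-byte DOS
    header whose e_lfanew points at a PE signature and a 20-byte COFF header."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, len(dos))
    coff = struct.pack(
        "<HHIIIHH",
        0x8664,      # Machine: x64
        1,           # NumberOfSections
        timestamp,   # TimeDateStamp
        0, 0,        # PointerToSymbolTable, NumberOfSymbols
        0xF0,        # SizeOfOptionalHeader (PE32+)
        0x0022,      # Characteristics: EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    )
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        # No file given: use a synthetic image stamped ten years ahead.
        blob = build_minimal_pe(int(time.time()) + 10 * 365 * 86400)
    stamp = pe_timestamp(blob)
    print(time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(stamp)),
          "FUTURE" if timestamp_in_future(blob) else "ok")
```

Treat a future timestamp as a weak indicator to be combined with others rather than a verdict on its own: deterministic builds (MSVC with /Brepro, and the .NET SDK's deterministic compilation) write a hash-derived value into TimeDateStamp, so legitimate software can appear to come from the future, and a stomped timestamp in the past is just as easy for an attacker to set.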

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: RedLineStealer
File type: Executable exe
SHA256: 58f64e4083fa288b091dc0d29a050da9cd09e4ee6607aff2e5fa5ffbe2c7a887 (this sample)
