MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 59cc3561cf457f8e258eaac0dcaa33e9f2294400b92af8bfb5c5b66290322236. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 59cc3561cf457f8e258eaac0dcaa33e9f2294400b92af8bfb5c5b66290322236
SHA3-384 hash: 14133fafb7ceb229cdd74288a5525ca49692e85f799c5760d1b3522d4cb6b10914fbf61f951f6411a689f1b0ccaa0003
SHA1 hash: dceb0549838da324b782d1cf59ea1eba48f2c435
MD5 hash: c5906ae3ce0c2bc2a88c40e1822320e0
humanhash: robert-july-football-batman
File name:Genshin Impact.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'426'840 bytes
First seen:2022-07-26 14:14:03 UTC
Last seen:2022-07-26 14:47:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1e33718404ffbe0d91b536c10bf053f8 (80 x RedLineStealer, 7 x RecordBreaker, 4 x N-W0rm)
ssdeep 24576:NKK1BxJ7Sjo7XtqYkYKLvlL67Mm0dOisD3aHQ5LVB8ZoFC3/L7A:nSjob/twCaZoFC3/3A
TLSH T121656C29EB0619B4DA239771C5DEEB3B9B147A248022EF3BFF4ADE08A4331137C55156
TrID 33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
21.3% (.EXE) Win64 Executable (generic) (10523/12/4)
13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter tech_skeech
Tags:exe RedLineStealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
194.93.2.28:21390 https://threatfox.abuse.ch/ioc/839673/

Intelligence

File Origin
# of uploads :
2
# of downloads :
267
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/294294/
Detection(s):
SecuriteInfo.com.Trojan.GenericKDZ.90177.10407.2951.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/27495/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug overlay packed
Link:
https://www.filescan.io/uploads/62dff7625c40cd8dc5ee79ab/reports/6df0a225-3fed-4475-b731-8b801cb75ab4/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Certishell
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8a89ec63-ca94-4565-85ad-f202fbb7c5e0
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1041118
Signature
Antivirus detection for dropped file
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 673608 Sample: Genshin Impact.exe Startdate: 26/07/2022 Architecture: WINDOWS Score: 100 63 neredenkyor.xyz 2->63 65 transfer.sh 2->65 67 2 other IPs or domains 2->67 83 Snort IDS alert for network traffic 2->83 85 Malicious sample detected (through community Yara rule) 2->85 87 Antivirus detection for dropped file 2->87 89 6 other signatures 2->89 10 Genshin Impact.exe 1 2->10         started        signatures3 process4 signatures5 101 Writes to foreign memory regions 10->101 103 Injects a PE file into a foreign processes 10->103 13 AppLaunch.exe 15 11 10->13         started        18 conhost.exe 10->18         started        process6 dnsIp7 75 185.106.92.139, 16578, 49768 SUPERSERVERSDATACENTERRU Russian Federation 13->75 77 a0669976.xsph.ru 141.8.195.65, 49789, 49796, 49798 SPRINTHOSTRU Russian Federation 13->77 55 C:\Users\user\AppData\Local\...\updater.exe, PE32 13->55 dropped 57 C:\Users\user\AppData\Local\Temp\update.exe, PE32 13->57 dropped 59 C:\Users\user\AppData\Local\Temp\upd.exe, PE32 13->59 dropped 61 2 other malicious files 13->61 dropped 105 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 13->105 107 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 13->107 109 Tries to harvest and steal browser information (history, passwords, etc) 13->109 111 Tries to steal Crypto Currency Wallets 13->111 20 update.exe 2 13->20         started        24 upd.exe 3 13->24         started        27 updater.exe 2 13->27         started        29 2 other processes 13->29 file8 signatures9 process10 dnsIp11 49 C:\Users\user\AppData\Local\Temp\4853.exe, PE32 20->49 dropped 91 Antivirus detection for dropped file 20->91 93 Multi AV Scanner detection for dropped file 20->93 95 Suspicious powershell command line found 20->95 31 powershell.exe 20->31         started        69 127.0.0.1 unknown unknown 24->69 71 192.168.2.1 unknown unknown 24->71 73 a0669976.xsph.ru 24->73 51 C:\Users\user\AppData\Local\Temp\v.exe, PE32 24->51 dropped 33 v.exe 24->33         started        53 C:\Users\user\AppData\Local\Temp\4739.exe, PE32 27->53 dropped 36 powershell.exe 27->36         started        38 conhost.exe 29->38         started        file12 signatures13 process14 signatures15 40 4853.exe 31->40         started        43 conhost.exe 31->43         started        79 Antivirus detection for dropped file 33->79 81 Multi AV Scanner detection for dropped file 33->81 45 conhost.exe 33->45         started        47 conhost.exe 36->47         started        process16 signatures17 97 Antivirus detection for dropped file 40->97 99 Multi AV Scanner detection for dropped file 40->99
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/59cc3561cf457f8e258eaac0dcaa33e9f2294400b92af8bfb5c5b66290322236/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-07-26 14:15:08 UTC
File Type:
PE (Exe)
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lhgdkyopiv7y4jmovlanzkrt5hzcsraaxevprp5vyw3gfebsei3a._file
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:@moriwws botnet:parlamentaquva infostealer miner spyware stealer
Link:
https://tria.ge/reports/220726-rj1x2adfa9/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks computer location settings
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Downloads MZ/PE file
Executes dropped EXE
Detected Stratum cryptominer command
RedLine
RedLine payload
Malware Config
C2 Extraction:
185.106.92.139:16578
193.106.191.106:26883
185.186.142.127:6737
45.155.204.124:23180
194.93.2.28:21390
185.215.113.94:15995
neredenkyor.xyz:81
Unpacked files
SH256 hash:
52c5ddcc6a36e3331b1478c72853ad4ff9c3f4d966d0f2fdd58bd924fd590023
MD5 hash:
58c4b923a12c9589733bf5a2db72949a
SHA1 hash:
254b753fe355a8f95dd5008c813e97aabb6fea68
Link:
https://www.unpac.me/results/9f661b67-8ea7-49e8-88bf-570d2a2b5a17/
SH256 hash:
59cc3561cf457f8e258eaac0dcaa33e9f2294400b92af8bfb5c5b66290322236
MD5 hash:
c5906ae3ce0c2bc2a88c40e1822320e0
SHA1 hash:
dceb0549838da324b782d1cf59ea1eba48f2c435
Link:
https://www.unpac.me/results/9f661b67-8ea7-49e8-88bf-570d2a2b5a17/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 59cc3561cf457f8e258eaac0dcaa33e9f2294400b92af8bfb5c5b66290322236

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/294294/

Comments