MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5cb7dc8f48821f9e1f48c9d2d52f0f8e435c1286e5e0df3551f614deccdc47dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs 3 YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5cb7dc8f48821f9e1f48c9d2d52f0f8e435c1286e5e0df3551f614deccdc47dc
SHA3-384 hash: 4596a1755bcaf94e9231e50bb637e7678e55834886f3d11e1a4946529b974890f74c31fb89f8ac1e8ecbe9260be31304
SHA1 hash: 47f849e72bd7d203755775eebef19e1efa71ee19
MD5 hash: 2ab67006fad0b7b4e8fb6496e221a529
humanhash: whiskey-earth-indigo-undress
File name:47f849e72bd7d203755775eebef19e1efa71ee19.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:4'630'016 bytes
First seen:2021-08-13 15:15:31 UTC
Last seen:2021-08-13 16:08:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'737 x AgentTesla, 19'595 x Formbook, 12'238 x SnakeKeylogger)
ssdeep 98304:HnGhGTPqSqfA0kWqa+5RmaH9ieepOs6435I58hsNcA5Pa:mBI02a+5gageepOs6435I58hS
Threatray 307 similar samples on MalwareBazaar
TLSH T1482637786BF8AC9B2F92FCE26CF07A33AA07B6935A62515C981535D20E35F913C51C07
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
http://ggc-partners.info/stats/remember.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://ggc-partners.info/stats/remember.php https://threatfox.abuse.ch/ioc/184297/
http://ggc-partners.info/dlc/distribution.php https://threatfox.abuse.ch/ioc/184298/
http://45.67.231.40/ https://threatfox.abuse.ch/ioc/184315/

Intelligence

File Origin
# of uploads :
2
# of downloads :
149
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
47f849e72bd7d203755775eebef19e1efa71ee19.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-13 15:18:15 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9f598a1c-3f50-4856-8988-519b4eedb457

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/179027/
Detection(s):
SecuriteInfo.com.Trojan.MulDropNET.43.20660.634.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
DNS request
Connection attempt
Sending a custom TCP request
Sending a UDP request
Creating a file
Connection attempt to an infection source
Creating a window
Creating a file in the %AppData% directory
Creating a process with a hidden window
Moving a recently created file
Launching the default Windows debugger (dwwin.exe)
Deleting a recently created file
Reading critical registry keys
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Running batch commands
Using the Windows Management Instrumentation requests
Launching a process
Launching cmd.exe command interpreter
Changing a file
Searching for the window
Unauthorized injection to a recently created process
Query of malicious DNS domain
Sending a TCP request to an infection source
Stealing user critical data
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Launching a tool to kill processes
Sending an HTTP GET request to an infection source
Sending an HTTP POST request to an infection source
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Socelars
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0bdeb7be-7ea0-409d-ae75-217da2330307
Result
Threat name:
Glupteba Metasploit RedLine Socelars Xmr
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/832521
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Performs DNS queries to domains with low reputation
Sample is not signed and drops a device driver
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Glupteba
Yara detected Metasploit Payload
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 464952 Sample: 1VHJ3t2uPy.exe Startdate: 13/08/2021 Architecture: WINDOWS Score: 100 88 104.21.87.184 CLOUDFLARENETUS United States 2->88 90 212.224.105.106 DE-FIRSTCOLOwwwfirst-colonetDE Germany 2->90 92 5 other IPs or domains 2->92 112 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->112 114 Malicious sample detected (through community Yara rule) 2->114 116 Antivirus detection for URL or domain 2->116 118 17 other signatures 2->118 10 1VHJ3t2uPy.exe 12 2->10         started        13 services64.exe 2->13         started        16 svchost.exe 1 2->16         started        signatures3 process4 file5 74 C:\Users\user\AppData\Local\...\Chrome 5.exe, PE32+ 10->74 dropped 76 C:\Users\user\AppData\Local\...\BearVpn 3.exe, PE32 10->76 dropped 78 C:\Users\user\AppData\Local\Temp\8.exe, PE32 10->78 dropped 80 8 other malicious files 10->80 dropped 18 Chrome 5.exe 5 10->18         started        21 3.exe 14 5 10->21         started        25 1.exe 15 8 10->25         started        27 7 other processes 10->27 136 Contains functionality to inject code into remote processes 13->136 signatures6 process7 dnsIp8 56 C:\Users\user\AppData\...\services64.exe, PE32+ 18->56 dropped 29 services64.exe 18->29         started        34 cmd.exe 1 18->34         started        94 pruders.info 104.21.30.55, 443, 49725 CLOUDFLARENETUS United States 21->94 96 qwertys.info 172.67.194.30, 443, 49723 CLOUDFLARENETUS United States 21->96 58 C:\Users\user\AppData\Local\...\LzmwAqmV.exe, PE32 21->58 dropped 120 Antivirus detection for dropped file 21->120 122 Multi AV Scanner detection for dropped file 21->122 124 Detected unpacking (overwrites its own PE header) 21->124 36 LzmwAqmV.exe 21->36         started        98 music-sec.xyz 104.21.92.87, 49735, 80 CLOUDFLARENETUS United States 25->98 60 C:\Users\user\AppData\Roaming\5303174.exe, PE32 25->60 dropped 62 C:\Users\user\AppData\Roaming\4108201.exe, PE32 25->62 dropped 70 2 other files (none is malicious) 25->70 dropped 126 Detected unpacking (changes PE section rights) 25->126 128 May check the online IP address of the machine 25->128 130 Performs DNS queries to domains with low reputation 25->130 100 95.181.179.116 NEOHOST-ASUA Russian Federation 27->100 102 5.101.44.156 LLHOSTM247EU Russian Federation 27->102 104 11 other IPs or domains 27->104 64 C:\Users\user\AppData\Local\Temp\11111.exe, PE32 27->64 dropped 66 C:\Users\user\AppData\...\rollerkind2[1].exe, PE32 27->66 dropped 68 C:\Users\user\AppData\Local\...\null[1], PE32 27->68 dropped 72 6 other files (1 malicious) 27->72 dropped 132 Machine Learning detection for dropped file 27->132 134 Creates processes via WMI 27->134 38 11111.exe 27->38         started        40 5.exe 27->40         started        42 conhost.exe 27->42         started        44 2 other processes 27->44 file9 signatures10 process11 dnsIp12 106 sanctam.net 185.65.135.248, 49736, 58899 ESAB-ASSE Sweden 29->106 108 bitbucket.org 104.192.141.1, 443, 49737 AMAZON-02US United States 29->108 82 C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+ 29->82 dropped 84 C:\Users\user\AppData\...\sihost64.exe, PE32+ 29->84 dropped 138 Writes to foreign memory regions 29->138 140 Allocates memory in foreign processes 29->140 142 Modifies the context of a thread in another process (thread injection) 29->142 156 2 other signatures 29->156 46 cmd.exe 29->46         started        144 Uses schtasks.exe or at.exe to add and modify task schedules 34->144 48 conhost.exe 34->48         started        50 schtasks.exe 1 34->50         started        146 Detected unpacking (changes PE section rights) 36->146 148 Detected unpacking (overwrites its own PE header) 36->148 150 Machine Learning detection for dropped file 36->150 152 Multi AV Scanner detection for dropped file 38->152 154 Tries to harvest and steal browser information (history, passwords, etc) 38->154 110 live.goatgame.live 172.67.222.125, 443, 49733 CLOUDFLARENETUS United States 40->110 86 C:\Users\user\AppData\Local\Temp\sqlite.dll, PE32 40->86 dropped 52 conhost.exe 40->52         started        file13 signatures14 process15 process16 54 conhost.exe 46->54         started       
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5cb7dc8f48821f9e1f48c9d2d52f0f8e435c1286e5e0df3551f614deccdc47dc/
Threat name:
ByteCode-MSIL.Backdoor.Mokes
Create hunting rule
Status:
Malicious
First seen:
2021-08-11 23:36:17 UTC
AV detection:
23 of 27 (85.19%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ls35zd2iqipz4h2izhjnklyprzbvyeug4xqn6nkr6ykn5tg4i7oa._file
Verdict:
malicious
Similar samples:
299dc3bb613a10e1a2d96c3e49d62d42145b1a48fbd6a087da6cc56661e82546
RedLineStealer
7c88f9d38fcb9dd17d733e65a8ebee46d6b74700a02ba5a4614b7b6002d5ef0c
RedLineStealer
908b275d6fc2f20e9d04e8609a9d994f7e88a429c3eb0a55d99ca1c681e17ec8
RedLineStealer
a526e9dae9298bbd03ca2a8fc8a45809eac1543bbec4680182493c551d65f731
RedLineStealer
b1c5fd5c0f6a2760eb638414d9bf9b7536b81f45edbd9d509dd085346c67a6ae
RedLineStealer
c6c9d678a3313c5bb7fe71194a2a1e4d3ffca2f04252dd1983ba657cfe17320e
RedLineStealer
e08f276f148db04bdcd9fe52e5418b06572a5c537e5610d1ef711591c6d416bf
RedLineStealer
+ 297 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:metasploit family:raccoon family:redline family:socelars family:xmrig botnet:022f7f19749a47aa4d6a10b25bfd352ecb963373 botnet:mix 14.08 backdoor discovery dropper infostealer loader miner persistence spyware stealer suricata trojan
Link:
https://tria.ge/reports/210813-3gbsg66f2a/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Nirsoft
XMRig Miner Payload
Glupteba
Glupteba Payload
MetaSploit
Process spawned unexpected child process
Raccoon
Raccoon Stealer Payload
RedLine
RedLine Payload
Socelars
Socelars Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger
suricata: ET MALWARE GCleaner Downloader Activity M1
suricata: ET MALWARE GCleaner Downloader Activity M3
suricata: ET MALWARE GCleaner Related Downloader User-Agent
suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
xmrig
Malware Config
C2 Extraction:
185.215.113.17:18597
Unpacked files
SH256 hash:
5cb7dc8f48821f9e1f48c9d2d52f0f8e435c1286e5e0df3551f614deccdc47dc
MD5 hash:
2ab67006fad0b7b4e8fb6496e221a529
SHA1 hash:
47f849e72bd7d203755775eebef19e1efa71ee19
Link:
https://www.unpac.me/results/2e211cf7-fc5a-450a-81a0-eb003110b746/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5cb7dc8f48821f9e1f48c9d2d52f0f8e435c1286e5e0df3551f614deccdc47dc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:MALWARE_Win_CoinMiner02
Create hunting rule
Author:ditekSHen
Description:Detects coinmining malware
Rule name:MAL_XMR_Miner_May19_1
Create hunting rule
Author:Florian Roth
Description:Detects Monero Crypto Coin Miner
Reference:https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_XORed_Mozilla
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/179027/

Comments