MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 66155486f7e22faf23329dcc1cf5f1b157e48740fd2b6ea8187f23074972b9bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 66155486f7e22faf23329dcc1cf5f1b157e48740fd2b6ea8187f23074972b9bd
SHA3-384 hash: 57db35f415fb46d2f606b4e993ffb3a466e58d04da57ef8c7ffb85bb63eaf29179218d1fd3d73468bc919080177c1c84
SHA1 hash: 4afa455e9b4608a3c6c99ddf087ea6dfe84aa007
MD5 hash: f19af6eef519084d51489efc82a0559c
humanhash: don-utah-indigo-london
File name:66155486f7e22faf23329dcc1cf5f1b157e48740fd2b6.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:581'016 bytes
First seen:2021-11-12 11:00:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:qU7JG8N6F68BZGdCNHFdUj+ywZ50/sYfi0gwU5AeV:96F68BZGdCNHFaCq6
Threatray 27 similar samples on MalwareBazaar
TLSH T1A9C44418ADD28116F9EA6979CBD6AEC9FF3A31D2630357EC63044FC84B01951BE41E78
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
212.86.102.63:62907

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
212.86.102.63:62907 https://threatfox.abuse.ch/ioc/246887/

Intelligence

File Origin
# of uploads :
1
# of downloads :
96
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/205269/
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated overlay packed packed
Link:
https://www.filescan.io/uploads/618e49793edf00a722d033ac/reports/faae3610-534c-46be-a3ba-45b0bbec2510/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/69e3882a-5a33-4991-89e1-0d0e5bc8a41a
Result
Threat name:
BitCoin Miner
Create hunting rule
Detection:
malicious
Classification:
spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/888051
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected BitCoin Miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 520523 Sample: 66155486f7e22faf23329dcc1cf... Startdate: 12/11/2021 Architecture: WINDOWS Score: 100 77 Multi AV Scanner detection for submitted file 2->77 79 Yara detected BitCoin Miner 2->79 81 Sigma detected: Powershell Defender Exclusion 2->81 10 66155486f7e22faf23329dcc1cf5f1b157e48740fd2b6.exe 14 6 2->10         started        15 services32.exe 2->15         started        process3 dnsIp4 71 185.215.113.109, 44059, 49761 WHOLESALECONNECTIONSNL Portugal 10->71 73 cdn.discordapp.com 162.159.135.233, 443, 49765 CLOUDFLARENETUS United States 10->73 75 192.168.2.1 unknown unknown 10->75 69 C:\Users\user\AppData\Local\...\filename.exe, PE32+ 10->69 dropped 107 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 10->107 109 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 10->109 111 Tries to harvest and steal browser information (history, passwords, etc) 10->111 113 Tries to steal Crypto Currency Wallets 10->113 17 filename.exe 4 10->17         started        21 WerFault.exe 20 9 10->21         started        115 Antivirus detection for dropped file 15->115 117 Multi AV Scanner detection for dropped file 15->117 119 Machine Learning detection for dropped file 15->119 121 Adds a directory exclusion to Windows Defender 15->121 23 cmd.exe 15->23         started        file5 signatures6 process7 file8 65 C:\Windows\System32\services32.exe, PE32+ 17->65 dropped 83 Antivirus detection for dropped file 17->83 85 Multi AV Scanner detection for dropped file 17->85 87 Machine Learning detection for dropped file 17->87 25 cmd.exe 17->25         started        28 cmd.exe 1 17->28         started        30 cmd.exe 17->30         started        89 Adds a directory exclusion to Windows Defender 23->89 32 conhost.exe 23->32         started        34 powershell.exe 23->34         started        36 powershell.exe 23->36         started        signatures9 process10 signatures11 101 Drops executables to the windows directory (C:\Windows) and starts them 25->101 38 services32.exe 25->38         started        42 conhost.exe 25->42         started        103 Uses schtasks.exe or at.exe to add and modify task schedules 28->103 105 Adds a directory exclusion to Windows Defender 28->105 44 powershell.exe 23 28->44         started        46 conhost.exe 28->46         started        48 powershell.exe 28->48         started        50 conhost.exe 30->50         started        52 schtasks.exe 30->52         started        process12 file13 67 C:\Windows\System32\...\sihost32.exe, PE32+ 38->67 dropped 97 Drops executables to the windows directory (C:\Windows) and starts them 38->97 99 Adds a directory exclusion to Windows Defender 38->99 54 sihost32.exe 38->54         started        57 cmd.exe 38->57         started        signatures14 process15 signatures16 91 Antivirus detection for dropped file 54->91 93 Multi AV Scanner detection for dropped file 54->93 95 Adds a directory exclusion to Windows Defender 57->95 59 conhost.exe 57->59         started        61 powershell.exe 57->61         started        63 powershell.exe 57->63         started        process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/66155486f7e22faf23329dcc1cf5f1b157e48740fd2b6ea8187f23074972b9bd/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-11-12 11:01:08 UTC
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mykvjbxx4ix26izstxgbz5prwfl6jb2a7uvw5kayp4rqoslsxg6q._file
Verdict:
malicious
Similar samples:
28f5fb04e33ee8f3257b1a2c6f4ade3f281b0d474eea4bdde2abe622a1b11994
RedLineStealer
2f394d52b952eeea2fdc7b06629711193524d15f0b8b6d6765f02345c7185f99
RedLineStealer
920df869a28663cf24be9e115521174b240a2ea249a637d0e432f57b202bceeb
RedLineStealer
c5532e2792cfe0391bd1a912a7ac696ff86d0fbf9be167e047986ef2ad92e896
RedLineStealer
ce231785f06d7c6b33b20dded67b62f759ec23b23bee89b01fcb00953f7028c9
RedLineStealer
fe3d7939166e8e6ae965d66d98f6ee5583e535b575ba194aef038c6c1ea15ae4
RedLineStealer
+ 17 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer
Link:
https://tria.ge/reports/211112-m4j3ssacdp/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
185.215.113.109:44059
Unpacked files
SH256 hash:
a29536f07b02150aca708b8e1bd804502e91ed4a45c488865a6e8853dea6a962
MD5 hash:
5eec2623bf31e7381fe1bb4ba1c16007
SHA1 hash:
57d3f3ba61bb7abb813e7403e557f70f9b33433f
Link:
https://www.unpac.me/results/528d498a-0ae5-4ade-8b7b-cd014a511b23/
SH256 hash:
66155486f7e22faf23329dcc1cf5f1b157e48740fd2b6ea8187f23074972b9bd
MD5 hash:
f19af6eef519084d51489efc82a0559c
SHA1 hash:
4afa455e9b4608a3c6c99ddf087ea6dfe84aa007
Link:
https://www.unpac.me/results/528d498a-0ae5-4ade-8b7b-cd014a511b23/
Malware family:
RedLine.A
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/66155486f7e2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/66155486f7e22faf23329dcc1cf5f1b157e48740fd2b6ea8187f23074972b9bd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
Create hunting rule
Author:ditekSHen
Description:Detects executables containing bas64 encoded gzip files
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Raccoon stealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/205269/

Comments