MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 689ca59de6d01b808fa447086aefd829f18f5b628c279148220188ab95e66cf1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

SHA256 hash: 689ca59de6d01b808fa447086aefd829f18f5b628c279148220188ab95e66cf1
SHA3-384 hash: 5d3ea61c5f0f5a86a356854cac092007c835f9aa4025799fc61ee3f4e18ce55cf624fda89782421f6ff925a5f02c8a63
SHA1 hash: 27a1d27492d82fb1ae17d1cf1549262d367dba49
MD5 hash: a9acb6b3a69d554e4326726ad9221e15
humanhash: idaho-bacon-double-video
File name: a9acb6b3a69d554e4326726ad9221e15.exe
Signature: RedLineStealer
File size: 10'001'946 bytes
First seen: 2021-03-29 02:35:26 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: e9c0657252137ac61c1eeeba4c021000 (53 x GuLoader, 26 x RedLineStealer, 17 x AgentTesla)
ssdeep: 196608:mRmL/3ck9kIE45JVjL+k5ftYMV3J/uIlO+NLdOMV3:mc/3JnfRCX61uIlO+NLwMV3
TLSH: 62A633ED7126302DD07A94B3A51E74222FA02D3D3D9E9F8B7A21FAE61F70519CB5C250
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
http://5.252.195.219:40355/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                           ThreatFox Reference
http://5.252.195.219:40355/   https://threatfox.abuse.ch/ioc/5653/
http://78.47.33.70:53647/     https://threatfox.abuse.ch/ioc/5707/

Intelligence

File Origin
# of uploads: 1
# of downloads: 128
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: a9acb6b3a69d554e4326726ad9221e15.exe
Verdict: Malicious activity
Analysis date: 2021-03-29 02:37:38 UTC
Tags: rat redline trojan evasion stealer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Running batch commands
Creating a process with a hidden window
Sending a UDP request
Creating a process from a recently created file
Creating a window
Moving a recently created file
Launching a process
Creating a file in the %AppData% subdirectories
DNS request
Sending a custom TCP request
Sending an HTTP POST request
Searching for the window
Adding a root certificate
Creating a service
Launching a service
Deleting a recently created file
Unauthorized injection to a recently created process
Enabling autorun for a service
Unauthorized injection to a system process

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: RedLine stealer
Verdict: Malicious

Result
Threat name: RMSRemoteAdmin Ficker Stealer RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to many ports of the same IP (likely port scanning)
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sigma detected: Check external IP via Powershell
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses known network protocols on non-standard ports
Uses regedit.exe to modify the Windows registry
Yara detected Ficker Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph (ID 377116; sample EVpfhXQLoN.exe; start date 29/03/2021; architecture WINDOWS; score 100)

Graph-level network contacts: zen.hldns.ru; checkip.amazonaws.com (May check the online IP address of the machine); 4 other IPs or domains
Graph-level signatures: Found malware configuration; Antivirus detection for URL or domain; Multi AV Scanner detection for dropped file; 9 other signatures

Process tree recovered from the graph (indentation = parent/child; dropped files, network contacts and signatures are attached to the process they were reported on):

EVpfhXQLoN.exe
  dropped: C:\Users\user\AppData\Local\...\instaler.exe (PE32); C:\Users\user\AppData\...\Xylophages.exe (PE32); C:\Users\user\AppData\Local\Temp\Holler.exe (PE32); 2 other files (none is malicious)
  cmd.exe
    Holler.exe
      network: simple-mind.ru 81.177.140.169, 443, 49703 (RTCOMM-ASRU, Russian Federation)
      signatures: Multi AV Scanner detection for dropped file; Sample uses process hollowing technique
      AddInProcess32.exe (three instances; one of them spawns the following)
        PasswordOnWakeSettingFlyout.exe
          pass.exe
            dropped: C:\Users\user\AppData\Local\Temp\...\pass.tmp (PE32)
            pass.tmp
              dropped: C:\ProgramData\Immunity\is-9JJOI.tmp (PE32); C:\ProgramData\Immunity\is-27VQ1.tmp (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); 3 other files (none is malicious)
              cmd.exe
                rutserv.exe (two instances; network: 192.168.2.1; signature: Query firmware table information (likely to detect VMs))
                conhost.exe
                CertMgr.Exe (signature: Installs new ROOT certificates)
              cmd.exe
                conhost.exe (signature: DLL side loading technique detected)
                regedit.exe
        conhost.exe (signature: DLL side loading technique detected)
        timeout.exe
    instaler.exe
      dropped: C:\Users\user\AppData\Local\...\instaler.tmp (PE32)
      instaler.tmp
        dropped: C:\ProgramData\is-UFDA7.tmp (PE32); C:\ProgramData\is-OSQLR.tmp (PE32+); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
        cmd.exe
          dropped: C:\...\PasswordOnWakeSettingFlyout.exe (PE32+); C:\Windows \System32\uxtheme.dll (PE32+)
          signatures: Drops executables to the windows directory (C:\Windows) and starts them; Uses regedit.exe to modify the Windows registry
    powershell.exe
      network: iplogger.org 88.99.66.31, 443, 49720 (HETZNER-ASDE, Germany)
      signatures: May check the online IP address of the machine; DLL side loading technique detected
    3 other processes
      network: 78.47.33.70, 49721, 49741, 53647 (HETZNER-ASDE, Germany); 5.252.195.219, 40355, 49722, 49723 (IPSERVER-RU-NETFiordRU, Russian Federation)
      signature: Machine Learning detection for dropped file
svchost.exe (signature: Changes security center settings (notifications, updates, antivirus, firewall))
svchost.exe (network: 127.0.0.1)
6 other processes

Result
Threat name: Win32.Trojan.ClipBanker
Status: Malicious
First seen: 2021-03-27 09:38:08 UTC
AV detection: 26 of 29 (89.66%)
Threat level: 5/5

Result
Malware family: redline
Score: 10/10
Tags: family:redline infostealer
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks processor information in registry
Delays execution with timeout.exe
Modifies data under HKEY_USERS
Modifies system certificate store
Runs .reg file with regedit
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Enumerates physical storage devices
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Loads dropped DLL
Blocklisted process makes network request
Executes dropped EXE
RedLine
Unpacked files

SHA256 hash: 83412778c6a1d67f1c404681f1f2e7019f60d2a351773ff69ec9108c1c9feeb4
MD5 hash: a0961b81ee865fd81ba9057a6c390a27
SHA1 hash: f24391857c9c9ca92a7c7e4b33ece95ba4569fca

SHA256 hash: 59b522ff8833852a3cc4016c13129035a581eecc0983d25f8f33e62ca43b11ac
MD5 hash: f667a7e53acfc801ff0a7c538a6366f5
SHA1 hash: 63cd4c4b0834b403aef3c1dab95c833df016e90b

SHA256 hash: 49b7477db8dd22f8cf2d41ee2d79ce57797f02e8c7b9e799951a6c710384349a
MD5 hash: 293165db1e46070410b4209519e67494
SHA1 hash: 777b96a4f74b6c34d43a4e7c7e656757d1c97f01

SHA256 hash: 1fad691c59dc6c8737743d9914dd2cc20e2cad7c71cc27a0b549ad630fc4c6fd
MD5 hash: 5f8ca6f8ae9545e8dcfd212f9f083e0e
SHA1 hash: f5558c751b1ecdf4096f81f07130bdb55098ab3f

SHA256 hash: 8f759abf2d9e308b5b098e2e2df69bfc450f1af6d626eea4cc743e390687564e
MD5 hash: 545313cef59fee38c47eeab16fe877a8
SHA1 hash: d70d4dc085d54e41209f87a1b54494f7b62dc02e

SHA256 hash: a6fe62d19b2b0f608fe3367ba5612742b9ff248b91a32b13fe189c891a22a00d
MD5 hash: 729168d16501390f6b7d92edb38886c4
SHA1 hash: d244dc2a6325b22a02372c2b8e01ef4a3e51d10c

SHA256 hash: 689ca59de6d01b808fa447086aefd829f18f5b628c279148220188ab95e66cf1 (this sample)
MD5 hash: a9acb6b3a69d554e4326726ad9221e15
SHA1 hash: 27a1d27492d82fb1ae17d1cf1549262d367dba49

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Adsterra_Adware_DOM
Author: IlluminatiFish
Description: Detects Adsterra adware script being loaded without the user's consent

Rule name: INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author: ditekSHen
Description: Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name: INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Author: ditekSHen
Description: Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.

Rule name: INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Author: ditekSHen
Description: Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers.

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name: IPPort_combo_mem
Author: James_inthe_box
Description: IP and port combo

Rule name: MALWARE_Win_RemoteUtilitiesRAT
Author: ditekSHen
Description: RemoteUtilitiesRAT RAT payload

Rule name: Select_from_enumeration
Author: James_inthe_box
Description: IP and port combo

Rule name: Steam_stealer_bin_mem
Author: James_inthe_box
Description: Steam in files like avemaria

Rule name: win_rms_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download: RedLineStealer, Executable exe 689ca59de6d01b808fa447086aefd829f18f5b628c279148220188ab95e66cf1 (this sample)

Delivery method: Distributed via web download

Comments