MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 71a117de440384fdc4b8fb690fc73674e9e2a9a75e68951ae798374808924264. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

SHA256 hash: 71a117de440384fdc4b8fb690fc73674e9e2a9a75e68951ae798374808924264
SHA3-384 hash: 499f715483862e060bd4b2439c8fe904b8ff54347ba2331c5629e303b0ca94d05509bc5eea7049870cfcf22ea9ddcd6e
SHA1 hash: 55ba99cf12f267086867a698181ed02110d47d0f
MD5 hash: b51bea293772440512d9e3492c0034f0
humanhash: coffee-indigo-romeo-romeo
File name: 71A117DE440384FDC4B8FB690FC73674E9E2A9A75E689.exe
Signature: RedLineStealer
File size: 4'671'752 bytes
First seen: 2021-11-07 10:20:45 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep 98304:x3rRBtGVUQNqeyN1wjDeWME5hoIc6XdHyaYfZkVHAylyllQbds:x3rRJ3eyNSjyjE5holIdHxYfZkBUQu
TLSH T197263325B6FDC87AC0921070DD9C2B60E0F7D324515BC8EB1B4466DEAF2C687D61B93A
dhash icon 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter abuse_ch
Tags:exe RedLineStealer


abuse_ch
RedLineStealer C2:
135.125.40.67:49126

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                    ThreatFox reference
135.125.40.67:49126    https://threatfox.abuse.ch/ioc/244769/
94.26.230.203:48759    https://threatfox.abuse.ch/ioc/244776/
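The two endpoints above are the data a responder would sweep network logs for. The Python below is an added example, not code from MalwareBazaar or ThreatFox: it parses the IOC table as printed on this page and matches it against connection records. The log lines are constructed for the demo and assume Zeek conn.log column order for the first seven fields (ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto); the "medium confidence" tier for an IP-only match is a design choice of this example.

```python
"""Match the C2 endpoints listed on this page against connection logs.

Added example, not part of MalwareBazaar or ThreatFox. The IOC text is
copied from the table above; the log lines are constructed for the demo
and assume Zeek conn.log column order for the first seven fields
(ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto).
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

IOC_TABLE = """\
135.125.40.67:49126 https://threatfox.abuse.ch/ioc/244769/
94.26.230.203:48759 https://threatfox.abuse.ch/ioc/244776/
"""

# Constructed log lines: one exact C2 hit, one unrelated TLS connection,
# one connection to a listed C2 address on a port the table does not list.
SAMPLE_CONN_LOG = [
    "1636280445.123\tCx1\t10.0.0.15\t51234\t135.125.40.67\t49126\ttcp",
    "1636280446.456\tCx2\t10.0.0.15\t51235\t142.250.74.46\t443\ttcp",
    "1636280447.789\tCx3\t10.0.0.22\t51240\t94.26.230.203\t443\ttcp",
]


@dataclass(frozen=True)
class Ioc:
    ip: str
    port: int
    reference: str


def parse_iocs(text: str) -> list[Ioc]:
    """Parse 'ip:port reference' lines; a malformed address raises ValueError
    instead of silently producing an indicator that can never match."""
    iocs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        endpoint, reference = line.split(None, 1)
        ip, port = endpoint.rsplit(":", 1)
        ipaddress.ip_address(ip)  # validation only
        iocs.append(Ioc(ip, int(port), reference.strip()))
    return iocs


def match_conn_log(lines: list[str], iocs: list[Ioc]) -> list[tuple[int, str, Ioc]]:
    """Return (line number, confidence, ioc) for each hit.

    An exact ip:port match is 'high'. The listed endpoints sit on high,
    non-standard ports that an operator can change, so a connection to a
    listed address on any other port is still reported, at 'medium'.
    """
    by_ip: dict[str, list[Ioc]] = {}
    for ioc in iocs:
        by_ip.setdefault(ioc.ip, []).append(ioc)
    hits = []
    for n, line in enumerate(lines, 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 7:
            continue
        resp_h, resp_p = fields[4], int(fields[5])
        candidates = by_ip.get(resp_h)
        if not candidates:
            continue
        exact = [i for i in candidates if i.port == resp_p]
        if exact:
            hits.append((n, "high", exact[0]))
        else:
            hits.append((n, "medium", candidates[0]))
    return hits


if __name__ == "__main__":
    for n, confidence, ioc in match_conn_log(SAMPLE_CONN_LOG, parse_iocs(IOC_TABLE)):
        print(f"line {n}: {confidence} confidence, {ioc.ip}:{ioc.port} ({ioc.reference})")
```

Only the two ThreatFox entries are used as indicators. Other addresses that appear in the sandbox graph further down (ip-api.com, 127.0.0.1, 192.168.2.1) are a public geolocation service and local addresses, and would produce noise if added to the list.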

Intelligence


File Origin
# of uploads: 1
# of downloads: 138
Origin country: n/a
Vendor Threat Intelligence
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: overlay packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Backstage Stealer SmokeLoader Vidar Xmri
Detection: malicious
Classification: troj.spyw.evad.mine
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to a pastebin service (likely for C&C)
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
DNS related to crypt mining pools
Downloads files with wrong headers with respect to MIME Content-Type
Found C&C like URL pattern
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to resolve many domain names, but no domain seems valid
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Backstage Stealer
Yara detected Costura Assembly Loader
Yara detected SmokeLoader
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
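Several of the signatures above describe Defender tampering that is easy to catch on the endpoint: a directory exclusion added through PowerShell (also reported as a Sigma match), real-time protection switched off through the registry, and schtasks.exe used for persistence. The Python below is an added example, not the sandbox vendor's logic and not the published Sigma rules: it implements a minimal Sigma-style field matcher and runs three rules approximated for this page over constructed event records shaped like PowerShell 4104 script-block events and Sysmon event IDs 1 and 13. Field names follow Windows and Sysmon conventions; the events are not telemetry from this sample.

```python
"""Minimal Sigma-style matching for the Defender-tampering behaviour listed
above. Added example: the rules are approximations written for this page,
not the published Sigma rules, and the events are constructed, not real
telemetry from this sample.

Event shape assumed (field names follow Windows/Sysmon conventions):
  EventID 4104: PowerShell script block logging, field ScriptBlockText
  EventID 13:   Sysmon RegistryEvent (value set), TargetObject/Details
  EventID 1:    Sysmon ProcessCreate, Image/CommandLine
"""
from __future__ import annotations

RULES = [
    {
        "title": "PowerShell Defender exclusion",
        "selection": {
            "EventID": 4104,
            # Add-MpPreference with any -Exclusion* parameter
            "ScriptBlockText|contains|all": ["Add-MpPreference", "-Exclusion"],
        },
    },
    {
        "title": "Defender real-time protection disabled via registry",
        "selection": {
            "EventID": 13,
            "TargetObject|endswith": "\\Real-Time Protection\\DisableRealtimeMonitoring",
            "Details|contains": "0x00000001",
        },
    },
    {
        "title": "Scheduled task pointing into a temp folder",
        "selection": {
            "EventID": 1,
            "Image|endswith": "\\schtasks.exe",
            "CommandLine|contains|all": ["/create", "\\AppData\\Local\\Temp\\"],
        },
    },
]

# Constructed sample events (not from the sandbox run). The second one is a
# benign read of the exclusion list and must not fire.
SAMPLE_EVENTS = [
    {"EventID": 4104,
     "ScriptBlockText": "Add-MpPreference -ExclusionPath 'C:\\Users\\user\\AppData\\Local\\Temp'"},
    {"EventID": 4104,
     "ScriptBlockText": "Get-MpPreference | Select-Object ExclusionPath"},
    {"EventID": 13,
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 1,
     "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": "schtasks /create /sc minute /mo 1 /tn Updater /tr C:\\Users\\user\\AppData\\Local\\Temp\\update.exe /f"},
]


def _field_matches(event: dict, key: str, expected) -> bool:
    """Evaluate one 'field|modifier...' selection entry, case-insensitively.
    Supported modifiers: contains, endswith, and 'all' (every listed value
    must match instead of any)."""
    field, _, mod_str = key.partition("|")
    mods = mod_str.split("|") if mod_str else []
    value = str(event.get(field, "")).lower()
    wanted = expected if isinstance(expected, list) else [expected]
    wanted = [str(w).lower() for w in wanted]
    if "contains" in mods:
        results = [w in value for w in wanted]
    elif "endswith" in mods:
        results = [value.endswith(w) for w in wanted]
    else:
        results = [value == w for w in wanted]
    return all(results) if "all" in mods else any(results)


def match_rule(rule: dict, event: dict) -> bool:
    """A rule fires when every entry of its selection matches
    (the Sigma 'condition: selection' case)."""
    return all(_field_matches(event, k, v) for k, v in rule["selection"].items())


def scan(events: list[dict], rules: list[dict]) -> list[tuple[int, str]]:
    """Return (event index, rule title) for every rule that fires."""
    return [(i, r["title"]) for i, ev in enumerate(events) for r in rules if match_rule(r, ev)]


if __name__ == "__main__":
    for idx, title in scan(SAMPLE_EVENTS, RULES):
        print(f"event {idx}: {title}")
```

The registry rule keys on the policy path rather than on the Defender service's own key because that is the location a process can write without first disabling tamper protection; a production rule should watch both. Script block logging (4104) has to be enabled for the first rule to see anything at all.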
Behaviour
Behavior Graph (ID 517223; sample 71A117DE440384FDC4B8FB690FC...; start date 07/11/2021; architecture WINDOWS; score 100), flattened from the graph image into a process tree:

Network activity at start: yip.su; remotepc3.xyz; 18 other IPs or domains
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; 23 other signatures
  remotepc3.xyz: Tries to resolve many domain names, but no domain seems valid

71A117DE440384FDC4B8FB690FC73674E9E2A9A75E689.exe
  dropped: C:\Users\user\AppData\Local\...\zlib1.dll (PE32); C:\Users\user\AppData\...\setup_install.exe (PE32); C:\Users\user\AppData\Local\...\libzip.dll (PE32); 3 other files (none is malicious)
  setup_install.exe
    dropped: C:\Users\user\AppData\...\237a24dfd0a.exe (PE32)
    cmd.exe
      signature: Adds a directory exclusion to Windows Defender
      237a24dfd0a.exe
        dropped: C:\Users\user\AppData\...\setup_install.exe (PE32); C:\Users\user\...\Tue02cbf255aeefcc23.exe (PE32); C:\Users\user\AppData\...\Tue02c230a835.exe (PE32); 12 other files (7 malicious)
        signature: Multi AV Scanner detection for dropped file
        setup_install.exe
          network: sornx.xyz 104.21.43.244 (ports 49757, 80; CLOUDFLARENETUS, United States); 127.0.0.1; a.goatgame.co
          signatures: Performs DNS queries to domains with low reputation; Adds a directory exclusion to Windows Defender
          cmd.exe
            Tue02bfe594ac.exe
              signatures: Antivirus detection for dropped file; Detected unpacking (changes PE section rights); Machine Learning detection for dropped file; 4 other signatures
          cmd.exe
            Tue0212efc3b6f712.exe
              network: 212.192.241.15 (ports 49796, 49803, 49811; RAPMSB-ASRU, Russian Federation); 7 other IPs or domains
              dropped: C:\Users\...\2AjYAI26FIJauZyayCvnoPIJ.exe (PE32+); C:\Users\user\...70iceProcessX64[1].bmp (PE32+)
              signatures: Multi AV Scanner detection for dropped file; May check the online IP address of the machine; Tries to harvest and steal browser information (history, passwords, etc); Disable Windows Defender real time protection (registry)
          cmd.exe
            Tue02b96821f0a586d.exe
              network: ip-api.com 208.95.112.1 (ports 49751, 80; TUT-ASUS, United States); staticimg.youtuuee.com (Tries to resolve many domain names, but no domain seems valid); 2 other IPs or domains
          7 other processes
            signature: Adds a directory exclusion to Windows Defender
            Tue0214a13e43ce3dc6.exe
              network: 5 other IPs or domains
              signature: Performs DNS queries to domains with low reputation
            Tue0269efed837a4d24.exe
              network: 2 other IPs or domains
            Tue02cbf255aeefcc23.exe
              dropped: C:\Users\user\...\Tue02cbf255aeefcc23.tmp (PE32)
              signature: Obfuscated command line found
            2 other processes
              Tue02c230a835.exe
                network: a.goatgame.co (System process connects to network (likely due to code injection or exploit); Performs DNS queries to domains with low reputation); staticimg.youtuuee.com (Tries to resolve many domain names, but no domain seems valid); 192.168.2.1
    conhost.exe
svchost.exe
  signature: Changes security center settings (notifications, updates, antivirus, firewall)
svchost.exe
4 other processes
Threat name: Win32.Trojan.Tiggre
Status: Malicious
First seen: 2021-08-31 04:36:04 UTC
AV detection: 20 of 28 (71.43%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline aspackv2 evasion infostealer
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Looks up external IP address via web service
Loads dropped DLL
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
RedLine
RedLine Payload
Unpacked files (one line per file: SHA256, MD5, SHA1; the last entry is the submitted sample itself):

SHA256                                                            MD5                               SHA1
5f463952815ce4f763e9f4b3b72ed70ad82f74a69a271fc2b1588055c3fec4cc  21775ff041e7277d87aa8fdf1e09da6c  6dd1d6716cb93adef6c9b39490a79e77fd5396c9
65d0caa7b6ba974a3ccd023adb1eccfe37c9783248382aa128636a4b8da52d37  593b3c6b4a50f5d8ea328a0abc840d09  2637fd2a316017f056b4a4c8fa762306de87b754
835c9b5e60ebf50a888e851d1c7218d436490613ec04a04055b73fbddf73edf3  6961557695f34a53cf8224be7c265fbe  f52d34d0b1dbd181f2acb21f42d875d514afb6f7
fb9d379ff908f5366cda1aec6da17f9909787015ac8fe62093b8dac10d5588b0  ebd32b83a8bbf1494bf3225d4a634c89  ded629806e0cb7e3eb90efea05e078a592dd9e13
b208246a4f5d03e7e4fee5ec5b649a308d16ab5cd7836d546e1fd9cb7548bef6  b4217eebdc4a57a9b1076360e749418b  d6d9f14e8eeebfb3700e4a310ec69a0fb69fcd61
8d2770616313b1e9c83ac35afdc0be523940ad59730179911b7ef2c03cf33e13  4210a3e50e91884a81658983b1f86be2  ba75c3656561e3575340defdf07b7a9664eb1957
67305bf55b85bd79d73e8983fa7f2a90fd2409f13412ae336356eb0a22384499  a50491727f8be73ca93aa381f1f8979c  ab46ddb38fefcab0e71126847c2a87012972372a
4503f68429a28d40b2b7fc9fc12aa64b8357313a001434900d608d32c3efb03c  4d9806bbde1050886b60cf08d0a12d11  883ade2ad66d1552ab93aa36bf492f6c5f1476ea
fbffb84931a267fab6c24cf08723fa029cb85c2315f01d5b1f41922350adb831  052270e8e9cfb3512932e0df484caef4  85305fee690beea8458bab5d55d0368c47340501
40f8dce31beb48a500833b7d9cc5e8e2c769383560144eca987d8d518d80319b  303d125ad60ffd7f3851cdfa5e55eaeb  18aeb3956434721c664686c0ce3a4be1f7bd74b9
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4  0dedd909aae9aa0a89b4422106310e9e  271d36afa5b729ee590cf8066166ca5e9c9d0340
918d6c0eefdf65105a529d1a8268871f94aa9c5342276faedcde2932e16fe1d3  8fa35c1eedb3b1aec95cb0ae4ea9f288  cee9648cc9bd46f2c49adb511cc99f46533de3e5
3fccf0062245a335964b95c370581f71e24eb2c1edd231bc30ac8ddf63bbf367  721b9800ee1c7d81afbca0290b95dae9  03dac58fa2d1aa895b37ed1d3b22fe756be73b58
1e47b0a87b714febf0f805a2c319a150cc8bd58d738669c76c975a64d40130ab  6cbca955ae2bb778cf9de6cef5d114a7  527feb36a0cbd2c348df1862bb2d4516ed9bad6f
dc2724f6e5447bb4746c4d6587844788293a372018c3c399d16fad22af31a3a4  c773417676b5c1f853daa32fb466b656  0d5de4a2cc2ebfa43fbc90d920284174a90ea466
8019f2462cd90b2fc6598c58d8dd2221ad4b9b27406cfe27f782662f973d7e36  ac3020e76cc5c454c961932085bf1fc0  90aa616b807687b64d5999cde8a0a02c626b5855
761cac88d23dc49adfbd2be17b51e85b99568b62074c9c65805bc3ba22fcaba1  6938b2705f565753adf391ac3810a06f  103afdff21e09aa3b05b5727553b92c5404fe2c2
834f3b4a65042fcd15a3f9155f8e083e8f2a42e5bdfb4db8a3206f7f023f2239  e40f0cea85886d128ee32e840ec639f8  09ae92d173b055d743827dbeb840a9dbc608d854
9a10a10618d20b7421fc561204710634dfcf7a5e7be48d54770b86e1a9750d50  e35ab85bf8cb24ae9c414521b5a8dbce  ca6482b215cab186a0ee29a057b8af15a40e18e7
71a117de440384fdc4b8fb690fc73674e9e2a9a75e68951ae798374808924264  b51bea293772440512d9e3492c0034f0  55ba99cf12f267086867a698181ed02110d47d0f
Malware family: SmokeLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments