MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 79ac302029ae7a3c7601260bb855725bd568f3b1c3730dca0edd74d72a5b9efb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 14 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 79ac302029ae7a3c7601260bb855725bd568f3b1c3730dca0edd74d72a5b9efb
SHA3-384 hash: a481eb921bdf29732a33bbdc2ed0440226fd15988a1c9e79ed45b9f1c60da70b0412223f677c8def7a491423fa387e63
SHA1 hash: 994a595d534daa8b72aa9fd1c0e3a18d732eedc0
MD5 hash: b5c7e4e93a4f205f19c677820da1c95d
humanhash: alpha-north-mexico-indigo
File name:B5C7E4E93A4F205F19C677820DA1C95D.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:702'142 bytes
First seen:2021-06-19 10:30:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ae9f6a32bb8b03dce37903edbc855ba1 (28 x CryptOne, 18 x RedLineStealer, 15 x njrat)
ssdeep 12288:VOOfN590uu6opX+t4sPOZx4e2ym7dWqzERnVqWSU15lMf4+HhGw3cW0zFn:YOfNkuu6oLsyxr2ymhWS0DScPMfN3cNZ
Threatray 1'161 similar samples on MalwareBazaar
TLSH 39E40252FAD045B1D472187459F8D630693CBC202B398ADFA3A8762D5F304D26B37BA7
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
94.103.92.101:46795

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
94.103.92.101:46795 https://threatfox.abuse.ch/ioc/136572/

Intelligence

File Origin
# of uploads :
1
# of downloads :
165
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
B5C7E4E93A4F205F19C677820DA1C95D.exe
Verdict:
Malicious activity
Analysis date:
2021-06-19 10:32:17 UTC
Tags:
autoit evasion trojan stealer vidar loader rat redline
Link:
https://app.any.run/tasks/bad3990e-68ca-480b-aac5-793b6203422b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/167029/
Detection(s):
SecuriteInfo.com.AIT.Trojan.Nymeria.1583.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.PWS.Steam.19390.13490.17676.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c088893a-c105-497f-b7de-ccd1cce60799
Result
Threat name:
RedLine Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/804711
Signature
.NET source code contains very large strings
Binary is likely a compiled AutoIt script file
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files to the user root directory
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Execution from Suspicious Folder
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 437122 Sample: aLbw5TFo6a.exe Startdate: 19/06/2021 Architecture: WINDOWS Score: 100 66 clientconfig.passport.net 2->66 82 Multi AV Scanner detection for domain / URL 2->82 84 Found malware configuration 2->84 86 Multi AV Scanner detection for submitted file 2->86 88 8 other signatures 2->88 10 aLbw5TFo6a.exe 1 10 2->10         started        14 iexplore.exe 2->14         started        signatures3 process4 dnsIp5 72 192.168.2.1 unknown unknown 10->72 56 C:\Users\user\AppData\Local\Temp\...\File.exe, PE32 10->56 dropped 16 File.exe 3 20 10->16         started        21 iexplore.exe 14->21         started        file6 process7 dnsIp8 58 nikss.webtm.ru 92.53.96.150, 49707, 80 TIMEWEB-ASRU Russian Federation 16->58 44 C:\Users\Public\run2.exe, PE32 16->44 dropped 46 C:\Users\Public\run.exe, PE32 16->46 dropped 78 Binary is likely a compiled AutoIt script file 16->78 80 Drops PE files to the user root directory 16->80 23 run.exe 90 16->23         started        28 run2.exe 4 16->28         started        60 iplogger.org 88.99.66.31, 443, 49719, 49720 HETZNER-ASDE Germany 21->60 file9 signatures10 process11 dnsIp12 68 159.69.20.131, 49725, 80 HETZNER-ASDE Germany 23->68 70 bandakere.tumblr.com 74.114.154.22, 443, 49723 AUTOMATTICUS Canada 23->70 48 C:\Users\user\AppData\...\msvcp140[1].dll, PE32 23->48 dropped 50 C:\Users\user\AppData\...\vcruntime140[1].dll, PE32 23->50 dropped 52 C:\Users\user\AppData\...\mozglue[1].dll, PE32 23->52 dropped 54 9 other files (none is malicious) 23->54 dropped 90 Detected unpacking (changes PE section rights) 23->90 92 Detected unpacking (overwrites its own PE header) 23->92 94 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 23->94 104 2 other signatures 23->104 30 cmd.exe 23->30         started        96 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 28->96 98 Machine Learning detection for dropped file 28->98 100 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 28->100 102 Injects a PE file into a foreign processes 28->102 32 run2.exe 15 32 28->32         started        36 conhost.exe 28->36         started        file13 signatures14 process15 dnsIp16 38 conhost.exe 30->38         started        40 taskkill.exe 30->40         started        42 timeout.exe 30->42         started        62 94.103.92.101, 46795, 49728, 49735 VDSINA-ASRU Russian Federation 32->62 64 api.ip.sb 32->64 74 Tries to harvest and steal browser information (history, passwords, etc) 32->74 76 Tries to steal Crypto Currency Wallets 32->76 signatures17 process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/79ac302029ae7a3c7601260bb855725bd568f3b1c3730dca0edd74d72a5b9efb/
Threat name:
Win32.Trojan.Nymeria
Create hunting rule
Status:
Malicious
First seen:
2021-06-16 15:40:45 UTC
AV detection:
18 of 29 (62.07%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pgwdaibjvz5dy5qbeyf3qvlslpkwr45rynzq3sqo3v2noks3t35q._file
Verdict:
malicious
Similar samples:
186e9e1877c50ecf4619bf75856c84bf1305ce117ad9b2e14410a340cccfd2a0
RedLineStealer
8358e817e423f16dcdcd3f213229f7b7b63de4a1ccce5f7ab07997a57183f758
RedLineStealer
913f62676d29a2368f9f6f97a3adc623ede915b58812e05aba24a1b0177697d4
RedLineStealer
9daf087ef991160871f07d75d1577eccd34d926e1bd5d30cc30516fdcbd84b45
RedLineStealer
b751a245f558db84cf77e46e473073e2dd23fbde9f9d150d63e525bbf4b88e8c
RedLineStealer
b9f5bca9a22f08aad48674bc42e4eaf72ab8aa3d652ba7a10dc4686b5b183a33
RedLineStealer
cb3c387163302fbf8ddb4c13e9d786c1070a4185a74bdd3faebd1649d02b2b30
RedLineStealer
e8a770fcbfbdf7ee350c3df44ea62a2c4e36ca523f9f14b0b770395dabea7fc4
RedLineStealer
e8da10d6d1bc9983ce35416b130f9814e346ada4ea0117fe78b4805c26c96a72
RedLineStealer
f91c7c2e15b7343d97bc5c3961f43ebd659440102a4a9c3359d7a9e6e0aef9d3
RedLineStealer
+ 1'151 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:redline family:vidar discovery evasion infostealer spyware stealer trojan
Link:
https://tria.ge/reports/210619-af8t9ng5hj/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies Internet Explorer settings
Modifies registry class
Modifies system certificate store
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
autoit_exe
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
RedLine
RedLine Payload
Vidar
Unpacked files
SH256 hash:
9b16673d8eea04763cc9347ba12f2f17c0b887323dcc5477661568c2a39c497d
MD5 hash:
c6522583688508952c9a9efe3e1f36f8
SHA1 hash:
38dd860f9fc0257cb2c5154dd31b970fde0641b3
Link:
https://www.unpac.me/results/4c17081d-a1a9-4d1f-ba6c-0d226b7a2a43/
SH256 hash:
79ac302029ae7a3c7601260bb855725bd568f3b1c3730dca0edd74d72a5b9efb
MD5 hash:
b5c7e4e93a4f205f19c677820da1c95d
SHA1 hash:
994a595d534daa8b72aa9fd1c0e3a18d732eedc0
Link:
https://www.unpac.me/results/4c17081d-a1a9-4d1f-ba6c-0d226b7a2a43/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/79ac302029ae7a3c7601260bb855725bd568f3b1c3730dca0edd74d72a5b9efb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:INDICATOR_SUSPICOIUS_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:pe_imphash
Create hunting rule
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:Telegram_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Telegram in files like avemaria
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload
Rule name:win_vidar_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/167029/

Comments