MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 7c7cff0a48bcfe565fb02e3a39087ce2ad56d5b1c57b229f2d0142f41b7ab191. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
RedLineStealer
Vendor detections: 12
| SHA256 hash: | 7c7cff0a48bcfe565fb02e3a39087ce2ad56d5b1c57b229f2d0142f41b7ab191 |
|---|---|
| SHA3-384 hash: | c425a230559aff7493fccb3ead4100b4de229bc486782602ec8f6a5b2381631fe893256047462fda9694ba8c94a9ac58 |
| SHA1 hash: | 7d3d18501a0480e99a44a6b3cfa5a686cfe1930d |
| MD5 hash: | a6a62f2848be6b0d8cdb1372f5ed58d4 |
| humanhash: | oven-glucose-nineteen-tennessee |
| File name: | a6a62f2848be6b0d8cdb1372f5ed58d4.exe |
| Download: | download sample |
| Signature | RedLineStealer |
| File size: | 7'349'157 bytes |
| First seen: | 2021-05-04 23:26:06 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | c9adc83b45e363b21cd6b11b5da0501f (82 x ArkeiStealer, 60 x RecordBreaker, 46 x RedLineStealer) |
| ssdeep | 196608:it/gPIbxAZAevGMV8SEuBtmzqdD78U/i9InW5Ft:ogPyuZNvGMVZ+qdD7xK9ld |
| Threatray | 49 similar samples on MalwareBazaar |
| TLSH | 8A76336DB05261B2D4361831495E53B2F2297E009B3C2D4A3FCE1B3E497174B6B791EE |
| Reporter |  abuse_ch |
| Tags: | exe RedLineStealer |
Indicators Of Compromise (IOCs)
Below is a list of indicators of compromise (IOCs) associated with this malware samples.
| IOC | ThreatFox Reference |
|---|---|
| 37.1.219.52:11965 | https://threatfox.abuse.ch/ioc/29048/ |
| 193.203.203.54:81 | https://threatfox.abuse.ch/ioc/29049/ |
| 93.115.21.41:50755 | https://threatfox.abuse.ch/ioc/29050/ |
| 87.251.71.193:20119 | https://threatfox.abuse.ch/ioc/29054/ |
Intelligence
File Origin
# of uploads :
1
# of downloads :
146
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a window
Delayed reading of the file
Creating a file in the %temp% subdirectories
Creating a file in the Program Files subdirectories
Deleting a recently created file
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file
Creating a file in the Program Files directory
Creating a file in the Windows subdirectories
Launching a process
DNS request
Sending a UDP request
Sending a custom TCP request
Reading critical registry keys
Sending an HTTP POST request
Sending an HTTP GET request
Creating a file in the %AppData% directory
Running batch commands
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Launching a tool to kill processes
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine Socelars Vidar Xmrig
Detection:
malicious
Classification:
phis.troj.spyw.evad.mine
Score:
100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious values (likely registry only malware)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Drops PE files to the document folder of the user
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sets debug register (to hijack the execution of another thread)
Sigma detected: Suspicious Svchost Process
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Detection:
raccoon
Threat name:
Win32.Trojan.Ranumbot
Status:
Malicious
First seen:
2021-05-04 03:12:47 UTC
AV detection:
29 of 47 (61.70%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
malicious
Similar samples:
+ 39 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Score:
10/10
Tags:
family:fickerstealer family:redline family:vidar family:xmrig botnet:baskarservnew botnet:ruzki discovery infostealer miner persistence stealer upx vmprotect
Behaviour
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
VMProtect packed file
XMRig Miner Payload
RedLine
RedLine Payload
Vidar
fickerstealer
xmrig
Malware Config
C2 Extraction:
87.251.71.193:20119
Sthellete.xyz:80
truzen.site:80
Sthellete.xyz:80
truzen.site:80
Unpacked files
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
SH256 hash:
75461f4fc98833b79f13accefa9d59b42d773a2c79c4606fefb7381b47b6de0c
MD5 hash:
0bf5f9ba97f9830120336796eb664be9
SHA1 hash:
c11d986275a59160d4bad5fdcc9999122520e73c
SH256 hash:
7eb7481df159b177041c13927fecd26d95e2c07d039249444cdcbbee7f4ea3fb
MD5 hash:
9198c7935cf52f671951de2d6807c265
SHA1 hash:
bc145bb3a954e7c75dab4a68a10a9ba224668f71
SH256 hash:
102d2189b4295cd67309fa35a2b1db7a70b2031065216587bfe63dd497625e08
MD5 hash:
17bf5b455794e708b91c771fea689f7f
SHA1 hash:
e18a2de4781974c322bde4ccaf27aaebab8a0ddb
SH256 hash:
6449146d8ddc6e67cf99c8c18d49191f861b44890bbf5a45519f2f51bcdbdf46
MD5 hash:
aff1141277f37aabf79778f2b32fd71c
SHA1 hash:
92bf4eac8b1e916f7b3489d0fb8e0d00f1739dc5
SH256 hash:
b9ef6e3343109391be7f9fed736bc551175d9c2ca6f02d54f61d46455f878860
MD5 hash:
0b47faed5fb9610134c24f3617e43090
SHA1 hash:
428491eafe93db521345a910d34fd23df317c3d7
SH256 hash:
9fcfa73600ff1b588015ffa20779cec6714e48ee6ae15db8766f7ffd5ee3031d
MD5 hash:
fe60ddbeab6e50c4f490ddf56b52057c
SHA1 hash:
6a71fdf73761a1192fd9c6961f66754a63d6db17
SH256 hash:
a19b74c05faf61695402b68dc95e95b5cf21250b643726b60c75e7c46b85dbe1
MD5 hash:
775bf67a237ebec83d063de6d20aed2e
SHA1 hash:
f386f774c3ecd3f1fa876f90d297a7417bc78f5f
Detections:
win_vidar_auto
SH256 hash:
e842c9abba101b6a1395a7707275e7048707a37ce9ad3ff36bd7267c83001d46
MD5 hash:
458269eb39423695d836375f52bb7e37
SHA1 hash:
23b6f1d23e1a8aec5ae95d919a44939beca74ab7
SH256 hash:
6003cbfa1625b550060582aa8c10e3f897588ff8ed03b210354d2fc8c8ca3fd3
MD5 hash:
2b181175241a15f2d128581a88a3dace
SHA1 hash:
4f5de2b7947c85e6ebd0e34586738b45f484e634
Detections:
win_socelars_auto
SH256 hash:
627f2b979bc04c4c52288379e7dd14c87fd420a83f264bcb4c3c5313f72fc54d
MD5 hash:
7a84ed8f00c4536c55f5d9872c839048
SHA1 hash:
31a44fb55dac0a18d57173f39cc9420997c80eec
SH256 hash:
3fbd5a0eed88e2a40ac758900ddde29d212fc1039b1d94d553fb99755decfe7c
MD5 hash:
13611c862088e4d5423e2908913fbc16
SHA1 hash:
3d4619bf8f004b7394d6d2a1c9c472acd47171d5
SH256 hash:
4338f52daa35e682c475b989b01bbec643227f989a02dad7f23253a8117da8b5
MD5 hash:
a4d083e80688c6c315fbfc38fe4e8cb1
SHA1 hash:
987c81eb6942b7d8f5b637b7453602a5f60aa9dc
SH256 hash:
7c7cff0a48bcfe565fb02e3a39087ce2ad56d5b1c57b229f2d0142f41b7ab191
MD5 hash:
a6a62f2848be6b0d8cdb1372f5ed58d4
SHA1 hash:
7d3d18501a0480e99a44a6b3cfa5a686cfe1930d
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers |
| Rule name: | INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture |
|---|---|
| Author: | ditekSHen |
| Description: | Detect executables with stomped PE compilation timestamp that is greater than local current time |
| Rule name: | IPPort_combo_mem |
|---|---|
| Author: | James_inthe_box |
| Description: | IP and port combo |
| Rule name: | MALWARE_Win_Fabookie |
|---|---|
| Author: | ditekSHen |
| Description: | Detects Fabookie / ElysiumStealer |
| Rule name: | MALWARE_Win_HyperPro03 |
|---|---|
| Author: | ditekSHen |
| Description: | Hunt HyperPro IronTiger / LuckyMouse / APT27 malware |
| Rule name: | MALWARE_Win_RedLine |
|---|---|
| Author: | ditekshen |
| Description: | Detects RedLine infostealer |
| Rule name: | MALWARE_Win_Vidar |
|---|---|
| Author: | ditekSHen |
| Description: | Detects Vidar / ArkeiStealer |
| Rule name: | pe_imphash |
|---|
| Rule name: | Ping_Del_method_bin_mem |
|---|---|
| Author: | James_inthe_box |
| Description: | cmd ping IP nul del |
| Rule name: | redline_stealer |
|---|---|
| Author: | jeFF0Falltrades |
| Description: | This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021) |
| Rule name: | Select_from_enumeration |
|---|---|
| Author: | James_inthe_box |
| Description: | IP and port combo |
| Rule name: | Skystars_Malware_Imphash |
|---|---|
| Author: | Skystars LightDefender |
| Description: | imphash |
| Rule name: | Steam_stealer_bin_mem |
|---|---|
| Author: | James_inthe_box |
| Description: | Steam in files like avemaria |
| Rule name: | SUSP_XORed_MSDOS_Stub_Message |
|---|---|
| Author: | Florian Roth |
| Description: | Detects suspicious XORed MSDOS stub message |
| Reference: | https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings |
| Rule name: | Telegram_stealer_bin_mem |
|---|---|
| Author: | James_inthe_box |
| Description: | Telegram in files like avemaria |
| Rule name: | Vidar |
|---|---|
| Author: | kevoreilly |
| Description: | Vidar Payload |
| Rule name: | win_vidar_auto |
|---|---|
| Author: | Felix Bilstein - yara-signator at cocacoding dot com |
| Description: | autogenerated rule brought to you by yara-signator |
| Rule name: | with_sqlite |
|---|---|
| Author: | Julian J. Gonzalez <info@seguridadparatodos.es> |
| Description: | Rule to detect the presence of SQLite data in raw image |
| Reference: | http://www.st2labs.com |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009.029] Anti-Behavioral Analysis::Instruction Testing
1) [F0002.002] Collection::Polling
3) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
4) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
5) [C0032.001] Data Micro-objective::CRC32::Checksum
6) [C0060] Data Micro-objective::Compression Library
7) [C0026.002] Data Micro-objective::XOR::Encode Data
9) [C0046] File System Micro-objective::Create Directory
10) [C0048] File System Micro-objective::Delete Directory
11) [C0047] File System Micro-objective::Delete File
12) [C0049] File System Micro-objective::Get File Attributes
13) [C0051] File System Micro-objective::Read File
14) [C0050] File System Micro-objective::Set File Attributes
15) [C0052] File System Micro-objective::Writes File
16) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
17) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
18) [C0036.005] Operating System Micro-objective::Query Registry Key::Registry
19) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
20) [C0036.001] Operating System Micro-objective::Set Registry Key::Registry
21) [C0017] Process Micro-objective::Create Process
22) [C0041] Process Micro-objective::Set Thread Local Storage Value
23) [C0018] Process Micro-objective::Terminate Process