MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 83ae57bdc0f817111ab909f54ec0f33b84f6504596d2a55adf39a16c5cf1afc0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 83ae57bdc0f817111ab909f54ec0f33b84f6504596d2a55adf39a16c5cf1afc0
SHA3-384 hash: 40c8ecb4b93f685cfc7da3e976871d2e4504dc0f6d868df83b894fef5851c88e8e5759d91758682b6ea04db2a8806fec
SHA1 hash: a351cbd1c56f74115473c831442588653351231d
MD5 hash: 5263f286e45a03c8309fc8bb49e0f19a
humanhash: wolfram-bluebird-tennis-utah
File name:5263f286e45a03c8309fc8bb49e0f19a.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:357'376 bytes
First seen:2022-01-12 07:05:43 UTC
Last seen:2022-01-12 09:16:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2c5f2513605e48f2d8ea5440a870cb9e (60 x Babadeda, 6 x AveMariaRAT, 5 x CoinMiner)
ssdeep 6144:D5aWbksiNTB6534zpo1j22P5Qvs4iiOBk2m65O3UlNwA9ju99Hm:D5atNT85AMevs4iPC2m6eoNwA9jujHm
TLSH T13F740201B5D201F7E5F2093112FA612FA731A2189714E9DBC78C3E43A957AC19B7D2ED
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
244
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5263f286e45a03c8309fc8bb49e0f19a.exe
Verdict:
Malicious activity
Analysis date:
2022-01-12 07:10:47 UTC
Tags:
evasion loader
Link:
https://app.any.run/tasks/d2d02665-e143-416f-a873-c4989c37e6c1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/218524/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.41903412.23037.4057.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process from a recently created file
Creating a window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Searching for the window
Searching for analyzing tools
Creating a file in the %AppData% subdirectories
Forced system process termination
Moving a file to the %AppData% subdirectory
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Gathering data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/49723547-de12-4e6b-b595-7337f504a57c
Result
Threat name:
RedLine Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/918940
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Command shell drops VBS files
Connects to many ports of the same IP (likely port scanning)
Contains functionality to detect sleep reduction / modifications
Creates multiple autostart registry keys
Detected Stratum mining protocol
Detected unpacking (changes PE section rights)
Found strings related to Crypto-Mining
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Potential malicious VBS script found (suspicious strings)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Drops script at startup location
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Windows Crypto Mining Indicators
Sigma detected: WScript or CScript Dropper
Sigma detected: Xmrig
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Uses BatToExe to download additional code
Writes to foreign memory regions
Yara detected BatToExe compiled binary
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 551419 Sample: DmpOiwahZV.exe Startdate: 12/01/2022 Architecture: WINDOWS Score: 100 88 Sigma detected: Xmrig 2->88 90 Multi AV Scanner detection for dropped file 2->90 92 Yara detected RedLine Stealer 2->92 94 11 other signatures 2->94 8 DmpOiwahZV.exe 10 2->8         started        12 dllhost.exe 2->12         started        14 setup_s.exe 2->14         started        16 7 other processes 2->16 process3 dnsIp4 68 C:\Users\user\AppData\Local\Temp\...\extd.exe, PE32 8->68 dropped 70 C:\Users\user\AppData\Local\Temp\...\FD4E.bat, ASCII 8->70 dropped 134 Potential malicious VBS script found (suspicious strings) 8->134 19 cmd.exe 3 6 8->19         started        23 conhost.exe 8->23         started        136 Antivirus detection for dropped file 12->136 138 Multi AV Scanner detection for dropped file 12->138 140 Detected unpacking (changes PE section rights) 12->140 142 Machine Learning detection for dropped file 12->142 144 Tries to detect sandboxes and other dynamic analysis tools (window names) 14->144 146 Tries to evade analysis by execution special instruction which cause usermode exception 14->146 148 Hides threads from debuggers 14->148 72 127.0.0.1 unknown unknown 16->72 25 Driver.exe 16->25         started        27 Driver.exe 16->27         started        30 WerFault.exe 16->30         started        file5 signatures6 process7 dnsIp8 66 C:\Users\user\AppData\Local\Temp\...\123.vbs, ASCII 19->66 dropped 122 Potential malicious VBS script found (suspicious strings) 19->122 124 Command shell drops VBS files 19->124 126 Uses BatToExe to download additional code 19->126 32 setup_m.exe 16 4 19->32         started        37 setup_s.exe 19->37         started        39 setup_c.exe 19->39         started        47 6 other processes 19->47 128 Multi AV Scanner detection for dropped file 25->128 130 Detected unpacking (changes PE section rights) 25->130 41 conhost.exe 25->41         started        43 WerFault.exe 25->43         started        82 104.140.244.186, 3333, 49782 EONIX-COMMUNICATIONS-ASBLOCK-62904US United States 27->82 84 pool.supportxmr.com 27->84 86 pool-nyc.supportxmr.com 27->86 45 conhost.exe 27->45         started        file9 132 Detected Stratum mining protocol 82->132 signatures10 process11 dnsIp12 74 yandex.ru 77.88.55.50, 443, 49761 YANDEXRU Russian Federation 32->74 52 C:\Users\user\AppData\Roaming\...\dllhost.exe, MS-DOS 32->52 dropped 96 Antivirus detection for dropped file 32->96 98 Multi AV Scanner detection for dropped file 32->98 100 Detected unpacking (changes PE section rights) 32->100 102 Machine Learning detection for dropped file 32->102 54 C:\Users\user\AppData\...\setup_s.exe (copy), MS-DOS 37->54 dropped 56 C:\Users\user\AppData\Roaming\...\Driver.exe, MS-DOS 37->56 dropped 58 C:\Users\user\AppData\Roaming\...\Driver.url, MS 37->58 dropped 104 Creates multiple autostart registry keys 37->104 106 Tries to evade analysis by execution special instruction which cause usermode exception 37->106 108 Hides threads from debuggers 37->108 110 Writes to foreign memory regions 39->110 112 Allocates memory in foreign processes 39->112 114 Injects a PE file into a foreign processes 39->114 116 Contains functionality to detect sleep reduction / modifications 39->116 49 RegSvcs.exe 2 39->49         started        76 a0620531.xsph.ru 141.8.192.58, 49758, 49759, 49760 SPRINTHOSTRU Russian Federation 47->76 78 iplogger.org 148.251.234.83, 443, 49757 HETZNER-ASDE Germany 47->78 60 C:\Users\user\AppData\Local\...\setup_c.exe, PE32 47->60 dropped 62 C:\Users\user\AppData\Local\...\setup_s.exe, MS-DOS 47->62 dropped 64 C:\Users\user\AppData\Local\...\setup_m.exe, MS-DOS 47->64 dropped 118 System process connects to network (likely due to code injection or exploit) 47->118 120 May check the online IP address of the machine 47->120 file13 signatures14 process15 dnsIp16 80 65.108.76.11, 37014, 49771, 49781 ALABANZA-BALTUS United States 49->80
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/83ae57bdc0f817111ab909f54ec0f33b84f6504596d2a55adf39a16c5cf1afc0/
Threat name:
Win32.Trojan.Doris
Create hunting rule
Status:
Malicious
First seen:
2022-01-12 07:06:11 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
28 of 43 (65.12%)
Threat level:
  5/5
Result
Malware family:
mimikatz
Create hunting rule
Score:
  10/10
Tags:
family:loaderbot family:mimikatz loader miner persistence upx
Link:
https://tria.ge/reports/220112-hw34gsbfdm/
Behaviour
Modifies registry class
Script User-Agent
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Drops startup file
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
LoaderBot executable
mimikatz is an open source tool to dump credentials on Windows
LoaderBot
Mimikatz
Unpacked files
SH256 hash:
a1f96b40bb59a4e751735205b2159f8b3c80309f88163da1b3ee8d39d1bb4a5d
MD5 hash:
1e2fcc758e849ca0d275f4988850692e
SHA1 hash:
8de94a0e9e5f4a70b32d0f87a9f034bfd3651671
Link:
https://www.unpac.me/results/ad1639f6-ec2b-439c-81bf-7f25357fd175/
SH256 hash:
83ae57bdc0f817111ab909f54ec0f33b84f6504596d2a55adf39a16c5cf1afc0
MD5 hash:
5263f286e45a03c8309fc8bb49e0f19a
SHA1 hash:
a351cbd1c56f74115473c831442588653351231d
Link:
https://www.unpac.me/results/ad1639f6-ec2b-439c-81bf-7f25357fd175/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/83ae57bdc0f817111ab909f54ec0f33b84f6504596d2a55adf39a16c5cf1afc0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/218524/

Comments