MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 89b9fae297db7b35a1749f0a6c6e322ab31ae7dfc8e877cd48ee9f0119fe94c2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 89b9fae297db7b35a1749f0a6c6e322ab31ae7dfc8e877cd48ee9f0119fe94c2
SHA3-384 hash: 793cedd94c8429dad258b26a4aac869c6236736475c4c67806ce725501edab62cf67c11c516f9dc37c5f79b8b245ee32
SHA1 hash: 0a4d2250a4d47e4e9993e0e806545d8731fe5b35
MD5 hash: 9e410393702b6902abde53fc8b588527
humanhash: colorado-harry-asparagus-michigan
File name:9E410393702B6902ABDE53FC8B588527.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:2'414'615 bytes
First seen:2021-07-25 00:10:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a1a66d588dcf1394354ebf6ec400c223 (49 x RedLineStealer, 7 x CryptBot, 4 x AZORult)
ssdeep 49152:T5+hFWEgvZOoHORKRqwywWWQTQMNJdcxiz8lVHTIioOFZQ+X:T5aFW5OIORX7wRaJixiqZ7X
Threatray 939 similar samples on MalwareBazaar
TLSH T171B5236068C681B7C1E33B3048989B11B5F7F7321B5B3ACF4361541BE9123E6D6BE64A
dhash icon 72bed353d392ec01 (4 x RedLineStealer, 1 x XWorm)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
212.224.105.98:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
212.224.105.98:80 https://threatfox.abuse.ch/ioc/162766/

Intelligence

File Origin
# of uploads :
1
# of downloads :
161
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9E410393702B6902ABDE53FC8B588527.exe
Verdict:
Suspicious activity
Analysis date:
2021-07-25 00:13:05 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bee1ba0f-66f8-420e-b5c2-f111ba867896

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/173956/
Detection(s):
Win.Trojan.Generic-9874371-0
Create hunting rule

SecuriteInfo.com.Artemis8A5D1E11C3D3.26302.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/81ec01fc-8823-4600-ac09-6ce3f2be076f
Result
Threat name:
RedLine Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/821365
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to register a low level keyboard hook
Detected unpacking (changes PE section rights)
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Hides threads from debuggers
Machine Learning detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Defender Exclusion
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 453776 Sample: ZQTnI5sZKp.exe Startdate: 25/07/2021 Architecture: WINDOWS Score: 100 97 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->97 99 Multi AV Scanner detection for domain / URL 2->99 101 Antivirus detection for URL or domain 2->101 103 10 other signatures 2->103 10 ZQTnI5sZKp.exe 7 2->10         started        15 MicrosoftApi.exe 2->15         started        process3 dnsIp4 85 192.168.2.1 unknown unknown 10->85 73 C:\Users\user\AppData\Local\Temp\...\7z.exe, PE32+ 10->73 dropped 75 C:\Users\user\AppData\Local\Temp\...\7z.dll, PE32+ 10->75 dropped 131 Contains functionality to register a low level keyboard hook 10->131 17 cmd.exe 2 10->17         started        87 51.254.241.28, 49765, 49766, 49767 OVHFR France 15->87 77 C:\Users\user\AppData\...\ScreanDriver.exe, PE32+ 15->77 dropped 133 Query firmware table information (likely to detect VMs) 15->133 135 Hides threads from debuggers 15->135 137 Tries to detect sandboxes / dynamic malware analysis system (registry check) 15->137 20 ScreanDriver.exe 15->20         started        file5 signatures6 process7 file8 89 Uses schtasks.exe or at.exe to add and modify task schedules 17->89 91 Adds a directory exclusion to Windows Defender 17->91 23 @menvzlomali.exe 15 37 17->23         started        28 7z.exe 2 17->28         started        30 7z.exe 2 17->30         started        32 6 other processes 17->32 65 C:\Users\user\...\ScreanDriver.exe.log, ASCII 20->65 dropped 93 Multi AV Scanner detection for dropped file 20->93 95 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 20->95 signatures9 process10 dnsIp11 79 xetadycami.xyz 23->79 81 pc-updatings.su 185.26.122.54, 49748, 80 HOSTLANDRU Russian Federation 23->81 83 2 other IPs or domains 23->83 67 C:\Users\user\AppData\Local\Temp\mine.exe, PE32+ 23->67 dropped 69 C:\Users\user\AppData\Local\Temp\clip.exe, PE32 23->69 dropped 121 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 23->121 123 Performs DNS queries to domains with low reputation 23->123 125 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 23->125 127 2 other signatures 23->127 34 mine.exe 2 5 23->34         started        38 clip.exe 2 23->38         started        40 MicrosoftApi.exe 28->40         started        71 C:\Users\user\AppData\...\@menvzlomali.exe, PE32 32->71 dropped file12 signatures13 process14 file15 59 C:\Users\user\AppData\...\MicrosoftApi.exe, PE32+ 34->59 dropped 61 C:\Users\user\...\ICSharpCode.SharpZipLib.dll, PE32 34->61 dropped 105 Query firmware table information (likely to detect VMs) 34->105 107 Hides threads from debuggers 34->107 109 Tries to detect sandboxes / dynamic malware analysis system (registry check) 34->109 111 Machine Learning detection for dropped file 38->111 63 C:\Users\user\AppData\...\tmpB31F.tmp.cmd, DOS 40->63 dropped 113 Multi AV Scanner detection for dropped file 40->113 115 Detected unpacking (changes PE section rights) 40->115 117 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 40->117 119 Tries to detect sandboxes and other dynamic analysis tools (window names) 40->119 42 cmd.exe 40->42         started        45 cmd.exe 40->45         started        signatures16 process17 signatures18 129 Adds a directory exclusion to Windows Defender 42->129 47 conhost.exe 42->47         started        49 timeout.exe 42->49         started        51 powershell.exe 42->51         started        53 conhost.exe 45->53         started        55 timeout.exe 45->55         started        57 schtasks.exe 45->57         started        process19
Gathering data
Threat name:
ByteCode-MSIL.Infostealer.Reline
Create hunting rule
Status:
Malicious
First seen:
2021-07-21 21:34:43 UTC
AV detection:
14 of 28 (50.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rg47vyux3n5tlilut4fgy3rsfkzrvz67zduhptki52pqcgp6stba._file
Verdict:
malicious
Similar samples:
22f8d1582e34c1754955d616542d3bf5e784d357ed58dd45e6bc3a5df9c82446
RedLineStealer
2678fa4d8a8650f8ce4b24880eaf89c49cffa228a419b8e5cf26972a959d87cc
RedLineStealer
418c5fa990720936d23f83e5bd72b11d4bbf045b33e60efe09e28aa074eac424
RedLineStealer
41bd1c7a896dade70b5e81588a20f0737f30c8ec164990f4da3f788dc843d7d1
RedLineStealer
4daba398d1d338f7eb29eef55e1afa4595dde813b27b33dcfb48ceff27e7e8b0
RedLineStealer
8346802296fc33b77a434c410fee9e054ce3f670a74907d603a521128465b90b
RedLineStealer
a0ee463632a3799ed2b21d598d1fa8c4ed7198f3debd175a1eb89b2055b57ccd
RedLineStealer
c059548509d5ca453810776ad5bdea3440fb122b361211616d7300cc3b25fac0
RedLineStealer
c3b699aaaf2a476cf84ca13efd09ac86e66b501e3baaa5b0ef7cdabc47ee9ec1
RedLineStealer
e784ba83c1139d2d9880a2cd5546d1d7716694452ea84367fa9c238f97d5e5ad
RedLineStealer
+ 929 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:@menvzlomali discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210725-9te4m6zab6/
Behaviour
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
RedLine
RedLine Payload
Malware Config
C2 Extraction:
xetadycami.xyz:80
Unpacked files
SH256 hash:
2dd3b98dd48265cf57e72827cc6687e1e6b2774e5361b00674176de92f055f28
MD5 hash:
95cb47dd1ccb14d06aeb91b52bd4cbec
SHA1 hash:
7bf7b426f223e9dea142cf7b1cb84e64ab7d12de
Link:
https://www.unpac.me/results/04086bfd-9569-49b7-81b7-7dcdf4669a23/
SH256 hash:
89b9fae297db7b35a1749f0a6c6e322ab31ae7dfc8e877cd48ee9f0119fe94c2
MD5 hash:
9e410393702b6902abde53fc8b588527
SHA1 hash:
0a4d2250a4d47e4e9993e0e806545d8731fe5b35
Link:
https://www.unpac.me/results/04086bfd-9569-49b7-81b7-7dcdf4669a23/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/89b9fae297db7b35a1749f0a6c6e322ab31ae7dfc8e877cd48ee9f0119fe94c2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/173956/

Comments