MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 96ad89ff084cb88f1bd0bf8f104b744d9bf26157aa9f117851fdbfc2b20585c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 96ad89ff084cb88f1bd0bf8f104b744d9bf26157aa9f117851fdbfc2b20585c5
SHA3-384 hash: b1df52e845e8691aa6eb4634192db3a11fd25fb31a02c15a955ee0ddedf109f46b52ec74a67d167b6344185e4e570406
SHA1 hash: 8e5ee6bf51999c1ad2ee57a97deca83063938582
MD5 hash: bd27aa9df63cc83a10927cc1945c6c52
humanhash: emma-network-alaska-chicken
File name:96ad89ff084cb88f1bd0bf8f104b744d9bf26157aa9f1.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:861'696 bytes
First seen:2021-10-28 11:11:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 835da68f7e7e29ef9a08f899d20e0925 (7 x RedLineStealer, 1 x RaccoonStealer)
ssdeep 24576:kgJHq9Y/k9jCpnhy7xa6XSvESnLkLbRapWwm1F2F:kgJHq+/2edhqa6X3ekHApWXa
TLSH T182053AC6F1B3608ED7A3B0790F0515964A471D7A5B12DAF8AF359A6A21F3791CAC3303
File icon (PE):PE icon
dhash icon 10b2b269d8d0c4c6 (4 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
195.238.126.94:30418

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
195.238.126.94:30418 https://threatfox.abuse.ch/ioc/239230/

Intelligence

File Origin
# of uploads :
1
# of downloads :
135
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/200900/
Detection(s):
SecuriteInfo.com.Variant.Fragtor.35576.13147.22576.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
Sending a custom TCP request
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Launching a service
DNS request
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug anti-vm packed
Link:
https://www.filescan.io/uploads/617a85849a5a1e91c5d9aa66/reports/50d59bb7-2654-42ff-b855-390f4f269bfa/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/49e41c46-aa67-4230-b1da-a3ea73845c04
Result
Threat name:
BitCoin Miner RedLine Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/878518
Signature
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to many ports of the same IP (likely port scanning)
Creates a thread in another existing process (thread injection)
Detected Stratum mining protocol
Detected unpacking (creates a PE file in dynamic memory)
Detected VMProtect packer
Found strings related to Crypto-Mining
Hides threads from debuggers
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Windows Crypto Mining Indicators
Sigma detected: Xmrig
System process connects to network (likely due to code injection or exploit)
Tries to detect debuggers (CloseHandle check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 510957 Sample: 96ad89ff084cb88f1bd0bf8f104... Startdate: 28/10/2021 Architecture: WINDOWS Score: 100 130 Sigma detected: Xmrig 2->130 132 Malicious sample detected (through community Yara rule) 2->132 134 Multi AV Scanner detection for submitted file 2->134 136 10 other signatures 2->136 12 96ad89ff084cb88f1bd0bf8f104b744d9bf26157aa9f1.exe 15 8 2->12         started        17 DisplayDriver.exe 2->17         started        19 HealthService.exe 2->19         started        21 9 other processes 2->21 process3 dnsIp4 120 antivirus.windowsdefenderautoupdater.me 195.238.126.94, 30418, 3333, 49756 IBERNAPES Iran (ISLAMIC Republic Of) 12->120 122 zippyshare.cc 104.21.63.72, 443, 49761 CLOUDFLARENETUS United States 12->122 124 172.67.170.66, 443, 49762 CLOUDFLARENETUS United States 12->124 114 C:\Users\user\...\healthservicerun.exe, PE32+ 12->114 dropped 116 C:\Users\user\...\driverservicerun.exe, PE32+ 12->116 dropped 118 96ad89ff084cb88f1b...f26157aa9f1.exe.log, ASCII 12->118 dropped 188 Detected unpacking (creates a PE file in dynamic memory) 12->188 190 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 12->190 192 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 12->192 212 2 other signatures 12->212 23 healthservicerun.exe 12->23         started        26 driverservicerun.exe 12->26         started        194 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 17->194 196 Writes to foreign memory regions 17->196 198 Tries to evade analysis by execution special instruction which cause usermode exception 17->198 200 Tries to detect virtualization through RDTSC time measurements 17->200 28 conhost.exe 17->28         started        202 Tries to detect debuggers (CloseHandle check) 19->202 204 Hides threads from debuggers 19->204 206 Creates a thread in another existing process (thread injection) 19->206 30 conhost.exe 19->30         started        126 127.0.0.1 unknown unknown 21->126 208 Changes security center settings (notifications, updates, antivirus, firewall) 21->208 32 MpCmdRun.exe 21->32         started        file5 210 Detected Stratum mining protocol 120->210 signatures6 process7 signatures8 150 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 23->150 152 Writes to foreign memory regions 23->152 154 Tries to evade analysis by execution special instruction which cause usermode exception 23->154 156 Creates a thread in another existing process (thread injection) 23->156 34 conhost.exe 4 23->34         started        158 Tries to detect debuggers (CloseHandle check) 26->158 160 Tries to detect virtualization through RDTSC time measurements 26->160 162 Hides threads from debuggers 26->162 37 conhost.exe 3 26->37         started        39 sihost32.exe 28->39         started        42 cmd.exe 28->42         started        44 sihost64.exe 30->44         started        46 cmd.exe 30->46         started        48 conhost.exe 32->48         started        process9 file10 104 C:\Users\user\AppData\...\HealthService.exe, PE32+ 34->104 dropped 50 cmd.exe 1 34->50         started        52 cmd.exe 1 34->52         started        106 C:\Users\user\AppData\...\DisplayDriver.exe, PE32+ 37->106 dropped 55 cmd.exe 37->55         started        57 cmd.exe 1 37->57         started        59 conhost.exe 39->59         started        67 2 other processes 42->67 164 Writes to foreign memory regions 44->164 166 Allocates memory in foreign processes 44->166 168 Creates a thread in another existing process (thread injection) 44->168 61 conhost.exe 44->61         started        63 conhost.exe 46->63         started        65 taskkill.exe 46->65         started        signatures11 process12 signatures13 69 HealthService.exe 50->69         started        72 conhost.exe 50->72         started        138 Uses schtasks.exe or at.exe to add and modify task schedules 52->138 74 conhost.exe 52->74         started        76 schtasks.exe 1 52->76         started        78 DisplayDriver.exe 55->78         started        80 conhost.exe 55->80         started        82 conhost.exe 57->82         started        84 schtasks.exe 1 57->84         started        process14 signatures15 140 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 69->140 142 Writes to foreign memory regions 69->142 144 Tries to detect debuggers (CloseHandle check) 69->144 86 conhost.exe 69->86         started        146 Hides threads from debuggers 78->146 148 Creates a thread in another existing process (thread injection) 78->148 90 conhost.exe 78->90         started        process16 file17 108 C:\Users\user\AppData\...\sihost64.exe, PE32+ 86->108 dropped 110 C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+ 86->110 dropped 170 Injects code into the Windows Explorer (explorer.exe) 86->170 172 Writes to foreign memory regions 86->172 174 Modifies the context of a thread in another process (thread injection) 86->174 176 2 other signatures 86->176 92 sihost64.exe 86->92         started        95 explorer.exe 86->95         started        112 C:\Users\user\AppData\...\sihost32.exe, PE32+ 90->112 dropped 98 sihost32.exe 90->98         started        signatures18 process19 dnsIp20 178 Writes to foreign memory regions 92->178 180 Allocates memory in foreign processes 92->180 182 Creates a thread in another existing process (thread injection) 92->182 100 conhost.exe 92->100         started        128 antivirus.windowsdefenderautoupdater.me 95->128 184 System process connects to network (likely due to code injection or exploit) 95->184 186 Query firmware table information (likely to detect VMs) 95->186 102 conhost.exe 98->102         started        signatures21 process22
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/96ad89ff084cb88f1bd0bf8f104b744d9bf26157aa9f117851fdbfc2b20585c5/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2021-10-28 10:21:44 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=s2wyt7yijs4i6g6qx6hras3ujwn7eykxvkprc6cr7w74fmqfqxcq._file
Verdict:
malicious
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:redline family:xmrig botnet:mix2 discovery infostealer miner spyware stealer vmprotect
Link:
https://tria.ge/reports/211028-nfzzsagbgp/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
XMRig Miner Payload
RedLine
RedLine Payload
xmrig
Malware Config
C2 Extraction:
195.238.126.94:30418
Unpacked files
SH256 hash:
9fcbe561ba030b9b02113bebd5c78d53f9da314fa0d134edde3f60016bd8fd09
MD5 hash:
e86e986291b74f474970dcc4174cf85d
SHA1 hash:
4e9dcee2233b787c8229b0a03217a992739a2152
Link:
https://www.unpac.me/results/78401b65-7dca-453c-9734-016d3a4cbe5b/
SH256 hash:
98082cc76cccfed0227082935fc96ab134b7153bdec3944259d33e6881fad1ef
MD5 hash:
09e2e146404538bdd0453b3dc3209671
SHA1 hash:
033e0088f3a039ff12aac8e2280f29f3e2a8a3ad
Link:
https://www.unpac.me/results/78401b65-7dca-453c-9734-016d3a4cbe5b/
SH256 hash:
96ad89ff084cb88f1bd0bf8f104b744d9bf26157aa9f117851fdbfc2b20585c5
MD5 hash:
bd27aa9df63cc83a10927cc1945c6c52
SHA1 hash:
8e5ee6bf51999c1ad2ee57a97deca83063938582
Link:
https://www.unpac.me/results/78401b65-7dca-453c-9734-016d3a4cbe5b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/96ad89ff084cb88f1bd0bf8f104b744d9bf26157aa9f117851fdbfc2b20585c5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 96ad89ff084cb88f1bd0bf8f104b744d9bf26157aa9f117851fdbfc2b20585c5

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/200900/
  
URLhaus
https://urlhaus.abuse.ch/url/1723083/
  
Delivery method
Distributed via web download

Comments