MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 981cb297d710406688345951378aff3a6399a46e187816718ba8c0c9a277e591. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 981cb297d710406688345951378aff3a6399a46e187816718ba8c0c9a277e591
SHA3-384 hash: 7169e371903ce4ee32578654e93e061855584d8cbd4853900fb67c5a0e1cc3b9a34977c7e15614260a448e94cf78db7b
SHA1 hash: 3390dc74811e7321c82e2c84238426d5dcf1387c
MD5 hash: 59e705cbf8834562af81752ebe3c7d4c
humanhash: equal-social-earth-minnesota
File name:59E705CBF8834562AF81752EBE3C7D4C.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:6'297'876 bytes
First seen:2021-04-03 22:05:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 00be6e6c4f9e287672c8301b72bdabf3 (116 x RedLineStealer, 70 x AsyncRAT, 55 x AgentTesla)
ssdeep 196608:RdDzo/xpQneHFepsa8Zty0dEjDJLZ9odBpk5:RdDk/mU8sXZbKpjodBpE
Threatray 525 similar samples on MalwareBazaar
TLSH 26563341FBB998F3C8330A3555316716657E79300F30884F63C20E79DA78BE2666BE66
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
http://185.251.25.225:6677/IRemotePanel

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://185.251.25.225:6677/IRemotePanel https://threatfox.abuse.ch/ioc/6687/

Intelligence

File Origin
# of uploads :
1
# of downloads :
287
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
59E705CBF8834562AF81752EBE3C7D4C.exe
Verdict:
Malicious activity
Analysis date:
2021-04-03 22:06:24 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/17539400-57bc-4d98-a6eb-69fce30b9412

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/132037/
Detection(s):
SecuriteInfo.com.LuheRARDropper.19200.30796.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Sending a custom TCP request
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Sending a UDP request
DNS request
Launching a process
Creating a file
Sending an HTTP POST request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Running batch commands
Forced system process termination
Unauthorized injection to a recently created process
Stealing user critical data
Launching a tool to kill processes
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/000ad519-1485-4ff3-8b23-17db3a4c2721
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/665351
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 381599 Sample: dAbE67VwvD.exe Startdate: 04/04/2021 Architecture: WINDOWS Score: 100 54 Multi AV Scanner detection for domain / URL 2->54 56 Found malware configuration 2->56 58 Antivirus detection for URL or domain 2->58 60 4 other signatures 2->60 9 dAbE67VwvD.exe 12 2->9         started        process3 file4 34 C:\Users\user\AppData\Local\...\start.exe, PE32 9->34 dropped 36 C:\Users\user\AppData\Local\...\skin111.exe, PE32 9->36 dropped 38 C:\Users\user\AppData\Local\...\skin11.exe, PE32 9->38 dropped 40 C:\Users\user\AppData\Local\...\skin1.exe, PE32 9->40 dropped 12 start.exe 15 3 9->12         started        process5 dnsIp6 48 f.happyfox6.ru 81.177.140.169, 443, 49714 RTCOMM-ASRU Russian Federation 12->48 62 Multi AV Scanner detection for dropped file 12->62 16 AddInProcess32.exe 15 16 12->16         started        20 AddInProcess32.exe 12->20         started        signatures7 process8 dnsIp9 42 www.geoplugin.net 16->42 44 185.251.25.225, 49722, 6677 EXPRESSKREDYT-ASUA Russian Federation 16->44 46 4 other IPs or domains 16->46 50 Tries to harvest and steal browser information (history, passwords, etc) 16->50 22 cmd.exe 1 16->22         started        24 iexplore.exe 2 83 16->24         started        52 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 20->52 signatures10 process11 process12 26 taskkill.exe 1 22->26         started        28 conhost.exe 22->28         started        30 choice.exe 1 22->30         started        32 iexplore.exe 54 24->32         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/981cb297d710406688345951378aff3a6399a46e187816718ba8c0c9a277e591/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2021-03-31 05:15:34 UTC
AV detection:
18 of 46 (39.13%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=taolff6xcbagncbulfitpcx7hjrztjdodb4bm4mlvdamtitx4wiq._file
Verdict:
malicious
Similar samples:
1620114c000809b11104adbadb3df7ac989d9c7bc5e7da5acb0ffc9c5cb05c14
RedLineStealer
170ddb2583efd2402e84a7eb2c48754d978c8862e5c033fef9b7df34eadceb52
RedLineStealer
18393a15374dcaf5d3f244117efd2a58283547d1def2087bb02f1e0be4aae829
RedLineStealer
289bb9f2125f62945f3960f0fe72381aea008539b1c6ea29a81ad66bd2f247a9
RedLineStealer
30898e79c019a359c6bc25a0217531494c12cfe62384beadc861eb622b811378
RedLineStealer
555f84812f700d1448fd200f04200ae9d17413652be94c54ba442fccdf9104dc
RedLineStealer
5623df29bdeb9756ab512f3c77dd11725878939a0b8d98726798d8604ab60dfa
RedLineStealer
78c42daa9bd978e2e2ca039a54f167f5090681124f402fa9c9bd69a2dd23bc26
RedLineStealer
c87a719713c51891fa7b0def4b093441934d9f60ef8bd52951e2efb9a030f59c
RedLineStealer
d461810943d78b803fbc9a0ea85d16325af10764243d7d3d6b7b24d52efe685c
RedLineStealer
+ 515 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline infostealer
Link:
https://tria.ge/reports/210403-3rgqd2mxcs/
Behaviour
Kills process with taskkill
Modifies Internet Explorer settings
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Loads dropped DLL
Executes dropped EXE
RedLine
RedLine Payload
Unpacked files
SH256 hash:
d82356965428c7542083ec1e71cd82b09ec883bccf91db931c438e2b4aeca4ec
MD5 hash:
cdc0f37014a4c760c964ee05e85e7426
SHA1 hash:
acf3434780b9643bdc2c8550c5822695578bec14
Link:
https://www.unpac.me/results/6ab5a04b-d824-4d00-89f3-e1931c385fa1/
SH256 hash:
31081b9f1937f5966cdeff6eb747e0595fbda15130af7a02b49c0e2ad9d543da
MD5 hash:
98ba9b0f4d8f9dce6c08c94d850a3ef0
SHA1 hash:
47a9a0d8270f3b021752bfe90f7f62186fb6d4e0
Link:
https://www.unpac.me/results/6ab5a04b-d824-4d00-89f3-e1931c385fa1/
SH256 hash:
a56de4bafd5468ff132ff8414f8331666537ceaaed1c271bcbff09ed9406468a
MD5 hash:
c404f12f5634f954a49df698f953c738
SHA1 hash:
1b9ae02ec930786d44b2389db6237ce2a4558bdb
Link:
https://www.unpac.me/results/6ab5a04b-d824-4d00-89f3-e1931c385fa1/
SH256 hash:
f634584ce4141c19234b7ca768420f3198d7beaafdbd56473075cb2434a62c42
MD5 hash:
3bc9842a1e1bdc67dcb4812ae89e143b
SHA1 hash:
17b49a7a978a301298bca0ecb66697449bc254f9
Link:
https://www.unpac.me/results/6ab5a04b-d824-4d00-89f3-e1931c385fa1/
SH256 hash:
981cb297d710406688345951378aff3a6399a46e187816718ba8c0c9a277e591
MD5 hash:
59e705cbf8834562af81752ebe3c7d4c
SHA1 hash:
3390dc74811e7321c82e2c84238426d5dcf1387c
Link:
https://www.unpac.me/results/6ab5a04b-d824-4d00-89f3-e1931c385fa1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/981cb297d710406688345951378aff3a6399a46e187816718ba8c0c9a277e591

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/132037/

Comments