MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b58105b315bbd6a5af96e63f88dc59cdedef401324916ae48de270a021ec29d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

SHA256 hash: 9b58105b315bbd6a5af96e63f88dc59cdedef401324916ae48de270a021ec29d
SHA3-384 hash: 0ef6e61011410235a0bacc47cd73874c1cc56da06b73c37fec5b6644daac64eb88fea0efaa168b1bc1f97a82eb43fc31
SHA1 hash: 3b7e6914f7c05549b08f81c7220c5099773d917c
MD5 hash: c7278a4f0f53553e868f234dad31fbd3
humanhash: double-mango-early-wisconsin
File name: c7278a4f0f53553e868f234dad31fbd3.exe
Signature: RedLineStealer
File size: 320'512 bytes
First seen: 2022-01-14 14:25:46 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: cfc1be3ef30447c889df3bb658d73d71 (2 x RedLineStealer, 1 x CoinMiner.XMRig, 1 x Smoke Loader)
ssdeep: 6144:CUY3MnekTMJJat0i9H3bwIyrAT47/Wem/ZaTd:CjMnezJFIXbryET4Semk
Threatray: 3'870 similar samples on MalwareBazaar
TLSH: T11C649F10A7A0C435F5B722F846B693ADB53E3AB15B2450CF22D52AEE57386E1EC31317
dhash icon: 2dac1370319b9b91 (22 x Smoke Loader, 20 x RedLineStealer, 18 x Amadey)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
65.108.77.212:40094

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
65.108.77.212:40094 | https://threatfox.abuse.ch/ioc/294752/

Intelligence


File Origin
# of uploads: 1
# of downloads: 299
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: c7278a4f0f53553e868f234dad31fbd3.exe
Verdict: Suspicious activity
Analysis date: 2022-01-14 14:30:02 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
DNS request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Sending an HTTP GET request
Query of malicious DNS domain
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Result
Malware family: n/a
Score: 9/10
Tags: n/a
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
CPUID_Instruction
EvasionQueryPerformanceCounter
EvasionGetTickCount
CheckCmdLine
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware tofsee
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: Amadey Raccoon RedLine SmokeLoader Tofse
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Command shell drops VBS files
Contains functionality to detect sleep reduction / modifications
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking computer name)
Found evasive API chain (may stop execution after checking locale)
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Potential malicious VBS script found (suspicious strings)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Svchost Process
Sigma detected: Suspicius Add Task From User AppData Temp
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Amadeys stealer DLL
Yara detected BatToExe compiled binary
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 553268
Sample: GahImDA8DA.exe
Startdate: 14/01/2022
Architecture: WINDOWS
Score: 100

The graph image did not survive extraction; the process tree below is rebuilt from its flattened node text. Indentation shows parent/child; network, dropped-file and signature nodes are listed under the process they were attached to.

Root (sample): transfer.sh; pool.supportxmr.com; 8 other IPs or domains
  signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Antivirus detection for URL or domain; Antivirus detection for dropped file; 23 other signatures

GahImDA8DA.exe (started)
  GahImDA8DA.exe (started)
    signatures: Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration)
    explorer.exe (injected)
      network: host-data-coin-11.com (May check the online IP address of the machine); cdn.discordapp.com; 12 other IPs or domains
      dropped: C:\Users\user\AppData\Roaming\dhjgare, PE32; C:\Users\user\AppData\Local\TempB.exe, PE32; C:\Users\user\AppData\Local\Temp9FC.exe, PE32; 11 other malicious files
      signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Deletes itself after installation; Hides that the sample has been downloaded from the Internet (zone.identifier)
      9F71.exe (started)
        dropped: C:\Users\user\AppData\Local\...\mjlooy.exe, PE32
        signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header)
        mjlooy.exe (started)
          network: 185.215.113.35, 49920, 49921, 49927 WHOLESALECONNECTIONSNL Portugal
          signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Uses schtasks.exe or at.exe to add and modify task schedules
          cmd.exe (started)
            reg.exe (started)
              signatures: Creates an undocumented autostart registry key
            conhost.exe (started)
          schtasks.exe (started)
            conhost.exe (started)
      A9C3.exe (started)
        dropped: C:\Users\user\AppData\Local\Temp\...\extd.exe, PE32; C:\Users\user\AppData\Local\Temp\...\85E7.bat, ASCII
        signatures: Potential malicious VBS script found (suspicious strings); Machine Learning detection for dropped file
        cmd.exe (started)
          dropped: C:\Users\user\AppData\Local\Temp\...\360t.vbs, ASCII
          signatures: Potential malicious VBS script found (suspicious strings); Command shell drops VBS files
          wscript.exe (started)
            network: iplogger.org 148.251.234.83, 443, 49925 HETZNER-ASDE Germany
            signatures: System process connects to network (likely due to code injection or exploit); May check the online IP address of the machine
          extd.exe (started)
            signatures: Multi AV Scanner detection for dropped file
        conhost.exe (started)
      EB.exe (started)
        signatures: Found evasive API chain (may stop execution after checking mutex); Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); Found evasive API chain (may stop execution after checking computer name); 2 other signatures
      6 other processes
        network: 185.163.45.70, 80 MIVOCLOUDMD Moldova Republic of; 185.163.204.22, 49929, 80 CAUCASUS-CABLE-SYSTEMCCSAutonomousSystemGE Germany; 185.163.204.24, 49931, 80 CAUCASUS-CABLE-SYSTEMCCSAutonomousSystemGE Germany
        dropped: C:\Users\user\AppData\Local\...\lbpzbfoj.exe, PE32; C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32
        signatures: Antivirus detection for dropped file; Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Uses netsh to modify the Windows network and firewall settings; 4 other signatures
        cmd.exe (started)
          dropped: C:\Windows\SysWOW64\...\lbpzbfoj.exe (copy), PE32
          conhost.exe (started)
        cmd.exe (started)
          conhost.exe (started)
        sc.exe (started)
          conhost.exe (started)
        5 other processes
          network: 86.107.197.138, 38133, 49909 MOD-EUNL Romania
          conhost.exe (started)
          2 other processes

lbpzbfoj.exe (started)
  signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Writes to foreign memory regions; 2 other signatures
  svchost.exe (started)
    network: microsoft-com.mail.protection.outlook.com 40.93.207.1, 25, 49851 MICROSOFT-CORP-MSN-AS-BLOCKUS United States; patmushta.info 94.142.143.116, 443, 49855 IHOR-ASRU Russian Federation
    signatures: System process connects to network (likely due to code injection or exploit)

dhjgare (started)
  signatures: Machine Learning detection for dropped file
  dhjgare (started)
    signatures: Creates a thread in another existing process (thread injection)

5 other processes
  WerFault.exe (started)
Threat name: Win32.Backdoor.Mokes
Status: Malicious
First seen: 2022-01-14 14:26:13 UTC
File Type: PE (Exe)
Extracted files: 28
AV detection: 18 of 28 (64.29%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:amadey family:arkei family:raccoon family:smokeloader family:tofsee family:xmrig botnet:default backdoor collection discovery evasion miner persistence spyware stealer trojan upx
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Sets service image path in registry
UPX packed file
Arkei Stealer Payload
XMRig Miner Payload
Amadey
Arkei
Raccoon
SmokeLoader
Tofsee
Windows security bypass
xmrig
Malware Config
C2 Extraction:
http://host-data-coin-11.com/
http://file-coin-host-12.com/
http://srtuiyhuali.at/
http://fufuiloirtu.com/
http://amogohuigotuli.at/
http://novohudosovu.com/
http://brutuilionust.com/
http://bubushkalioua.com/
http://dumuilistrati.at/
http://verboliatsiaeeees.com/
http://file-file-host4.com/tratata.php
patmushta.info
parubey.info
185.215.113.35/d2VxjasuwS/index.php
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download: RedLineStealer, Executable exe 9b58105b315bbd6a5af96e63f88dc59cdedef401324916ae48de270a021ec29d (this sample)

Delivery method: Distributed via web download

Comments