MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9dbdfabbc99542e1c94b7a29eaf437b7fa4c898c4add1a677b126257ae54f94e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9dbdfabbc99542e1c94b7a29eaf437b7fa4c898c4add1a677b126257ae54f94e
SHA3-384 hash: 09e0eb2e2ad9eb9e2a5752ee5d35e4993bec2e010d18f16712455bc90faa07dd84dc13e6b6ec031d2c52976a24d5885f
SHA1 hash: de01fcb76fbabf23a120cee47467b0256704e37a
MD5 hash: 53186ce79e6468105c773438acbe87f1
humanhash: north-freddie-happy-bakerloo
File name:53186ce79e6468105c773438acbe87f1.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:2'732'458 bytes
First seen:2021-08-09 04:46:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ae9f6a32bb8b03dce37903edbc855ba1 (28 x CryptOne, 18 x RedLineStealer, 15 x njrat)
ssdeep 49152:SunqyEbov0BhJ/0xMW5InyH/tp/pmBCXjn98XEEibJcXDNX:SKqycMnpfzh/n9IiA
Threatray 1'922 similar samples on MalwareBazaar
TLSH T177C512C7B78C43FDC5B2DD7405F19661AC782C112E2B8ACA4394FDF94E302925A25AB7
dhash icon f0f0e8dcdce8f0f0 (1 x RedLineStealer, 1 x GCleaner)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
118
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
53186ce79e6468105c773438acbe87f1.exe
Verdict:
Malicious activity
Analysis date:
2021-08-09 04:58:11 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/18c40ef3-af3b-4c1f-9f5d-e1b022d680f4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/177357/
Detection(s):
Win.Malware.Qshell-9875653-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a file
Running batch commands
Launching a process
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending a custom TCP request
Connection attempt to an infection source
Creating a file in the %AppData% directory
Sending a UDP request
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Deleting a recently created file
Reading critical registry keys
Sending an HTTP POST request
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Creating a file in the system32 directory
Unauthorized injection to a recently created process
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Unauthorized injection to a recently created process by context flags manipulation
Sending an HTTP POST request to an infection source
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c798100c-b0c3-48c2-8fbd-ec04bb807ed9
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/828972
Signature
.NET source code contains very large strings
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Creates files with lurking names (e.g. Crack.exe)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected VMProtect packer
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample is protected by VMProtect
Sigma detected: Powershell Defender Exclusion
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 461398 Sample: mTnpSr3BhZ.exe Startdate: 09/08/2021 Architecture: WINDOWS Score: 100 134 104.21.87.184 CLOUDFLARENETUS United States 2->134 136 google.vrthcobj.com 2->136 150 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->150 152 Multi AV Scanner detection for domain / URL 2->152 154 Antivirus detection for dropped file 2->154 156 13 other signatures 2->156 13 mTnpSr3BhZ.exe 14 2->13         started        17 services64.exe 2->17         started        signatures3 process4 file5 114 C:\Users\user\AppData\Local\...\smpub3.exe, PE32 13->114 dropped 116 C:\Users\user\AppData\Local\...\md1_1eaf.exe, PE32 13->116 dropped 118 C:\Users\user\AppData\Local\...\KiffApp2.exe, PE32 13->118 dropped 120 3 other malicious files 13->120 dropped 202 Creates files with lurking names (e.g. Crack.exe) 13->202 19 GloryWsetp.exe 4 13->19         started        23 Crack.exe 2 13->23         started        25 KiffApp2.exe 13->25         started        204 Adds a directory exclusion to Windows Defender 17->204 signatures6 process7 dnsIp8 92 C:\Users\user\AppData\...behaviorgraphloryWSetp.exe, PE32 19->92 dropped 94 C:\Users\user\AppData\Local\...\Chrome3.exe, PE32+ 19->94 dropped 96 C:\Users\user\AppData\...behaviorgraphloryWsetp.exe.log, ASCII 19->96 dropped 158 Multi AV Scanner detection for dropped file 19->158 160 Machine Learning detection for dropped file 19->160 28 Chrome3.exe 5 19->28         started        32 GloryWSetp.exe 15 7 19->32         started        162 Creates processes via WMI 23->162 35 conhost.exe 23->35         started        37 Crack.exe 23->37         started        138 detacher.xyz 25->138 140 detacher.xyz 45.90.58.90, 443, 49716, 49717 GREENFLOID-ASUA Bulgaria 25->140 142 kiff.tech 25->142 98 C:\Users\user\AppData\...\PlsWnEU2.exe, PE32 25->98 dropped 164 Performs DNS queries to domains with low reputation 25->164 file9 signatures10 process11 dnsIp12 102 C:\Users\user\AppData\Local\...\svchost64.exe, PE32+ 28->102 dropped 188 Multi AV Scanner detection for dropped file 28->188 190 Machine Learning detection for dropped file 28->190 192 Adds a directory exclusion to Windows Defender 28->192 39 cmd.exe 28->39         started        41 cmd.exe 1 28->41         started        124 music-sec.xyz 32->124 126 iplogger.org 88.99.66.31, 443, 49719, 49723 HETZNER-ASDE Germany 32->126 128 music-sec.xyz 104.21.92.87, 443, 49715 CLOUDFLARENETUS United States 32->128 104 C:\Users\user\AppData\Roaming\2264162.exe, PE32 32->104 dropped 106 C:\Users\user\AppData\Roaming\1400952.exe, PE32 32->106 dropped 108 C:\Users\user\AppData\Roaming\8641526.exe, PE32 32->108 dropped 110 C:\Users\user\AppData\Roaming\1235383.exe, PE32 32->110 dropped 194 Detected unpacking (changes PE section rights) 32->194 196 May check the online IP address of the machine 32->196 198 Performs DNS queries to domains with low reputation 32->198 44 1400952.exe 32->44         started        47 2264162.exe 32->47         started        50 8641526.exe 32->50         started        52 cmd.exe 35->52         started        130 live.goatgame.live 172.67.222.125, 443, 49712 CLOUDFLARENETUS United States 37->130 132 192.168.2.1 unknown unknown 37->132 112 C:\Users\user\AppData\Local\Temp\sqlite.dll, PE32 37->112 dropped 54 conhost.exe 37->54         started        file13 signatures14 process15 dnsIp16 56 svchost64.exe 39->56         started        60 conhost.exe 39->60         started        168 Uses schtasks.exe or at.exe to add and modify task schedules 41->168 170 Adds a directory exclusion to Windows Defender 41->170 62 conhost.exe 41->62         started        64 powershell.exe 24 41->64         started        144 212.224.105.106 DE-FIRSTCOLOwwwfirst-colonetDE Germany 44->144 146 104.26.13.31 CLOUDFLARENETUS United States 44->146 172 Detected unpacking (changes PE section rights) 44->172 174 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 44->174 176 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 44->176 178 2 other signatures 44->178 122 C:\Users\user\AppData\...\WinHoster.exe, PE32 47->122 dropped 148 104.21.68.16 CLOUDFLARENETUS United States 50->148 66 conhost.exe 52->66         started        68 powershell.exe 52->68         started        file17 signatures18 process19 file20 100 C:\Windows\System32\services64.exe, PE32+ 56->100 dropped 180 Multi AV Scanner detection for dropped file 56->180 182 Machine Learning detection for dropped file 56->182 184 Drops executables to the windows directory (C:\Windows) and starts them 56->184 70 services64.exe 56->70         started        73 cmd.exe 56->73         started        75 cmd.exe 56->75         started        186 Adds a directory exclusion to Windows Defender 62->186 signatures21 process22 signatures23 166 Adds a directory exclusion to Windows Defender 70->166 77 cmd.exe 70->77         started        80 conhost.exe 73->80         started        82 schtasks.exe 73->82         started        84 conhost.exe 75->84         started        86 choice.exe 75->86         started        process24 signatures25 200 Adds a directory exclusion to Windows Defender 77->200 88 conhost.exe 77->88         started        90 powershell.exe 77->90         started        process26
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9dbdfabbc99542e1c94b7a29eaf437b7fa4c898c4add1a677b126257ae54f94e/
Threat name:
ByteCode-MSIL.Infostealer.Passteal
Create hunting rule
Status:
Malicious
First seen:
2021-08-06 10:52:20 UTC
AV detection:
34 of 46 (73.91%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tw67vo6jsvbodsklpiu6v5bxw75ezcmmjloruz33cjrfplsu7fha._file
Verdict:
malicious
Similar samples:
06a2b3dae21085aa5cad1105ec7ae822e4e785c1adf314e3554d515474a322f4
RedLineStealer
26e94627a3abe752072319b8eca4f68029a27090f89de5b92d4f700fc0f4f0b2
RedLineStealer
52ac1e4535281dcbc751114fcd6cf12656d1754269bce5f24bfdae5be9640108
RedLineStealer
56f958f289d5af36088cf03190de09be80dc84e6bb71b5b9ab6439c9e7f1152d
RedLineStealer
685933af075d310ddb454b399641cfdbf801441e5360df0e71204d63d2afc757
RedLineStealer
87be6f628553d89007fd8f7d0758d42906f2ee7d84ca18e961cb463921061a42
RedLineStealer
bb9377d30a6a0abe24b7eca70250745afc078f116871bb94b5d617a207b37a9c
RedLineStealer
f19dff408fd65268a61ec79e52e8c19780d7364b20560eac8a09f12d14487e19
RedLineStealer
+ 1'912 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:redline family:xmrig botnet:newbildww discovery infostealer miner persistence spyware stealer suricata
Link:
https://tria.ge/reports/210809-3a7g51281j/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
XMRig Miner Payload
Process spawned unexpected child process
RedLine
RedLine Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
xmrig
Malware Config
C2 Extraction:
xietharria.xyz:80
Unpacked files
SH256 hash:
daad3387292d486fcea90435de576c6d75de05af37c1530e0a59562e436715f7
MD5 hash:
a6cd6b56627e3fc20e5d12166e12b4a7
SHA1 hash:
0eca33c39c5015ddf383536374f1c25be390ecf1
Link:
https://www.unpac.me/results/78d0e179-9447-4afc-9b8d-06f5f786f783/
SH256 hash:
9dbdfabbc99542e1c94b7a29eaf437b7fa4c898c4add1a677b126257ae54f94e
MD5 hash:
53186ce79e6468105c773438acbe87f1
SHA1 hash:
de01fcb76fbabf23a120cee47467b0256704e37a
Link:
https://www.unpac.me/results/78d0e179-9447-4afc-9b8d-06f5f786f783/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/9dbdfabbc995/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9dbdfabbc99542e1c94b7a29eaf437b7fa4c898c4add1a677b126257ae54f94e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:MALWARE_Win_CoinMiner02
Create hunting rule
Author:ditekSHen
Description:Detects coinmining malware
Rule name:MAL_XMR_Miner_May19_1
Create hunting rule
Author:Florian Roth
Description:Detects Monero Crypto Coin Miner
Reference:https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/177357/

Comments