MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b0fbc0cb8f9d0b065439e1cee2fcd98d020f3abe54f0940ff661b3952d4a52e5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b0fbc0cb8f9d0b065439e1cee2fcd98d020f3abe54f0940ff661b3952d4a52e5
SHA3-384 hash: aaa4c5b357b9f653cdefc789222fb160dac0110e59c75075cf9f963de8de43fb09c68b7205e4391de14738ccc26ed0cf
SHA1 hash: 421c69e803b07e02edf9313a2a57e0cec5dc7f72
MD5 hash: 2ad14030f346e261e407b2ca45850572
humanhash: hotel-arizona-queen-idaho
File name:2ad14030f346e261e407b2ca45850572.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:694'904 bytes
First seen:2021-05-03 21:30:06 UTC
Last seen:2021-05-03 22:56:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 6144:AvC7ZnQ31th/RQrE3Owg1EVfN7/P8SykoddrvkEPhtC1eHSzd0o6y2/3+:o31tt+6g1Ew1drXCSSR0o6y2/O
Threatray 8 similar samples on MalwareBazaar
TLSH B4E4C5DA6DC88EC0D9A2F2F0A04A866207A41D55E88C47CC4EF97D7E49755A7EC1B03F
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
185.215.113.112:5006

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.215.113.112:5006 https://threatfox.abuse.ch/ioc/28057/

Intelligence

File Origin
# of uploads :
3
# of downloads :
119
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/149459/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.46217935.17693.11700.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Sending a UDP request
Creating a process from a recently created file
Connection attempt to an infection source
Stealing user critical data
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Sending an HTTP POST request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/709226
Signature
Allocates memory in foreign processes
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 403537 Sample: TT1eJMw4qZ.exe Startdate: 04/05/2021 Architecture: WINDOWS Score: 68 68 Found malware configuration 2->68 70 Sigma detected: Scheduled temp file as task from temp location 2->70 72 Multi AV Scanner detection for submitted file 2->72 74 6 other signatures 2->74 9 TT1eJMw4qZ.exe 3 2->9         started        process3 file4 42 C:\Users\user\AppData\...\TT1eJMw4qZ.exe.log, ASCII 9->42 dropped 80 Writes to foreign memory regions 9->80 82 Allocates memory in foreign processes 9->82 84 Sample uses process hollowing technique 9->84 86 Injects a PE file into a foreign processes 9->86 13 AddInProcess32.exe 15 34 9->13         started        signatures5 process6 dnsIp7 62 185.215.113.112, 49713, 49715, 49716 WHOLESALECONNECTIONSNL Portugal 13->62 64 149.154.167.80, 443, 49717 TELEGRAMRU United Kingdom 13->64 66 172.67.135.135 CLOUDFLARENETUS United States 13->66 52 C:\Users\user\AppData\...\WindowsHost.exe, PE32 13->52 dropped 54 C:\Users\user\AppData\...\tsetup.2.6.1.exe, PE32 13->54 dropped 88 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 13->88 90 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 13->90 92 Tries to harvest and steal browser information (history, passwords, etc) 13->92 94 Tries to steal Crypto Currency Wallets 13->94 18 WindowsHost.exe 6 13->18         started        22 tsetup.2.6.1.exe 2 13->22         started        file8 signatures9 process10 file11 36 C:\Users\user\AppData\Local\...\tmp77F2.tmp, XML 18->36 dropped 38 C:\Users\user\AppData\...\LDCcFiZcOlurb.exe, PE32 18->38 dropped 76 Machine Learning detection for dropped file 18->76 78 Uses schtasks.exe or at.exe to add and modify task schedules 18->78 24 schtasks.exe 18->24         started        26 WindowsHost.exe 18->26         started        40 C:\Users\user\AppData\...\tsetup.2.6.1.tmp, PE32 22->40 dropped 28 tsetup.2.6.1.tmp 30 22 22->28         started        signatures12 process13 file14 31 conhost.exe 24->31         started        44 C:\Users\user\AppData\...\is-TBRQA.tmp, PE32 28->44 dropped 46 C:\Users\user\AppData\...\is-141VO.tmp, PE32 28->46 dropped 48 C:\Users\user\AppData\...\is-07CTV.tmp, PE32 28->48 dropped 50 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 28->50 dropped 33 Telegram.exe 28->33         started        process15 dnsIp16 56 149.154.175.100 TELEGRAM_MESSENGERRU United Kingdom 33->56 58 149.154.175.50 TELEGRAM_MESSENGERRU United Kingdom 33->58 60 5 other IPs or domains 33->60
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b0fbc0cb8f9d0b065439e1cee2fcd98d020f3abe54f0940ff661b3952d4a52e5/
Threat name:
ByteCode-MSIL.Infostealer.Coins
Create hunting rule
Status:
Malicious
First seen:
2021-05-02 09:30:45 UTC
AV detection:
15 of 29 (51.72%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wd54bs4ptufqmvbz4hhof7gzruba6ov6ktyjid7wmgzzklkkklsq._file
Verdict:
malicious
Similar samples:
024a40f640bdc729927fe33cb35b94d1b715dd8ee5dda0134d66dc66d9f823cd
RedLineStealer
1137baf67a25b1656ec0233661cc32469173634110eac14330f64111bb10500d
RedLineStealer
458a03ecc28d7f704b5059263cfcad7cb94e51d5f5f2e0ad85e4e5b25da1e253
RedLineStealer
5e8bdea8e7d50a3d4f35d4242b02abe2a3aa8141f276a7df5be3141bd594a101
RedLineStealer
61d9f4cbc76b7889d7d17d262b63c0fd2ee40642653063b1eb6ab84397f8c57b
RedLineStealer
6e8a0a30744ed0130a2b32997e03ba5c07339ddf22e76c7ca64882d5d3f8cc4f
RedLineStealer
827a427d329e934f5ff7826d647034818a56a69445aa97d08cc74bf801fcf0c2
RedLineStealer
d1a4049ba690a122863c55c4c7b35e18fdd25225dcb1f5e0a08a7c9f8ddb77be
RedLineStealer
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:mmmonster kill infostealer spyware
Link:
https://tria.ge/reports/210503-ew63xcdffj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
RedLine
RedLine Payload
Malware Config
C2 Extraction:
neverknow.xyz:5006
Unpacked files
SH256 hash:
2100488498916be4565758a8abe91fdc3545e2a549ce6fb83ee9a273bdea8a06
MD5 hash:
a5964b73b3556510db9654f62d1638e6
SHA1 hash:
9703afa2a62d665c550d14c031c7ef34940636ac
Link:
https://www.unpac.me/results/7441225b-2290-4a7d-8e0c-47d546e02bc2/
SH256 hash:
78d0e342b73bb8dc0a32ad2ecc6d352c8e6b16444b2513c3280e73126dd7c7ca
MD5 hash:
df980684e81769acf6e2144dba21d99a
SHA1 hash:
27a5ea30be7b244dd1fe1d336f6526af64ece67f
Link:
https://www.unpac.me/results/7441225b-2290-4a7d-8e0c-47d546e02bc2/
SH256 hash:
b0fbc0cb8f9d0b065439e1cee2fcd98d020f3abe54f0940ff661b3952d4a52e5
MD5 hash:
2ad14030f346e261e407b2ca45850572
SHA1 hash:
421c69e803b07e02edf9313a2a57e0cec5dc7f72
Link:
https://www.unpac.me/results/7441225b-2290-4a7d-8e0c-47d546e02bc2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.20
Link:
https://yomi.yoroi.company/submissions/b0fbc0cb8f9d0b065439e1cee2fcd98d020f3abe54f0940ff661b3952d4a52e5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:Telegram_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Telegram in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/149459/

Comments