MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b2a25a9f27131c62b7d78cd92136392c36b1c0323084627382c80b1d639bc3ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 25 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b2a25a9f27131c62b7d78cd92136392c36b1c0323084627382c80b1d639bc3ae
SHA3-384 hash: 4875fb342b8c27293d130c4974ba7dd59ad13ad68ed12d8ec5b01a44667c99ce2240652af790576a8846a4b4d6023bf0
SHA1 hash: 0ffd3cc4904c0d034c04b6dbb1fb7bc77bce85ff
MD5 hash: ad965803e0e2dcaf2ae92226cfeb29de
humanhash: november-earth-spaghetti-sixteen
File name:ad965803e0e2dcaf2ae92226cfeb29de.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:26'367'988 bytes
First seen:2021-03-23 08:56:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar)
ssdeep 393216:orAeGGGw+mzr7DfKfMnGQTYKITHmmpaMm5KfKc4V4Ibj24pyI30HLPrc26wjGb1:le/PfofyOTHmmgJc7ajv3af3Gb1
Threatray 302 similar samples on MalwareBazaar
TLSH 3B473319BAAD8BD5C1A41C3C33B50DE012E47CE8423D7AD1632CBB863CBAE574C5DA56
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
http://135.181.121.237:35200/IRemotePanel

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://135.181.121.237:35200/IRemotePanel https://threatfox.abuse.ch/ioc/4615/

Intelligence

File Origin
# of uploads :
1
# of downloads :
159
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a window
Creating a file in the %AppData% subdirectories
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Sending a UDP request
Launching a process
DNS request
Deleting a recently created file
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Result
Threat name:
Quasar RedLine Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/649625
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Drops PE files with a suspicious file extension
Found malware configuration
Found strings related to Crypto-Mining
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: Drops script at startup location
Submitted sample is a known malware sample
Tries to detect debuggers (CloseHandle check)
Tries to detect debuggers by setting the trap flag for special instructions
Tries to detect virtualization through RDTSC time measurements
Uses known network protocols on non-standard ports
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected Quasar RAT
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 373772 Sample: mcRrjT7JMX.exe Startdate: 23/03/2021 Architecture: WINDOWS Score: 100 123 Found malware configuration 2->123 125 Malicious sample detected (through community Yara rule) 2->125 127 Multi AV Scanner detection for submitted file 2->127 129 7 other signatures 2->129 11 mcRrjT7JMX.exe 40 2->11         started        14 wscript.exe 2->14         started        process3 file4 79 C:\Users\user\AppData\Local\Temp\wersa.exe, PE32 11->79 dropped 81 C:\Users\user\AppData\Local\...\version.exe, PE32 11->81 dropped 83 C:\Users\user\AppData\Local\Temp\t-rex.exe, PE32+ 11->83 dropped 85 C:\Users\user\AppData\Local\Temp\README.md, ASCII 11->85 dropped 16 version.exe 8 11->16         started        19 wersa.exe 8 11->19         started        21 t-rex.exe 1 11->21         started        process5 signatures6 107 Multi AV Scanner detection for dropped file 16->107 109 Contains functionality to register a low level keyboard hook 16->109 23 cmd.exe 1 16->23         started        25 cmd.exe 1 16->25         started        27 cmd.exe 1 19->27         started        29 cmd.exe 1 19->29         started        111 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 21->111 113 Tries to detect debuggers by setting the trap flag for special instructions 21->113 115 Tries to detect debuggers (CloseHandle check) 21->115 117 2 other signatures 21->117 32 conhost.exe 21->32         started        process7 signatures8 34 cmd.exe 2 23->34         started        37 conhost.exe 23->37         started        39 conhost.exe 25->39         started        41 cmd.exe 2 27->41         started        43 conhost.exe 27->43         started        143 Submitted sample is a known malware sample 29->143 145 Obfuscated command line found 29->145 147 Uses ping.exe to sleep 29->147 149 Uses ping.exe to check the status of other devices and networks 29->149 45 conhost.exe 29->45         started        process9 signatures10 131 Obfuscated command line found 34->131 133 Uses ping.exe to sleep 34->133 47 Impaziente.com 34->47         started        50 findstr.exe 1 34->50         started        53 PING.EXE 34->53         started        56 Gabbie.com 41->56         started        58 PING.EXE 1 41->58         started        60 findstr.exe 1 41->60         started        process11 dnsIp12 151 Drops PE files with a suspicious file extension 47->151 62 Impaziente.com 47->62         started        75 C:\Users\user\AppData\...\Impaziente.com, Targa 50->75 dropped 95 192.168.2.1 unknown unknown 53->95 67 Gabbie.com 1 56->67         started        97 127.0.0.1 unknown unknown 58->97 77 C:\Users\user\AppData\Roaming\...behaviorgraphabbie.com, Targa 60->77 dropped file13 signatures14 process15 dnsIp16 103 pPwMtCbmMw.pPwMtCbmMw 62->103 87 C:\Users\user\AppData\Roaming\...\RegAsm.exe, PE32 62->87 dropped 89 C:\Users\user\AppData\...\cwbQmqkFVQ.com, PE32 62->89 dropped 91 C:\Users\user\AppData\...\cwbQmqkFVQ.url, MS 62->91 dropped 119 Writes to foreign memory regions 62->119 121 Maps a DLL or memory area into another process 62->121 69 RegAsm.exe 62->69         started        105 ZrCBClHgBrWRMpfFaRNkKkaROjP.ZrCBClHgBrWRMpfFaRNkKkaROjP 67->105 93 C:\Users\user\AppData\Roaming\...\RegAsm.exe, PE32 67->93 dropped 73 RegAsm.exe 67->73         started        file17 signatures18 process19 dnsIp20 99 135.181.121.237, 111, 35200, 49746 HETZNER-ASDE Germany 69->99 101 ip-api.com 208.95.112.1, 49744, 80 TUT-ASUS United States 69->101 135 May check the online IP address of the machine 69->135 137 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 69->137 139 Hides that the sample has been downloaded from the Internet (zone.identifier) 69->139 141 Installs a global keyboard hook 69->141 signatures21
Gathering data
Threat name:
Win32.Trojan.Miner
Create hunting rule
Status:
Malicious
First seen:
2021-03-15 00:50:48 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wkrfvhzhcmogfn6xrtmscnrzfq3ldqbsgccge44czafr2y43yoxa._file
Verdict:
malicious
Similar samples:
08dbec2319a6dc6fc42ac20e63560ff2796b9106ab9cfd4ea3974b45460f4c6b
RedLineStealer
22f8d1582e34c1754955d616542d3bf5e784d357ed58dd45e6bc3a5df9c82446
RedLineStealer
3b63323d965a34d9a828593150e9c765b085eb844c8c1596a86def9b623e099e
RedLineStealer
5c525f83e1414e33353169d89e84a5e22857c55727a30aa1c78fc1ccfb83900f
RedLineStealer
5d0b09993c8b1d6de2ab162c32f2c36fb250b5a8051fbde5d5bcf9e8142ef75d
RedLineStealer
620afc2abbee35a3927169681326c1f1800030fd02c77eef6a49550978a41257
RedLineStealer
872c552974708cea64df67fd5ae841611ff951f8c8d5230e611cec5f062bfa1f
RedLineStealer
883bd670d55447865cc753c58efafc0c26c17c8d2b11b10f3bc9f70093abe507
RedLineStealer
bb73a38d0a3977b6a7e548f33ff5bd687ea19f9230bb822bb3b9669b71d34879
RedLineStealer
e01d9c12ce59def16d3aa593e461d13173b98d4cef9658834f756ff4edbfd3d7
RedLineStealer
+ 292 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:quasar family:redline infostealer spyware trojan
Link:
https://tria.ge/reports/210323-e8efcqrbds/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Executes dropped EXE
Quasar Payload
Quasar RAT
RedLine
RedLine Payload
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
CoinMiner
Score:
0.60
Link:
https://yomi.yoroi.company/submissions/b2a25a9f27131c62b7d78cd92136392c36b1c0323084627382c80b1d639bc3ae

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:CN_disclosed_20180208_KeyLogger_1
Create hunting rule
Author:Florian Roth
Description:Detects malware from disclosed CN malware set
Reference:https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifcats observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_GENRansomware
Create hunting rule
Author:ditekSHen
Description:detects command variations typically used by ransomware
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_QuasarRAT
Create hunting rule
Author:ditekSHen
Description:QuasarRAT payload
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer
Rule name:MAL_QuasarRAT_May19_1
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:MSILStealer
Create hunting rule
Author:https://github.com/hwvs
Description:Detects strings from C#/VB Stealers and QuasarRat
Reference:https://github.com/quasar/QuasarRAT
Rule name:Quasar
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect QuasarRAT in memory
Rule name:Quasar_RAT_1
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Quasar_RAT_2
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Reverse_text_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Reverse text detected
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:Telegram_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Telegram in files like avemaria
Rule name:Vermin_Keylogger_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Vermin Keylogger
Reference:https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/
Rule name:win_blackshades_w0
Create hunting rule
Author:Jean-Philippe Teissier / @Jipe_
Rule name:XMRIG_Miner
Create hunting rule
Rule name:xRAT_1
Create hunting rule
Author:Florian Roth
Description:Detects Patchwork malware
Reference:https://goo.gl/Pg3P4W

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments