MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b5dbd687e03ca05e79cc90bb069df6fad6c379b99fca6e0366934a690322bfad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b5dbd687e03ca05e79cc90bb069df6fad6c379b99fca6e0366934a690322bfad
SHA3-384 hash: 92a2155b7bdd7d1be92d9672b1cc91c22ab7dac5597a5a9fe4b4d5c9e966b2a457d8727ff88c251e6592beab9ac1ea1e
SHA1 hash: efa4e22bd103a57dd8218f9d0d28ce8868c4d15d
MD5 hash: 66029e6310d878c3cf1407727cfb3a88
humanhash: butter-arkansas-victor-uncle
File name:66029e6310d878c3cf1407727cfb3a88.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:449'821 bytes
First seen:2021-10-03 06:45:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:e8klT97igBMJM8Ajhq/dK98KGa4YR1HK53f8hit3hDyYhE:eD7jhm5
Threatray 171 similar samples on MalwareBazaar
TLSH T136A4EF28687FC019C5E3EEB52DDCA8BAD99A55E3640C703701B4633B8B52B84DE4F479
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
91.245.253.52:38439

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
91.245.253.52:38439 https://threatfox.abuse.ch/ioc/229690/

Intelligence

File Origin
# of uploads :
1
# of downloads :
142
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
66029e6310d878c3cf1407727cfb3a88.exe
Verdict:
Suspicious activity
Analysis date:
2021-10-03 07:56:00 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1173185e-f4d9-479c-ad36-100af64a3cb0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/194299/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.972-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated overlay packed
Link:
https://www.filescan.io/uploads/615c2eaa98a6280f39324f97/reports/fe79e19b-881d-4bea-94a9-0c0e8ac2bf3b/overview
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cd0c346f-a1b0-4e6e-9126-5db3d9d8ecd5
Result
Threat name:
RedLine Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/863352
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell adding suspicious path to exclusion list
Sigma detected: Powershell Defender Exclusion
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 495780 Sample: 2GQL8eREln.exe Startdate: 03/10/2021 Architecture: WINDOWS Score: 100 155 Malicious sample detected (through community Yara rule) 2->155 157 Antivirus detection for dropped file 2->157 159 Antivirus / Scanner detection for submitted sample 2->159 161 12 other signatures 2->161 10 2GQL8eREln.exe 2 2->10         started        14 System.exe 2->14         started        17 svchost.exe 2->17         started        19 9 other processes 2->19 process3 dnsIp4 109 C:\Users\user\AppData\...\2GQL8eREln.exe.log, ASCII 10->109 dropped 167 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 10->167 169 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 10->169 171 Injects a PE file into a foreign processes 10->171 21 2GQL8eREln.exe 15 26 10->21         started        26 conhost.exe 10->26         started        135 iplogger.org 14->135 137 bitbucket.org 14->137 111 C:\ProgramData\Systemd\old.exe02 (copy), PE32+ 14->111 dropped 113 C:\ProgramData\Systemd\old.exe. (copy), PE32+ 14->113 dropped 115 C:\ProgramData\Systemd\old.exe (copy), PE32+ 14->115 dropped 117 C:\ProgramData\Systemd\note3dll.exe, PE32+ 14->117 dropped 28 cmd.exe 14->28         started        30 cmd.exe 14->30         started        32 cmd.exe 14->32         started        40 44 other processes 14->40 173 Changes security center settings (notifications, updates, antivirus, firewall) 17->173 34 MpCmdRun.exe 17->34         started        139 127.0.0.1 unknown unknown 19->139 36 conhost.exe 19->36         started        38 taskkill.exe 19->38         started        file5 signatures6 process7 dnsIp8 123 91.245.253.52, 38439, 49749 V4ESCROW-ASRO Romania 21->123 125 cdn.discordapp.com 162.159.129.233, 443, 49753 CLOUDFLARENETUS United States 21->125 127 api.ip.sb 21->127 107 C:\Users\user\AppData\Local\...107etFrame.exe, PE32+ 21->107 dropped 163 Tries to harvest and steal browser information (history, passwords, etc) 21->163 165 Tries to steal Crypto Currency Wallets 21->165 42 NetFrame.exe 38 21->42         started        47 taskkill.exe 28->47         started        49 conhost.exe 28->49         started        51 taskkill.exe 30->51         started        53 conhost.exe 30->53         started        55 conhost.exe 32->55         started        57 taskkill.exe 32->57         started        59 conhost.exe 34->59         started        61 53 other processes 40->61 file9 signatures10 process11 dnsIp12 129 iplogger.org 88.99.66.31, 443, 49754, 49755 HETZNER-ASDE Germany 42->129 131 bitbucket.org 104.192.141.1, 443, 49756, 49763 AMAZON-02US United States 42->131 133 3 other IPs or domains 42->133 119 C:\ProgramData\Microsoft Network\System.exe, PE32+ 42->119 dropped 121 C:\ProgramData\Systemd\old.exeba (copy), PE32+ 42->121 dropped 175 Multi AV Scanner detection for dropped file 42->175 177 May check the online IP address of the machine 42->177 179 Machine Learning detection for dropped file 42->179 181 Adds a directory exclusion to Windows Defender 42->181 63 note3dll.exe 42->63         started        67 cmd.exe 42->67         started        69 cmd.exe 42->69         started        77 56 other processes 42->77 71 conhost.exe 47->71         started        73 taskkill.exe 47->73         started        75 conhost.exe 51->75         started        file13 signatures14 process15 dnsIp16 141 131.153.142.106, 443, 49759 SSASN2US United States 63->141 143 192.168.2.1 unknown unknown 63->143 145 pool.hashvault.pro 63->145 147 Antivirus detection for dropped file 63->147 149 Multi AV Scanner detection for dropped file 63->149 151 Query firmware table information (likely to detect VMs) 63->151 153 Machine Learning detection for dropped file 63->153 79 taskkill.exe 67->79         started        81 conhost.exe 67->81         started        83 taskkill.exe 69->83         started        85 conhost.exe 69->85         started        87 conhost.exe 77->87         started        89 conhost.exe 77->89         started        91 conhost.exe 77->91         started        93 72 other processes 77->93 signatures17 process18 process19 95 conhost.exe 79->95         started        97 taskkill.exe 79->97         started        99 conhost.exe 83->99         started        101 conhost.exe 87->101         started        103 conhost.exe 89->103         started        105 conhost.exe 91->105         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b5dbd687e03ca05e79cc90bb069df6fad6c379b99fca6e0366934a690322bfad/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-10-03 06:46:09 UTC
AV detection:
26 of 45 (57.78%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wxn5nb7ahsqf46omsc5qnhpw7llmg6nzt7fg4a3gsnfgsazcx6wq._file
Verdict:
malicious
Similar samples:
11c3fab1232b6a7140342361c919f4f41bc1bf086cd2bc370a0a4eb7cf87b95e
RedLineStealer
56c26a2b13759364f9cc066e2d876bcca463ea1c699b0fe63774686922029f72
RedLineStealer
9d80ac1d36bafd7802a133c1f220b8ef880d806ff54692a36a6eae335be38f0e
RedLineStealer
a19c6c6ababd9decea2b6b842586a9e17b55554924a0e9a29f8abb7bd7b4980e
RedLineStealer
a9b301d360e5c630bcfe0759d9479ae8f31f02117233061fda2492b5a21cafa5
RedLineStealer
c44f4f19f854e3a7312d262f8225024d3eb235fc580f4175ab923a4acd0231ff
RedLineStealer
dd015fe4a916f31b5b650bd6d787c594119b09ee523f046a68dbdd725ba04c5f
RedLineStealer
+ 161 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:new discovery infostealer spyware stealer
Link:
https://tria.ge/reports/211003-hjmwqsfbgr/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
91.245.253.52:38439
Unpacked files
SH256 hash:
69b3bf0d519e5c64a81c7bf8893aa5b72a1b9471e5614ac19c85d0c9b048e1e4
MD5 hash:
661e617b3c4ef722f6a7a57f253adb6c
SHA1 hash:
ca39d9237f826dbee1c845ea9f364215f57357da
Link:
https://www.unpac.me/results/d12a4e17-0510-4876-97bc-0118014d9d85/
SH256 hash:
b5dbd687e03ca05e79cc90bb069df6fad6c379b99fca6e0366934a690322bfad
MD5 hash:
66029e6310d878c3cf1407727cfb3a88
SHA1 hash:
efa4e22bd103a57dd8218f9d0d28ce8868c4d15d
Link:
https://www.unpac.me/results/d12a4e17-0510-4876-97bc-0118014d9d85/
Malware family:
XMRIG
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/b5dbd687e03c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/b5dbd687e03ca05e79cc90bb069df6fad6c379b99fca6e0366934a690322bfad

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/194299/

Comments