MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b9f79bcb4c0ea9e939b35813e807fda308b7038f1dea613e7d8bbd7fe127ac84. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 2 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b9f79bcb4c0ea9e939b35813e807fda308b7038f1dea613e7d8bbd7fe127ac84
SHA3-384 hash: ad474a54ed437be122fd6e8800764bb819e00dde184c4e55812202f30d6daeae88b7350f9b1246fcabb1b3c5a45ba8bd
SHA1 hash: 2557bf9d890e4e0832fb03474657dae9c0037db3
MD5 hash: 375c1ffe19f2fba6ff5f32b4000cdea4
humanhash: burger-kentucky-nine-ten
File name:375C1FFE19F2FBA6FF5F32B4000CDEA4.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:646'144 bytes
First seen:2021-08-16 23:50:52 UTC
Last seen:2021-08-17 01:01:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d0f5faff0d9a42cffdcdc1bfda477ddc (2 x DiamondFox, 1 x RaccoonStealer, 1 x RedLineStealer)
ssdeep 12288:s36SNp0mWujfyGGNcR6+mgGak6H3lP3XJik0YhBhrfz0:s3m7r+876j0KDrr0
Threatray 204 similar samples on MalwareBazaar
TLSH T19DD45A3155A4F8A6F4A50CB8A1A6E3B698386F758AD78053F2B0773F86323C17C64537
dhash icon 31f8ce8282c0e001 (3 x DiamondFox, 3 x AgentTesla, 2 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
159.69.178.36:37556

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
159.69.178.36:37556 https://threatfox.abuse.ch/ioc/190411/
45.66.8.61:58416 https://threatfox.abuse.ch/ioc/190418/

Intelligence

File Origin
# of uploads :
2
# of downloads :
186
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
375C1FFE19F2FBA6FF5F32B4000CDEA4.exe
Verdict:
No threats detected
Analysis date:
2021-08-16 23:51:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d3b6e8cb-3adb-4862-9891-a057cca83170

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/179789/
Detection(s):
SecuriteInfo.com.Trojan.DiamondFox.19.10023.79.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
Sending a UDP request
Sending a custom TCP request
Sending an HTTP GET request
DNS request
Creating a file
Deleting a recently created file
Reading critical registry keys
Connection attempt to an infection source
Sending a TCP request to an infection source
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% subdirectories
Creating a window
Blocking the Windows Defender launch
Query of malicious DNS domain
Unauthorized injection to a recently created process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6602822a-500f-4ddc-9a7a-e9ea6dd57ecd
Result
Threat name:
DanaBot Metasploit RedLine SmokeLoader V
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/833975
Signature
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Process Start Without DLL
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected DanaBot stealer dll
Yara detected Metasploit Payload
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 466403 Sample: DIxFEr1Q5T.exe Startdate: 17/08/2021 Architecture: WINDOWS Score: 100 39 213.166.68.170 ON-LINE-DATAServerlocation-NetherlandsDrontenNL Ukraine 2->39 41 172.67.146.70 CLOUDFLARENETUS United States 2->41 43 135.125.172.201 AVAYAUS United States 2->43 57 Antivirus detection for URL or domain 2->57 59 Antivirus detection for dropped file 2->59 61 Multi AV Scanner detection for dropped file 2->61 63 10 other signatures 2->63 7 DIxFEr1Q5T.exe 4 78 2->7         started        signatures3 process4 dnsIp5 45 185.233.185.134 YURTEH-ASUA Russian Federation 7->45 47 37.0.11.8 WKD-ASIE Netherlands 7->47 49 16 other IPs or domains 7->49 31 C:\Users\...\zTMHxM651NtxJlBu6TXHBnmg.exe, PE32 7->31 dropped 33 C:\Users\...\ysfG9BM90ZZkKWheoroBNiTi.exe, PE32 7->33 dropped 35 C:\Users\...\wRF9ZY6xOQCXmSoDbxBIqjOU.exe, PE32 7->35 dropped 37 53 other files (48 malicious) 7->37 dropped 65 Drops PE files to the document folder of the user 7->65 67 Creates HTML files with .exe extension (expired dropper behavior) 7->67 69 Tries to harvest and steal browser information (history, passwords, etc) 7->69 71 Disable Windows Defender real time protection (registry) 7->71 12 ZG7eubqgThQ4pYGoKpeHQgwu.exe 7->12         started        15 DCdAYT9DE7ygRqsTqeSMohY0.exe 1 14 7->15         started        19 SFbA72Ht5rj56twFujzrd6dq.exe 6 5 7->19         started        21 4 other processes 7->21 file6 signatures7 process8 dnsIp9 73 Detected unpacking (changes PE section rights) 12->73 75 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 12->75 77 Maps a DLL or memory area into another process 12->77 79 2 other signatures 12->79 51 208.95.112.1 TUT-ASUS United States 15->51 53 45.136.151.102 ENZUINC-US Latvia 15->53 55 172.67.176.199 CLOUDFLARENETUS United States 15->55 23 C:\Users\user\AppData\Local\Temp\11111.exe, PE32 15->23 dropped 25 C:\Users\user\AppData\...\aaa_v010[1].dll, DOS 15->25 dropped 27 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 19->27 dropped 29 C:\Users\...\ur_MTIFPr8LKkAHFFOMHNbWc.tmp, PE32 21->29 dropped file10 signatures11
Detection:
glupteba
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b9f79bcb4c0ea9e939b35813e807fda308b7038f1dea613e7d8bbd7fe127ac84/
Threat name:
Win32.Trojan.Bsymem
Create hunting rule
Status:
Malicious
First seen:
2021-08-16 21:47:27 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xh3zxs2mb2u6sontlaj6qb75umeloa4pdxvgcpt5ro6x7yjhvsca._file
Verdict:
malicious
Similar samples:
1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff
RedLineStealer
31452b50fe8475fa4566b814ed702c6910029ff66db45d3dbb21c2e3ed63594f
RedLineStealer
3d93d1e45579a47c3a3425fd16319c5a004396a2d98b7cf170ed009dad29c247
RedLineStealer
5e1a4b9ced78b15872e2723b231e3934c4874c6ea28ebf6c983a61f5040b5f96
RedLineStealer
663d11c6a687961e8b5cda09b720a9511d972a9ea164cf8c385037a33eea53fa
RedLineStealer
67b1a7835687bf5851cf29539b2d0ce90ab30d373edfcf9ee54237026c67df33
RedLineStealer
6814143c59108c0010bd29365823a38f61062a1978987b4798671334aa496740
RedLineStealer
a81accafde181c4afdc35a0c9221f12aafaf2b6b3351dde1f4cb4d7ef25355fc
RedLineStealer
b5f88e34db4bb65da8c21982590b67922fe32e62e7cfaae9fbe417a4262aa143
RedLineStealer
+ 194 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:metasploit family:raccoon family:redline family:smokeloader family:vidar botnet:171b0ea0beebb33c2d9043b095edfe8ec188b323 botnet:4 botnet:937 botnet:@xmercuryx botnet:dibild botnet:forinstalls2 botnet:ls4 botnet:ww backdoor dropper evasion infostealer loader spyware stealer suricata themida trojan vmprotect
Link:
https://tria.ge/reports/210816-brbk3bytl6/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Kills process with taskkill
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Nirsoft
Vidar Stealer
Glupteba
Glupteba Payload
MetaSploit
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
Raccoon
Raccoon Stealer Payload
RedLine
RedLine Payload
SmokeLoader
Vidar
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Malware Config
C2 Extraction:
159.69.178.36:37556
135.148.139.222:33569
ighaisexel.xyz:80
77.220.213.35:52349
213.166.68.170:16810
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
https://lenak513.tumblr.com/
91.228.56.223:20793
Unpacked files
SH256 hash:
b9f79bcb4c0ea9e939b35813e807fda308b7038f1dea613e7d8bbd7fe127ac84
MD5 hash:
375c1ffe19f2fba6ff5f32b4000cdea4
SHA1 hash:
2557bf9d890e4e0832fb03474657dae9c0037db3
Link:
https://www.unpac.me/results/9512c0df-fb74-4752-9aa9-c1cb08f6a916/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/b9f79bcb4c0e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b9f79bcb4c0ea9e939b35813e807fda308b7038f1dea613e7d8bbd7fe127ac84

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/179789/

Comments