MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd60511c7b930911ed7edb22ca6bae15995f00b2ecdfd009322a04f5c82a851d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 25 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bd60511c7b930911ed7edb22ca6bae15995f00b2ecdfd009322a04f5c82a851d
SHA3-384 hash: 8c6ac4f08566369ab83d37e8fa5a9d5d4fdbf511a7209459acb5682cca47ef50fc8e149155e983016a6976e7998f584b
SHA1 hash: 6ae12172b3d01a9b1d080135711f9254075fa672
MD5 hash: 172f0e84c19ed26ad000fa7c5e0273f3
humanhash: hydrogen-kentucky-north-moon
File name:172F0E84C19ED26AD000FA7C5E0273F3.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:4'585'683 bytes
First seen:2021-06-20 16:30:44 UTC
Last seen:2021-06-20 17:34:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar)
ssdeep 98304:6IoGyWvhjqQdmtU9su3K0m8n6s3nwE68zGn8ivuV2PHqX/8hILmt:6I6Wvhj3jyppCzG8ivRKXEY2
Threatray 278 similar samples on MalwareBazaar
TLSH 5526334129EA84F1F3716F3198F26BDD08385971E5E41E28A277EE0E7C20587EC95B1B
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
95.217.140.35:50845

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
95.217.140.35:50845 https://threatfox.abuse.ch/ioc/137729/

Intelligence

File Origin
# of uploads :
2
# of downloads :
196
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
172F0E84C19ED26AD000FA7C5E0273F3.exe
Verdict:
No threats detected
Analysis date:
2021-06-20 16:35:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e640cbf3-8916-47cf-a559-be172ac3a4f4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/167206/
Detection(s):
SecuriteInfo.com.Trojan.Siggen13.59767.19271.19166.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7fc3a440-a01b-4494-a331-333d264dd5b1
Result
Threat name:
Quasar RedLine
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/804955
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Deletes shadow drive data (may be related to ransomware)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell creates an autostart link
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: Suspicious Csc.exe Source File Folder
Sigma detected: Suspicious Process Start Without DLL
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Powershell download and execute
Yara detected Quasar RAT
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 437366 Sample: c1N9BQCa8l.exe Startdate: 20/06/2021 Architecture: WINDOWS Score: 100 104 Found malware configuration 2->104 106 Malicious sample detected (through community Yara rule) 2->106 108 Antivirus detection for dropped file 2->108 110 13 other signatures 2->110 10 c1N9BQCa8l.exe 36 2->10         started        13 mshta.exe 2->13         started        process3 file4 82 C:\Users\user\AppData\Local\...\lolMiner.exe, PE32+ 10->82 dropped 84 C:\Users\user\AppData\Local\Temp\color.exe, PE32 10->84 dropped 86 C:\Users\user\AppData\Local\Temp\clerit.exe, PE32 10->86 dropped 15 color.exe 2 10->15         started        18 clerit.exe 2 10->18         started        20 lolMiner.exe 1 10->20         started        22 MSBuild.exe 13->22         started        process5 signatures6 134 Multi AV Scanner detection for dropped file 15->134 24 powershell.exe 1 23 15->24         started        28 powershell.exe 1 20 18->28         started        136 Antivirus detection for dropped file 20->136 138 Machine Learning detection for dropped file 20->138 31 conhost.exe 20->31         started        33 csc.exe 22->33         started        35 conhost.exe 22->35         started        process7 dnsIp8 96 i.imgur.com 24->96 72 C:\Users\user\iologmsg.lnk, UTF-8 24->72 dropped 74 PowerShell_transcr....20210620183213.txt, UTF-8 24->74 dropped 37 MSBuild.exe 24->37         started        40 conhost.exe 24->40         started        98 ipv4.imgur.map.fastly.net 151.101.12.193, 443, 49727, 49728 FASTLYUS United States 28->98 100 192.168.2.1 unknown unknown 28->100 102 i.imgur.com 28->102 76 C:\Users\user\ifsutilx.lnk, UTF-8 28->76 dropped 78 PowerShell_transcr....20210620183213.txt, UTF-8 28->78 dropped 132 Powershell creates an autostart link 28->132 42 MSBuild.exe 12 28->42         started        45 conhost.exe 28->45         started        80 C:\Users\user\AppData\Local\...\jpabrsgq.dll, PE32 33->80 dropped 47 cvtres.exe 33->47         started        file9 signatures10 process11 file12 124 Sample uses process hollowing technique 37->124 49 RegAsm.exe 37->49         started        53 csc.exe 37->53         started        56 conhost.exe 37->56         started        88 C:\Users\user\AppData\...\mmaktjpf.cmdline, UTF-8 42->88 dropped 126 Contains functionality to inject code into remote processes 42->126 128 Writes to foreign memory regions 42->128 130 Injects a PE file into a foreign processes 42->130 58 RegAsm.exe 42->58         started        60 csc.exe 42->60         started        62 conhost.exe 42->62         started        signatures13 process14 dnsIp15 90 95.217.140.35, 1307, 49737, 49738 HETZNER-ASDE Germany 49->90 92 api.ip.sb 49->92 112 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 49->112 114 May check the online IP address of the machine 49->114 116 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 49->116 122 3 other signatures 49->122 68 C:\Users\user\AppData\Local\...\4x1rz3uc.dll, PE32 53->68 dropped 64 cvtres.exe 53->64         started        94 ip-api.com 208.95.112.1, 49736, 80 TUT-ASUS United States 58->94 118 Hides that the sample has been downloaded from the Internet (zone.identifier) 58->118 120 Installs a global keyboard hook 58->120 70 C:\Users\user\AppData\Local\...\mmaktjpf.dll, PE32 60->70 dropped 66 cvtres.exe 60->66         started        file16 signatures17 process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bd60511c7b930911ed7edb22ca6bae15995f00b2ecdfd009322a04f5c82a851d/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-06-18 03:43:12 UTC
AV detection:
17 of 27 (62.96%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xvqfchd3smerd3l63mrmu25ocwmv6afs5tp5acjsficplsbkquoq._file
Verdict:
malicious
Similar samples:
08dbec2319a6dc6fc42ac20e63560ff2796b9106ab9cfd4ea3974b45460f4c6b
RedLineStealer
16bbaa4003bd7b0ee00634113bd4da02b153f09817263dda98bb06d012c18d74
RedLineStealer
3c7744b3236b34b32adf0b3a3d5b7874533878c34d200d2c07fe0e0e37cb16f6
RedLineStealer
57372f78f979ab331a3ce1ebd9154c6eb4674db4de60c5c6b521934d7b9463ac
RedLineStealer
5c525f83e1414e33353169d89e84a5e22857c55727a30aa1c78fc1ccfb83900f
RedLineStealer
91a63868ca56bae97b954c0ece75ed4f66e18bf2c258a9ed5712e376bae7220c
RedLineStealer
a4fcf02ada330a1e50982618833ae730d5238adbf9407e303cc6c05fa8270ba5
RedLineStealer
b2a25a9f27131c62b7d78cd92136392c36b1c0323084627382c80b1d639bc3ae
RedLineStealer
d8cacda848bd2a780b1a081222e0eb609794e309b13327fb5fc59231022aba81
RedLineStealer
f32dd96babd3723f5a6bc5a917f72c7a349887b6605e74502916d49a5c9a3651
RedLineStealer
+ 268 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:quasar family:redline botnet:office discovery infostealer spyware stealer trojan upx
Link:
https://tria.ge/reports/210620-vf6qp6p7ln/
Behaviour
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Executes dropped EXE
UPX packed file
Quasar Payload
Quasar RAT
RedLine
RedLine Payload
Malware Config
C2 Extraction:
95.217.140.35:1307
Unpacked files
SH256 hash:
bd60511c7b930911ed7edb22ca6bae15995f00b2ecdfd009322a04f5c82a851d
MD5 hash:
172f0e84c19ed26ad000fa7c5e0273f3
SHA1 hash:
6ae12172b3d01a9b1d080135711f9254075fa672
Link:
https://www.unpac.me/results/dbf28049-f363-4eaa-a52f-e35848ed6913/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bd60511c7b930911ed7edb22ca6bae15995f00b2ecdfd009322a04f5c82a851d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:CN_disclosed_20180208_KeyLogger_1
Create hunting rule
Author:Florian Roth
Description:Detects malware from disclosed CN malware set
Reference:https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details
Rule name:Glasses
Create hunting rule
Author:Seth Hardy
Description:Glasses family
Rule name:GlassesCode
Create hunting rule
Author:Seth Hardy
Description:Glasses code features
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifcats observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_GENRansomware
Create hunting rule
Author:ditekSHen
Description:detects command variations typically used by ransomware
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_QuasarRAT
Create hunting rule
Author:ditekSHen
Description:QuasarRAT payload
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer
Rule name:MAL_QuasarRAT_May19_1
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:MSILStealer
Create hunting rule
Author:https://github.com/hwvs
Description:Detects strings from C#/VB Stealers and QuasarRat
Reference:https://github.com/quasar/QuasarRAT
Rule name:pe_imphash
Create hunting rule
Rule name:Quasar
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect QuasarRAT in memory
Rule name:Quasar_RAT_1
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Quasar_RAT_2
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:Telegram_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Telegram in files like avemaria
Rule name:Vermin_Keylogger_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Vermin Keylogger
Reference:https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/
Rule name:win_blackshades_w0
Create hunting rule
Author:Jean-Philippe Teissier / @Jipe_
Rule name:xRAT_1
Create hunting rule
Author:Florian Roth
Description:Detects Patchwork malware
Reference:https://goo.gl/Pg3P4W

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/167206/

Comments