MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c0efa247a497b4d9d721d0f54e30e44007c5e53882cf822ade5c3b8f9dd6bbaf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11


SHA256 hash: c0efa247a497b4d9d721d0f54e30e44007c5e53882cf822ade5c3b8f9dd6bbaf
SHA3-384 hash: 0ca1bc72a1b566cc541c56f52ba32c1cc00611f822dd069c1cd600a3b0f6a69eafae72b82230919f7eedde05d70b6b5a
SHA1 hash: f12ed302187e05be8a1d1e53e43f0339f920337e
MD5 hash: 05dcd8f7c49b658f25877b2c0d2289e0
humanhash: mountain-arkansas-wyoming-jersey
File name: 05dcd8f7c49b658f25877b2c0d2289e0
Signature: RedLineStealer
File size: 13'627'080 bytes
First seen: 2021-12-21 21:44:25 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep: 393216:zeiGfwFlqPtG596+0qifanFneDsm83Zf3YKFQVNeL:yNIFlqs596+0PCFneDspfIIQyL
Threatray: 75 similar samples on MalwareBazaar
TLSH: T1AAD63355A8E5CC72C6AE023B4C3577C062396A31BBA09DE723E4E77D9A401D5B630BD3
dhash icon: 044d4849933136c9 (1 x RedLineStealer)
Reporter: zbetcheckin
Tags: 32 exe RedLineStealer

Intelligence
File Origin
# of uploads: 1
# of downloads: 179
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 05dcd8f7c49b658f25877b2c0d2289e0
Verdict: Malicious activity
Analysis date: 2021-12-21 21:48:40 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Launching a process
Running batch commands
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
DNS request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: greyware overlay packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: RedLine Xmrig
Detection: malicious
Classification: troj.spyw.evad.mine
Score: 100 / 100
Signature
Allocates memory in foreign processes
Detected Stratum mining protocol
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file has nameless sections
Potential dropper URLs found in powershell memory
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph (ID: 543715; sample: SiAZ3CEjDD; start date: 21/12/2021; architecture: WINDOWS; score: 100)

Top-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected RedLine Stealer; 10 other signatures
Top-level network: pool.hashvault.pro 131.153.56.98, 49837, 80 (CWIEUS, United States)

Process tree (network tuples are given as IP, port, port exactly as in the graph):
SiAZ3CEjDD.exe
  dropped: C:\Users\user\AppData\Local\...\RustHack.exe (PE32+); C:\Users\user\AppData\...\8561958615.exe (PE32)
  8561958615.exe
    signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION; Writes to foreign memory regions; 2 other signatures
    AppLaunch.exe
      network: 95.143.178.139, 49776, 9006 (RHTEC-ASrh-tecIPBackboneDE, Russian Federation); cdn.discordapp.com 162.159.133.233, 443, 49781 (CLOUDFLARENETUS, United States)
      dropped: C:\Users\user\AppData\Local\Temp\5.exe (PE32+)
      signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
      5.exe
        network: github.com 140.82.121.3, 443, 49784, 49785 (GITHUBUS, United States); raw.githubusercontent.com 185.199.108.133, 443, 49786, 49789 (FASTLYUS, Netherlands)
        dropped: C:\Users\user\AppData\Roaming\...\RegHost.exe (PE32+); C:\Users\user\AppData\Roaming\...\7z.exe (PE32+); C:\Users\user\AppData\Roaming\...\7z.dll (PE32+); 2 other files (none is malicious)
        signatures: Detected unpacking (overwrites its own PE header); Machine Learning detection for dropped file; Hides threads from debuggers
        cmd.exe
          curl.exe
            network: api.telegram.org 149.154.167.220, 443, 49783 (TELEGRAMRU, United Kingdom)
          conhost.exe
        conhost.exe
    WerFault.exe
      network: 192.168.2.1 (unknown)
  RustHack.exe
    dropped: C:\Users\user\Microsoft\services64.exe (PE32+); C:\Users\user\AppData\...\RustHack.exe.log (ASCII)
    signatures: Detected unpacking (changes PE section rights); Machine Learning detection for dropped file; Hides threads from debuggers
    cmd.exe
      signatures: Encrypted powershell cmdline option found; Uses schtasks.exe or at.exe to add and modify task schedules
      powershell.exe
      conhost.exe
      powershell.exe
svchost.exe
  signatures: System process connects to network (likely due to code injection or exploit)
  WerFault.exe
    RegHost.exe
      network: 185.199.109.133, 443, 49798, 49801 (FASTLYUS, Netherlands); raw.githubusercontent.com; github.com
      signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Machine Learning detection for dropped file; Hides threads from debuggers
svchost.exe
2 other processes
Threat name: Win32.Trojan.Casdet
Status: Malicious
First seen: 2021-12-21 21:45:32 UTC
File Type: PE (Exe)
Extracted files: 9
AV detection: 23 of 28 (82.14%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:xmrig miner
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
XMRig Miner Payload
xmrig
Unpacked files
SHA256 hash: 6b69c60bca0aa2820768eef04fb8557f28790f6d55e3b7457a09402c11e2816a
MD5 hash: 9adc70d003babaa27c178b9e92b454de
SHA1 hash: 04d3c6de03a9d8664bf0a8ce4e6b96d2b8b06b69

SHA256 hash: 3fbe96ec547ef92caaacd04a7ed0914ce61dcdb36858369bbaeae4550e95c789
MD5 hash: 063964cf44b05723ffd6805ba51ccfab
SHA1 hash: 7110c338ddfb56a66d197fc8ce5adbaf5d110bac

SHA256 hash: 6ad513708e21b4aeb3ab5a61a53bb267f737e3ec5b399b920cb57f10e286f33d
MD5 hash: bebc2ee3c890c112bf56a6ac8fcab4dc
SHA1 hash: e14ae7ff279ec217a9fb3713d655cab39110338d

SHA256 hash: c0efa247a497b4d9d721d0f54e30e44007c5e53882cf822ade5c3b8f9dd6bbaf
MD5 hash: 05dcd8f7c49b658f25877b2c0d2289e0
SHA1 hash: f12ed302187e05be8a1d1e53e43f0339f920337e
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: EnigmaStub
Author: @bartblaze
Description: Identifies Enigma packer stub.

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information
The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe c0efa247a497b4d9d721d0f54e30e44007c5e53882cf822ade5c3b8f9dd6bbaf (this sample)

Delivery method: Distributed via web download

Comments
zbet commented on 2021-12-21 21:44:27 UTC

url: hxxp://data-file-data-7.com/files/8695_1640112768_6962.exe