MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c75f0df898d06490ef6cf165a0462a40effa56f37ce5840e284666a253bb6ac5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 8



SHA256 hash: c75f0df898d06490ef6cf165a0462a40effa56f37ce5840e284666a253bb6ac5
SHA3-384 hash: 22f7c1f5e128c2ab59c562d7b21823d43216cba3e90b1242857b8d7944b871f411aef6de0d051b9e4a08ea5926d9a5b8
SHA1 hash: 08b92b8916a1c273d680b8e1e223574cf34e46e4
MD5 hash: 75adcf794cf086e354c4534f2a6f2369
humanhash: speaker-nine-oklahoma-victor
File name: 75adcf794cf086e354c4534f2a6f2369
Download: download sample
Signature: RedLineStealer
File size: 364'440 bytes
First seen: 2021-11-12 03:27:57 UTC
Last seen: 2021-11-12 07:19:08 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'207 x SnakeKeylogger)
ssdeep: 3072:Z1oiv/KCnysacpGalL6tZScInxwXZjbbivejJh99gu+otmWr3em2fbHxlQ9AEI/o:hviCTnjlmtZScgMPPh99gJ0NyR17QOrM
Threatray: 2'862 similar samples on MalwareBazaar
TLSH: T1D374CD422F9CF65DF0E17E3347CBAA2197A29CD64E3259E61E0C9A061730941AE7373D
Reporter: zbetcheckin
Tags: 32 exe RedLineStealer

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                    ThreatFox Reference
212.86.102.63:62907    https://threatfox.abuse.ch/ioc/246887/

Intelligence


File Origin
# of uploads: 2
# of downloads: 118
Origin country: n/a
Vendor Threat Intelligence
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: obfuscated
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: spyw.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph: [rendered graph not reproduced] Behavior Graph ID: 520354, Sample: 9VOtuH4mfW, Start date: 12/11/2021, Architecture: WINDOWS, Score: 100
Threat name: ByteCode-MSIL.Infostealer.Generic
Status: Suspicious
First seen: 2021-11-12 03:28:06 UTC
AV detection: 10 of 45 (22.22%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:raccoon family:redline botnet:34b5c357572382155552cb40207e952f9f95264b botnet:xxluchxx1 discovery infostealer spyware stealer
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Raccoon
RedLine
RedLine Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
185.215.113.109:44059
212.86.102.63:62907
Unpacked files
SHA256 hash: a29536f07b02150aca708b8e1bd804502e91ed4a45c488865a6e8853dea6a962
MD5 hash: 5eec2623bf31e7381fe1bb4ba1c16007
SHA1 hash: 57d3f3ba61bb7abb813e7403e557f70f9b33433f

SHA256 hash: c75f0df898d06490ef6cf165a0462a40effa56f37ce5840e284666a253bb6ac5
MD5 hash: 75adcf794cf086e354c4534f2a6f2369
SHA1 hash: 08b92b8916a1c273d680b8e1e223574cf34e46e4
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with a stomped PE compilation timestamp that is greater than the local current time
Rule name: pe_imphash
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer
Executable exe c75f0df898d06490ef6cf165a0462a40effa56f37ce5840e284666a253bb6ac5 (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2021-11-12 03:27:59 UTC

url: hxxp://154.16.148.41/myblog/posts/242.exe