MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d00184f7ae894b5bfd832771e9a920f9c399ba785e9a2f89382d499ec32e54a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 10



SHA256 hash: d00184f7ae894b5bfd832771e9a920f9c399ba785e9a2f89382d499ec32e54a2
SHA3-384 hash: 3a10a29d779eed28d2f04857c06aafa34a2b837f96a88e95e2b1f7f4938952ca63bc0837377bc4f8d9a282a3e89d5cd3
SHA1 hash: 9fe8ef2fab3c34bd98fade711b8256e0511a1097
MD5 hash: fb06ec887642c3c5c23fb43d9f81c93a
humanhash: muppet-pluto-wyoming-tango
File name: FB06EC887642C3C5C23FB43D9F81C93A.exe
Signature: RedLineStealer
File size: 274'944 bytes
First seen: 2021-05-07 15:16:49 UTC
Last seen: 2021-05-07 16:15:36 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 52cdfb1fc764b9f5803256af308c769f (1 x RedLineStealer)
ssdeep: 6144:izR6Ce2kSd8hD7BJQ1nPOjS80fzG5oXn:kY1VlhD7unPPG56
Threatray: 417 similar samples on MalwareBazaar
TLSH: C744C01036C2C932D48266374420D7B54EBBBDF52821A6CF7BD23EB99F362D1963074A
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
http://morwxi05.top/index.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                              ThreatFox Reference
http://morwxi05.top/index.php    https://threatfox.abuse.ch/ioc/31711/

Intelligence


File Origin
# of uploads: 3
# of downloads: 106
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Trinity Dropper V3.exe
Verdict: Malicious activity
Analysis date: 2021-05-03 02:37:25 UTC
Tags: evasion trojan opendir loader rat redline ficker stealer phishing

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Sending an HTTP GET request
Deleting a recently created file
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Creating a window
Unauthorized injection to a recently created process
Sending an HTTP GET request to an infection source
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Cryptbot Ficker Stealer RedLine
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample or dropped binary is a compiled AutoHotkey binary
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Yara detected Cryptbot
Yara detected Evader
Yara detected Ficker Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph (ID: 408657; Sample: knVeKL8T8R.exe; Startdate: 09/05/2021; Architecture: WINDOWS; Score: 100)

Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures

Process tree, with the network contacts, dropped files and signatures the graph attaches to each process:

knVeKL8T8R.exe
  Network: g-clean.in 8.209.75.180 (ports 49712, 49713, 49715; CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC, Singapore); iplogger.org 88.99.66.31 (ports 443, 49736, 49737; HETZNER-AS DE, Germany); 2 other IPs or domains
  Dropped: C:\Users\user\AppData\...\59219431660.exe (PE32); C:\Users\user\AppData\...\33876392140.exe (PE32); C:\Users\user\AppData\...\19611713061.exe (PE32); 6 other files (4 malicious)
  Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); May check the online IP address of the machine
  cmd.exe
    59219431660.exe
      Network: nailedpizza.top; iplogger.org
      Dropped: C:\Users\user\AppData\...\edspolishpp.exe (PE32)
      Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (overwrites its own PE header); May check the online IP address of the machine; Sample or dropped binary is a compiled AutoHotkey binary
      edspolishpp.exe
        Network: xisolenoy.xyz 79.141.170.43 (ports 49743, 49745, 49746; HZ-UK-AS GB, Bulgaria); api.ip.sb
        Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); 3 other signatures
    conhost.exe
  cmd.exe
    33876392140.exe
      Signatures: Detected unpacking (changes PE section rights); Injects a PE file into a foreign processes
      33876392140.exe
        Network: truzen.site 62.113.117.9 (ports 49727, 49735, 80; VDSINA-AS RU, Russian Federation); elb097307-934924932.us-east-1.elb.amazonaws.com 50.16.249.42 (ports 49725, 80; AMAZON-AES US, United States); 2 other IPs or domains
        Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Instant Messenger accounts or passwords; Tries to harvest and steal browser information (history, passwords, etc); Tries to harvest and steal Bitcoin Wallet information
    conhost.exe
  cmd.exe
    19611713061.exe
      Network: eoshye62.top 34.106.8.84 (ports 49755, 80; GOOGLE US, United States); morfar06.top 35.236.110.35 (ports 49759, 80; GOOGLE US, United States)
      Signatures: Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
      cmd.exe
        conhost.exe
        timeout.exe
    conhost.exe
  cmd.exe
    conhost.exe
    taskkill.exe
Threat name: Win32.Trojan.Ranumbot
Status: Malicious
First seen: 2021-05-04 10:32:32 UTC
AV detection: 26 of 47 (55.32%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:cryptbot family:fickerstealer family:redline discovery infostealer spyware stealer
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Deletes itself
Loads dropped DLL
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
CryptBot
CryptBot Payload
RedLine
RedLine Payload
fickerstealer
Malware Config
C2 Extraction: truzen.site:80
Unpacked files
SHA256 hash: 08373002f5dfd4af54963c6a1b700b57019bbca99abc7de51edc82d11fc43d38
MD5 hash: 39514fa5c79f59e09954934f7bf897b2
SHA1 hash: 286885bf61043e56785ce8bbc6856dce08067db1
SHA256 hash: d00184f7ae894b5bfd832771e9a920f9c399ba785e9a2f89382d499ec32e54a2
MD5 hash: fb06ec887642c3c5c23fb43d9f81c93a
SHA1 hash: 9fe8ef2fab3c34bd98fade711b8256e0511a1097
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Author: ditekSHen
Description: Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers
Rule name: INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Author: ditekSHen
Description: Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name: MALWARE_Win_CryptBot
Author: ditekSHen
Description: CryptBot/Fugrafa stealer payload
Rule name: MALWARE_Win_Ficker
Author: ditekSHen
Description: Detects Ficker infostealer
Rule name: MALWARE_Win_RedLine
Author: ditekshen
Description: Detects RedLine infostealer
Rule name: Ping_Del_method_bin_mem
Author: James_inthe_box
Description: cmd ping IP nul del
Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research
Rule name: with_sqlite
Author: Julian J. Gonzalez <info@seguridadparatodos.es>
Description: Rule to detect the presence of SQLite data in raw image
Reference: http://www.st2labs.com

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments



a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-07 16:05:31 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [C0003.002] Communication Micro-objective::Connect Pipe::Interprocess Communication
1) [C0003.001] Communication Micro-objective::Create Pipe::Interprocess Communication
2) [C0003.003] Communication Micro-objective::Read Pipe::Interprocess Communication
3) [C0003.004] Communication Micro-objective::Write Pipe::Interprocess Communication
4) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
5) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
6) [C0049] File System Micro-objective::Get File Attributes
7) [C0052] File System Micro-objective::Writes File
8) [C0007] Memory Micro-objective::Allocate Memory
9) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
10) [C0040] Process Micro-objective::Allocate Thread Local Storage
11) [C0042] Process Micro-objective::Create Mutex
12) [C0041] Process Micro-objective::Set Thread Local Storage Value
13) [C0018] Process Micro-objective::Terminate Process
14) [C0039] Process Micro-objective::Terminate Thread