MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d07e7f7f409d82270a54d63f0ee9e38442665d91a5dc193bcadfe45452d8cf46. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 10



SHA256 hash: d07e7f7f409d82270a54d63f0ee9e38442665d91a5dc193bcadfe45452d8cf46
SHA3-384 hash: 798c18b0ccfa567caf78da0fa0a3a0371e8373dcca2507f449c3300308a3c09a1ce356592b962524d5bda05ab02850c6
SHA1 hash: 95795601cb8ae30e14180477ee67df3dee24ae95
MD5 hash: 3d512f874a02434a16a717f5abe30c5f
humanhash: summer-earth-princess-oranges
File name: 3D512F874A02434A16A717F5ABE30C5F.exe
Signature: RedLineStealer
File size: 2'423'690 bytes
First seen: 2021-08-07 16:55:34 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: a1a66d588dcf1394354ebf6ec400c223 (49 x RedLineStealer, 7 x CryptBot, 4 x AZORult)
ssdeep: 49152:B5+hFhsi3iv2zIq3tfGFSm60Z6zzgbHFbd52jB8TUGLTjxiz8lVHTIioOFZQ+O:B5aFGqzLt0J60koJbd8l8TRLTjxiqZ7O
Threatray: 338 similar samples on MalwareBazaar
TLSH: T11CB523707BEDA0FAF45325322885A73463A6FB490F4154E767341702BC41AD98BFAAC7
dhash icon: 6192a6a6a6a6c401 (17 x RedLineStealer, 11 x PythonStealer, 9 x DCRat)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
45.14.49.109:54819

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                  ThreatFox Reference
45.14.49.109:54819   https://threatfox.abuse.ch/ioc/166008/

Intelligence


File Origin
# of uploads: 1
# of downloads: 200
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 3D512F874A02434A16A717F5ABE30C5F.exe
Verdict: Suspicious activity
Analysis date: 2021-08-07 16:56:58 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching a process
Moving a file to the %temp% subdirectory
Creating a process from a recently created file
Replacing files
Enabling the 'hidden' option for files in the %temp% directory
Connection attempt
Sending an HTTP POST request
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a file
Deleting a recently created file
Reading critical registry keys
Sending a UDP request
Unauthorized injection to a recently created process
Stealing user critical data
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Clipboard Hijacker RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Connects to many ports of the same IP (likely port scanning)
Contains functionality to register a low level keyboard hook
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Defender Exclusion
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Clipboard Hijacker
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
[The behavior graph is rendered as an image on the original page; only the details recoverable from it are kept here.]
Behavior Graph ID: 461088
Sample: r29V14LmkB.exe
Startdate: 07/08/2021
Architecture: WINDOWS
Score: 100
Process chain shown in the graph: r29V14LmkB.exe drops 7z.exe and 7z.dll (PE32+) under C:\Users\user\AppData\Local\Temp\ and starts cmd.exe; cmd.exe starts several 7z.exe instances (one adds a directory exclusion to Windows Defender; another drops @numikai.exe and starts conhost.exe, timeout.exe and powershell.exe) and @numikai.exe. @numikai.exe contacts 45.14.49.109 (ITGLOBAL-NL, Netherlands), 45.137.190.166 (BITWEB-ASRU, Russian Federation) and api.ip.sb, drops mine.exe (PE32+) and clip.exe (PE32) into %temp%, and starts both plus conhost.exe. mine.exe drops MicrosoftApi.exe (PE32+), which contacts 45.137.190.236 (BITWEB-ASRU, Russian Federation), hides threads from debuggers, queries firmware table information, and runs cmd.exe, conhost.exe, timeout.exe and schtasks.exe. clip.exe injects a PE file into further clip.exe child processes.
Threat name: ByteCode-MSIL.Infostealer.Reline
Status: Malicious
First seen: 2021-08-05 12:47:52 UTC
AV detection: 13 of 27 (48.15%)
Threat level: 5/5

Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:@numikai discovery evasion infostealer spyware stealer suricata themida trojan upx
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RedLine
RedLine Payload
suricata: ET MALWARE Generic gate[.].php GET with minimal headers
suricata: ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad
Malware Config
C2 Extraction: 45.14.49.109:54819

Unpacked files
SHA256 hash: e679715be57bab1fb47e1846d69bf5091124a15282972d307dc45d4f24468fc1
MD5 hash: f641457180e408ed62d78bcc5d767172
SHA1 hash: 2ccb74208ac77eb721eda2be21c683bd23251ff8

SHA256 hash: d07e7f7f409d82270a54d63f0ee9e38442665d91a5dc193bcadfe45452d8cf46
MD5 hash: 3d512f874a02434a16a717f5abe30c5f
SHA1 hash: 95795601cb8ae30e14180477ee67df3dee24ae95

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: dsc
Author: Aaron DeVera
Description: Discord domains

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments