MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d1d622e31d20a69fc6fea0d98996607f37f6204bb02625bfb329cfdbb8edb6e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 1 File information Comments

SHA256 hash: d1d622e31d20a69fc6fea0d98996607f37f6204bb02625bfb329cfdbb8edb6e6
SHA3-384 hash: d0b5e6e9c88ddecce0904dbe5d96bb9dd8b90a1e39ef29509bc8b8713c429c9a21be351148db7732d1df492140f0f433
SHA1 hash: 4ac0d40abb71e9fcff34c8f67511fc590f495f3e
MD5 hash: 310eb5bd45ac9c5767d28e63ab64635b
humanhash: seven-failed-oranges-minnesota
File name:CryptoMiner.exe
Download: download sample
Signature RedLineStealer
File size:1'579'064 bytes
First seen:2022-05-05 01:27:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash efad26290bf4d1a676b7ad79139e8cdb (1 x RedLineStealer)
ssdeep 24576:07L4j8tb74F0xt7ruJV/QujUOycEvgyJrDybsxXX+ZVGNVooHI9s5KCfj2:07L4jIIct7w/QujMvOgUwLoKIG2
Threatray 2'261 similar samples on MalwareBazaar
TLSH T1EC75ADB7384C859AE91B8E70C834E6620B5F9D238F55089652DC3DA7B83B1F0647DD8B
File icon (PE):PE icon
dhash icon f8c4cac8ecb4cccc (1 x Formbook, 1 x RedLineStealer)
Reporter @Galaxy79146064
Tags:exe RedLineStealer signed

Code Signing Certificate

Organisation:*.elo.com
Issuer:Certum Domain Validation CA SHA2
Algorithm:sha256WithRSAEncryption
Valid from:2021-09-28T15:03:57Z
Valid to:2022-10-28T15:03:56Z
Serial number: 01ca3a6dbd89e3ba09a6983260fe8f96
Thumbprint Algorithm:SHA256
Thumbprint: ff8f3ad6662949e8feb753daa023fc4ddefe4c275bb98bcb9cfa1d225cbcbea8
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads :
1
# of downloads :
236
Origin country :
US US
Mail intelligence
No data
Vendor Threat Intelligence
Malware family:
redline
ID:
1
File name:
CryptoMiner.exe
Verdict:
Malicious activity
Analysis date:
2022-05-05 01:28:35 UTC
Tags:
trojan rat redline loader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Launching a process
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionGetTickCount
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Encrypted powershell cmdline option found
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 620659 Sample: CryptoMiner.exe Startdate: 05/05/2022 Architecture: WINDOWS Score: 100 54 Snort IDS alert for network traffic 2->54 56 Found malware configuration 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 8 other signatures 2->60 9 CryptoMiner.exe 2->9         started        process3 signatures4 68 Writes to foreign memory regions 9->68 70 Allocates memory in foreign processes 9->70 72 Injects a PE file into a foreign processes 9->72 12 InstallUtil.exe 15 8 9->12         started        process5 dnsIp6 40 65.21.213.209, 32936, 49796 CP-ASDE United States 12->40 42 45.9.20.31, 49802, 80 DEDIPATH-LLCUS Russian Federation 12->42 34 C:\Users\user\AppData\Local\Temp\fname.exe, PE32 12->34 dropped 36 C:\Users\user\AppData\Local\...\filename.exe, PE32+ 12->36 dropped 74 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 12->74 76 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 12->76 78 Tries to harvest and steal browser information (history, passwords, etc) 12->78 80 Tries to steal Crypto Currency Wallets 12->80 17 fname.exe 1 12->17         started        20 filename.exe 2 12->20         started        file7 signatures8 process9 signatures10 44 Antivirus detection for dropped file 17->44 46 Multi AV Scanner detection for dropped file 17->46 48 Query firmware table information (likely to detect VMs) 17->48 52 4 other signatures 17->52 22 AppLaunch.exe 14 3 17->22         started        26 conhost.exe 17->26         started        50 Machine Learning detection for dropped file 20->50 28 cmd.exe 1 20->28         started        process11 dnsIp12 38 ip-api.com 208.95.112.1, 49832, 80 TUT-ASUS United States 22->38 62 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 22->62 64 May check the online IP address of the machine 22->64 66 Encrypted powershell cmdline option found 28->66 30 powershell.exe 14 28->30         started        32 conhost.exe 28->32         started        signatures13 process14
Threat name:
Win32.Spyware.RedLine
Status:
Malicious
First seen:
2022-05-05 01:28:09 UTC
File Type:
PE (Exe)
Extracted files:
14
AV detection:
13 of 25 (52.00%)
Threat level:
  2/5
Result
Malware family:
redline
Score:
  10/10
Tags:
family:redline botnet:@watercloudrobot - oblako za 8500 evasion infostealer spyware trojan
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
Looks up external IP address via web service
Checks BIOS information in registry
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RedLine
RedLine Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
65.21.213.209:32936
Unpacked files
SH256 hash:
f401d612dfa3d758f52c543b1098867f88c713360eea461a0d97cae2adbe0ad6
MD5 hash:
5f85abbebd62389480103edf09c0fe32
SHA1 hash:
6e3d7b06954cfb8f132e0a0e0da8be9926a2df81
SH256 hash:
2c46ee5f7ff0e3b6857d4680fef3c5b4a267292a6256135b9cbb0ebe2dd66690
MD5 hash:
4c478dc1cbb7e6e69c1183b65b1e8e53
SHA1 hash:
ef2f1209fcb915aa223311577e9a4a9aea7f2d6c
SH256 hash:
2116951fef29fd6160d93f0f6007816b610240e18f7b53c9acc09324efdc2276
MD5 hash:
959e7da71dfbc7f80f1b830dfd5afe25
SHA1 hash:
623e4cb934ad6d4b41e68b42b2e04f24f128d0f2
SH256 hash:
d1d622e31d20a69fc6fea0d98996607f37f6204bb02625bfb329cfdbb8edb6e6
MD5 hash:
310eb5bd45ac9c5767d28e63ab64635b
SHA1 hash:
4ac0d40abb71e9fcff34c8f67511fc590f495f3e

YARA Signatures


MalareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious proccess dumps they may create. Please note that only results from TLP:WHITE rules are being displayeyd.

Rule name:malware_shellcode_hash
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
65.21.213.209:32936 https://threatfox.abuse.ch/ioc/548171

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe d1d622e31d20a69fc6fea0d98996607f37f6204bb02625bfb329cfdbb8edb6e6

(this sample)

  
Delivery method
Distributed via web download

Comments