MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d1d622e31d20a69fc6fea0d98996607f37f6204bb02625bfb329cfdbb8edb6e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 1 File information Comments
Add tag Delete this sample Report a False Positive

SHA256 hash: d1d622e31d20a69fc6fea0d98996607f37f6204bb02625bfb329cfdbb8edb6e6
SHA3-384 hash: d0b5e6e9c88ddecce0904dbe5d96bb9dd8b90a1e39ef29509bc8b8713c429c9a21be351148db7732d1df492140f0f433
SHA1 hash: 4ac0d40abb71e9fcff34c8f67511fc590f495f3e
MD5 hash: 310eb5bd45ac9c5767d28e63ab64635b
humanhash: seven-failed-oranges-minnesota
File name:CryptoMiner.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'579'064 bytes
First seen:2022-05-05 01:27:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash efad26290bf4d1a676b7ad79139e8cdb (1 x RedLineStealer)
ssdeep 24576:07L4j8tb74F0xt7ruJV/QujUOycEvgyJrDybsxXX+ZVGNVooHI9s5KCfj2:07L4jIIct7w/QujMvOgUwLoKIG2
Threatray 2'261 similar samples on MalwareBazaar
TLSH T1EC75ADB7384C859AE91B8E70C834E6620B5F9D238F55089652DC3DA7B83B1F0647DD8B
File icon (PE):PE icon
dhash icon f8c4cac8ecb4cccc (1 x Formbook, 1 x RedLineStealer)
Reporter @Galaxy79146064
Tags:exe RedLineStealer signed

Code Signing Certificate

Organisation:*.elo.com
Issuer:Certum Domain Validation CA SHA2
Algorithm:sha256WithRSAEncryption
Valid from:2021-09-28T15:03:57Z
Valid to:2022-10-28T15:03:56Z
Serial number: 01ca3a6dbd89e3ba09a6983260fe8f96
Thumbprint Algorithm:SHA256
Thumbprint: ff8f3ad6662949e8feb753daa023fc4ddefe4c275bb98bcb9cfa1d225cbcbea8
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
236
Origin country :
US US
Mail intelligence
No data
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
CryptoMiner.exe
Verdict:
Malicious activity
Analysis date:
2022-05-05 01:28:35 UTC
Tags:
trojan rat redline loader
Link:
https://app.any.run/tasks/c19a4226-5073-4151-bdb3-5a32474648c8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/268746/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.23425.5531.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Launching a process
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/16369/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionGetTickCount
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/6273284162b1ae4451d886ae/reports/fa09c9e2-8f34-47c3-aa78-4b93048f9050/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/63eb66ea-6e37-435e-bc3a-575a5f3ac6d4
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/988163
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Encrypted powershell cmdline option found
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 620659 Sample: CryptoMiner.exe Startdate: 05/05/2022 Architecture: WINDOWS Score: 100 54 Snort IDS alert for network traffic 2->54 56 Found malware configuration 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 8 other signatures 2->60 9 CryptoMiner.exe 2->9         started        process3 signatures4 68 Writes to foreign memory regions 9->68 70 Allocates memory in foreign processes 9->70 72 Injects a PE file into a foreign processes 9->72 12 InstallUtil.exe 15 8 9->12         started        process5 dnsIp6 40 65.21.213.209, 32936, 49796 CP-ASDE United States 12->40 42 45.9.20.31, 49802, 80 DEDIPATH-LLCUS Russian Federation 12->42 34 C:\Users\user\AppData\Local\Temp\fname.exe, PE32 12->34 dropped 36 C:\Users\user\AppData\Local\...\filename.exe, PE32+ 12->36 dropped 74 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 12->74 76 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 12->76 78 Tries to harvest and steal browser information (history, passwords, etc) 12->78 80 Tries to steal Crypto Currency Wallets 12->80 17 fname.exe 1 12->17         started        20 filename.exe 2 12->20         started        file7 signatures8 process9 signatures10 44 Antivirus detection for dropped file 17->44 46 Multi AV Scanner detection for dropped file 17->46 48 Query firmware table information (likely to detect VMs) 17->48 52 4 other signatures 17->52 22 AppLaunch.exe 14 3 17->22         started        26 conhost.exe 17->26         started        50 Machine Learning detection for dropped file 20->50 28 cmd.exe 1 20->28         started        process11 dnsIp12 38 ip-api.com 208.95.112.1, 49832, 80 TUT-ASUS United States 22->38 62 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 22->62 64 May check the online IP address of the machine 22->64 66 Encrypted powershell cmdline option found 28->66 30 powershell.exe 14 28->30         started        32 conhost.exe 28->32         started        signatures13 process14
Detection:
n/a
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d1d622e31d20a69fc6fea0d98996607f37f6204bb02625bfb329cfdbb8edb6e6/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-05-05 01:28:09 UTC
File Type:
PE (Exe)
Extracted files:
14
AV detection:
13 of 25 (52.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://www.spamhaus.org/query/hash/2hlcfyy5ectj7rx6udmytftap437miclwatclp5tfhh5xohnw3ta._file
Verdict:
malicious
Similar samples:
200fade8a686306db978fb4092b3dff5793f6fbafdfd216b2c3973393aa2619a
RedLineStealer
4533be3c5e3a43774233b4c8216cf5723f2968adc86f33a20bc487566bc69375
RedLineStealer
5ddc2cf610e2d96fd8c46286bf28c201d3435f2e848302657376ff6feace226b
RedLineStealer
8d2d9d8d937c880d75eb1e4a930f273a0b215ba1b15c07c10a7d902f23b0b08a
RedLineStealer
90daff6ddaed3c5624b21e62f402c98e46d1fac4839ea42cc85ed7cfb50e95a0
RedLineStealer
955bce112c0abfd0b1c695f51f3300bc2ff9cfc85bcae914abd435d564432c86
RedLineStealer
a6ca5523fce6a4a43964319c35ecb868186465309e9226ab07c158519a5ef6f9
RedLineStealer
b3af5a1af48b27b5ac7647d5bf81941c9abf6be899372119cb5eb887026e1409
RedLineStealer
d48303d7682c1be689d10541e6b1976cff2a0f1af7423d47213ed877cdd0feaf
RedLineStealer
e6fca45846eca1bcaedded82438aa64968717c4f0dab149c32c5db6d08210f39
RedLineStealer
+ 2'251 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:@watercloudrobot - oblako za 8500 evasion infostealer spyware trojan
Link:
https://tria.ge/reports/220505-bvntvahfap/
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
Looks up external IP address via web service
Checks BIOS information in registry
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RedLine
RedLine Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
65.21.213.209:32936
Unpacked files
SH256 hash:
f401d612dfa3d758f52c543b1098867f88c713360eea461a0d97cae2adbe0ad6
MD5 hash:
5f85abbebd62389480103edf09c0fe32
SHA1 hash:
6e3d7b06954cfb8f132e0a0e0da8be9926a2df81
Link:
https://www.unpac.me/results/b69bca2d-57fd-478f-9ec8-469d0e56e74d/
SH256 hash:
2c46ee5f7ff0e3b6857d4680fef3c5b4a267292a6256135b9cbb0ebe2dd66690
MD5 hash:
4c478dc1cbb7e6e69c1183b65b1e8e53
SHA1 hash:
ef2f1209fcb915aa223311577e9a4a9aea7f2d6c
Link:
https://www.unpac.me/results/b69bca2d-57fd-478f-9ec8-469d0e56e74d/
SH256 hash:
2116951fef29fd6160d93f0f6007816b610240e18f7b53c9acc09324efdc2276
MD5 hash:
959e7da71dfbc7f80f1b830dfd5afe25
SHA1 hash:
623e4cb934ad6d4b41e68b42b2e04f24f128d0f2
Link:
https://www.unpac.me/results/b69bca2d-57fd-478f-9ec8-469d0e56e74d/
SH256 hash:
d1d622e31d20a69fc6fea0d98996607f37f6204bb02625bfb329cfdbb8edb6e6
MD5 hash:
310eb5bd45ac9c5767d28e63ab64635b
SHA1 hash:
4ac0d40abb71e9fcff34c8f67511fc590f495f3e
Link:
https://www.unpac.me/results/b69bca2d-57fd-478f-9ec8-469d0e56e74d/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d1d622e31d20/report/overview.html
AV coverage:
20.59%
AV detections:
14 / 68
Link:
https://www.virustotal.com/gui/file/d1d622e31d20a69fc6fea0d98996607f37f6204bb02625bfb329cfdbb8edb6e6/detection/f-d1d622e31d20a69fc6fea0d98996607f37f6204bb02625bfb329cfdbb8edb6e6-1651713998
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d1d622e31d20a69fc6fea0d98996607f37f6204bb02625bfb329cfdbb8edb6e6

YARA Signatures

MalareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious proccess dumps they may create. Please note that only results from TLP:WHITE rules are being displayeyd.

Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
65.21.213.209:32936 https://threatfox.abuse.ch/ioc/548171

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe d1d622e31d20a69fc6fea0d98996607f37f6204bb02625bfb329cfdbb8edb6e6

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/268746/

Comments