MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d561dfe74cc927428dad121c5a8d60f0289a43382e6130bc72a6b34c000b9b9b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 9



SHA256 hash: d561dfe74cc927428dad121c5a8d60f0289a43382e6130bc72a6b34c000b9b9b
SHA3-384 hash: ce644fa5339984a095713f26851d7fb512b6261bb4350b7a48048383284ca8e55145caa44e43107fc8fd6d2b8540cdc5
SHA1 hash: 8088d039c151e20ac5b9af29e1dd81116673f4b2
MD5 hash: 2f414fb976ac1d23daaa8e00aaf6beea
humanhash: juliet-jersey-artist-cardinal
File name: 2F414FB976AC1D23DAAA8E00AAF6BEEA.exe
Signature: RedLineStealer
File size: 4'288'512 bytes
First seen: 2021-07-30 19:46:07 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: a1a66d588dcf1394354ebf6ec400c223 (49 x RedLineStealer, 7 x CryptBot, 4 x AZORult)
ssdeep: 98304:G1EESMlQ/9IsCMdegeFbD+dQ5oVOAoso2iFugO+Nthm5mBz:G1EEP42s1cgzKoVK2iFtOWHmOz
Threatray: 1'645 similar samples on MalwareBazaar
TLSH: T1C9163312A9DE5AB2E03629309418B35B84B58F155B404BA347F93D3F0A709E9DB3F2D7
dhash icon: 00c896968eaaa200 (2 x RedLineStealer)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
172.67.180.172:80

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                 ThreatFox Reference
172.67.180.172:80   https://threatfox.abuse.ch/ioc/164948/

Intelligence


File Origin
# of uploads: 1
# of downloads: 584
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 2F414FB976AC1D23DAAA8E00AAF6BEEA.exe
Verdict: Suspicious activity
Analysis date: 2021-07-30 19:47:11 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Contains functionality to register a low level keyboard hook
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Obfuscated command line found
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Submitted sample is a known malware sample
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph: [graph image not reproduced] Behavior Graph ID: 457082, Sample: 2fCrcYsEao.exe, Startdate: 30/07/2021, Architecture: WINDOWS, Score: 100
Threat name: Win32.Dropper.7Drop
Status: Malicious
First seen: 2021-07-27 00:58:28 UTC
AV detection: 12 of 28 (42.86%)
Threat level: 3/5

Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:adsbb discovery evasion infostealer persistence spyware stealer
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies system certificate store
Runs net.exe
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
autoit_exe
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Modifies WinLogon
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Modifies RDP port number used by Windows
Modifies Windows Firewall
Sets DLL path for service in the registry
Grants admin privileges
RedLine
RedLine Payload
Malware Config
C2 Extraction: 21jhss.club:80
Unpacked files
SHA256 hash: 00b339642177627432e9408b9b084bde1e4456e7045a38395492dd43b34b8b19
MD5 hash: ad3b1a23ee2c25ef5160da22d1a3e986
SHA1 hash: 94bbfd191acef5007f31db47118ae295931f1930

SHA256 hash: d725e2e597be0a0ed94069700142e046d4f0d430d5f812aab40d27a8b4eb13eb
MD5 hash: bec5f94ba4caa505c41667e9f4a34bda
SHA1 hash: 3fe89c59685e2730d444827cfdd14da342ff7ea0

SHA256 hash: d561dfe74cc927428dad121c5a8d60f0289a43382e6130bc72a6b34c000b9b9b
MD5 hash: 2f414fb976ac1d23daaa8e00aaf6beea
SHA1 hash: 8088d039c151e20ac5b9af29e1dd81116673f4b2
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.
