MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d5a6f4ae6a3c00252f1fe0a2aa69cc8327d722f6cf69388ad26f52428076fa14. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d5a6f4ae6a3c00252f1fe0a2aa69cc8327d722f6cf69388ad26f52428076fa14
SHA3-384 hash: 088a86c0bde632b982e1f7e1903becfec649a7590a23377e4194a349da1de6f5dc77edb4d14b11cde3b099b4bc3a8685
SHA1 hash: 31e9a270b849ce51ecdd274ae72c4be2490322fa
MD5 hash: 5b6110f5767aba1d8f06be7f854250e9
humanhash: harry-zebra-december-quebec
File name:5B6110F5767ABA1D8F06BE7F854250E9.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:8'583'358 bytes
First seen:2021-05-05 03:26:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a1a66d588dcf1394354ebf6ec400c223 (49 x RedLineStealer, 7 x CryptBot, 4 x AZORult)
ssdeep 196608:J5aFsmXV/+lmefLXegGqjQp7hkteWW9KbmnWt:J5aWQV2HfhG2QpFkMWW9KCm
Threatray 260 similar samples on MalwareBazaar
TLSH 138612812D40CEEDC17A1DF62494D9CAE6D3706D3E1E81FA928D56398CF4121EF16FA2
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
172.67.133.141:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
172.67.133.141:80 https://threatfox.abuse.ch/ioc/29063/

Intelligence

File Origin
# of uploads :
1
# of downloads :
142
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/149882/
Detection(s):
PUA.Win.Downloader.Driverpack-6998194-0
Create hunting rule

PUA.Win.Adware.Generic-7505646-0
Create hunting rule

PUA.Win.File.Generic-7557964-0
Create hunting rule

SecuriteInfo.com.Artemis8A5D1E11C3D3.26302.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Running batch commands
Creating a process with a hidden window
Sending a UDP request
Launching cmd.exe command interpreter
Launching a process
Creating a process from a recently created file
Deleting a recently created file
DNS request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/711282
Signature
Contains functionality to register a low level keyboard hook
Found malware configuration
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Obfuscated command line found
Submitted sample is a known malware sample
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 404568 Sample: zJ59h2gGia.exe Startdate: 05/05/2021 Architecture: WINDOWS Score: 92 58 crownnest.cyou 2->58 60 raw.githubusercontent.com 2->60 80 Found malware configuration 2->80 82 Multi AV Scanner detection for submitted file 2->82 84 Yara detected RedLine Stealer 2->84 11 zJ59h2gGia.exe 12 2->11         started        signatures3 process4 signatures5 94 Contains functionality to register a low level keyboard hook 11->94 14 cmd.exe 1 11->14         started        16 cmd.exe 1 11->16         started        process6 signatures7 19 cmd.exe 7 14->19         started        22 conhost.exe 14->22         started        72 Submitted sample is a known malware sample 16->72 74 Obfuscated command line found 16->74 76 Uses ping.exe to sleep 16->76 78 Uses ping.exe to check the status of other devices and networks 16->78 24 conhost.exe 16->24         started        process8 signatures9 86 Obfuscated command line found 19->86 88 Uses ping.exe to sleep 19->88 26 Alzeremo.exe.com 19->26         started        28 Aprano.exe.com 19->28         started        30 PING.EXE 1 19->30         started        33 4 other processes 19->33 process10 dnsIp11 36 Alzeremo.exe.com 1 26->36         started        41 Aprano.exe.com 28->41         started        70 127.0.0.1 unknown unknown 30->70 52 C:\Users\user\AppData\...\Aprano.exe.com, Targa 33->52 dropped 54 C:\Users\user\AppData\...\Alzeremo.exe.com, Targa 33->54 dropped 43 Animazione.exe.com 33->43         started        file12 process13 dnsIp14 62 tcBtUbYArzPgCRXzyGHBr.tcBtUbYArzPgCRXzyGHBr 36->62 56 C:\Users\user\AppData\Roaming\...\RegAsm.exe, PE32 36->56 dropped 90 Writes to foreign memory regions 36->90 92 Injects a PE file into a foreign processes 36->92 45 RegAsm.exe 2 36->45         started        64 xBClidtxMI.xBClidtxMI 41->64 47 Aprano.exe.com 41->47         started        66 192.168.2.1 unknown unknown 43->66 68 LByBZilSQhpvxCLYFcVMSwJ.LByBZilSQhpvxCLYFcVMSwJ 43->68 50 Animazione.exe.com 43->50         started        file15 signatures16 process17 signatures18 96 Tries to harvest and steal browser information (history, passwords, etc) 47->96
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d5a6f4ae6a3c00252f1fe0a2aa69cc8327d722f6cf69388ad26f52428076fa14/
Threat name:
Win32.Trojan.Crypzip
Create hunting rule
Status:
Malicious
First seen:
2021-05-03 01:56:00 UTC
AV detection:
10 of 29 (34.48%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2wtpjltkhqackly74crku2omqmt5oixwz5utrcwsn5jefadw7ika._file
Verdict:
malicious
Similar samples:
2678fa4d8a8650f8ce4b24880eaf89c49cffa228a419b8e5cf26972a959d87cc
RedLineStealer
2ce81e2dd2330f10eb414e56222cd1ba4c26591381f07e199b08f623b8c4b8f9
RedLineStealer
41bd1c7a896dade70b5e81588a20f0737f30c8ec164990f4da3f788dc843d7d1
RedLineStealer
7817a0794693ad5eaffdc86ca9d8cf7350f9159433d376840e9f6cb6b9c60edc
RedLineStealer
872c552974708cea64df67fd5ae841611ff951f8c8d5230e611cec5f062bfa1f
RedLineStealer
883bd670d55447865cc753c58efafc0c26c17c8d2b11b10f3bc9f70093abe507
RedLineStealer
b2a25a9f27131c62b7d78cd92136392c36b1c0323084627382c80b1d639bc3ae
RedLineStealer
c059548509d5ca453810776ad5bdea3440fb122b361211616d7300cc3b25fac0
RedLineStealer
c3b699aaaf2a476cf84ca13efd09ac86e66b501e3baaa5b0ef7cdabc47ee9ec1
RedLineStealer
e784ba83c1139d2d9880a2cd5546d1d7716694452ea84367fa9c238f97d5e5ad
RedLineStealer
+ 250 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:eumix4 evasion infostealer spyware stealer
Link:
https://tria.ge/reports/210505-xr9lrcmsjj/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Runs net.exe
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Modifies RDP port number used by Windows
Modifies Windows Firewall
Grants admin privileges
RedLine
RedLine Payload
Malware Config
C2 Extraction:
crownnest.cyou:80
Unpacked files
SH256 hash:
411e47130090fdffd85a41b13ec583eb3e00d245e89445b2b35d94dd315d9206
MD5 hash:
ea68df6f028b3fb05a0d911f88902fcb
SHA1 hash:
fa0fb8aac40a1d2e848407b2414c26cfaea5accb
Link:
https://www.unpac.me/results/1e442832-90ce-4568-a1d2-9323f8c99a04/
SH256 hash:
e0736b134e2c5bd81e363cf0f78a063202f92f864b49cb8679bbdf0504710cd2
MD5 hash:
21a198ef245238ac45a7cfdc2b8b515c
SHA1 hash:
919f1c2b90724ed95ef5cfec6569e52a3683eb67
Link:
https://www.unpac.me/results/1e442832-90ce-4568-a1d2-9323f8c99a04/
SH256 hash:
d5a6f4ae6a3c00252f1fe0a2aa69cc8327d722f6cf69388ad26f52428076fa14
MD5 hash:
5b6110f5767aba1d8f06be7f854250e9
SHA1 hash:
31e9a270b849ce51ecdd274ae72c4be2490322fa
Link:
https://www.unpac.me/results/1e442832-90ce-4568-a1d2-9323f8c99a04/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d5a6f4ae6a3c00252f1fe0a2aa69cc8327d722f6cf69388ad26f52428076fa14

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/149882/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-05 04:00:26 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [F0002.001] Collection::Application Hook
1) [F0002.002] Collection::Polling
2) [C0029.003] Cryptography Micro-objective::SHA256::Cryptographic Hash
3) [C0032.001] Data Micro-objective::CRC32::Checksum
4) [C0026.002] Data Micro-objective::XOR::Encode Data
6) [C0046] File System Micro-objective::Create Directory
7) [C0048] File System Micro-objective::Delete Directory
8) [C0047] File System Micro-objective::Delete File
9) [C0049] File System Micro-objective::Get File Attributes
10) [C0051] File System Micro-objective::Read File
11) [C0050] File System Micro-objective::Set File Attributes
12) [C0052] File System Micro-objective::Writes File
13) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
14) [C0017] Process Micro-objective::Create Process
15) [C0038] Process Micro-objective::Create Thread
16) [C0054] Process Micro-objective::Resume Thread
17) [C0018] Process Micro-objective::Terminate Process