MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d6db191fc2aa0285fe4036d91817fa468e688823d90c9134a59b7e257e956040. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 2 YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d6db191fc2aa0285fe4036d91817fa468e688823d90c9134a59b7e257e956040
SHA3-384 hash: f051e6be9f1e2ece28ab87893fe3031501627febb9d46a4677603bad978a3fe8f932f6cf2dcd428831e677f1cf6f35a4
SHA1 hash: 350c94fe8f902264ab87b8748e098aab7057e90d
MD5 hash: 5334fc5de9c7f81c71c59c65768ee158
humanhash: two-twelve-eleven-pennsylvania
File name:5334FC5DE9C7F81C71C59C65768EE158.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'999'498 bytes
First seen:2021-07-23 00:45:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 49152:Eg9vAUcB0lYrlxCf2cy5Y+ihiHNLeUNkpoUzHji:JVA5B0lYBgu6+VtLZNuoUz2
Threatray 211 similar samples on MalwareBazaar
TLSH T1A89533DB0495E47FD493C3715A392EC2AE1D7D5708AF878657CA060DAEA4B502C0F3BA
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
77.220.213.35:52349

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
77.220.213.35:52349 https://threatfox.abuse.ch/ioc/162067/
185.244.182.34:22602 https://threatfox.abuse.ch/ioc/162201/

Intelligence

File Origin
# of uploads :
1
# of downloads :
125
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5334FC5DE9C7F81C71C59C65768EE158.exe
Verdict:
No threats detected
Analysis date:
2021-07-23 00:46:20 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5fd1d0cb-0e27-4a51-be17-25157d516387

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DLInjector03
Create hunting rule
Link:
https://www.capesandbox.com/analysis/173462/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Win.Packed.SmokeLoader-9873637-1
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Bsymem
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a435392c-4b1b-4e62-9951-e80844f53bf3
Result
Threat name:
Cookie Stealer Ficker Stealer Glupteba R
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/820476
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Found C&C like URL pattern
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
May modify the system service descriptor table (often done to hook functions)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Cookie Stealer
Yara detected Ficker Stealer
Yara detected Glupteba
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 452887 Sample: hMv2Mcka5B.exe Startdate: 23/07/2021 Architecture: WINDOWS Score: 100 99 37.0.8.225 WKD-ASIE Netherlands 2->99 101 54.225.78.40 AMAZON-AESUS United States 2->101 103 google.vrthcobj.com 2->103 125 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->125 127 Antivirus detection for URL or domain 2->127 129 Antivirus detection for dropped file 2->129 131 20 other signatures 2->131 12 hMv2Mcka5B.exe 10 2->12         started        signatures3 process4 file5 81 C:\Users\user\AppData\...\setup_installer.exe, PE32 12->81 dropped 15 setup_installer.exe 10 12->15         started        process6 file7 91 C:\Users\user\AppData\...\setup_install.exe, PE32 15->91 dropped 93 C:\Users\user\AppData\...\libwinpthread-1.dll, PE32 15->93 dropped 95 C:\Users\user\AppData\...\libstdc++-6.dll, PE32 15->95 dropped 97 5 other files (none is malicious) 15->97 dropped 18 setup_install.exe 1 15->18         started        process8 dnsIp9 105 wxkeww.xyz 172.67.179.203, 49722, 80 CLOUDFLARENETUS United States 18->105 107 127.0.0.1 unknown unknown 18->107 133 Detected unpacking (changes PE section rights) 18->133 135 Performs DNS queries to domains with low reputation 18->135 22 cmd.exe 1 18->22         started        24 cmd.exe 1 18->24         started        26 conhost.exe 18->26         started        signatures10 process11 process12 28 karotima_1.exe 4 56 22->28         started        33 karotima_2.exe 2 24->33         started        dnsIp13 119 37.0.11.41, 49727, 80 WKD-ASIE Netherlands 28->119 121 136.144.41.201, 49729, 49731, 80 WORLDSTREAMNL Netherlands 28->121 123 10 other IPs or domains 28->123 83 C:\Users\...\rtcedtwSbQmtJb_l_8EN4bzj.exe, PE32 28->83 dropped 85 C:\Users\...\nPCXI3c7nqDXQBNOhDBQx39z.exe, PE32 28->85 dropped 87 C:\Users\...\jGkpy5kZuwYv5GxqFc9izbOa.exe, PE32 28->87 dropped 89 33 other files (26 malicious) 28->89 dropped 161 Drops PE files to the document folder of the user 28->161 163 May check the online IP address of the machine 28->163 165 Disable Windows Defender real time protection (registry) 28->165 35 YsOr3YrBhbiprAuqxbcJFj6W.exe 28->35         started        40 bKAdFNWgxDNpJVesfbFNzauo.exe 28->40         started        42 9dOS76UP16A_Sa1JGOFKrNH9.exe 28->42         started        46 15 other processes 28->46 167 Creates processes via WMI 33->167 44 karotima_2.exe 5 33->44         started        file14 signatures15 process16 dnsIp17 109 116.202.183.50 HETZNER-ASDE Germany 35->109 111 74.114.154.18 AUTOMATTICUS Canada 35->111 63 C:\Users\user\AppData\...\vcruntime140[1].dll, PE32 35->63 dropped 65 C:\Users\user\AppData\...\mozglue[1].dll, PE32 35->65 dropped 67 C:\Users\user\AppData\...\softokn3[1].dll, PE32 35->67 dropped 79 9 other files (none is malicious) 35->79 dropped 137 Detected unpacking (changes PE section rights) 35->137 139 Detected unpacking (overwrites its own PE header) 35->139 141 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 35->141 159 2 other signatures 35->159 143 Query firmware table information (likely to detect VMs) 40->143 145 Tries to detect sandboxes and other dynamic analysis tools (window names) 40->145 147 Tries to detect virtualization through RDTSC time measurements 40->147 149 Hides threads from debuggers 42->149 151 Tries to detect sandboxes / dynamic malware analysis system (registry check) 42->151 69 C:\Users\user\AppData\Local\Temp\axhub.dll, PE32 44->69 dropped 48 conhost.exe 44->48         started        113 91.241.19.12 REDBYTES-ASRU Russian Federation 46->113 115 208.95.112.1 TUT-ASUS United States 46->115 117 6 other IPs or domains 46->117 71 C:\Users\...\ZC29wpDXHHGvfEUrATq5QsBr.exe, PE32 46->71 dropped 73 C:\Users\user\AppData\Local\Temp\22222.exe, PE32 46->73 dropped 75 C:\Users\user\AppData\Local\Temp\11111.exe, PE32 46->75 dropped 77 C:\Users\user\AppData\...\aaa_v005[1].dll, DOS 46->77 dropped 153 Drops PE files to the document folder of the user 46->153 155 Sample uses process hollowing technique 46->155 157 Injects a PE file into a foreign processes 46->157 50 SGHmCTfCtALesvI2YO8GlETp.exe 46->50         started        53 conhost.exe 46->53         started        55 conhost.exe 46->55         started        57 conhost.exe 46->57         started        file18 signatures19 process20 file21 59 C:\...\api-ms-win-core-string-l1-1-0.dll, PE32 50->59 dropped 61 C:\...\api-ms-win-core-namedpipe-l1-1-0.dll, PE32 50->61 dropped
Detection:
glupteba
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d6db191fc2aa0285fe4036d91817fa468e688823d90c9134a59b7e257e956040/
Threat name:
Win32.Trojan.Bsymem
Create hunting rule
Status:
Malicious
First seen:
2021-07-20 06:06:56 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=23nrsh6cvibil7sag3mrqf72i2hgrcbd3egjcnfftn7ck7uvmbaa._file
Verdict:
unknown
Similar samples:
11296d96cfdba7c5323c3d0167bfb7d9d84b39757f58f2e6581cac42cbb0fcbc
RedLineStealer
161127df64e41b5ccce3553ec1f4ca9fcf1cfe5b0faf8a8d38043e53f2b4c4dc
RedLineStealer
2916c38c3ff4c0e36fbf895409db7b41fd9555cebf6a33cbf5867be8b54e73db
RedLineStealer
30c2f230e5401b4b1ea8fb425dadf4e453575884303b9fa2066e6a91859f016e
RedLineStealer
36ae4637dfb47d17615a49a16a8eadeb29eb5ad5357ae86bad683402a4b0993d
RedLineStealer
3a9e17be4ef9e2cd297c58f11abcd72f0b3c2c18e9ef581e1990ec9b9dfd6498
RedLineStealer
3f53579a490ec07fe7518fdbae105b2dd4192e5ca2234af801d7ecfe42be3179
RedLineStealer
a16ed450732a91d7e929fa2ff06158c7160e3201123469e99abc0bd026dad44f
RedLineStealer
b035ee9ead48cdfdfa1d7110cc84204df3571d6843aedc4c44edc73f59b013c0
RedLineStealer
+ 201 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:fickerstealer family:glupteba family:metasploit family:redline family:socelars family:vidar botnet:19_7_r botnet:865 botnet:build_last botnet:sel19 aspackv2 backdoor discovery dropper evasion infostealer loader spyware stealer suricata themida trojan vmprotect
Link:
https://tria.ge/reports/210723-47xfm2kn36/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Loads dropped DLL
Reads local data of messenger clients
Reads user/profile data of web browsers
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Nirsoft
Vidar Stealer
Fickerstealer
Glupteba
Glupteba Payload
MetaSploit
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
Socelars
Socelars Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
suricata: ET MALWARE GCleaner Downloader Activity M1
suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Win32/Ficker Stealer Activity M3
Malware Config
C2 Extraction:
dwarimlari.xyz:80
45.14.49.71:18845
xtarweanda.xyz:80
37.0.8.225:80
https://shpak125.tumblr.com/
Unpacked files
SH256 hash:
9cd2c29c364ce1a4aa551a601ac153fc459eb17be7e646dfeb31bd276e80c64a
MD5 hash:
536b1f2e11e2e3cb332e2667b4c416bc
SHA1 hash:
ba645005f7f56042881c3dec0bc60c09119b1967
Link:
https://www.unpac.me/results/84a19325-6443-4065-b1bd-a63b46f0c4ff/
SH256 hash:
8d063d3aef4de69722e7dd08b9bda5fdf20da6d80a157d3f07fa0c3d5407e49d
MD5 hash:
559948db5816ae7ab26eb2eb533887ed
SHA1 hash:
e60442c6fb35239d298b01b0f4558264c01b2e7f
Link:
https://www.unpac.me/results/84a19325-6443-4065-b1bd-a63b46f0c4ff/
SH256 hash:
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1
MD5 hash:
1c7be730bdc4833afb7117d48c3fd513
SHA1 hash:
dc7e38cfe2ae4a117922306aead5a7544af646b8
Link:
https://www.unpac.me/results/84a19325-6443-4065-b1bd-a63b46f0c4ff/
SH256 hash:
d90a03e850735fa12f2209a57191524ffc9c2f321a65ee7f3b51e083eb59b80f
MD5 hash:
f5ba66ed9cc96376d02e02bbfc59f460
SHA1 hash:
9d6393ea4739724156dd0cfacc5cb8db2e52f32c
Link:
https://www.unpac.me/results/84a19325-6443-4065-b1bd-a63b46f0c4ff/
SH256 hash:
a1d82cc7d4af1c8584f909c36b8b2cc8bd5d68791a5c9af0940e36a9887538f6
MD5 hash:
953230955b0863d81f382d5163a4badc
SHA1 hash:
9c3fd08863f631a2e8aa921ff4d299105e085460
Link:
https://www.unpac.me/results/84a19325-6443-4065-b1bd-a63b46f0c4ff/
SH256 hash:
4d4ad145431ee356221914f2908ff9b4a4a56f90b9409ec752f7be1a978e7435
MD5 hash:
ae7c477ce9bd98d13ccff5fc4a0d190e
SHA1 hash:
249ff902f66c3d0cee6656802b14a9c34807bc8f
Link:
https://www.unpac.me/results/84a19325-6443-4065-b1bd-a63b46f0c4ff/
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/84a19325-6443-4065-b1bd-a63b46f0c4ff/
SH256 hash:
6077090485420aa9af33270dcc4d6d6bce4a242791b157e2aa3a275de1d9b775
MD5 hash:
074a053b34846fe7bda0d5f07230375a
SHA1 hash:
44727158e3b8c3a1e2df0b9c3e11447707ed6d1b
Link:
https://www.unpac.me/results/84a19325-6443-4065-b1bd-a63b46f0c4ff/
SH256 hash:
d6db191fc2aa0285fe4036d91817fa468e688823d90c9134a59b7e257e956040
MD5 hash:
5334fc5de9c7f81c71c59c65768ee158
SHA1 hash:
350c94fe8f902264ab87b8748e098aab7057e90d
Link:
https://www.unpac.me/results/84a19325-6443-4065-b1bd-a63b46f0c4ff/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d6db191fc2aa0285fe4036d91817fa468e688823d90c9134a59b7e257e956040

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ASPack
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ASPack
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_HyperBro03
Create hunting rule
Author:ditekSHen
Description:Hunt HyperBro IronTiger / LuckyMouse / APT27 malware
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:RedLine
Create hunting rule
Author:@bartblaze
Description:Identifies RedLine stealer.
Rule name:redline_new_bin
Create hunting rule
Author:James_inthe_box
Description:Redline stealer
Reference:https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/173462/

Comments