MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d81d5f7e16e9f2e0eccc0c65c3d71781d73b6640f9e6c0cce7e50458cb545c3d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d81d5f7e16e9f2e0eccc0c65c3d71781d73b6640f9e6c0cce7e50458cb545c3d
SHA3-384 hash: dd8aa769489e78b8c5e148d30ef07c8d71bd325725ce6ac0b274e0e23d4a42203cb86bf9cc784ae6fce67f73053a5644
SHA1 hash: 43a014e73a7fd1ee883d6c4efa38f7e3643a3c87
MD5 hash: 3253df39a04c0d28145b6d7534277f05
humanhash: arkansas-snake-tango-nuts
File name:D81D5F7E16E9F2E0ECCC0C65C3D71781D73B6640F9E6C.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:825'792 bytes
First seen:2022-04-30 03:10:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0ca1086ed6eee177a87646b0229f08c6 (1 x RedLineStealer)
ssdeep 12288:6q4IxNFrja3zwWKRqRr47TPqwGrOnpwU6gHHs1vdnrz:6J0//a38W6orCTJGrF8s1vd
Threatray 652 similar samples on MalwareBazaar
TLSH T1E005C0D07C52AE49DF831FF50561F728A7BE2FFE1AD6E818F920EB49F4329902109915
File icon (PE):PE icon
dhash icon 7070fec4a4b0c0c9 (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
185.215.113.201:21921

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.215.113.201:21921 https://threatfox.abuse.ch/ioc/542131/

Intelligence

File Origin
# of uploads :
1
# of downloads :
256
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
D81D5F7E16E9F2E0ECCC0C65C3D71781D73B6640F9E6C.exe
Verdict:
Malicious activity
Analysis date:
2022-04-30 03:11:00 UTC
Tags:
trojan rat redline loader
Link:
https://app.any.run/tasks/3bab1fb5-9119-41e2-bc9f-58ec00359b47

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/267949/
Detection(s):
Win.Malware.Obsidium-9940946-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Searching for analyzing tools
Сreating synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Searching for synchronization primitives
DNS request
Sending a custom TCP request
Launching a process
Using the Windows Management Instrumentation requests
Reading critical registry keys
Changing a file
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
exploit overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/626ca8c75c1970f8bbe26a49/reports/28859169-54d3-4fa3-ad0d-316a9f277f72/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a6f066b8-908d-4066-b621-9e7889de5356
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/985829
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus detection for dropped file
Connects to many ports of the same IP (likely port scanning)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 618322 Sample: D81D5F7E16E9F2E0ECCC0C65C3D... Startdate: 30/04/2022 Architecture: WINDOWS Score: 100 62 Found malware configuration 2->62 64 Multi AV Scanner detection for submitted file 2->64 66 Yara detected RedLine Stealer 2->66 68 5 other signatures 2->68 10 D81D5F7E16E9F2E0ECCC0C65C3D71781D73B6640F9E6C.exe 8 2->10         started        15 dllhost.exe 2->15         started        process3 dnsIp4 58 smileeducationconsultancy.com 172.105.52.100, 49739, 49746, 49773 LINODE-APLinodeLLCUS United States 10->58 60 blackhk1.beget.tech 5.101.153.227, 49738, 80 BEGET-ASRU Russian Federation 10->60 40 C:\Users\user\AppData\Local\Temp\AJDC4.exe, PE32 10->40 dropped 42 C:\Users\user\AppData\...\91I7D618FED1562.exe, PE32+ 10->42 dropped 44 C:\Users\user\AppData\Local\Temp\6GL9K.exe, PE32 10->44 dropped 46 2 other files (1 malicious) 10->46 dropped 88 Creates HTML files with .exe extension (expired dropper behavior) 10->88 90 Tries to evade debugger and weak emulator (self modifying code) 10->90 92 Hides threads from debuggers 10->92 94 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 10->94 17 0E38B.exe 2 10->17         started        21 6GL9K.exe 4 10->21         started        23 AJDC4.exe 16 4 10->23         started        26 3 other processes 10->26 96 Antivirus detection for dropped file 15->96 98 Detected unpacking (changes PE section rights) 15->98 100 Machine Learning detection for dropped file 15->100 file5 signatures6 process7 dnsIp8 48 185.215.113.201, 21921, 49797 WHOLESALECONNECTIONSNL Portugal 17->48 70 Multi AV Scanner detection for dropped file 17->70 72 Detected unpacking (changes PE section rights) 17->72 74 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 17->74 86 4 other signatures 17->86 50 193.150.103.38, 40169, 49784 ASGENERALTELRU Russian Federation 21->50 76 Machine Learning detection for dropped file 21->76 78 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 21->78 80 Tries to evade debugger and weak emulator (self modifying code) 21->80 52 yandex.ru 5.255.255.60, 443, 49777 YANDEXRU Russian Federation 23->52 54 192.168.2.1 unknown unknown 23->54 36 C:\Users\user\AppData\Roaming\...\dllhost.exe, PE32 23->36 dropped 82 Antivirus detection for dropped file 23->82 56 iplogger.org 148.251.234.83, 443, 49798 HETZNER-ASDE Germany 26->56 38 C:\Users\user\AppData\Local\...\kt_q9wWO.J8R, PE32 26->38 dropped 84 May check the online IP address of the machine 26->84 28 control.exe 26->28         started        file9 signatures10 process11 process12 30 rundll32.exe 28->30         started        process13 32 rundll32.exe 30->32         started        process14 34 rundll32.exe 32->34         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d81d5f7e16e9f2e0eccc0c65c3d71781d73b6640f9e6c0cce7e50458cb545c3d/
Threat name:
Win32.Dropper.Tnega
Create hunting rule
Status:
Malicious
First seen:
2022-03-06 23:03:28 UTC
File Type:
PE (Exe)
Extracted files:
35
AV detection:
31 of 42 (73.81%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3aov67qw5hzob3gmbrs4hvyxqhltwzsa7htmbthh4ucfrs2ulq6q._file
Verdict:
malicious
Similar samples:
2e71e3bcb39c87ae43d0019b5d62084b8eb2bb0ebe09c05d7cf2ad026082e527
RedLineStealer
3c3bf835742e7a36b7a7c7866965e351077c08c48479f2cd988133bf65f22cef
RedLineStealer
3d616db3bac20e1f2aeb4aa9ad6c53a64fb2ae692ddd4dfbca34e7552a772c13
RedLineStealer
423603734e03a0601620dfa8522bbddfc14de5418da253167f46f3a14cca4979
RedLineStealer
505e0842e4977d13d918dbfaab8f0fe4dcc229afa36c8881b558efcd6cc41b86
RedLineStealer
8b3e4b4ebbb727564e6aea41a152f83c45ea37fbf2e26db6ce458083252a950a
RedLineStealer
b91e73e932fd097108875528989b0f29938b02af751c72a9e81b98757af60fab
RedLineStealer
d23a3aae9a1c5b8d5502b108856f0360a4af56c79fe421ca9125ba6bc259420d
RedLineStealer
+ 642 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery persistence spyware stealer
Link:
https://tria.ge/reports/220430-dplhmsegd7/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Unpacked files
SH256 hash:
7f3075b0616ccab48a9d1140d49f33d6d4fbc1b321482f6334e816c658b5237d
MD5 hash:
864d1f0f1214d3e697a0ef8c0c17e74a
SHA1 hash:
22d89f8d107002dd731818f3fcee5a8d18a5c2e3
Link:
https://www.unpac.me/results/8031d93f-74a5-423c-8ec1-f74fe7944fd5/
SH256 hash:
d81d5f7e16e9f2e0eccc0c65c3d71781d73b6640f9e6c0cce7e50458cb545c3d
MD5 hash:
3253df39a04c0d28145b6d7534277f05
SHA1 hash:
43a014e73a7fd1ee883d6c4efa38f7e3643a3c87
Link:
https://www.unpac.me/results/8031d93f-74a5-423c-8ec1-f74fe7944fd5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/d81d5f7e16e9f2e0eccc0c65c3d71781d73b6640f9e6c0cce7e50458cb545c3d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:BAZT_B5_NOCEXInvalidStream
Create hunting rule
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:NETDIC208_NOCEX
Create hunting rule
Rule name:NETDIC208_NOCEX_NOREACTOR
Create hunting rule
Rule name:NETDIC_208
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/267949/

Comments