MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dee5fa01f5f31868f131fb518880eae43324acc873b2c04f8bcd98bf771be3af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13



SHA256 hash: dee5fa01f5f31868f131fb518880eae43324acc873b2c04f8bcd98bf771be3af
SHA3-384 hash: c0127fe888ba439e45db5706fa00f4445a7d0e89c36ef4fda74e6df0be54ca02e4cc0de27efc08df4c2fd0cafd479565
SHA1 hash: 968544b86796f3093fed796d983a2f95b3ac08c7
MD5 hash: 4dcd1c35a04c602df955d37ec566e0b9
humanhash: queen-juliet-eleven-failed
File name: 4dcd1c35a04c602df955d37ec566e0b9
Signature: RedLineStealer
File size: 9'397'650 bytes
First seen: 2021-12-23 12:28:32 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep: 196608:oyfkWg9EUeX5DnIeyrDV2p0/MAKdiZW7qm9vvu7B5dA:oysW6ZMbUxKCZbmc77dA
TLSH: T1DE963312FA945170D710143169B2F7B20DB835232F284DBBD3A152EDE9365C2AF36B6B
dhash icon: 88133369292b0780 (1 x RedLineStealer)
Reporter: zbetcheckin
Tags: 32 exe RedLineStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 198
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 4dcd1c35a04c602df955d37ec566e0b9
Verdict: Malicious activity
Analysis date: 2021-12-23 12:30:55 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Launching a process
Running batch commands
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
DNS request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: donut enigma greyware overlay packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: RedLine Xmrig
Detection: malicious
Classification: troj.spyw.evad.mine
Score: 100 / 100
Signature
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Potential dropper URLs found in powershell memory
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample is not signed and drops a device driver
Tries to harvest and steal browser information (history, passwords, etc)
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph: ID 544485, sample 75XsDbZ7Dn, start date 23/12/2021, architecture WINDOWS, score 100 (rendered as an image)
Threat name: Win32.Trojan.Tiggre
Status: Malicious
First seen: 2021-12-22 23:23:20 UTC
File Type: PE (Exe)
Extracted files: 8
AV detection: 24 of 43 (55.81%)
Threat level: 5/5
Verdict: malicious
Result
Malware family:
Score: 10/10
Tags: family:xmrig miner
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
XMRig Miner Payload
xmrig
Unpacked files

SHA256 hash: 205558c3c767303b6e0ea560c46c850efc8b3c26286c33987958589c32bf2db5
MD5 hash: e23693f24dcd8d5dee0f10f17ecfdd39
SHA1 hash: 8293a13c118bdad7efd1df21b96050734ef139e7

SHA256 hash: 6d1dde1c04e843e1372ff116de7cf1ef613fc8f571c70f906ec8d959a1fddc91
MD5 hash: 22bedd49526039f016e60fa215962a7b
SHA1 hash: 626651a637b396cb2426578247f4ce96b920f1bb

SHA256 hash: dee5fa01f5f31868f131fb518880eae43324acc873b2c04f8bcd98bf771be3af
MD5 hash: 4dcd1c35a04c602df955d37ec566e0b9
SHA1 hash: 968544b86796f3093fed796d983a2f95b3ac08c7
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer, Executable exe, dee5fa01f5f31868f131fb518880eae43324acc873b2c04f8bcd98bf771be3af (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2021-12-23 12:28:34 UTC

url: hxxp://data-file-data-7.com/files/3378_1640198956_5226.exe