MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e30a1364d31fa94f982d6bd6c6cef84360e40c8fcbc909b27420047e2be27ff1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e30a1364d31fa94f982d6bd6c6cef84360e40c8fcbc909b27420047e2be27ff1
SHA3-384 hash: 8e3032586e23f180e8b4a3e8d9d27f297b17975b570ca2c317b0ba59bdac63368e76f38187ddbac6d86f344da88f18c1
SHA1 hash: cb6881373203e1a5fe7af26fbcc285ca2df4fc26
MD5 hash: d3c8140de21a9419fbd414f5d96416f4
humanhash: purple-robin-sad-jersey
File name:driver_booster_setup.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:31'189'504 bytes
First seen:2021-11-15 19:24:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 786432:OpVIvg2CrlDjUiM+82mTIV98sVLAnyU2A9ELfeAXgDQ1r3tJb:NbCRDjb824IV98synNXGGqgE1r3t
Threatray 1'602 similar samples on MalwareBazaar
TLSH T1A7673382DBA62E30EBED1076BC5711C752C01B9D2EE544CB3260732D6A63EC0EE7E655
dhash icon c0d4ec80b0b4b4e4 (5 x RaccoonStealer, 4 x RedLineStealer, 4 x LummaStealer)
Reporter tech_skeech
Tags:CoinMiner.XMRig exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
113
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Enabling the 'hidden' option for recently created files
Enabling the 'hidden' option for files in the %temp% directory
Searching for the window
Searching for the Windows task manager window
Creating a file in the %AppData% subdirectories
Launching a process
Creating a process with a hidden window
DNS request
Connection attempt
Sending an HTTP POST request
Creating a file in the %AppData% directory
Running batch commands
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Deleting a recently created file
Reading critical registry keys
Sending a UDP request
Connecting to a non-recommended domain
Sending an HTTP GET request
Unauthorized injection to a recently created process
Blocking the User Account Control
Stealing user critical data
Enabling a "Do not show hidden files" option
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
bladabindi packed
Link:
https://www.filescan.io/uploads/6192b411a00afa9663a89da9/reports/ce637b40-1452-4f7b-a244-b0729aeec060/overview
Result
Verdict:
MALICIOUS
Result
Threat name:
RedLine Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/889960
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Detected unpacking (overwrites its own PE header)
Drops PE files with benign system names
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Schedule system process
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses dynamic DNS services
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 522431 Sample: driver_booster_setup.exe Startdate: 16/11/2021 Architecture: WINDOWS Score: 100 58 cs833182181.wpc.etacdn.net 152.199.20.140, 49762, 49763, 49764 EDGECASTUS United States 2->58 60 update.iobit.com 2->60 62 2 other IPs or domains 2->62 72 Antivirus / Scanner detection for submitted sample 2->72 74 Multi AV Scanner detection for dropped file 2->74 76 Multi AV Scanner detection for submitted file 2->76 78 12 other signatures 2->78 8 driver_booster_setup.exe 6 2->8         started        11 svchost.exe 2->11         started        14 svchost.exe 9 1 2->14         started        17 5 other processes 2->17 signatures3 process4 dnsIp5 42 C:\Users\user\AppData\...\Uofnehseyogw.exe, PE32 8->42 dropped 44 C:\Users\user\AppData\...\Mhbcnuhkst.exe, PE32 8->44 dropped 46 C:\Users\...\driver_booster_setup.exe.log, ASCII 8->46 dropped 19 Uofnehseyogw.exe 7 8->19         started        23 Mhbcnuhkst.exe 2 8->23         started        100 Changes security center settings (notifications, updates, antivirus, firewall) 11->100 68 127.0.0.1 unknown unknown 14->68 70 192.168.2.1 unknown unknown 17->70 file6 signatures7 process8 file9 34 C:\Users\user\Downloads\JavaUpdate.exe, PE32+ 19->34 dropped 36 C:\Users\user\AppData\Local\...\dllhost.exe, PE32 19->36 dropped 38 C:\Users\user\AppData\...\JavaSheduler.exe, PE32 19->38 dropped 80 Antivirus detection for dropped file 19->80 82 Detected unpacking (overwrites its own PE header) 19->82 84 Machine Learning detection for dropped file 19->84 86 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->86 25 dllhost.exe 19->25         started        29 JavaUpdate.exe 5 19->29         started        40 C:\Users\user\AppData\...\Mhbcnuhkst.tmp, PE32 23->40 dropped 88 Obfuscated command line found 23->88 32 Mhbcnuhkst.tmp 21 23->32         started        signatures10 process11 dnsIp12 64 dontreachme.duckdns.org 136.144.41.189, 12208, 49760, 49780 WORLDSTREAMNL Netherlands 25->64 66 api.ip.sb 25->66 90 Antivirus detection for dropped file 25->90 92 System process connects to network (likely due to code injection or exploit) 25->92 94 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 25->94 98 3 other signatures 25->98 48 C:\Users\user\Microsoft\services.exe, PE32+ 29->48 dropped 96 Drops PE files with benign system names 29->96 50 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 32->50 dropped 52 C:\Users\user\AppData\Local\...\RdZone.dll, PE32 32->52 dropped 54 C:\Users\user\AppData\...\DriverBooster.exe, PE32 32->54 dropped 56 2 other files (none is malicious) 32->56 dropped file13 signatures14
Gathering data
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2021-11-15 19:25:06 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0028d3b936c329c8bb2a7c17d677d9808eed4f46c123048100050819d1657464
RedLineStealer
2b0cd91072bc81875fba4d9dc3b293500f110b57dd9d37028556fdb296705fb0
RedLineStealer
323a27a7f2a664921d46c965f0c8d5977fb6c8fce20ba04e208c2945b7abdbba
RedLineStealer
4bb96e7c641e9f343965704cf4e7327e4448b83fc97cf1766f82ce61ac54d48a
RedLineStealer
8c057a0bb64a3efe6bbff66d91c61e3a8dc3137c736bdbff08893a56a1eec3fe
RedLineStealer
9535b07e3af3a051c0de3169f11aed4e5f7dd52d651e739f16db250bc631def5
RedLineStealer
9cde8e9e06dd9ce7b6e4a13e9772d6811a54b3aef023303ffcae41a85fdb33a1
RedLineStealer
bbc131fda4a9d5d10d774f609a121390bb56456f358420db95d35ef9760acad9
RedLineStealer
cdb8a234c896df8b45ee7bc0d69ecdaec0bfce73cacdb376048bcd3abb85a75d
RedLineStealer
+ 1'592 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:redline family:xmrig discovery evasion infostealer miner spyware stealer trojan
Link:
https://tria.ge/reports/211115-x4ylasbcd9/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: SetClipboardViewer
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
XMRig Miner Payload
RedLine
RedLine Payload
UAC bypass
xmrig
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e30a1364d31fa94f982d6bd6c6cef84360e40c8fcbc909b27420047e2be27ff1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe e30a1364d31fa94f982d6bd6c6cef84360e40c8fcbc909b27420047e2be27ff1

(this sample)

  
Delivery method
Distributed via web download

Comments