MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 effc707b7461da9f23cfdf850c4cea3c175cb4d2a91ce1cb3a0562369ab52494. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: effc707b7461da9f23cfdf850c4cea3c175cb4d2a91ce1cb3a0562369ab52494
SHA3-384 hash: 6928db2f6944127c7f15aff0878c70d9a84c1490e8b03cfc716f42b72c4cfa489a0987daf8cb6009cda33c6fe563c189
SHA1 hash: cb6e60e5d74d3f51d629feadbc0cdbba86c738d1
MD5 hash: 4170da43bb99e67367638cc1b68d7191
humanhash: fix-cardinal-potato-white
File name:4170da43bb99e67367638cc1b68d7191.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:899'072 bytes
First seen:2022-10-12 18:01:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 12288:9S76y90UVagQPpelcySK3YLqE3X+ShAVB0SoUMpf1CgV0EWN4pRVuD:dyJVZQPpeGySVHHVq00RPEWeuD
TLSH T1411502729EDAFC2AC57787BD40F5C182D822AC100D639652ABDD746FC931B1CAD70326
TrID 38.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
13.0% (.EXE) Win64 Executable (generic) (10523/12/4)
8.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 8ca4a46060a4048c (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
116.203.56.209:5514

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
116.203.56.209:5514 https://threatfox.abuse.ch/ioc/880468/

Intelligence

File Origin
# of uploads :
1
# of downloads :
216
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
4170da43bb99e67367638cc1b68d7191.exe
Verdict:
Malicious activity
Analysis date:
2022-10-13 12:48:04 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/f674b9b7-1489-4a5b-a56a-02e576cf1136

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/319510/
Detection(s):
SecuriteInfo.com.Generic.ML.PUA.31886.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% subdirectories
Creating a process with a hidden window
Running batch commands
Launching cmd.exe command interpreter
Launching a process
Using the Windows Management Instrumentation requests
Moving a file to the %temp% subdirectory
Creating a process from a recently created file
DNS request
Launching the process to create tasks for the scheduler
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/42753/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
advpack.dll anti-vm packed rundll32.exe setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/6347011b5cada2cbc6ebc83e/reports/02f469fd-c184-40cb-9da4-76453c106eb3/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/3bc36205-90e5-4bfd-abd9-8e354975820c
Result
Threat name:
DanaBot, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1089073
Signature
DLL reload attack detected
Drops PE files with a suspicious file extension
Found API chain indicative of debugger detection
Found API chain indicative of sandbox detection
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Obfuscated command line found
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Renames NTDLL to bypass HIPS
Snort IDS alert for network traffic
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected DanaBot stealer dll
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 721672 Sample: Jj1mqRJc4T.exe Startdate: 12/10/2022 Architecture: WINDOWS Score: 100 69 iplogger.com 2->69 99 Snort IDS alert for network traffic 2->99 101 Multi AV Scanner detection for domain / URL 2->101 103 Malicious sample detected (through community Yara rule) 2->103 105 4 other signatures 2->105 13 Jj1mqRJc4T.exe 1 5 2->13         started        16 rundll32.exe 2->16         started        signatures3 process4 signatures5 119 Uses schtasks.exe or at.exe to add and modify task schedules 13->119 18 cmd.exe 1 13->18         started        21 at.exe 1 13->21         started        process6 signatures7 87 Obfuscated command line found 18->87 89 Uses ping.exe to sleep 18->89 91 Drops PE files with a suspicious file extension 18->91 93 Uses ping.exe to check the status of other devices and networks 18->93 23 cmd.exe 2 18->23         started        27 PING.EXE 1 18->27         started        30 conhost.exe 18->30         started        32 conhost.exe 21->32         started        process8 dnsIp9 65 C:\Users\user\AppData\...65ovember.exe.pif, PE32 23->65 dropped 115 Obfuscated command line found 23->115 117 Uses ping.exe to sleep 23->117 34 November.exe.pif 1 23->34         started        39 tasklist.exe 1 23->39         started        41 tasklist.exe 1 23->41         started        43 4 other processes 23->43 81 192.168.2.1 unknown unknown 27->81 file10 signatures11 process12 dnsIp13 71 eIvumjihpjDDMdmUdjhmvRgGPaA.eIvumjihpjDDMdmUdjhmvRgGPaA 34->71 63 C:\Users\user\AppData\Local\...\zvWjPeF.dll, PE32 34->63 dropped 107 DLL reload attack detected 34->107 109 Found API chain indicative of debugger detection 34->109 111 Found API chain indicative of sandbox detection 34->111 113 3 other signatures 34->113 45 jsc.exe 15 19 34->45         started        file14 signatures15 process16 dnsIp17 83 116.203.56.209, 49700, 5514 HETZNER-ASDE Germany 45->83 85 213.227.155.193, 49701, 80 LEASEWEB-NL-AMS-01NetherlandsNL Netherlands 45->85 67 C:\Users\user\AppData\Local\Temp\sr3vs.exe, PE32 45->67 dropped 121 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 45->121 123 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 45->123 125 Tries to harvest and steal browser information (history, passwords, etc) 45->125 127 Tries to steal Crypto Currency Wallets 45->127 50 sr3vs.exe 45->50         started        53 chrome.exe 1 45->53         started        file18 signatures19 process20 dnsIp21 95 Machine Learning detection for dropped file 50->95 97 Tries to detect virtualization through RDTSC time measurements 50->97 56 7za.exe 50->56         started        73 239.255.255.250 unknown Reserved 53->73 58 chrome.exe 53->58         started        signatures22 process23 dnsIp24 61 conhost.exe 56->61         started        75 iplogger.com 148.251.234.93, 443, 49703, 49706 HETZNER-ASDE Germany 58->75 77 clients.l.google.com 142.250.184.206, 443, 49702 GOOGLEUS United States 58->77 79 4 other IPs or domains 58->79 process25
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/effc707b7461da9f23cfdf850c4cea3c175cb4d2a91ce1cb3a0562369ab52494/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2022-10-09 19:29:53 UTC
File Type:
PE (Exe)
Extracted files:
48
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=576ha63umhnj6i6p36cqythkhqlvzngsveoodsz2avrdngvveska._file
Verdict:
malicious
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:danabot family:redline botnet:666 banker infostealer persistence spyware trojan
Link:
https://tria.ge/reports/221012-wme7yseed3/
Behaviour
Checks SCSI registry key(s)
Enumerates processes with tasklist
Enumerates system info in registry
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Danabot
RedLine
RedLine payload
Malware Config
C2 Extraction:
116.203.56.209:5514
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4ff9c16b-c735-4323-a56c-f3fbbc83c637
Unpacked files
SH256 hash:
6dc625149ea24ccbf732c146eca0f40a43780adf22306709c125b55c6483b1fe
MD5 hash:
57ccf8ab55ddb1f6f00a3c0e2d4e3780
SHA1 hash:
7a6ee2c9a504bfc2893be46d072932b3c22226a5
Link:
https://www.unpac.me/results/8fc263f6-2be7-4d4e-99f3-b5aeb2df1d86/
SH256 hash:
effc707b7461da9f23cfdf850c4cea3c175cb4d2a91ce1cb3a0562369ab52494
MD5 hash:
4170da43bb99e67367638cc1b68d7191
SHA1 hash:
cb6e60e5d74d3f51d629feadbc0cdbba86c738d1
Link:
https://www.unpac.me/results/8fc263f6-2be7-4d4e-99f3-b5aeb2df1d86/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/effc707b7461da9f23cfdf850c4cea3c175cb4d2a91ce1cb3a0562369ab52494

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/319510/

Comments