MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f255df45c7572d4034a214a87819554dc186a8d325f6930c0b37e15ce1d75821. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f255df45c7572d4034a214a87819554dc186a8d325f6930c0b37e15ce1d75821
SHA3-384 hash: d1cc0053cb3251e1bf1c8567ffbf74ea42b98cbdbbbef1e2966aeb8b13f262271b2cecf42f34db214076c6e7c9c68df0
SHA1 hash: 9887744c3b3b75706e361bcac576ddd4da7f478b
MD5 hash: f62d1542f4ce70146ce3799404a69e60
humanhash: saturn-georgia-kentucky-solar
File name:f62d1542f4ce70146ce3799404a69e60.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:16'384 bytes
First seen:2021-05-24 13:45:58 UTC
Last seen:2021-05-24 14:01:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 384:nCXvlXNuVWn2Yh5ZaZta/R0oB+6inplcF:nCXtiUh5sZta/vIXnPcF
Threatray 412 similar samples on MalwareBazaar
TLSH 8C726300B2F83531E99BCA7517E7AAB4DAA571311D23256F0354E29D5A212F70FF22F1
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
162.248.225.14:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
162.248.225.14:80 https://threatfox.abuse.ch/ioc/58305/

Intelligence

File Origin
# of uploads :
2
# of downloads :
103
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f62d1542f4ce70146ce3799404a69e60.exe
Verdict:
Suspicious activity
Analysis date:
2021-05-24 13:55:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/98168a4e-fa0c-4638-87ed-f4cdb561e4c4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/161477/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
Creating a file
DNS request
Sending a custom TCP request
Delayed reading of the file
Sending a UDP request
Creating a file in the %temp% directory
Deleting a recently created file
Sending an HTTP POST request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Ficker Stealer RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/790402
Signature
.NET source code contains very large array initializations
Antivirus detection for dropped file
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Powershell creates an autostart link
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Suspicious Csc.exe Source File Folder
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Ficker Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 422801 Sample: W6DkFm55kO.exe Startdate: 24/05/2021 Architecture: WINDOWS Score: 100 52 Found malware configuration 2->52 54 Antivirus detection for dropped file 2->54 56 Multi AV Scanner detection for submitted file 2->56 58 7 other signatures 2->58 9 W6DkFm55kO.exe 2 2->9         started        process3 file4 36 C:\Users\user\AppData\...\W6DkFm55kO.exe.log, ASCII 9->36 dropped 12 powershell.exe 2 23 9->12         started        process5 dnsIp6 48 ipv4.imgur.map.fastly.net 151.101.112.193, 443, 49714 FASTLYUS United States 12->48 50 i.imgur.com 12->50 40 C:\Users\user\sdfgs.lnk, ASCII 12->40 dropped 72 Powershell creates an autostart link 12->72 17 MSBuild.exe 11 12->17         started        21 conhost.exe 12->21         started        file7 signatures8 process9 file10 34 C:\Users\user\AppData\...\q3shy5l3.cmdline, UTF-8 17->34 dropped 60 Writes to foreign memory regions 17->60 62 Injects a PE file into a foreign processes 17->62 23 RegAsm.exe 15 27 17->23         started        27 csc.exe 4 17->27         started        30 conhost.exe 17->30         started        signatures11 process12 dnsIp13 42 xcvsrtv201.xyz 89.191.233.253, 49726, 49728, 80 MGNHOST-ASRU Russian Federation 23->42 44 162.248.225.14, 49729, 80 HOSTING-SOLUTIONSUS United States 23->44 46 api.ip.sb 23->46 64 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 23->64 66 Performs DNS queries to domains with low reputation 23->66 68 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 23->68 70 2 other signatures 23->70 38 C:\Users\user\AppData\Local\...\q3shy5l3.dll, PE32 27->38 dropped 32 cvtres.exe 1 27->32         started        file14 signatures15 process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f255df45c7572d4034a214a87819554dc186a8d325f6930c0b37e15ce1d75821/
Threat name:
ByteCode-MSIL.Infostealer.Reline
Create hunting rule
Status:
Malicious
First seen:
2021-05-20 11:39:49 UTC
AV detection:
16 of 29 (55.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6jk56rohk4wuanfccsuhqgkvjxaynkgtex3jgdalg7qvzyoxlaqq._file
Verdict:
malicious
Similar samples:
1ac03c1e098aa881d52b14a760d52cb9da9b6e7e67db9677b9b7106a4cdfc8e3
RedLineStealer
3d29b2a1a23b12a5134fbe8b17fe5ba0c87549e5671232eb9e842c2a55ad8f2b
RedLineStealer
864ef1321215c0dad7c8677e3c18942b111468c63358475baa71fb1679c25096
RedLineStealer
95cd8d4bc79853ac7a2a8b7b990cd33937db02fb3ee7b4650d5add5609687e91
RedLineStealer
a28956c03af41c83a80a84889bd4b2528c3842f14ca44d7c2d3362cbaa036b8d
RedLineStealer
cb3c387163302fbf8ddb4c13e9d786c1070a4185a74bdd3faebd1649d02b2b30
RedLineStealer
d297909c5beef3cdc63c28a941d7e14e90472bee97389f7021bcc2b9b4be21f4
RedLineStealer
f037bf66b6f50392119e4c163d9b0fbea6d2fec0d9f1c6338889cc9de619887e
RedLineStealer
f91c7c2e15b7343d97bc5c3961f43ebd659440102a4a9c3359d7a9e6e0aef9d3
RedLineStealer
fb4b3f42369b356e01ff430cc836d9291693cd54f7073f4293f0277c3450b500
RedLineStealer
+ 402 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:frt discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210524-yf7nr2bxge/
Behaviour
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
Blocklisted process makes network request
RedLine
RedLine Payload
Malware Config
C2 Extraction:
xcvsrtv201.xyz:80
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f255df45c7572d4034a214a87819554dc186a8d325f6930c0b37e15ce1d75821

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:Telegram_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Telegram in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/161477/

Comments