MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f303ccc5cdf05114cedee459d0f66bf3b428e19054e2e3f1f001d945332ab6c0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f303ccc5cdf05114cedee459d0f66bf3b428e19054e2e3f1f001d945332ab6c0
SHA3-384 hash: bb37d7aae1550c2cda8c4b3d6f805e223d0f13a26c1576bea4c0813cbd04d187489dbb6da0d7509ee2a02364b67f52f9
SHA1 hash: f84e7dd7494139988462ae737eb7773b64b02cf3
MD5 hash: acffdb5120632725f25ffd44d6e225b7
humanhash: maine-beer-floor-alanine
File name:acffdb5120632725f25ffd44d6e225b7.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:2'385'510 bytes
First seen:2021-08-03 15:55:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9c61e193ad83beb9c6707bb817822229 (5 x RedLineStealer, 1 x Pony, 1 x CoinMiner)
ssdeep 49152:cNYkpnWkXwMlI49BfltQViyTzRhmpxiz8lVHTIioOFZQ+e:cNjWkXwMlz9BfAV1ypxiqZ7e
Threatray 4'072 similar samples on MalwareBazaar
TLSH T1FEB533103BDECDF8C8AB15B1094E2F2659A569321B00F7CF53E09807BA15BD5CB7939A
dhash icon 98e5676565a5a59a (4 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
45.14.12.90:52072

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
45.14.12.90:52072 https://threatfox.abuse.ch/ioc/165490/

Intelligence

File Origin
# of uploads :
1
# of downloads :
146
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
acffdb5120632725f25ffd44d6e225b7.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-03 15:56:31 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a9188fd5-db2d-43da-946b-173361b7c81e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/176123/
Detection(s):
Win.Malware.Vaultcrypt-7536195-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching a process
Moving a file to the %temp% subdirectory
Creating a process from a recently created file
Replacing files
Enabling the 'hidden' option for files in the %temp% directory
Connection attempt
Sending an HTTP POST request
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a file
Deleting a recently created file
Reading critical registry keys
Sending a UDP request
Connection attempt to an infection source
Searching for analyzing tools
Searching for the window
Sending an HTTP GET request
Unauthorized injection to a recently created process
Stealing user critical data
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2b20f341-3a7d-4388-be2a-7ce90b5d0751
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/826321
Signature
.NET source code contains very large array initializations
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to register a low level keyboard hook
Drops batch files with force delete cmd (self deletion)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 458753 Sample: Z06maMhQlw.exe Startdate: 03/08/2021 Architecture: WINDOWS Score: 100 66 iplogger.org 2->66 68 bitbucket.org 2->68 80 Antivirus detection for URL or domain 2->80 82 Antivirus detection for dropped file 2->82 84 Multi AV Scanner detection for dropped file 2->84 86 9 other signatures 2->86 9 Z06maMhQlw.exe 7 2->9         started        13 svchost.exe 2->13         started        15 svchost.exe 9 1 2->15         started        18 8 other processes 2->18 signatures3 process4 dnsIp5 54 C:\Users\user\AppData\Local\Temp\...\main.bat, Little-endian 9->54 dropped 56 C:\Users\user\AppData\Local\Temp\...\7z.exe, PE32+ 9->56 dropped 58 C:\Users\user\AppData\Local\Temp\...\7z.dll, PE32+ 9->58 dropped 104 Drops batch files with force delete cmd (self deletion) 9->104 106 Contains functionality to register a low level keyboard hook 9->106 20 cmd.exe 2 9->20         started        108 Changes security center settings (notifications, updates, antivirus, firewall) 13->108 76 127.0.0.1 unknown unknown 15->76 78 192.168.2.1 unknown unknown 18->78 file6 signatures7 process8 process9 22 qqqqqry.exe 15 33 20->22         started        27 7z.exe 2 20->27         started        29 7z.exe 3 20->29         started        31 12 other processes 20->31 dnsIp10 70 n8.miraimibun.ru 217.107.34.191, 443, 49724, 49725 RTCOMM-ASRU Russian Federation 22->70 72 45.14.12.90, 49715, 49719, 49722 ON-LINE-DATAServerlocation-NetherlandsDrontenNL Netherlands 22->72 74 2 other IPs or domains 22->74 48 C:\Users\user\AppData\...\1483691116.exe, PE32 22->48 dropped 50 C:\Users\user\AppData\...\1380029568.exe, PE32 22->50 dropped 96 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 22->96 98 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 22->98 100 Tries to harvest and steal browser information (history, passwords, etc) 22->100 102 Tries to steal Crypto Currency Wallets 22->102 33 1483691116.exe 22->33         started        38 conhost.exe 22->38         started        52 C:\Users\user\AppData\Local\...\qqqqqry.exe, PE32 27->52 dropped file11 signatures12 process13 dnsIp14 60 iplogger.org 88.99.66.31, 443, 49727, 49728 HETZNER-ASDE Germany 33->60 62 bitbucket.org 104.192.141.1, 443, 49729 AMAZON-02US United States 33->62 64 3 other IPs or domains 33->64 40 C:\ProgramData\Microsoft Network\System.exe, PE32 33->40 dropped 42 C:\ProgramData\Systemd\old.exe (copy), PE32+ 33->42 dropped 44 C:\ProgramData\...\SecurityHealthsys.exe, PE32+ 33->44 dropped 46 2 other files (none is malicious) 33->46 dropped 88 Multi AV Scanner detection for dropped file 33->88 90 Query firmware table information (likely to detect VMs) 33->90 92 May check the online IP address of the machine 33->92 94 4 other signatures 33->94 file15 signatures16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f303ccc5cdf05114cedee459d0f66bf3b428e19054e2e3f1f001d945332ab6c0/
Threat name:
ByteCode-MSIL.Infostealer.Reline
Create hunting rule
Status:
Malicious
First seen:
2021-08-02 00:13:00 UTC
AV detection:
10 of 28 (35.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6mb4zron6birjtw64rm5b5tl6o2crymqktroh4pqahmukmzkw3aa._file
Verdict:
malicious
Similar samples:
02b2395502a744108c7c09bafafb58af53016603294bdb780d667bb91c484363
RedLineStealer
4eb5daa7a830db220c094818f7e5f3bce013271465ceb32e13b66a5dcf36641a
RedLineStealer
530656ad87a4e5c0f07998323ebca34348af7c7a2e585196f2d0c73580832e36
RedLineStealer
6aa436d8c7a5205a40ae1a806dec9d00c2161029fcd16aee21575e246e5c474c
RedLineStealer
9fe2c85a1401d69c00fcecc28fbe3e0ae8c190ae32512fe4cd61bea320528a3b
RedLineStealer
a2ed4456865129f69ed876a3262526d1193bc881708d46d86be1528f23c1b749
RedLineStealer
f1575bdf38e3eda22550fbc6653dac3fd357576d2a79975f7739358534aec935
RedLineStealer
f611711bbcb210e6e679026be24fd78215dc623abfb926d6811274eec16a3ca7
RedLineStealer
f627cdcd4882aeee1329e0fb22e0cede29c0c743f40a002cbdbd1a4c2c6592ca
RedLineStealer
f9ea5610c7a0bb3fcf4380200e3056266e06819f0ae956ee96961211b1ef98a5
RedLineStealer
+ 4'062 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:@qqqqqry discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210803-grgl4yy8l6/
Behaviour
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
RedLine
RedLine Payload
Malware Config
C2 Extraction:
45.14.12.90:52072
Unpacked files
SH256 hash:
0cd079927222848d5e2b875b2abc05ebf111293bb104cec5ea3d2930787ca390
MD5 hash:
74f85212e94e5d7b2320604851bbc966
SHA1 hash:
f09fa09b0d56e936e6f45bc54733d50d81a1cab9
Link:
https://www.unpac.me/results/1f7601c8-51f3-4678-b7f1-19e15df56077/
SH256 hash:
f303ccc5cdf05114cedee459d0f66bf3b428e19054e2e3f1f001d945332ab6c0
MD5 hash:
acffdb5120632725f25ffd44d6e225b7
SHA1 hash:
f84e7dd7494139988462ae737eb7773b64b02cf3
Link:
https://www.unpac.me/results/1f7601c8-51f3-4678-b7f1-19e15df56077/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f303ccc5cdf05114cedee459d0f66bf3b428e19054e2e3f1f001d945332ab6c0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_Microsoft_7z_SFX_Combo
Create hunting rule
Author:Florian Roth
Description:Detects a suspicious file that has a Microsoft copyright and is a 7z SFX
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/176123/

Comments