MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f30dab44e1b3c177c002b35c5e9a933b79345c378dbf434b96de62051bbb1eb0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f30dab44e1b3c177c002b35c5e9a933b79345c378dbf434b96de62051bbb1eb0
SHA3-384 hash: 753021ed6c4bfd5ad3e10df481b284825f91477ed718d3518df01cbd7653d407a50a40ee820c5b6855c5f36308ba66ad
SHA1 hash: 5c884c26a76630a76e1efa9c4695959bc8c263ba
MD5 hash: c20afa6d829ac6e72b1444ffad4d13ae
humanhash: william-failed-burger-carolina
File name:f30dab44e1b3c177c002b35c5e9a933b79345c378dbf4.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:597'267 bytes
First seen:2021-10-28 17:21:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c9adc83b45e363b21cd6b11b5da0501f (82 x ArkeiStealer, 60 x RecordBreaker, 46 x RedLineStealer)
ssdeep 12288:pANwRo+mv8QD4+0V16f9LrTnxPdRj7blVOplTWob8Xekh+rlMmVFO:pAT8QE+kK5rDJdRbqV3kh6BVw
Threatray 398 similar samples on MalwareBazaar
TLSH T1EAC4F135B281857AC0620A358C87D3B6B53EBA045F7C64CFB7DD0D2C99333562A7639A
File icon (PE):PE icon
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
18.190.26.16:61391

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
18.190.26.16:61391 https://threatfox.abuse.ch/ioc/239334/

Intelligence

File Origin
# of uploads :
1
# of downloads :
214
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/201009/
Detection(s):
SecuriteInfo.com.PSW.Generic8.ISF.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Delayed reading of the file
Creating a file in the %temp% subdirectories
Creating a file in the Program Files subdirectories
Deleting a recently created file
Creating a process from a recently created file
Creating a process with a hidden window
Running batch commands
Launching a process
Using the Windows Management Instrumentation requests
Searching for the window
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Launching a service
Creating a file in the Windows subdirectories
Connecting to a non-recommended domain
Replacing files
Reading critical registry keys
Launching a tool to kill processes
Stealing user critical data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5f38c90b-390b-431b-9d74-2840d9cfbf43
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/878773
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Creates HTML files with .exe extension (expired dropper behavior)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
May check the online IP address of the machine
Modifies Chrome's extension installation force list
Multi AV Scanner detection for dropped file
Opens network shares
Performs DNS queries to domains with low reputation
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 511207 Sample: f30dab44e1b3c177c002b35c5e9... Startdate: 28/10/2021 Architecture: WINDOWS Score: 100 114 110.t.keepitpumpin.io 163.172.204.15 OnlineSASFR United Kingdom 2->114 116 111.t.keepitpumpin.io 212.83.141.61 OnlineSASFR France 2->116 118 7 other IPs or domains 2->118 140 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->140 142 Antivirus detection for URL or domain 2->142 144 Antivirus detection for dropped file 2->144 146 5 other signatures 2->146 9 f30dab44e1b3c177c002b35c5e9a933b79345c378dbf4.exe 18 9 2->9         started        13 msiexec.exe 2->13         started        15 svchost.exe 2->15         started        17 10 other processes 2->17 signatures3 process4 dnsIp5 78 C:\Program Files (x86)\FastPc\...\Faster.exe, PE32 9->78 dropped 80 C:\Program Files (x86)\FastPc\...\Fast_.exe, PE32 9->80 dropped 82 C:\Program Files (x86)\FastPc\...\FastPCV.exe, PE32 9->82 dropped 84 C:\Users\user\AppData\Local\...\temp_0.tmp, Microsoft 9->84 dropped 158 Modifies Chrome's extension installation force list 9->158 20 FastPCV.exe 2 9->20         started        23 Faster.exe 14 5 9->23         started        27 Fast_.exe 5 9->27         started        39 2 other processes 9->39 86 C:\...\Windows Updater.exe, PE32 13->86 dropped 88 C:\...\AdvancedWindowsManager.exe, PE32+ 13->88 dropped 90 C:\Windows\Installer\MSIFE72.tmp, PE32 13->90 dropped 92 14 other files (none is malicious) 13->92 dropped 29 msiexec.exe 13->29         started        31 msiexec.exe 13->31         started        33 msiexec.exe 13->33         started        160 Changes security center settings (notifications, updates, antivirus, firewall) 15->160 35 MpCmdRun.exe 15->35         started        112 115.t.keepitpumpin.io 212.83.166.214, 49782, 8080 OnlineSASFR France 17->112 37 conhost.exe 17->37         started        file6 signatures7 process8 dnsIp9 64 C:\Users\user\AppData\Local\...\FastPCV.tmp, PE32 20->64 dropped 41 FastPCV.tmp 20 19 20->41         started        120 source7.boys4dayz.com 172.67.148.61, 443, 49768 CLOUDFLARENETUS United States 23->120 122 duzlwewk2uk96.cloudfront.net 13.224.89.68, 49900, 80 AMAZON-02US United States 23->122 124 192.168.2.1 unknown unknown 23->124 66 C:\Users\user\AppData\Local\Temp\vpn.exe, PE32 23->66 dropped 68 C:\Users\user\AppData\Local\...\installer.exe, PE32 23->68 dropped 148 Hides that the sample has been downloaded from the Internet (zone.identifier) 23->148 46 installer.exe 23->46         started        48 vpn.exe 23->48         started        126 18.190.26.16, 49774, 61391 AMAZON-02US United States 27->126 150 Tries to harvest and steal browser information (history, passwords, etc) 27->150 152 Tries to steal Crypto Currency Wallets 27->152 70 C:\Users\user\AppData\Local\...\shiE452.tmp, PE32 29->70 dropped 72 C:\Users\user\AppData\Local\...\shiE2CA.tmp, PE32 29->72 dropped 154 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 29->154 156 Opens network shares 29->156 128 psttbk.com 206.81.21.194, 49824, 80 DIGITALOCEAN-ASNUS United States 31->128 130 collect.installeranalytics.com 3.209.18.1, 443, 49826, 49832 AMAZON-AESUS United States 31->130 74 C:\Users\user\AppData\Local\Temp\shiA29.tmp, PE32 31->74 dropped 76 C:\Users\user\AppData\Local\Temp\shi69E.tmp, PE32 31->76 dropped 50 taskkill.exe 31->50         started        52 conhost.exe 35->52         started        54 conhost.exe 39->54         started        56 conhost.exe 39->56         started        58 taskkill.exe 39->58         started        file10 signatures11 process12 dnsIp13 132 ipinfo.io 34.117.59.81, 443, 49769, 49770 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 41->132 134 otisrebe.xyz 92.38.184.204, 49772, 49773, 80 GCOREAT Austria 41->134 136 proxycheck.io 104.26.9.187, 49771, 80 CLOUDFLARENETUS United States 41->136 94 C:\Users\user\AppData\...\itdownload.dll, PE32 41->94 dropped 96 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 41->96 dropped 98 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 41->98 dropped 108 2 other files (none is malicious) 41->108 dropped 162 May check the online IP address of the machine 41->162 164 Creates HTML files with .exe extension (expired dropper behavior) 41->164 166 Performs DNS queries to domains with low reputation 41->166 138 collect.installeranalytics.com 46->138 100 C:\Users\user\...\AdvancedWindowsManager.exe, PE32+ 46->100 dropped 102 C:\Users\user\AppData\Roaming\...\decoder.dll, PE32 46->102 dropped 104 C:\Users\user\AppData\...\Windows Updater.exe, PE32 46->104 dropped 110 4 other files (none is malicious) 46->110 dropped 60 msiexec.exe 46->60         started        106 C:\Users\user\AppData\Local\Temp\...\vpn.tmp, PE32 48->106 dropped 62 conhost.exe 50->62         started        file14 signatures15 process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f30dab44e1b3c177c002b35c5e9a933b79345c378dbf434b96de62051bbb1eb0/
Threat name:
ByteCode-MSIL.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2021-10-28 17:22:06 UTC
AV detection:
21 of 44 (47.73%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6mg2wrhbwpaxpqacwnof5guthn4tixbxrw7ugs4w3zrakg53d2ya._file
Verdict:
malicious
Similar samples:
111d1529eb5320465bc09a12146b321b0f4409372a8b73048b7798904082068c
RedLineStealer
9405f9084c8ec3eff442b83c20928fceb3e6372d504381b0527a7512a9889231
RedLineStealer
d7480662bc7ee6dc38227ea381978553b1774774e4a0a70ea3bf6aebbca48622
RedLineStealer
e6447686ab68ede1a7b92ddc98b7e90ccf64d48876ace4b91cc45ea2437cc67c
RedLineStealer
e6d90883fd0e3c7576c140d6f12e04e1e54c3789ec4b2bdea925c9bdb6aa1f43
RedLineStealer
e6dff8475541ebddc1f0db47a311eb2c25581b7d5e62af8066d59c283114c2d3
RedLineStealer
+ 388 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:redline family:vidar botnet:1045 botnet:fast discovery infostealer spyware stealer suricata upx
Link:
https://tria.ge/reports/211028-vxkpraggbm/
Behaviour
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
UPX packed file
ACProtect 1.3x - 1.4x DLL software
Vidar Stealer
RedLine
RedLine Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Malware Config
C2 Extraction:
18.190.26.16:61391
https://mas.to/@lilocc
Unpacked files
SH256 hash:
ec32b38e5ad5c285c1d6d8237341a99772709e8e4ea23db953d63ab8f078379c
MD5 hash:
ccf4a60623b784b084855d0468d76eab
SHA1 hash:
9419cc65a1bb70e8780f6da7cedd169eb333db88
Link:
https://www.unpac.me/results/04a2a369-bb0e-4760-8f49-d344d0de8d2b/
SH256 hash:
f4508465678014fe3f598ff94cc8f55675f758e835f5cb5c63ea70e6a5e63417
MD5 hash:
927d3851fae21588cee40b05caecee16
SHA1 hash:
961820d9f86173ca1d063e6d28b6211ce736e3a7
Link:
https://www.unpac.me/results/04a2a369-bb0e-4760-8f49-d344d0de8d2b/
SH256 hash:
f30dab44e1b3c177c002b35c5e9a933b79345c378dbf434b96de62051bbb1eb0
MD5 hash:
c20afa6d829ac6e72b1444ffad4d13ae
SHA1 hash:
5c884c26a76630a76e1efa9c4695959bc8c263ba
Link:
https://www.unpac.me/results/04a2a369-bb0e-4760-8f49-d344d0de8d2b/
Malware family:
CryptOne
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/f30dab44e1b3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f30dab44e1b3c177c002b35c5e9a933b79345c378dbf434b96de62051bbb1eb0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/201009/

Comments