MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f35ceca80969fd2b7e78808fbe17aade7468a724562bfab1a2cdd022eba84302. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f35ceca80969fd2b7e78808fbe17aade7468a724562bfab1a2cdd022eba84302
SHA3-384 hash: 810409b5db5588cc6bad9103cd8ccbe2bedc478e4cc93947c0fecb55176ef258bb211ab502c21bc34387de6f24441052
SHA1 hash: 488e94d438f196e9c156dd5c831ae7624ba511c0
MD5 hash: 031ce7a66972c49479dbb9df4e900ece
humanhash: high-steak-oven-november
File name:f35ceca80969fd2b7e78808fbe17aade7468a724562bf.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:208'896 bytes
First seen:2021-07-15 15:46:09 UTC
Last seen:2021-07-15 16:44:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 0a76f0e7e1ce29290bdd14ac13b67a49 (1 x DarkVNC, 1 x RedLineStealer)
ssdeep 3072:ktm3cnPlp4l1XxPvg0vTFEITl1MHTKFvk7ZPkgwV5RY:ks3cnPf4l1K0vTFEwMHTykl7wp
Threatray 301 similar samples on MalwareBazaar
TLSH T1B014CF503AD1C437E6F76A30597883B06A7BBC722631D58BB644332A5E323D26AB5313
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
135.148.139.222:33569

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
135.148.139.222:33569 https://threatfox.abuse.ch/ioc/160667/

Intelligence

File Origin
# of uploads :
2
# of downloads :
159
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup_installer.exe
Verdict:
Malicious activity
Analysis date:
2021-07-14 16:49:26 UTC
Tags:
trojan evasion stealer loader vidar rat redline phishing raccoon ficker danabot
Link:
https://app.any.run/tasks/89dadf2a-3d9e-42f0-a97e-d1130452d3fa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/172039/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37231784.31184.18119.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/af162a90-a4bf-4f77-8daa-fa2abf6779df
Result
Threat name:
Clipboard Hijacker RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/817034
Signature
.NET source code contains very large strings
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to register a low level keyboard hook
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected Clipboard Hijacker
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 449445 Sample: f35ceca80969fd2b7e78808fbe1... Startdate: 15/07/2021 Architecture: WINDOWS Score: 100 70 osfnNsqepDXDVKsvd.osfnNsqepDXDVKsvd 2->70 86 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->86 88 Multi AV Scanner detection for domain / URL 2->88 90 Found malware configuration 2->90 92 16 other signatures 2->92 10 f35ceca80969fd2b7e78808fbe17aade7468a724562bf.exe 25 2->10         started        signatures3 process4 dnsIp5 80 gcl-partners.in 176.111.174.101, 49766, 49770, 49771 WILWAWPL Russian Federation 10->80 82 hofyva06.top 47.243.129.23, 49772, 49773, 49775 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC United States 10->82 84 4 other IPs or domains 10->84 60 C:\Users\user\AppData\...\07428899258.exe, PE32 10->60 dropped 62 C:\Users\user\AppData\Local\...\file[1].exe, PE32 10->62 dropped 64 C:\Users\user\AppData\Local\...\file[1].exe, PE32 10->64 dropped 66 3 other files (none is malicious) 10->66 dropped 104 May check the online IP address of the machine 10->104 15 cmd.exe 10->15         started        17 cmd.exe 1 10->17         started        19 WerFault.exe 9 10->19         started        21 6 other processes 10->21 file6 signatures7 process8 process9 23 07428899258.exe 15->23         started        28 conhost.exe 15->28         started        30 53419002471.exe 2 17->30         started        32 conhost.exe 17->32         started        dnsIp10 74 hofiwb05.top 23->74 76 wymbdu42.top 158.247.224.5, 49782, 80 FEWPBUS United States 23->76 78 morkus04.top 143.110.191.106, 49783, 80 COLLEGE-OF-ST-SCHOLASTICAUS United States 23->78 56 C:\Users\user\AppData\...\ReMvTSfQUMGq.exe, PE32 23->56 dropped 58 C:\Users\user\AppData\Local\...\lv[1].exe, PE32 23->58 dropped 96 Multi AV Scanner detection for dropped file 23->96 98 Detected unpacking (changes PE section rights) 23->98 100 Detected unpacking (overwrites its own PE header) 23->100 102 3 other signatures 23->102 34 ReMvTSfQUMGq.exe 23->34         started        38 53419002471.exe 15 2 30->38         started        41 conhost.exe 30->41         started        file11 signatures12 process13 dnsIp14 48 C:\Users\user\AppData\Local\Temp\...\vpn.exe, PE32 34->48 dropped 50 C:\Users\user\AppData\Local\Temp\...\4.exe, PE32 34->50 dropped 52 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 34->52 dropped 54 3 other files (none is malicious) 34->54 dropped 94 Multi AV Scanner detection for dropped file 34->94 43 4.exe 34->43         started        46 vpn.exe 34->46         started        72 135.148.139.222, 33569, 49785 AVAYAUS United States 38->72 file15 signatures16 process17 file18 68 C:\Users\user\AppData\...\SmartClock.exe, PE32 43->68 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f35ceca80969fd2b7e78808fbe17aade7468a724562bfab1a2cdd022eba84302/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-07-13 19:58:02 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6noozkajnh6sw7tyqch34f5k3z2grjzekyv7vmnczxicf25iimba._file
Verdict:
malicious
Similar samples:
349fcfd6f24473d8b0c9429c0f71459a178125b6d42a48129d357ce99eca94fe
RedLineStealer
54f791796231f7899d753f0ba44e7387bf7748dc7a28adbd28f2067c9ab88605
RedLineStealer
600f6200d1eb3f8cd3371327fd9808b24389a13fc69a39aacc2af5c1d15886fc
RedLineStealer
719cf0c9eba47af19500753dc4213f551efdc09f13e2c71ef0e39b08a7aca888
RedLineStealer
743f92678d29a5338b7b276226b0d8f60749589f1b11789f40b292d4f2ce7854
RedLineStealer
7e19416205cfb8e056d4628bdeb635e29cefba04fcb21ee55e7b0077427e4c99
RedLineStealer
90ac0149296d9e41ed0cac8e96866f26e60b7585f75dddff13f67136ef694b63
RedLineStealer
ab8d377d550ebae841ab75d2d6257fb38960efc049037bbd2468483871897e5d
RedLineStealer
df85a38611751933558ef9e7da81e81025ffc5e5e92cedaf4d97fb0b9f147422
RedLineStealer
eb4e54c1372f7002b2b49a9918e67f84d65e52f1b12c5b7313420a48d5305e41
RedLineStealer
+ 291 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:botinstal1 discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210715-fnh576ykan/
Behaviour
Checks processor information in registry
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
RedLine
RedLine Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
135.148.139.222:33569
Unpacked files
SH256 hash:
f3ddd7ffeaf9993d2560575e4a185f23c48bf7a7b4127e8f1ff5d8f50633a273
MD5 hash:
678653b4064aead25ef217963cebc183
SHA1 hash:
8a7d4662d4e1069bb9edc891e5d723572d814572
Link:
https://www.unpac.me/results/021a04f4-6f17-4cf2-9687-e3a3e82897d6/
SH256 hash:
f35ceca80969fd2b7e78808fbe17aade7468a724562bfab1a2cdd022eba84302
MD5 hash:
031ce7a66972c49479dbb9df4e900ece
SHA1 hash:
488e94d438f196e9c156dd5c831ae7624ba511c0
Link:
https://www.unpac.me/results/021a04f4-6f17-4cf2-9687-e3a3e82897d6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f35ceca80969fd2b7e78808fbe17aade7468a724562bfab1a2cdd022eba84302

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/172039/

Comments