MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f4e11cd74d31517b59663b1eb83955c4f2dc270143bea943b5b82c5c936fcc01. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f4e11cd74d31517b59663b1eb83955c4f2dc270143bea943b5b82c5c936fcc01
SHA3-384 hash: 5d6be1f5e64bc159dd8bb7729a66115b0f19f3178dd3ad1d6f4d7e10c643348321cb57a503c9ea2dc2e88d9cafbfd79f
SHA1 hash: 831fae42f7647dce83d51566d0c812d63e0cd97e
MD5 hash: 97c3f6161cb1449726f9a0eaff9dc67f
humanhash: mexico-artist-carbon-four
File name:97c3f6161cb1449726f9a0eaff9dc67f.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:350'208 bytes
First seen:2021-03-24 07:12:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2d67dd7544a02fd047bb271b77af7698 (1 x RedLineStealer, 1 x ArkeiStealer)
ssdeep 6144:fbB2FTwT4cV7JR1jidaqM4/Ha0rhoGT9Ctbp+IWekfwmE2Mh4B:DBimV75Gdap4va0rh+jX7kfwM
Threatray 431 similar samples on MalwareBazaar
TLSH 8F74BE1173E0C033D5A224754224CBB16EBB78727576DA4FBBC416B99F64BC1EA2630B
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
http://87.251.71.185/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://87.251.71.185/ https://threatfox.abuse.ch/ioc/4782/

Intelligence

File Origin
# of uploads :
1
# of downloads :
125
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Testing.exe
Verdict:
Malicious activity
Analysis date:
2021-03-20 20:30:49 UTC
Tags:
loader trojan evasion stealer
Link:
https://app.any.run/tasks/054e9dc9-ed48-4242-8a8d-46df82b4dec7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Malware.Generic-9846132-0
Create hunting rule

Win.Malware.Filerepmetagen-9846659-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a UDP request
Deleting a recently created file
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Sending an HTTP GET request
Sending a custom TCP request
Creating a file
Using the Windows Management Instrumentation requests
Searching for the window
Delayed reading of the file
Reading critical registry keys
Creating a window
Sending an HTTP POST request
Launching a process
Creating a file in the %AppData% subdirectories
Launching cmd.exe command interpreter
Sending a TCP request to an infection source
Launching a tool to kill processes
Stealing user critical data
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Djvu
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/651900
Signature
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Found ransom note / readme
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sigma detected: Suspicious Svchost Process
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Djvu Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 374898 Sample: 1iEOgEs3sq.exe Startdate: 24/03/2021 Architecture: WINDOWS Score: 100 110 grcCwxjDXykM.grcCwxjDXykM 2->110 112 HtcMxJDZqUppUy.HtcMxJDZqUppUy 2->112 114 2 other IPs or domains 2->114 146 Malicious sample detected (through community Yara rule) 2->146 148 Antivirus detection for URL or domain 2->148 150 Multi AV Scanner detection for dropped file 2->150 152 10 other signatures 2->152 12 1iEOgEs3sq.exe 24 2->12         started        17 98589915128.exe 1 19 2->17         started        19 98589915128.exe 2->19         started        21 98589915128.exe 2->21         started        signatures3 process4 dnsIp5 124 193.38.55.33, 49710, 80 SERVERIUS-ASNL Russian Federation 12->124 126 iplogger.org 88.99.66.31, 443, 49718, 49719 HETZNER-ASDE Germany 12->126 136 3 other IPs or domains 12->136 88 C:\Users\user\AppData\...\98589915128.exe, PE32 12->88 dropped 90 C:\Users\user\AppData\...\43431373297.exe, PE32 12->90 dropped 92 C:\Users\user\AppData\Local\...\null[1], PE32 12->92 dropped 100 3 other files (2 malicious) 12->100 dropped 160 Detected unpacking (changes PE section rights) 12->160 162 Detected unpacking (overwrites its own PE header) 12->162 164 May check the online IP address of the machine 12->164 23 cmd.exe 1 12->23         started        25 cmd.exe 1 12->25         started        27 cmd.exe 1 12->27         started        128 jfas.top 34.105.199.171, 49724, 80 GOOGLEUS United States 17->128 130 api.2ip.ua 17->130 94 C:\_readme.txt, ASCII 17->94 dropped 96 C:\Users\user\Desktop\...\PWCCAWLGRE.docx, data 17->96 dropped 98 C:\Users\user\Desktop\...\PIVFAGEAAV.pdf, data 17->98 dropped 102 2 other malicious files 17->102 dropped 166 Machine Learning detection for dropped file 17->166 168 Modifies existing user documents (likely ransomware behavior) 17->168 132 api.2ip.ua 19->132 134 api.2ip.ua 21->134 file6 signatures7 process8 process9 29 43431373297.exe 49 23->29         started        34 conhost.exe 23->34         started        36 98589915128.exe 1 16 25->36         started        38 conhost.exe 25->38         started        40 conhost.exe 27->40         started        42 taskkill.exe 27->42         started        dnsIp10 138 morwhy03.top 35.228.217.164, 49738, 49739, 80 GOOGLEUS United States 29->138 140 bazfr32.top 29->140 142 akrvt04.top 29->142 104 C:\Users\user\AppData\Local\Temp\Joirk.exe, PE32 29->104 dropped 106 C:\Users\user\AppData\Local\...\lv[1].exe, PE32 29->106 dropped 170 Multi AV Scanner detection for dropped file 29->170 172 Detected unpacking (changes PE section rights) 29->172 174 Detected unpacking (overwrites its own PE header) 29->174 176 Tries to harvest and steal browser information (history, passwords, etc) 29->176 44 Joirk.exe 29->44         started        48 cmd.exe 29->48         started        144 api.2ip.ua 77.123.139.190, 443, 49714, 49720 VOLIA-ASUA Ukraine 36->144 108 C:\Users\user\AppData\...\98589915128.exe, PE32 36->108 dropped 178 Machine Learning detection for dropped file 36->178 50 98589915128.exe 36->50         started        53 icacls.exe 36->53         started        file11 signatures12 process13 dnsIp14 80 C:\Users\user\AppData\Local\Temp\...\vpn.exe, PE32 44->80 dropped 82 C:\Users\user\AppData\Local\Temp\...\6.exe, PE32 44->82 dropped 84 C:\Users\user\AppData\Local\Temp\...\4.exe, PE32 44->84 dropped 86 2 other files (1 malicious) 44->86 dropped 156 Multi AV Scanner detection for dropped file 44->156 158 Machine Learning detection for dropped file 44->158 55 5.exe 44->55         started        59 4.exe 44->59         started        62 vpn.exe 44->62         started        64 6.exe 44->64         started        66 conhost.exe 48->66         started        68 timeout.exe 48->68         started        116 api.2ip.ua 50->116 file15 signatures16 process17 dnsIp18 118 googlehosted.l.googleusercontent.com 172.217.168.33, 443, 49744 GOOGLEUS United States 55->118 120 192.168.2.1 unknown unknown 55->120 122 doc-10-04-docs.googleusercontent.com 55->122 154 Query firmware table information (likely to detect VMs) 55->154 78 C:\Users\user\AppData\...\SmartClock.exe, PE32 59->78 dropped 70 SmartClock.exe 59->70         started        72 cmd.exe 62->72         started        74 svchost.exe 62->74         started        file19 signatures20 process21 process22 76 conhost.exe 72->76         started       
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f4e11cd74d31517b59663b1eb83955c4f2dc270143bea943b5b82c5c936fcc01/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-03-21 01:50:57 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6tqrzv2ngfixwwlghmplqokvytznyjybio7ksq5vxawfze3pzqaq._file
Verdict:
malicious
Similar samples:
118f24dab3dce4a5ae6e3ab078551cbc628b475abeeafa07a5972622aaa38812
RedLineStealer
388d18b98704bff34ac1cb0a6603e68ba300205ee2f14e4bf482f1012d933231
RedLineStealer
7bc379fd5f28ca0016ae282820d517d7719cad2742a22968cc3c9d3434ff469d
RedLineStealer
7c3ec59724f79c69f7bb889f8dac9e89a45ad3629a25c954c26905b5b953e3f5
RedLineStealer
8cec146d7a7b594cf7748b35c63ea1fed2c994ef2cdbb5731f1b15d9c9fa1ee3
RedLineStealer
b0e796694c790548cf9553a6ed536b21e8471064c4ae887304137ffcafbe257f
RedLineStealer
b31544541ebcdaeb7746d400b534e0ce49abb44d5922acacaa1653c492cbd650
RedLineStealer
bced04a0ef9306f81abe9dcd2bf613802076f1d2012f23bcc42a208acabf25dd
RedLineStealer
c8a30abef2939b6c3b6193feffbaf8ba4a87c79fc32e71b10b94bbdb8e1e238f
RedLineStealer
fc2a8472021c1f37e7ba14fd51259d37d10bd030ecd33134ebf42d3279ab860a
RedLineStealer
+ 421 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:cryptbot family:raccoon family:xmrig botnet:c46f13f8aadc028907d65c627fd9163161661f6c discovery evasion miner spyware stealer
Link:
https://tria.ge/reports/210324-w8e8scwrfe/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Deletes itself
Drops startup file
Loads dropped DLL
Modifies file permissions
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Executes dropped EXE
Sets file to hidden
XMRig Miner Payload
CryptBot
Raccoon
xmrig
Unpacked files
SH256 hash:
6b83294d09ae3cc42e611f4cb153136f82e504177a6058c2c59cf5c4c2b5ed6e
MD5 hash:
13bbe74606eea1ee0deb63b35d6388b0
SHA1 hash:
dd976fef2c630b63858ee6e76616c2f199899fa1
Link:
https://www.unpac.me/results/db73e454-7866-4516-b2b4-4ae6a8ce23dd/
SH256 hash:
f4e11cd74d31517b59663b1eb83955c4f2dc270143bea943b5b82c5c936fcc01
MD5 hash:
97c3f6161cb1449726f9a0eaff9dc67f
SHA1 hash:
831fae42f7647dce83d51566d0c812d63e0cd97e
Link:
https://www.unpac.me/results/db73e454-7866-4516-b2b4-4ae6a8ce23dd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f4e11cd74d31517b59663b1eb83955c4f2dc270143bea943b5b82c5c936fcc01

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:SUSP_XORed_Mozilla
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments