MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fb6eae45c38c680a2580247feed29592f40ab479339244c58b7f3397e773fbcd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 6



SHA256 hash: fb6eae45c38c680a2580247feed29592f40ab479339244c58b7f3397e773fbcd
SHA3-384 hash: 21abecb732a4c9a09200964df7545b4fc2a8579fcded28f9c9a8ad5ac9d3657e4294cbb6b0a7dae68e3e0a8e04faa494
SHA1 hash: 4794160919d85748d3b52311a0192d5c3514cb36
MD5 hash: 6213cb0219b42087680c8f48c3a8be07
humanhash: georgia-sierra-beer-west
File name: 6213CB0219B42087680C8F48C3A8BE07.exe
Signature: RedLineStealer
File size: 1'829'182 bytes
First seen: 2021-06-23 16:25:58 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 1ff847646487d56f85778df99ff3728a (4 x RedLineStealer, 3 x Nitol, 2 x Gh0stRAT)
ssdeep: 49152:WC2lJmXbj5DIwbQea1LPEyK7r385JD3d6cIWh8:WzlkbFDVrQMyOr3S3d6cLh8
Threatray: 5 similar samples on MalwareBazaar
TLSH: 48851203B293C072D49901B505658BB64F3A7C319775D0F7AFD13AAA9D703E29B3638A
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
85.143.175.93:80

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                 ThreatFox Reference
85.143.175.93:80    https://threatfox.abuse.ch/ioc/150701/

Intelligence


File Origin
# of uploads: 1
# of downloads: 105
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 6213CB0219B42087680C8F48C3A8BE07.exe
Verdict: No threats detected
Analysis date: 2021-06-23 16:29:00 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to a pastebin service (likely for C&C)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Tries to evade analysis by execution special instruction which cause usermode exception
Behaviour
Behavior Graph: (graph rendering not reproduced here; Behavior Graph ID: 439126, Sample: XqnM8G36Ih.exe, Startdate: 23/06/2021, Architecture: WINDOWS, Score: 100)
Threat name: Win32.Trojan.Bingoml
Status: Malicious
First seen: 2021-06-20 02:35:06 UTC
AV detection: 20 of 29 (68.97%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: upx
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Executes dropped EXE
UPX packed file
Unpacked files
SHA256 hash: 8da71508b61a98b6c130f25c8aed935b3fae5af76f63e6d369995b30b44685e7
MD5 hash: 4417c66f9c2ea1e82ae448b0741619ed
SHA1 hash: 1067594b7c12f75f9760bac7411c35453ffa114f

SHA256 hash: c3f051fdc89bba65156a1f0b0c6bcd9dd7950ff851ed8338e842ad1d89534c48
MD5 hash: 6e8174db90c85a6c871510c2ec49c3f9
SHA1 hash: 01d1ea3fceaae1eef1034e230c1924eba645a7ee

SHA256 hash: fb6eae45c38c680a2580247feed29592f40ab479339244c58b7f3397e773fbcd
MD5 hash: 6213cb0219b42087680c8f48c3a8be07
SHA1 hash: 4794160919d85748d3b52311a0192d5c3514cb36
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments