MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff0bcc45853b6740d54f30162465b6dcb265fb4a8bb2e16a629b961ee67dfd75. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ff0bcc45853b6740d54f30162465b6dcb265fb4a8bb2e16a629b961ee67dfd75
SHA3-384 hash: f9c8ea41947d5ac9518fa110f7282cffb024cf37b8ec5d043cb2335f1af18dc4e210b8207b88198ea70cdb0d3ca10719
SHA1 hash: 65414cd819a2ed9a9a24ee34adaa48fc79392a0a
MD5 hash: 8d9328dd33c28b417ff4909192e276d5
humanhash: two-nebraska-steak-illinois
File name:8d9328dd33c28b417ff4909192e276d5
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:332'184 bytes
First seen:2021-11-12 21:51:59 UTC
Last seen:2021-11-13 01:18:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:XqyeqhULC5zFvReTJQdM/oV8ELRzncJaOjlMJ:Jh/5zhkTJQtrLRiaayJ
Threatray 75 similar samples on MalwareBazaar
TLSH T1F664EF022D4EF69CB0553D33BEDB591D47A21DD15A37CACE2F489A0B22521423FA3F69
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
113
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/205379/
Detection(s):
SecuriteInfo.com.Trojan.Siggen15.39783.740.30572.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Using the Windows Management Instrumentation requests
Launching a service
Connection attempt
Sending an HTTP GET request
DNS request
Sending a custom TCP request
Creating a file in the %AppData% directory
Creating a process from a recently created file
Sending an HTTP POST request
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated overlay packed packed
Link:
https://www.filescan.io/uploads/618ee20ca00afa9663a57ecd/reports/ed236b28-6d07-4859-843c-1c491575cec3/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dd3b5fcc-6da3-4557-a519-23e4d2e8a242
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/888409
Signature
Adds a directory exclusion to Windows Defender
Connects to many ports of the same IP (likely port scanning)
Detected VMProtect packer
Found strings related to Crypto-Mining
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Change PowerShell Policies to a Unsecure Level
Sigma detected: Powershell Defender Exclusion
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 520882 Sample: EX0gCpjN0l Startdate: 12/11/2021 Architecture: WINDOWS Score: 100 99 Multi AV Scanner detection for dropped file 2->99 101 Multi AV Scanner detection for submitted file 2->101 103 Yara detected Xmrig cryptocurrency miner 2->103 105 8 other signatures 2->105 9 EX0gCpjN0l.exe 14 7 2->9         started        14 Windows Host.exe 2->14         started        16 mstee.sys 2->16         started        18 mskssrv.sys 2->18         started        process3 dnsIp4 95 194.58.69.100, 37026, 49768 MTW-ASRU Russian Federation 9->95 97 cdn.discordapp.com 162.159.129.233, 443, 49771 CLOUDFLARENETUS United States 9->97 87 C:\Users\user\AppData\...\WindowsHost.exe, PE32 9->87 dropped 89 C:\Users\user\AppData\...X0gCpjN0l.exe.log, ASCII 9->89 dropped 129 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 9->129 131 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 9->131 133 Tries to harvest and steal browser information (history, passwords, etc) 9->133 135 Tries to steal Crypto Currency Wallets 9->135 20 WindowsHost.exe 14 9 9->20         started        137 Adds a directory exclusion to Windows Defender 14->137 25 cmd.exe 14->25         started        27 cmd.exe 14->27         started        29 cmd.exe 14->29         started        31 6 other processes 14->31 file5 signatures6 process7 dnsIp8 91 162.159.130.233, 443, 49772, 49773 CLOUDFLARENETUS United States 20->91 93 cdn.discordapp.com 20->93 81 C:\Users\user\AppData\...\Windows Host.exe, PE32 20->81 dropped 83 C:\Users\user\...\Courie-BoldItalic.ttf, PE32+ 20->83 dropped 85 C:\Windows\System32\...\Windows Host.xml, XML 20->85 dropped 121 Multi AV Scanner detection for dropped file 20->121 123 Machine Learning detection for dropped file 20->123 125 Modifies the windows firewall 20->125 127 Adds a directory exclusion to Windows Defender 20->127 33 cmd.exe 20->33         started        35 cmd.exe 1 20->35         started        38 cmd.exe 20->38         started        44 8 other processes 20->44 40 dxdiag.exe 25->40         started        42 conhost.exe 25->42         started        46 5 other processes 27->46 48 2 other processes 29->48 50 4 other processes 31->50 file9 signatures10 process11 signatures12 52 dxdiag.exe 33->52         started        55 conhost.exe 33->55         started        107 Uses schtasks.exe or at.exe to add and modify task schedules 35->107 109 Uses netsh to modify the Windows network and firewall settings 35->109 57 conhost.exe 35->57         started        59 netsh.exe 35->59         started        65 3 other processes 35->65 67 5 other processes 38->67 111 Query firmware table information (likely to detect VMs) 40->111 61 schtasks.exe 44->61         started        63 conhost.exe 44->63         started        69 10 other processes 44->69 process13 signatures14 113 Query firmware table information (likely to detect VMs) 52->113 115 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 52->115 117 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 52->117 119 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 52->119 71 conhost.exe 57->71         started        73 netsh.exe 57->73         started        75 netsh.exe 57->75         started        79 2 other processes 57->79 77 conhost.exe 61->77         started        process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ff0bcc45853b6740d54f30162465b6dcb265fb4a8bb2e16a629b961ee67dfd75/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-11-12 21:27:48 UTC
AV detection:
25 of 27 (92.59%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
28f5fb04e33ee8f3257b1a2c6f4ade3f281b0d474eea4bdde2abe622a1b11994
RedLineStealer
3e820217037e312b739d6514547da6a7afd3d9e3b92dc90e6c30c35808fb5214
RedLineStealer
86ae354a12341fd3def17aacee3e3ee3bf9678c499cbb81f0db1014177f378dd
RedLineStealer
de074784466375ef8258b4dbea4dd579fd9edf0c0e0f2b97afa39d00659f6763
RedLineStealer
e26fe6535f9ec57538d49515fdf98b1a925fa26dd28040a96a5bc1c94a691975
RedLineStealer
f89908f8594a0dccfb5e52b295075ff63be86c0f5584f990d39dfe2b2c2f9c08
RedLineStealer
+ 65 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:thedanikxd botnet:xxluchxx1 discovery infostealer spyware stealer
Link:
https://tria.ge/reports/211112-1q3vmsbcdm/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
RedLine
RedLine Payload
Malware Config
C2 Extraction:
194.58.69.100:37026
212.86.102.63:62907
Unpacked files
SH256 hash:
20cad09d67939a77babe0d7f9949cae72b6ac79dc92180877a8b67c19d643af8
MD5 hash:
54585ce74ef3c0de155ed074fccb939a
SHA1 hash:
b89e53d9c30df49195ce149b14d1ce6f65d093f7
Link:
https://www.unpac.me/results/ef854397-d42c-4b6e-8e05-88b67db59656/
SH256 hash:
ff0bcc45853b6740d54f30162465b6dcb265fb4a8bb2e16a629b961ee67dfd75
MD5 hash:
8d9328dd33c28b417ff4909192e276d5
SHA1 hash:
65414cd819a2ed9a9a24ee34adaa48fc79392a0a
Link:
https://www.unpac.me/results/ef854397-d42c-4b6e-8e05-88b67db59656/
Malware family:
RedLine
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/ff0bcc45853b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Adsterra_Adware_DOM
Create hunting rule
Author:IlluminatiFish
Description:Detects Adsterra adware script being loaded without the user's consent
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe ff0bcc45853b6740d54f30162465b6dcb265fb4a8bb2e16a629b961ee67dfd75

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1781297/
Cape
Cape
https://www.capesandbox.com/analysis/205379/

Comments


Avatar
zbet commented on 2021-11-12 21:52:01 UTC

url : hxxp://file-file-host6.com/files/9565_1636743030_8404.exe