MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 04ebbf20cfd58785ad616b81244c6901e8ed57c9c2c1c10c4bf454c035f69aa2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 9



SHA256 hash: 04ebbf20cfd58785ad616b81244c6901e8ed57c9c2c1c10c4bf454c035f69aa2
SHA3-384 hash: f9d9e406a2d0268bea63ee6240d780bbe4eea4f4069dad08271f7c47328205be9da2c8f117020498eb8bd090a76e3ddd
SHA1 hash: c3c327b492d7ab0de17181cc7fc187d81eb1bed7
MD5 hash: 2320dc2bbca2b3c45573d259f7b77e5d
humanhash: item-chicken-golf-spaghetti
File name: wocmr.exe
Signature: RedLineStealer
File size: 287'232 bytes
First seen: 2021-07-05 19:16:28 UTC
Last seen: 2021-07-05 19:44:46 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 8e08dca4289dcdec6dfa71a08e601d6c (1 x RedLineStealer, 1 x CryptBot)
ssdeep: 3072:KLv5RVyiEy9MJB5lggOXEIxyj5kI7EpfRuoOdl0rnlipHOQcFVxvRu8t4xytu3:6kiEy9MMgSEIxJuoOdmpQcFVxY7B
Threatray: 1'262 similar samples on MalwareBazaar
TLSH: 4654E1113950C832C79641344865D7B0667ABC325E77DA47B38C7FBF6E312C2AA7A316
Reporter: malware_traffic
Tags: exe Redline RedLineStealer

Intelligence


File Origin
# of uploads: 2
# of downloads: 162
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: wocmr.exe
Verdict: Malicious activity
Analysis date: 2021-07-05 19:02:06 UTC
Tags: trojan rat redline stealer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Malicious Packer
Verdict: Malicious
Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Threat name: Win32.Trojan.Azorult
Status: Malicious
First seen: 2021-07-05 19:17:08 UTC
AV detection: 17 of 29 (58.62%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:pitttadov discovery infostealer spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction: 135.181.220.99:17984
Unpacked files
SHA256 hash: 43c08744c1c874b37034cafcc8a4f5688c0249c84c3494a7477ee606e186f613
MD5 hash: c873337c3533910b25c67f7c9ef7246b
SHA1 hash: 62b14befb065ed87c74d3f7e5c003f4929429534

SHA256 hash: a37b8a2ed96db79fb2cc02871be75bb38dff20375df906ee3d09245b5b9b4401
MD5 hash: 10310e46030dd32ea581f8449996bb9f
SHA1 hash: 50c36fa9520044845c65cf8e0c9d0570221ed5fd

SHA256 hash: 20f2ed2a18a67de426e4cfb74632dcf705e35a16685ab2d1a2eed12d291f744e
MD5 hash: 1c40ba0c022214379aedb95558bd676c
SHA1 hash: 23e4c73c670e2f52e364920d6d8b98ed7dc42266

SHA256 hash: 04ebbf20cfd58785ad616b81244c6901e8ed57c9c2c1c10c4bf454c035f69aa2
MD5 hash: 2320dc2bbca2b3c45573d259f7b77e5d
SHA1 hash: c3c327b492d7ab0de17181cc7fc187d81eb1bed7
Please note that we are no longer able to provide a coverage score for VirusTotal.
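The hashes listed above (the submitted file plus the unpacked payloads) and the extracted C2 endpoint are the actionable IOCs on this entry. The Python below is an added example, not MalwareBazaar's or any vendor's code: it computes the four digests the entry lists for a file, checks a file against the SHA256 set, and runs two detections over connection logs, a direct match on the C2 address and port, and a per-destination port fan-out count that mirrors the sandbox signature "Connects to many ports of the same IP". The log line format and the log lines themselves are constructed for illustration; the IP 203.0.113.5 is a documentation-range placeholder for benign traffic.

```python
# Added example for the IOCs in this MalwareBazaar entry; it is not
# MalwareBazaar code. Hash values and the C2 endpoint are copied from the
# entry above; the log format and log lines are constructed for illustration.
import hashlib
import ipaddress
from collections import defaultdict

# SHA256 of the submitted sample (wocmr.exe) plus the three unpacked files
# listed on the entry.
SHA256_IOCS = {
    "04ebbf20cfd58785ad616b81244c6901e8ed57c9c2c1c10c4bf454c035f69aa2",
    "43c08744c1c874b37034cafcc8a4f5688c0249c84c3494a7477ee606e186f613",
    "a37b8a2ed96db79fb2cc02871be75bb38dff20375df906ee3d09245b5b9b4401",
    "20f2ed2a18a67de426e4cfb74632dcf705e35a16685ab2d1a2eed12d291f744e",
}

# C2 endpoint extracted from the RedLine configuration on the entry.
C2_ENDPOINTS = {("135.181.220.99", 17984)}


def digests(data: bytes) -> dict:
    """Return the four digests MalwareBazaar lists for a sample."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }


def matches_known_sample(data: bytes) -> bool:
    """True if the SHA256 of data is one of the hashes listed on the entry."""
    return digests(data)["sha256"] in SHA256_IOCS


def parse_conn_line(line: str):
    """Parse one constructed log line of the form
    '<timestamp> <src_ip> <src_port> <dst_ip> <dst_port> <proto>'.
    Returns None for lines that do not fit that shape."""
    fields = line.split()
    if len(fields) != 6:
        return None
    ts, src_ip, src_port, dst_ip, dst_port, proto = fields
    try:
        ipaddress.ip_address(src_ip)
        ipaddress.ip_address(dst_ip)
        src_port, dst_port = int(src_port), int(dst_port)
    except ValueError:
        return None
    return {"ts": ts, "src_ip": src_ip, "src_port": src_port,
            "dst_ip": dst_ip, "dst_port": dst_port, "proto": proto}


def find_c2_hits(lines) -> list:
    """Connections whose destination is the C2 endpoint from the entry."""
    hits = []
    for line in lines:
        rec = parse_conn_line(line)
        if rec and (rec["dst_ip"], rec["dst_port"]) in C2_ENDPOINTS:
            hits.append(rec)
    return hits


def flag_port_fanout(lines, threshold: int = 5) -> dict:
    """Flag (src_ip, dst_ip) pairs that touched at least `threshold` distinct
    destination ports, the pattern behind the sandbox signature 'Connects to
    many ports of the same IP'. Returns the sorted ports per flagged pair."""
    ports = defaultdict(set)
    for line in lines:
        rec = parse_conn_line(line)
        if rec:
            ports[(rec["src_ip"], rec["dst_ip"])].add(rec["dst_port"])
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= threshold}


# Constructed log lines (not from the entry): one host reaching the C2 on its
# configured port and two neighbouring ports, benign traffic to a
# documentation-range address, and one malformed line the parser must skip.
LOG_LINES = [
    "2021-07-05T19:20:01Z 10.0.0.17 49812 135.181.220.99 17984 tcp",
    "2021-07-05T19:20:04Z 10.0.0.17 49813 135.181.220.99 17985 tcp",
    "2021-07-05T19:20:07Z 10.0.0.17 49814 135.181.220.99 17986 tcp",
    "2021-07-05T19:20:09Z 10.0.0.17 49815 203.0.113.5 443 tcp",
    "malformed line that should be skipped",
]

if __name__ == "__main__":
    for hit in find_c2_hits(LOG_LINES):
        print("C2 hit:", hit["src_ip"], "->", hit["dst_ip"], hit["dst_port"])
    print("port fan-out:", flag_port_fanout(LOG_LINES, threshold=3))
    print("known sample:", matches_known_sample(b"not the sample"))
```

The exact-endpoint match is the high-confidence rule; the fan-out rule is the noisier one, so keep its threshold above what normal client traffic produces and treat a hit as a lead to pivot on (the entry also notes "Uses known network protocols on non-standard ports"), not as a verdict on its own.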

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MALWARE_Win_RedLine
Author: ditekshen
Description: Detects RedLine infostealer
