MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0c1fc2b2d57ed0e1a22e06c0a700996b36646d4a27278117fda266949aeb86ab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0c1fc2b2d57ed0e1a22e06c0a700996b36646d4a27278117fda266949aeb86ab
SHA3-384 hash: 026cdbb8486aa107e9e171ff81917f56a6757fd8d2203c31c91d0bcf35d4753a4bf3cb38eb309627318401ab24f82624
SHA1 hash: 96ebdecb0127a033c5beb937b6890f49d6ed1028
MD5 hash: da64052d0668ffd45460f0808b8289f6
humanhash: wolfram-carbon-twenty-washington
File name:0c1fc2b2d57ed0e1a22e06c0a700996b36646d4a27278.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:254'464 bytes
First seen:2021-08-20 14:20:58 UTC
Last seen:2021-08-20 15:11:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a84fa8c5c9d81b30cf439f0d2b7f422b (7 x RedLineStealer, 4 x RaccoonStealer, 2 x Smoke Loader)
ssdeep 3072:2BP0x+oqB1Y5Syvc/PgxAArZ6CV3BofCwxCvmW/bcDE40wBSRjDzJ/gxzgFnLmx:N+oQA6+AAFf6ymWDs6DzCRgFnL
Threatray 1'536 similar samples on MalwareBazaar
TLSH T19844E11079B0C1B3C453D67039DECAE06A3ABD216BB4510F3F9B266F2E71281D61AF56
dhash icon 1072c292b0381802 (7 x RedLineStealer, 7 x RaccoonStealer, 2 x Stop)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
45.14.49.245:61619

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
45.14.49.245:61619 https://threatfox.abuse.ch/ioc/192465/

Intelligence

File Origin
# of uploads :
2
# of downloads :
130
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4ad09c0ed70dbbc220d66da87d3dc5b0.exe
Verdict:
Malicious activity
Analysis date:
2021-08-20 14:19:23 UTC
Tags:
evasion opendir trojan rat redline
Link:
https://app.any.run/tasks/74b991e1-c1e3-42fa-94c6-96c3c1a5047e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/180963/
Detection(s):
SecuriteInfo.com.Variant.Fragtor.9685.26465.13881.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
Sending an HTTP POST request
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Creating a file
Sending a UDP request
Stealing user critical data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e8b0ee72-7b8a-4354-9070-b3dfb2075465
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/836462
Signature
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0c1fc2b2d57ed0e1a22e06c0a700996b36646d4a27278117fda266949aeb86ab/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2021-08-20 14:21:05 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bqp4fmwvp3iodiroa3akoaeznm3gi3kke4tycf75ujtjjgxlq2vq._file
Verdict:
malicious
Similar samples:
154d1fb0342d26622c548ab47adfa4a94845d763a5e8b5841f751abf0baff2ed
RedLineStealer
1b14c7036f8b61a95942856545cf119cb93433bb92ce6d196ebddb45eeaca453
RedLineStealer
524ee29b7756f2aadd0a07eeb4ca406084ff58369efdbe795169af470a0632ac
RedLineStealer
c783603717e4e900812cefc1676313b5511cd1904cded011effbacc7a95cda74
RedLineStealer
ca68be73a03f7463fa58538b9ce46d0c94fc15204bddc7fe0a6a5c70fdb8f1b1
RedLineStealer
ffebf01251d7696de69b50dbbe38c30f0fa936fa476fe35cfe79da64fb0a680c
RedLineStealer
+ 1'526 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:21.08 discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210820-xl3gxt86r6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
45.14.49.245:61619
Unpacked files
SH256 hash:
e8f6c58d5550975dbf4e362ff221b56ddb2568cf1148e1786d7cee0145463258
MD5 hash:
eb2702efe10a1ad4e9a6aa95cdc568fe
SHA1 hash:
3112ad06095d4d56d543a52f6b7092e212674f8d
Link:
https://www.unpac.me/results/6e1f2aa0-e462-47ba-bbc8-d10fa11523c9/
SH256 hash:
2c4de39d5b9039ae761d3b1013b3d35e51c6d2a2dd51d1a35e60b6af469ac107
MD5 hash:
ab8c6da567171beb77dbd7de3cfe2e77
SHA1 hash:
258ed816be348b11241896e9c34202f84f87ad70
Link:
https://www.unpac.me/results/6e1f2aa0-e462-47ba-bbc8-d10fa11523c9/
SH256 hash:
2d1f3af10a208f388bd9531ab1a18f9a308dab3df11b45a50a904fae75d656c7
MD5 hash:
f1956ef3973d47ab9a5ed6aadeb45962
SHA1 hash:
2289d3a3b38ff228b53e3b6fed928d60455869dc
Link:
https://www.unpac.me/results/6e1f2aa0-e462-47ba-bbc8-d10fa11523c9/
SH256 hash:
0c1fc2b2d57ed0e1a22e06c0a700996b36646d4a27278117fda266949aeb86ab
MD5 hash:
da64052d0668ffd45460f0808b8289f6
SHA1 hash:
96ebdecb0127a033c5beb937b6890f49d6ed1028
Link:
https://www.unpac.me/results/6e1f2aa0-e462-47ba-bbc8-d10fa11523c9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0c1fc2b2d57ed0e1a22e06c0a700996b36646d4a27278117fda266949aeb86ab

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 0c1fc2b2d57ed0e1a22e06c0a700996b36646d4a27278117fda266949aeb86ab

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1547071/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/180963/

Comments