MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0c30a372c59133044f5e0c6c7a4779515f64b2a3f03c0ee66549c3216873a1dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0c30a372c59133044f5e0c6c7a4779515f64b2a3f03c0ee66549c3216873a1dd
SHA3-384 hash: af2ef77eff23205998a56431ad9d101d83f7f0a4ab4d36b3ff4e48d8945a98d6658beb819162a5d08bd58075ae826daa
SHA1 hash: e89d26ebdd8585840094db45d60968455bcfd822
MD5 hash: 58fc3bb157e30334818c6f8a184ed14a
humanhash: missouri-indigo-autumn-oven
File name:GrandTheftAutoVcheat.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:431'616 bytes
First seen:2022-08-11 16:02:55 UTC
Last seen:2022-08-11 16:03:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 6144:bCuPm4ds02xvXcDZTgheZ8AUgmx3N3spPMr7iuw2D:bCuPmgsNxPcDZA3H93IEjD
TLSH T12994F13D76C8BF24E9ACD5778259C123BAF98E26530BEE06DDC068E31663B510711CE6
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter tech_skeech
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
452
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
GrandTheftAutoVcheat.exe
Verdict:
No threats detected
Analysis date:
2022-08-11 16:02:45 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ae13a79b-1cfd-4ce4-8ba8-1025346fbfa8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/298056/
Detection(s):
SecuriteInfo.com.Malware.AI.2128337618.31466.11988.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Creating a file
Launching a process
Stealing user critical data
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62f5287fe456f39ac941f1aa/reports/8e5b2218-b228-442f-8292-93b73bb83476/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/49c1c3b6-c1a8-44d3-8570-416e999de7c3
Result
Threat name:
Colibri, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1050077
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found C&C like URL pattern
Found evasive API chain (may stop execution after checking mutex)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Colibri Loader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 682583 Sample: GrandTheftAutoVcheat.exe Startdate: 11/08/2022 Architecture: WINDOWS Score: 100 70 Snort IDS alert for network traffic 2->70 72 Multi AV Scanner detection for domain / URL 2->72 74 Antivirus detection for URL or domain 2->74 76 8 other signatures 2->76 9 GrandTheftAutoVcheat.exe 8 2->9         started        14 powershell.exe 17 2->14         started        process3 dnsIp4 60 185.106.92.226, 40788, 49767 SUPERSERVERSDATACENTERRU Russian Federation 9->60 44 C:\Users\user\AppData\...\tmpC688.tmp.exe, PE32 9->44 dropped 46 C:\Users\...behaviorgraphrandTheftAutoVcheat.exe.log, ASCII 9->46 dropped 82 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 9->82 84 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 9->84 86 Tries to harvest and steal browser information (history, passwords, etc) 9->86 88 Tries to steal Crypto Currency Wallets 9->88 16 tmpC688.tmp.exe 9->16         started        19 Get-Variable.exe 14->19         started        21 conhost.exe 14->21         started        file5 signatures6 process7 signatures8 62 Antivirus detection for dropped file 16->62 64 Multi AV Scanner detection for dropped file 16->64 66 Contains functionality to inject code into remote processes 16->66 68 2 other signatures 16->68 23 tmpC688.tmp.exe 14 16->23         started        28 Get-Variable.exe 19->28         started        process9 dnsIp10 54 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc 194.195.211.26, 49766, 49846, 80 NEXINTO-DE Germany 23->54 56 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx 65.108.213.210, 49834, 49859, 49869 ALABANZA-BALTUS United States 23->56 58 192.168.2.1, 49804 unknown unknown 23->58 42 C:\Users\user\AppData\...behaviorgraphet-Variable.exe, PE32 23->42 dropped 78 Hides that the sample has been downloaded from the Internet (zone.identifier) 23->78 30 Get-Variable.exe 23->30         started        33 schtasks.exe 23->33         started        80 Injects a PE file into a foreign processes 28->80 35 Get-Variable.exe 28->35         started        file11 signatures12 process13 signatures14 90 Antivirus detection for dropped file 30->90 92 Multi AV Scanner detection for dropped file 30->92 94 Found evasive API chain (may stop execution after checking mutex) 30->94 96 Injects a PE file into a foreign processes 30->96 37 Get-Variable.exe 14 30->37         started        40 svchost.exe 1 30->40         started        process15 dnsIp16 48 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc 37->48 50 yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx 37->50 52 176.124.204.171, 8000 GULFSTREAMUA Russian Federation 37->52
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0c30a372c59133044f5e0c6c7a4779515f64b2a3f03c0ee66549c3216873a1dd/
Threat name:
ByteCode-MSIL.Trojan.WizzMonetize
Create hunting rule
Status:
Malicious
First seen:
2022-08-11 16:03:07 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
1
AV detection:
14 of 26 (53.85%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bqykg4wfsezqit26brwhur3zkfpwjmvd6a6a5ztfjhbsc2dtuhoq._file
Verdict:
malicious
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:colibri family:redline botnet:@foruman botnet:build1 discovery infostealer loader spyware stealer
Link:
https://tria.ge/reports/220811-thcj6ahchm/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Colibri Loader
RedLine
RedLine payload
Malware Config
C2 Extraction:
185.106.92.226:40788
http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php
http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
Unpacked files
SH256 hash:
0c30a372c59133044f5e0c6c7a4779515f64b2a3f03c0ee66549c3216873a1dd
MD5 hash:
58fc3bb157e30334818c6f8a184ed14a
SHA1 hash:
e89d26ebdd8585840094db45d60968455bcfd822
Link:
https://www.unpac.me/results/c170b7a2-0362-4a50-a0a8-74405d69345f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0c30a372c591/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.50
Link:
https://yomi.yoroi.company/submissions/0c30a372c59133044f5e0c6c7a4779515f64b2a3f03c0ee66549c3216873a1dd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_colibri_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.colibri.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 0c30a372c59133044f5e0c6c7a4779515f64b2a3f03c0ee66549c3216873a1dd

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/298056/

Comments