MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0ecc034f8f1166be076eb73a1d38c772fd179aa0c0978aba75126a308a98702a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 16

Intelligence 16 IOCs YARA 2 File information Comments

SHA256 hash:	0ecc034f8f1166be076eb73a1d38c772fd179aa0c0978aba75126a308a98702a
SHA3-384 hash:	d1470178eb0e04cc1ed1e82c7c77ef39503369d953d4c472b6547ea1e293741a07c89f65552d2798d8932fb1d10045b9
SHA1 hash:	bbd8df7eb7492a124e50ed709112a92c3d90bb4d
MD5 hash:	9c820a94cf381f24d83a413e29bd0eab
humanhash:	six-lactose-quiet-lake
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	308'224 bytes
First seen:	2023-03-01 19:45:00 UTC
Last seen:	2023-03-01 21:31:55 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	e3f9c15c4b3609736f33755744ec1f93 (2 x RedLineStealer, 1 x Rhadamanthys, 1 x TeamBot)
ssdeep	6144:IrFUi4exZ6mQ9TLiNExdQeKn/uac7TsHJ3841FaMw0M3:IrFUi4efQ9TmN7B/u9+3r1
Threatray	15 similar samples on MalwareBazaar
TLSH	T17B64CF1233E0B861E1725B319D7A87F46E2FBD528978369F32543B2F4E701A2C962717
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	3989c593993830bb (1 x RedLineStealer)
Reporter	andretavare5
Tags:	exe RedLineStealer

andretavare5

Sample downloaded from http://91.215.85.15/cryp.exe

Intelligence

File Origin

# of uploads :

# of downloads :

216

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-03-01 19:48:01 UTC

Tags:

rat redline

Link:

https://app.any.run/tasks/fe365a5e-28bf-426f-8464-4962683b357b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/370966/

Detection(s):

SecuriteInfo.com.Win32.CrypterX-gen.25813.27550.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Stealing user critical data

Verdict:

No Threat

Threat level:

2/10

Confidence:

75%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/63ffab40bbedb8176ff2087a/reports/6ece568b-6846-42df-aab1-8f324fffa6cc/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/0ecc034f8f1166be076eb73a1d38c772fd179aa0c0978aba75126a308a98702a

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

SmokeLoader

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fc3e4be0-dd69-4583-ab64-66dc5c0114e3

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1185194

Signature

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0ecc034f8f1166be076eb73a1d38c772fd179aa0c0978aba75126a308a98702a/

Threat name:

Win32.Trojan.Privateloader

Status:

Malicious

First seen:

2023-03-01 19:45:07 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 25 (72.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=b3gagt4pcftl4b3ow45b2oghol6rpgvayclyvotvcjvdbcuyoava._file

Verdict:

malicious

RedLineStealer

7fe05268c8e8fd080b2365e422a5e461dc3f6b0256539f56c9076b46e0864346

RedLineStealer

886661aad6c5a156202a50d30412770401829118c532c77e4e19dc9ab67704d3

RedLineStealer

a9979989b6709a7c8c0d588adc4a70f16145a77980288235f3bf31c2daebc877

RedLineStealer

b61e024c0314aae27d06e3213a9fbc24e2a3d77959b24600f75a95c61df848ff

RedLineStealer

bd4d978fa4d4235102b82e6a56867082673bfe1bb7e491e71786fdf9c8203b12

RedLineStealer

d7333a5343a74c8aec7405dadd479c5ca86bc0b5ad8f3a74e4cacc359bfa68ea

RedLineStealer

dca66a3ef8ac260d22b74a2c0942492bce58c51a20528e58b2d26c0a4893b049

RedLineStealer

e1d2b602a3df088de970c32c04b73168447fad6f867dfad97e7e17e8d5e7dc63

RedLineStealer

ef20f567ece486a5df8e04c2b23949619b6a777092b6c5e4f70a7fc812b22459

RedLineStealer

+ 5 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline discovery infostealer spyware stealer

Link:

https://tria.ge/reports/230301-ygdhaahe3s/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine payload

Unpacked files

SH256 hash:

3982d007ed3ad232df0bd682ed99d1cf99edffadf62050622b1461450a8136ec

MD5 hash:

dd9f1c2932034cb9450da858390132f0

SHA1 hash:

c8c98264a2ac0b2dcd17005a93320f8c52d77281

Detections:

redline

Link:

https://www.unpac.me/results/9570871a-c8bc-40e7-8d24-a6a0dded95b1/

Parent samples :

0ecc034f8f1166be076eb73a1d38c772fd179aa0c0978aba75126a308a98702a
e88fdec4baad15e68132d76f3b2ecc20cb47a7cd1e2936730bc7be538521789f
12a35db90d742e30447a174625c113cc13c73b223667031dbc6cae8be38ec5a2
bdea952b056e60fb0d92dc6d0f9e8358ac81028007c4971ec791e211f3f0c183
39cedfd80cd423efcecb63dddb2e3f4143781e0314ccebc29d8a74236bb85901
fca4ab31963439e8e5359bcb0f7fccbfb3e418f95320e6c0776bdae3b7b2498f
96d3662a758311d8533925bbf59e45ae803e4e060380c40ee7defa5c20d1620f
ffd78a3357299ea7fc0b57650575599c859e9e3c9e4907bc7df9cab2293ae552
ca8a4600094e711b7e7fad108d2bf61338a86f470227ba60e27f5dba7b6f0af9
697341461993ea5a75936c40d11974ea7509fb895b779e978a7fbb402d28d01d
b34928ea339fcb61045131dabdadf1182e8e4fa88b737b960ee171f9ebb15cf1
8dbfa6809f9a52d74ffa5bb373c588da4dbeb0ae2c8769e7311610c53826f812

SH256 hash:

7e305dc7d44679710423625a3a882348c12e829359b73c88156cfc93fd2fff09

MD5 hash:

6dd36f6df2e943bdc84f256b5030cbb6

SHA1 hash:

4a250f640138c01ebc5b3746f2080734ce0257eb

Detections:

redline

Link:

https://www.unpac.me/results/9570871a-c8bc-40e7-8d24-a6a0dded95b1/

Parent samples :

0ecc034f8f1166be076eb73a1d38c772fd179aa0c0978aba75126a308a98702a
e88fdec4baad15e68132d76f3b2ecc20cb47a7cd1e2936730bc7be538521789f
12a35db90d742e30447a174625c113cc13c73b223667031dbc6cae8be38ec5a2
39cedfd80cd423efcecb63dddb2e3f4143781e0314ccebc29d8a74236bb85901
ffd78a3357299ea7fc0b57650575599c859e9e3c9e4907bc7df9cab2293ae552
ca8a4600094e711b7e7fad108d2bf61338a86f470227ba60e27f5dba7b6f0af9
697341461993ea5a75936c40d11974ea7509fb895b779e978a7fbb402d28d01d

SH256 hash:

999c9b69a14bfa8a8db96571d103c2134c63bdce550c02444faa0f5656008f52

MD5 hash:

1028b88474c9e64f6cde1225f996161a

SHA1 hash:

3c13981aa00647f7421065767c93cd8083e5bf0d

Link:

https://www.unpac.me/results/9570871a-c8bc-40e7-8d24-a6a0dded95b1/

SH256 hash:

0ecc034f8f1166be076eb73a1d38c772fd179aa0c0978aba75126a308a98702a

MD5 hash:

9c820a94cf381f24d83a413e29bd0eab

SHA1 hash:

bbd8df7eb7492a124e50ed709112a92c3d90bb4d

Link:

https://www.unpac.me/results/9570871a-c8bc-40e7-8d24-a6a0dded95b1/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/0ecc034f8f11/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0ecc034f8f1166be076eb73a1d38c772fd179aa0c0978aba75126a308a98702a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/370966/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample