MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ccb015a66c2fcda0f09dadcd22b7d5eaac24565a75e67292677e2c488455ab6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 14

Intelligence 14 IOCs 1 YARA 2 File information Comments

SHA256 hash:	1ccb015a66c2fcda0f09dadcd22b7d5eaac24565a75e67292677e2c488455ab6
SHA3-384 hash:	611ca82d18c71109c3fc16683d1824833528bc57655b48b3fd91755aadaec116da9ce5f9ad636826fde9806c1961d256
SHA1 hash:	6570d3c3bf5340309bd88c9005018f5be1c2703a
MD5 hash:	e2dd660a47fabd0fcb5c537896f49a9a
humanhash:	autumn-ten-zulu-green
File name:	file
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	389'120 bytes
First seen:	2022-10-24 05:15:44 UTC
Last seen:	2022-10-24 05:50:57 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	85c2243080c4d639c6b8e81e9e238d45 (10 x RedLineStealer, 9 x Smoke Loader, 5 x CoinMiner)
ssdeep	6144:A9FDVLKz2BX2x02oqKGre4U58MRoAPJeYeHBm9QnGRn6lxghK68yBCNtk:A9FR46X2xprKGr9U58DAPJ6HwOS6i8yB
Threatray	8'076 similar samples on MalwareBazaar
TLSH	T1D484F1227581C032E277117559A4D7B5AA7BB9701A366A8B7FC807FD6F303D38A26307
TrID	39.4% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 29.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 9.9% (.EXE) Win64 Executable (generic) (10523/12/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	2b178e4de66a3333 (1 x RedLineStealer)
Reporter	andretavare5
Tags:	exe RedLineStealer

andretavare5

Sample downloaded from http://91.212.166.17/MicrosoftKey.exe

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
91.212.166.17:47242	https://threatfox.abuse.ch/ioc/916215/

Intelligence

File Origin

# of uploads :

# of downloads :

200

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2022-10-24 05:17:19 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/06c85760-b8bc-4b3a-8bd5-99d8c09318ad

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/323181/

Detection(s):

Win.Packed.LokiBot-9975422-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Creating a file in the system32 subdirectories

Reading critical registry keys

Creating a file

Creating a file in the %AppData% subdirectories

Moving a file to the %AppData% subdirectory

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Stealing user critical data

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f5b5a959-03ff-42bf-b96f-1157bc711849

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1096178

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1ccb015a66c2fcda0f09dadcd22b7d5eaac24565a75e67292677e2c488455ab6/

Threat name:

Win32.Trojan.Privateloader

Status:

Malicious

First seen:

2022-10-24 06:12:59 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 26 (88.46%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dtfqcwtgyl6nudyj3lonek35l2vmerlfu5pgokjgo7rmjccflk3a._file

Verdict:

malicious

RedLineStealer

1f0425fe23f0d4ac522e4b7ab406d256eb4e83e559ee321d543e5aaa1b9dd81b

RedLineStealer

365904fa34452030915b29fcbf60978159e63a6240622ffd72b6d564a591bad4

RedLineStealer

52e3242393de87b01436ebbd277bfede706386a50e9ed5228972952d46f2cd53

RedLineStealer

991c8dfbe0a289193571e5a0c7accc97d78854fdf99b81fa54621cbf9cb19ceb

RedLineStealer

c47413fbe7370f890051b2fa9c29ca979a56eb6c2c5552139c41ce4eec3b5856

RedLineStealer

d7fd854148197d2bcb0b950073f5fc33aaf2447fb6f638dde571d4900452f593

RedLineStealer

db002e8b893fd6dee710745042a37df58e48dc40ae5f8b68f061864343441c77

RedLineStealer

+ 8'066 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:dozkey discovery infostealer spyware stealer

Link:

https://tria.ge/reports/221024-fx5btsegem/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

Malware Config

C2 Extraction:

91.212.166.17:47242

Unpacked files

SH256 hash:

e58eea1068c784e3dcb533ce64aae58ef7920c8742ed940d79d2ba360811a82a

MD5 hash:

dcf3c0102d4e1d44bcbf1c5eb9528bd2

SHA1 hash:

af31bdef305768766120a012973bacb4f15034ee

Detections:

redline

Link:

https://www.unpac.me/results/1149b439-dd1c-4ca1-a521-ba65162dc41f/

Parent samples :

48cbaaab18b890652bfef726e950299231302c30f8199b8662c5901825c4129d
0de875f11ee5d69c5b4633e3b878529f08788440f87fb3ab0cde77e698b200e9
799e2b0dee8840f6d5188de9f87ed464fcc7ad20f9b5649a484f97bdd5348700
db002e8b893fd6dee710745042a37df58e48dc40ae5f8b68f061864343441c77
f266c8ee6eb9d3bd5b6837f32f36db8a641e767ac894b81cec6c2dc3ee19f0dd
991c8dfbe0a289193571e5a0c7accc97d78854fdf99b81fa54621cbf9cb19ceb
1ccb015a66c2fcda0f09dadcd22b7d5eaac24565a75e67292677e2c488455ab6
b4447a4391e46c6a2aa54352e24ffaa942cb5fed36c93200ca797c8aed010113
de40f288db5205260851385815e74116dbaf8d392a8c482ad9d89aa653dfed2a
0c1e5acd77d667335c59b10f7bd08997ff5bac4aeb52722fffe17c60d1779553
32e3a90268a245c20daf420e7e50521b8501a8c1b2e15b79a6938688ac80eaa6
489529112a5723a8a10721cd849c7c1ac08be57025b069b585a769d78ff26ea2

SH256 hash:

97db991fe56320065ff62f3215970d660418e6852e3004da9b54235a923d1500

MD5 hash:

7e73850b53b7b41ae570be4400cfa26c

SHA1 hash:

79cb307ea14094808240cf1ba5ae8af7d7c06c30

Link:

https://www.unpac.me/results/1149b439-dd1c-4ca1-a521-ba65162dc41f/

SH256 hash:

7dc0b7b8735c32eb535f7ed2942e395eca96e0086af4aa2966d9fee6ead02dfd

MD5 hash:

a169389d4e3baff79c267cb6c9399f60

SHA1 hash:

5f89b7eb12c37a88c818b5857bc2945edb40d3a7

Detections:

redline

Link:

https://www.unpac.me/results/1149b439-dd1c-4ca1-a521-ba65162dc41f/

Parent samples :

48cbaaab18b890652bfef726e950299231302c30f8199b8662c5901825c4129d
52e3242393de87b01436ebbd277bfede706386a50e9ed5228972952d46f2cd53
c47413fbe7370f890051b2fa9c29ca979a56eb6c2c5552139c41ce4eec3b5856
8f4afa06546e11c830d7e0b94241b5512ca7063768ab3398d6f1c33038522d04
d285d0a18d5e51285963abd72ce31c5df6901b4898a9a0bc5db60c8b7c258306
b3052af2c1ddf659b83954242a6089df7a1bd0b64c3f3f2c2bcf38c797233873
c4206333c1a4d1b2dcb2345a41e8760cb2a861341f756a482d7da77506e29684
0de875f11ee5d69c5b4633e3b878529f08788440f87fb3ab0cde77e698b200e9
52f0a344c8b48a6801baebfefbb892756396088a7868628a635af1f1b05a1b19
799e2b0dee8840f6d5188de9f87ed464fcc7ad20f9b5649a484f97bdd5348700
db002e8b893fd6dee710745042a37df58e48dc40ae5f8b68f061864343441c77
f266c8ee6eb9d3bd5b6837f32f36db8a641e767ac894b81cec6c2dc3ee19f0dd
d40fc6109211068d9e09a2f1e64582c33f3ad61b2af5b65e311096ea3634be1d
991c8dfbe0a289193571e5a0c7accc97d78854fdf99b81fa54621cbf9cb19ceb
1ccb015a66c2fcda0f09dadcd22b7d5eaac24565a75e67292677e2c488455ab6
b4447a4391e46c6a2aa54352e24ffaa942cb5fed36c93200ca797c8aed010113
08a013750c3ed9e339bd3648d917d2d4b6e9abe21cc1ee36cdc93a136bd5280c
241f43f5c38693709006262e623833f8e38c46fee00719d805dd987640cd7d07
de40f288db5205260851385815e74116dbaf8d392a8c482ad9d89aa653dfed2a
6eb0af96065d646ab24c8863032d95e24321b2ccffa9d8b759914237cb439f96
809b0a9b896b9abcb0d1fd2cfbf61ad280c04ab801123aca803ba1cbdc6c42a6
f6826dbd4674d710f36a8d66991239c84958591feb9e1ef03b8393c38659d9e2
a7f3b188e40442ef84a92ca3daf76c2d65f98e9fceee53ff40c1ca5916ccd673
69a9e8239fde88fef3b3fb4d92220390f9c9f84f8c3964678eeab3fbdbd49dbc
0c1e5acd77d667335c59b10f7bd08997ff5bac4aeb52722fffe17c60d1779553
32e3a90268a245c20daf420e7e50521b8501a8c1b2e15b79a6938688ac80eaa6
489529112a5723a8a10721cd849c7c1ac08be57025b069b585a769d78ff26ea2
0bea9e772ca21798cb2eaaf2ad5d05e403b8182756be5f74ac83dd25f2d8dacf
b62ebe6b28b02ae9092ced023b76e8a1ff48798025c93f40548db508035d1962

SH256 hash:

1ccb015a66c2fcda0f09dadcd22b7d5eaac24565a75e67292677e2c488455ab6

MD5 hash:

e2dd660a47fabd0fcb5c537896f49a9a

SHA1 hash:

6570d3c3bf5340309bd88c9005018f5be1c2703a

Link:

https://www.unpac.me/results/1149b439-dd1c-4ca1-a521-ba65162dc41f/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1ccb015a66c2/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1ccb015a66c2fcda0f09dadcd22b7d5eaac24565a75e67292677e2c488455ab6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/323181/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample