MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 20c001b516886d62564d7dfa31c64df249aa336d0f58984122edf2b3885c8271. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 8

Intelligence 8 IOCs 1 YARA 3 File information Comments

SHA256 hash:	20c001b516886d62564d7dfa31c64df249aa336d0f58984122edf2b3885c8271
SHA3-384 hash:	065e72a38d646bbab9d275c8f0cfd07c90640de659f8d91b73f17f25e26d46fb30f5507a2f4369da521add4f3524dd1c
SHA1 hash:	81486f126f94bd7b8fec3e1732a3de31d4ff1133
MD5 hash:	69bed4d83b53a37d8c12992989dc72f4
humanhash:	sierra-steak-diet-oven
File name:	69bed4d83b53a37d8c12992989dc72f4.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	4'997'064 bytes
First seen:	2022-03-03 09:05:45 UTC
Last seen:	2022-03-21 06:34:42 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	fddc083fa31a17c938d0a17ec7cd3025 (141 x RedLineStealer, 4 x RaccoonStealer, 1 x Formbook)
ssdeep	98304:vw2nxl4JGLgtv5SxHR82KxsuPy27Y9Xuuk+/618QjrIc:o2xl4J4gIHR82Kx37eeukW618sV
TLSH	T16036335E30ADA804D5BF28B0E5CC6CD1ADECDBAEDCE848D95E564163228349C7E059FC
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
2.56.56.116:26011

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
2.56.56.116:26011	https://threatfox.abuse.ch/ioc/392258/

Intelligence

File Origin

# of uploads :

# of downloads :

187

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/246828/

Detection(s):

PUA.Win.Packer.Asprotect-3

Win.Packed.Fragtor-9940182-0

Win.Packed.Crypterx-9940465-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Creating a window

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Stealing user critical data

Unauthorized injection to a system process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a14f1014-e757-4d72-aa4a-80b583c1f0c8

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/949795

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file has nameless sections

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/20c001b516886d62564d7dfa31c64df249aa336d0f58984122edf2b3885c8271/

Threat name:

Win32.Trojan.Fragtor

Status:

Malicious

First seen:

2022-03-03 09:06:18 UTC

File Type:

PE (Exe)

AV detection:

22 of 43 (51.16%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=edaadniwrbwwevsnpx5ddrsn6je2um3nb5mjqqjc5xzlhcc4qjyq._file

Result

Malware family:

n/a

Score:

10/10

Tags:

n/a

Link:

https://tria.ge/reports/220303-k2rzhsbhap/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of NtCreateProcessExOtherParentProcess

Unpacked files

SH256 hash:

3235c90e497eb6cd6990bc1f26dea5210e9602bcdbbbd39b4d80a0f8205f5a00

MD5 hash:

a6edc1a58e153b04dfffdfc0f2870c82

SHA1 hash:

f5d991313e4fbc595ea31d54ceff24cfccc84ea1

Link:

https://www.unpac.me/results/cf09d993-56bc-402a-a6af-5fcb6b5bbecd/

SH256 hash:

ec0e7284558031abe7d4bd96125d4da4abc55af55aa73e3f76e6e5682a0ea7e2

MD5 hash:

c2789cee05503811bb679927f4d54c5b

SHA1 hash:

499dac0d97b4a22e4566732066a249db7b5a0e69

Link:

https://www.unpac.me/results/cf09d993-56bc-402a-a6af-5fcb6b5bbecd/

SH256 hash:

20c001b516886d62564d7dfa31c64df249aa336d0f58984122edf2b3885c8271

MD5 hash:

69bed4d83b53a37d8c12992989dc72f4

SHA1 hash:

81486f126f94bd7b8fec3e1732a3de31d4ff1133

Link:

https://www.unpac.me/results/cf09d993-56bc-402a-a6af-5fcb6b5bbecd/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/20c001b51688/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/20c001b516886d62564d7dfa31c64df249aa336d0f58984122edf2b3885c8271

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

exe 20c001b516886d62564d7dfa31c64df249aa336d0f58984122edf2b3885c8271

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2072554/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/246828/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample