MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 20cc86df6047d6350fb5ebc5a1aac365c6c0ca69bb6c6c0e1e3415010d0779b9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments 1

SHA256 hash:	20cc86df6047d6350fb5ebc5a1aac365c6c0ca69bb6c6c0e1e3415010d0779b9
SHA3-384 hash:	85b1da9daee021a2bb9ef2252b2415a27ce882a53b2fee5d8b5cb9679ac97ceee7aa7a19e8f825bd6c3cea18bfd3ef1b
SHA1 hash:	645275147ee37ea40bfaf3ce63e97b545bdd5f9d
MD5 hash:	c2806d10ac2390156ffaed2fd8c03ea5
humanhash:	kilo-echo-bacon-white
File name:	c2806d10ac2390156ffaed2fd8c03ea5.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	322'560 bytes
First seen:	2021-04-21 13:37:06 UTC
Last seen:	2021-04-21 15:00:42 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	8fd60dafad060fd6212af469fec2faa3 (5 x ArkeiStealer, 4 x RedLineStealer)
ssdeep	6144:u3l3QtWLRPLSyAvpzUFwdLvH+6NM6UtHu3f3aEoB3XG5Cu:u9QtCPjAv+25vH++YkyEO2su
Threatray	493 similar samples on MalwareBazaar
TLSH	0164D011B290E172D05260B55619C7B18E3A3835792AEE8BBFC16BBD1F253D1E62730F
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

108

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/142140/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware1.1957.29556.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending an HTTP POST request

Sending a custom TCP request

Sending a UDP request

Using the Windows Management Instrumentation requests

Creating a window

Creating a file in the %temp% directory

Deleting a recently created file

Reading critical registry keys

Creating a file

Stealing user critical data

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/20cc86df6047d6350fb5ebc5a1aac365c6c0ca69bb6c6c0e1e3415010d0779b9/

Threat name:

Win32.Trojan.CrypterX

Status:

Malicious

First seen:

2021-04-21 13:42:39 UTC

AV detection:

17 of 29 (58.62%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=edginx3ai7ldkd5v5pc2dkwdmxdmbstjxnwgydq6gqkqcdihpg4q._file

Verdict:

malicious

RedLineStealer

2efb4d4bb7e9141474ee5ae3f8c40274c5ab675b33836ac31a8ec554dd76a9bf

RedLineStealer

61afa5c0da0fb5b87aa1dc81df5153152a1321d9daf6eb7e220299cf483f453c

RedLineStealer

667d6191eab21dca3a07f01b287a4a4d35c719885b712eeaf3fedeeeb8b16e4f

RedLineStealer

7b9bd29f5c0787b2937b34493ca5a7128d476dc9f4257643f1fd47d48399eafa

RedLineStealer

c0dc7d159998d5d56de5e562cf751e2418a6f23b1c2be5f1b74d0d3590bb2d98

RedLineStealer

defc8c4fa50129d532f0a9bf7a314043fdd3adbf69e46a1b50b9ade98a75926a

RedLineStealer

eec9f565329a6a6e4129c775a212eda9a3e23001dff996345538de0ea1f6bdfc

RedLineStealer

f01f44864129ba56c115b4c4dcaf8373a1f7996a142e17ffcf4d7f4f875bcdaa

RedLineStealer

f3ec960fde547dac872a3fe8ee59c3beb063457673fcf50480e20c886c7f17fa

RedLineStealer

+ 483 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:118 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/210421-yp2hja7s52/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

bumblebee2021.store:80
trusmileveneers.store:80
lazerprojekt.store:80

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/20cc86df6047d6350fb5ebc5a1aac365c6c0ca69bb6c6c0e1e3415010d0779b9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekshen
Description:	Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

exe 20cc86df6047d6350fb5ebc5a1aac365c6c0ca69bb6c6c0e1e3415010d0779b9

(this sample)

Cape

https://www.capesandbox.com/analysis/142140/

URLhaus

https://urlhaus.abuse.ch/url/1147433/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-21 14:14:29 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009.029] Anti-Behavioral Analysis::Instruction Testing
1) [B0012.001] Anti-Static Analysis::Argument Obfuscation
2) [C0003.002] Communication Micro-objective::Connect Pipe::Interprocess Communication
3) [C0049] File System Micro-objective::Get File Attributes
4) [C0051] File System Micro-objective::Read File
5) [C0052] File System Micro-objective::Writes File
6) [C0007] Memory Micro-objective::Allocate Memory
7) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
8) [C0040] Process Micro-objective::Allocate Thread Local Storage
9) [C0041] Process Micro-objective::Set Thread Local Storage Value
10) [C0018] Process Micro-objective::Terminate Process