MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 220cc23821dc51e1de7ee0e492cef0c0fe9b3785baf6fcee88f56fcbae576bed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 1 File information Comments

SHA256 hash:	220cc23821dc51e1de7ee0e492cef0c0fe9b3785baf6fcee88f56fcbae576bed
SHA3-384 hash:	3451cce63b81a57a2227a9d13c76a99d4d368c99c390a3f71d1817372d4a627e6e37e1fe017f1e7d9638b8e68c620a7d
SHA1 hash:	4ca7c0c7024ef0aa5e83ee4d378eb2c3c71fc7d4
MD5 hash:	bacefa7408181dab82e5d24b89277668
humanhash:	network-six-michigan-oranges
File name:	220cc23821dc51e1de7ee0e492cef0c0fe9b3785baf6f.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	316'416 bytes
First seen:	2021-10-06 06:56:37 UTC
Last seen:	2021-10-06 08:19:21 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f04f32f42fdfa69095db11dda219012b (11 x RaccoonStealer, 4 x ArkeiStealer, 2 x RedLineStealer)
ssdeep	6144:8oNVpSS6Hk45krMhScu6U8J3tRpCqOP/OmupLFHF0aLSlTL:8iVpSS6Hk4qMhScVJ9mX+FHFzStL
Threatray	2'847 similar samples on MalwareBazaar
TLSH	T11B64C010B7E0C035F5B712FA057583B9A92DBDB16B3851CB52C52BEA9A346E4EC30397
File icon (PE):
dhash icon	e0e8e8e8aa62a499 (12 x RaccoonStealer, 9 x RedLineStealer, 7 x ArkeiStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
185.92.73.160:6070

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
185.92.73.160:6070	https://threatfox.abuse.ch/ioc/230881/

Intelligence

File Origin

# of uploads :

# of downloads :

138

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

220cc23821dc51e1de7ee0e492cef0c0fe9b3785baf6f.exe

Verdict:

Malicious activity

Analysis date:

2021-10-06 06:58:35 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/ca7654b0-203f-49ce-8597-a9bddbdff72c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/195283/

Detection(s):

SecuriteInfo.com.Trojan.DownLoader42.62977.14757.8481.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Connection attempt

Sending a custom TCP request

Launching a service

Creating a window

Connection attempt to an infection source

Sending a TCP request to an infection source

Using the Windows Management Instrumentation requests

Reading critical registry keys

Query of malicious DNS domain

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/615d48c498a6280f3932c1cc/reports/7aff3507-e02c-45a4-8329-7ad802bdfa0a/overview

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/b70e554f-88e6-4a62-9ebd-10e23f679338

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/865281

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/220cc23821dc51e1de7ee0e492cef0c0fe9b3785baf6fcee88f56fcbae576bed/

Threat name:

Win32.Trojan.ClipBanker

Status:

Malicious

First seen:

2021-10-05 20:43:03 UTC

AV detection:

20 of 39 (51.28%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=eigmeobb3ri6dxt64dsjftxqyd7jwn4fxl3pz3ui6vx4xlsxnpwq._file

Verdict:

malicious

RedLineStealer

3eab904378106422ddb6fac7d20dd694919c0b69fe09231435d781e0f1507e0a

RedLineStealer

51d53ea96cef125f782633f97ae3e7bfaa19c50aeed07186ce85f0b09e7f4446

RedLineStealer

6223f08f2ea185a1cbcef1085ae6bddc64806e80a982acbe8cfb0056de0594a8

RedLineStealer

64fa435686d94f74a3cc546fed84efea58c1ef60454ad9f60939960fadcbaa54

RedLineStealer

a0e565d4dabe4fca53afd035b7c4c0ec68d79e1655042ce42c38e85f18e3dbfe

RedLineStealer

ba9fb85fdf253d76f2e1b1ae1e96b45ffb31ac9f8b7d7b4375e1616a0f4f2137

RedLineStealer

bc2cce5055f9411c04edeee699d7161c257574b4c5540351b647d8a52de9540c

RedLineStealer

c569326abd44e1e6d0b0a843c41f39c8b06bd1e0085233bdb4024a2289a811cc

RedLineStealer

f59e70c1e2703fd8d6016bad2f6b4ebd7824b52eab2bf63a0fdc96f0a3d16011

RedLineStealer

+ 2'837 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline discovery infostealer spyware stealer

Link:

https://tria.ge/reports/211006-hqya2sahfp/

Behaviour

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

185.92.73.160:6070

Unpacked files

SH256 hash:

13f7ac30eb39cf24986edc688aa98742db025952467692def9edc004dab86309

MD5 hash:

3b91f6cefe8c290ebd1f0a2eccbf8149

SHA1 hash:

ef73bcd5bb2132c190d7ccb755d11e147d389111

Link:

https://www.unpac.me/results/35ec692c-b2e8-48b2-ae34-6502d8f0219c/

SH256 hash:

9a61f48f6a6793bb589d200c05fed5ce0515905412ec019452c664044872ed2e

MD5 hash:

ddc54d57597163b6db135fabc298585a

SHA1 hash:

5885f9b806f98793e76d09b309019480189fa430

Link:

https://www.unpac.me/results/35ec692c-b2e8-48b2-ae34-6502d8f0219c/

SH256 hash:

d096490c40c76e6405fdb6ad03cda2bac4032d6b78767b166cdfa8a47c14b0ba

MD5 hash:

06d06e89cacab7d875eb3f4f18c72fd2

SHA1 hash:

4011b1cb01a41c875da4c0b88f1a6a47c9d6f0d8

Link:

https://www.unpac.me/results/35ec692c-b2e8-48b2-ae34-6502d8f0219c/

SH256 hash:

220cc23821dc51e1de7ee0e492cef0c0fe9b3785baf6fcee88f56fcbae576bed

MD5 hash:

bacefa7408181dab82e5d24b89277668

SHA1 hash:

4ca7c0c7024ef0aa5e83ee4d378eb2c3c71fc7d4

Link:

https://www.unpac.me/results/35ec692c-b2e8-48b2-ae34-6502d8f0219c/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/220cc23821dc/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/220cc23821dc51e1de7ee0e492cef0c0fe9b3785baf6fcee88f56fcbae576bed

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/195283/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample