MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 253cdc5cba3fd7cf6350112945ee8b65d6a21564a5bd09490199cab832f16533. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	253cdc5cba3fd7cf6350112945ee8b65d6a21564a5bd09490199cab832f16533
SHA3-384 hash:	b2ff5203f1b2aaafdc7ab5ff3a978acdfec0739bfb5d7b7368af41b83552f3597363411d188679d0bffe972507b9e68d
SHA1 hash:	454928ad4471754d44c0051b3a915ec5ce042385
MD5 hash:	00b92816309e2704ac0e6dfbee152e55
humanhash:	alpha-foxtrot-high-magazine
File name:	Tcizfcj.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'961'984 bytes
First seen:	2023-06-26 11:50:19 UTC
Last seen:	2023-06-26 12:36:03 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'473 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:B3jP9VNjr7u6KX9U0XrjNSYo+AOEK+tUXnUqm+1zpZml9xJWZte:1P9juReSj0YlAOEDtsVpEl9xIte
Threatray	10 similar samples on MalwareBazaar
TLSH	T1EC959D51BAA0CE27E93F23BBB5B2569843B9D443935AFB8B08C8C1F15C963506D4C25F
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
94.142.138.90:11894

Intelligence

File Origin

# of uploads :

# of downloads :

305

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

Tcizfcj.exe

Verdict:

Malicious activity

Analysis date:

2023-06-26 11:51:13 UTC

Tags:

zgrat rat redline

Link:

https://app.any.run/tasks/0e6c8b98-8362-4504-8ea6-6e28ff58f1c4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/402869/

Detection(s):

SecuriteInfo.com.HEUR.Trojan-Downloader.MSIL.Seraph.gen.32486.9976.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Running batch commands

Creating a process with a hidden window

Launching a process

Sending a UDP request

DNS request

Creating a file

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/64997ba7aafebb733348c8ab/reports/e153a4a1-a53b-4d69-a3bc-677afaf97ffc/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/253cdc5cba3fd7cf6350112945ee8b65d6a21564a5bd09490199cab832f16533

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/3d70221e-c1e1-4454-b503-750101ad210b

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1261429

Signature

.NET source code contains potential unpacker

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses ipconfig to lookup or modify the Windows network settings

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/253cdc5cba3fd7cf6350112945ee8b65d6a21564a5bd09490199cab832f16533/

Threat name:

ByteCode-MSIL.Trojan.RedLineStealer

Status:

Malicious

First seen:

2023-06-26 11:51:06 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 24 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=eu6nyxf2h7l46y2qceuul3ulmxlkefleuw6qssibthflqmxrmuzq._file

Verdict:

malicious

RedLineStealer

1dc2d94462f30e8f97c740a578056634809f9bfef4e38d0c887fce98c2284c03

RedLineStealer

360021ebe6b8431bb0a7b27b6ff4a5c0998728edd3619bab81d067194afffad2

RedLineStealer

4218d4a03fb87124e33562f14b385c28ea9ef1085b2f389d6da8a2c0dc20ce22

RedLineStealer

661f40c3448fa2acbddfd8297c54733b9f2d9c71e15506a4fba876a25d279e76

RedLineStealer

6ef6b791315d1d1581ea617d1837ea8af4db3147ee4ea2ec7cfccc2a5ed11f71

RedLineStealer

733c3e3bf1651f0090a868eebd3670e880f489a2a6a19e47be04fa08eca38623

RedLineStealer

7be497fad30daede2fd7601f09ac79fbe2ec35bec5923e80f321dc30ac606457

RedLineStealer

f0b92472c6a95a379f7235c22460fdb3602d625a662141e7baecc48c049ad715

RedLineStealer

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:9705 infostealer spyware

Link:

https://tria.ge/reports/230626-nz5z5she84/

Behaviour

Gathers network information

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks computer location settings

RedLine

Malware Config

C2 Extraction:

94.142.138.90:11894

Unpacked files

SH256 hash:

253cdc5cba3fd7cf6350112945ee8b65d6a21564a5bd09490199cab832f16533

MD5 hash:

00b92816309e2704ac0e6dfbee152e55

SHA1 hash:

454928ad4471754d44c0051b3a915ec5ce042385

Link:

https://www.unpac.me/results/33c3d201-5471-4d3b-b098-bce349605d3f/

Malware family:

RedLine.E

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/253cdc5cba3f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/253cdc5cba3fd7cf6350112945ee8b65d6a21564a5bd09490199cab832f16533

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/402869/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample