MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2678fa4d8a8650f8ce4b24880eaf89c49cffa228a419b8e5cf26972a959d87cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2678fa4d8a8650f8ce4b24880eaf89c49cffa228a419b8e5cf26972a959d87cc
SHA3-384 hash: 1bc9cb021dae2d4ade0727cb51cdcc225085807e7f456374ebce210b6a4a92198eab9a397ea5b0eadcce09ab861fcc29
SHA1 hash: 4c12e98491d449fc3fb6f056adc3c6b90496654f
MD5 hash: 934d2b9ee4b5af8bd53ab861226476f9
humanhash: fourteen-sierra-arkansas-blossom
File name:934D2B9EE4B5AF8BD53AB861226476F9.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:6'657'726 bytes
First seen:2021-04-01 05:02:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a1a66d588dcf1394354ebf6ec400c223 (49 x RedLineStealer, 7 x CryptBot, 4 x AZORult)
ssdeep 98304:75aFAmpi+WcVr7jxElrqy9EHsf6IVbLXe5P+Wq4rw1ST2mk0RHw0XFIHDLW8WAg3:75aFAmXV/+lmefLXegG8mo2zAgW92x7l
Threatray 106 similar samples on MalwareBazaar
TLSH 076623812D808EE9C5761DF23494E5CBF583B56C3E0EC0EA965D16398CF4261EF46FA2
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
http://crownnest.cyou/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://crownnest.cyou/ https://threatfox.abuse.ch/ioc/6335/

Intelligence

File Origin
# of uploads :
1
# of downloads :
112
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/130426/
Detection(s):
PUA.Win.Downloader.Driverpack-6998194-0
Create hunting rule

PUA.Win.Adware.Generic-7505646-0
Create hunting rule

PUA.Win.File.Generic-7557964-0
Create hunting rule

SecuriteInfo.com.Artemis8A5D1E11C3D3.26302.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Running batch commands
Creating a process with a hidden window
Sending a custom TCP request
Launching cmd.exe command interpreter
Launching a process
Creating a process from a recently created file
Deleting a recently created file
DNS request
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/661560
Signature
Binary is likely a compiled AutoIt script file
Contains functionality to register a low level keyboard hook
Multi AV Scanner detection for submitted file
Obfuscated command line found
Submitted sample is a known malware sample
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 379714 Sample: 4jprGtOI3N.exe Startdate: 01/04/2021 Architecture: WINDOWS Score: 80 55 crownnest.cyou 2->55 57 api.ip.sb 2->57 77 Multi AV Scanner detection for submitted file 2->77 79 Yara detected RedLine Stealer 2->79 81 Binary is likely a compiled AutoIt script file 2->81 11 4jprGtOI3N.exe 12 2->11         started        signatures3 process4 signatures5 87 Contains functionality to register a low level keyboard hook 11->87 14 cmd.exe 1 11->14         started        16 cmd.exe 1 11->16         started        process6 signatures7 19 cmd.exe 7 14->19         started        22 conhost.exe 14->22         started        69 Submitted sample is a known malware sample 16->69 71 Obfuscated command line found 16->71 73 Uses ping.exe to sleep 16->73 75 Uses ping.exe to check the status of other devices and networks 16->75 24 conhost.exe 16->24         started        process8 signatures9 83 Obfuscated command line found 19->83 85 Uses ping.exe to sleep 19->85 26 Aprano.exe.com 19->26         started        28 PING.EXE 1 19->28         started        31 findstr.exe 1 19->31         started        34 4 other processes 19->34 process10 dnsIp11 36 Aprano.exe.com 26->36         started        65 127.0.0.1 unknown unknown 28->65 67 192.168.2.1 unknown unknown 28->67 53 C:\Users\user\AppData\...\Aprano.exe.com, Targa 31->53 dropped 39 Alzeremo.exe.com 1 34->39         started        42 Animazione.exe.com 34->42         started        file12 process13 dnsIp14 59 xBClidtxMI.xBClidtxMI 36->59 44 Aprano.exe.com 36->44         started        61 tcBtUbYArzPgCRXzyGHBr.tcBtUbYArzPgCRXzyGHBr 39->61 51 C:\Users\user\AppData\Roaming\...\RegAsm.exe, PE32 39->51 dropped 47 RegAsm.exe 2 39->47         started        63 LByBZilSQhpvxCLYFcVMSwJ.LByBZilSQhpvxCLYFcVMSwJ 42->63 49 Animazione.exe.com 42->49         started        file15 process16 signatures17 89 Tries to harvest and steal browser information (history, passwords, etc) 44->89
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2678fa4d8a8650f8ce4b24880eaf89c49cffa228a419b8e5cf26972a959d87cc/
Threat name:
Win32.Trojan.Crypzip
Create hunting rule
Status:
Malicious
First seen:
2021-03-29 05:15:29 UTC
AV detection:
8 of 29 (27.59%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ez4putmkqziprtslesea5l4jysop7iriuqm3rzope2lsvfm5q7ga._file
Verdict:
malicious
Similar samples:
18d8d0fe50b484ffb499c851cc2964239a5693b36940879e856b970f29e22765
RedLineStealer
2ce81e2dd2330f10eb414e56222cd1ba4c26591381f07e199b08f623b8c4b8f9
RedLineStealer
41bd1c7a896dade70b5e81588a20f0737f30c8ec164990f4da3f788dc843d7d1
RedLineStealer
73188b6122dcf35a0d26fedf3679c9713e6f21ccf78499d8788ed39feb7fdb4a
RedLineStealer
79638b28279f6fc16f4d3a24a73ac67a405aa548aa09d6ca09f485b8e7e13901
RedLineStealer
7af76f869eab565b2b7d3ec5f141e5d8cd94551a6b1b31e0d8af7c3ea2b5a7db
RedLineStealer
9234d9cc843e2d90cf272e76714371573ad4769d5e7e0de122120e45fec9cdea
RedLineStealer
c059548509d5ca453810776ad5bdea3440fb122b361211616d7300cc3b25fac0
RedLineStealer
c3b699aaaf2a476cf84ca13efd09ac86e66b501e3baaa5b0ef7cdabc47ee9ec1
RedLineStealer
f643cf2250b1ece8e720df93180962e563c6c1e587f4e42af47e4c26ed4ab861
RedLineStealer
+ 96 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery evasion infostealer persistence spyware stealer
Link:
https://tria.ge/reports/210401-xdn5kpkb4a/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies system certificate store
Runs net.exe
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks installed software on the system
Modifies WinLogon
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Modifies RDP port number used by Windows
Modifies Windows Firewall
Sets DLL path for service in the registry
Grants admin privileges
RedLine
Unpacked files
SH256 hash:
215fc8b681f44070baa532694e9ef1bd02dc1ef7726bd35af783d141041b6ba0
MD5 hash:
20bfad7f29a069cc157e80e5b8cbf8d2
SHA1 hash:
ca3dac09d89c55977c876b99c3c82b32ab88e9ae
Link:
https://www.unpac.me/results/5ba24bb2-9dc0-4eaf-85cb-fe3cdcd13901/
Parent samples :
42edc53eec43edfe500967882f8e7f7e787614223466817b25d71565fdf3b49c
02a193aa0cbdfae2d53e73431501edb4a263c1176ce5cbcb4e03e65a70df29ca
SH256 hash:
2678fa4d8a8650f8ce4b24880eaf89c49cffa228a419b8e5cf26972a959d87cc
MD5 hash:
934d2b9ee4b5af8bd53ab861226476f9
SHA1 hash:
4c12e98491d449fc3fb6f056adc3c6b90496654f
Link:
https://www.unpac.me/results/5ba24bb2-9dc0-4eaf-85cb-fe3cdcd13901/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2678fa4d8a8650f8ce4b24880eaf89c49cffa228a419b8e5cf26972a959d87cc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/130426/

Comments