MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 29cc22cd2167fcc12eb0f555d6f7b4ec0be43c76d03ea53e35ecf3464c5e4efa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 14

Intelligence 14 IOCs YARA 4 File information Comments

SHA256 hash:	29cc22cd2167fcc12eb0f555d6f7b4ec0be43c76d03ea53e35ecf3464c5e4efa
SHA3-384 hash:	37a49e5349cc4bc32b3051c7d395573a51cfc3e20e4a8865c13fdafdf0eea289869341471a4f6d03d466030438a257ce
SHA1 hash:	1c980162ae50cbaf1b479d7bc9575faa55a53504
MD5 hash:	cac9c1edb035eec6f2d552ec3ca96145
humanhash:	kilo-five-spaghetti-skylark
File name:	cac9c1edb035eec6f2d552ec3ca96145.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	435'712 bytes
First seen:	2023-02-06 12:05:39 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f28ad02a4adb6c9c9717704f5e5b34ac (8 x RedLineStealer, 6 x Smoke Loader, 3 x CoinMiner)
ssdeep	6144:QELRf00cREAnFclEoFvd84hM4kaTRfUx9+Ypuk6owt:QEdf0kAnQH184qaBqRprI
Threatray	14'440 similar samples on MalwareBazaar
TLSH	T1B594BF03E6F17C63D55286729E1ECBE8768FF5608E0A676612188D1F34711B1C3F762A
TrID	38.6% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 29.0% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 9.7% (.EXE) Win64 Executable (generic) (10523/12/4) 6.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	4c0a140a06164400 (1 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
193.233.20.7:4138

Intelligence

File Origin

# of uploads :

# of downloads :

194

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

c7c744981610377ba9562abccfc1793e.exe

Verdict:

Malicious activity

Analysis date:

2023-02-06 11:53:05 UTC

Tags:

trojan rat redline amadey loader

Link:

https://app.any.run/tasks/4044a1de-51aa-4f9f-b0ee-df6f3aadd05e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/360835/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Clean

Maliciousness:

Behaviour

Sending a custom TCP request

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/63e0ed2c447edb203a02e953/reports/d14406be-6ee2-408e-8c9e-ed079bf66d9b/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/29cc22cd2167fcc12eb0f555d6f7b4ec0be43c76d03ea53e35ecf3464c5e4efa

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ccccab5e-e08b-4e5b-8009-05c55b628e22

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1166580

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/29cc22cd2167fcc12eb0f555d6f7b4ec0be43c76d03ea53e35ecf3464c5e4efa/

Threat name:

Win32.Trojan.Raccoon

Status:

Malicious

First seen:

2023-02-06 11:52:27 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=fhgcftjbm76mclvq6vk5n55u5qf6ipdw2a7kkprv5tzumtc6j35a._file

Verdict:

malicious

RedLineStealer

80fed7cd4c7d7cb0c05fe128ced6ab2b9b3d7f03edcf5ef532c8236f00ee7376

RedLineStealer

88cfd1e05f0460b74f8c08d9bfb7e65c0e1dd44a2b45d03ec1c5813986889e42

RedLineStealer

b7e899976d3623c9de25a73f0fd57d963f12af9b0cacc952f1ce5aa14b93f920

RedLineStealer

b9592f7616249ff910d601c0680932abf55a8b4af511bf18d42ad55835f422d4

RedLineStealer

cbbe39944f1a5af5719f583c375de30cd19a553a0bd70e5246a8f7ee61523717

RedLineStealer

ce766e4d494c2be709cd4e0d7a9c55b0acc3c3b4625bf5f2af13a3740d2935d3

RedLineStealer

dfe21a9c782431cbaa3f36a174c1eb493a5b161f6da763e74cb11d65fabe8eab

RedLineStealer

ead282a624633ea76a708ff1ab34593c3095876fa6754078927393f9300b30f8

RedLineStealer

ebd46441b3e3a1c1e64d6b0952dacb9bcdd896bb95c8a62bc3a4028a58b1573c

RedLineStealer

+ 14'430 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:bilod discovery infostealer spyware stealer

Link:

https://tria.ge/reports/230206-n9q9qsha9x/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine payload

Malware Config

C2 Extraction:

193.233.20.7:4138

Unpacked files

SH256 hash:

f1e65d2fb477a2eacb1dedfe236100e4b1630b5e5450463d89cf9e66b1af6760

MD5 hash:

ef45323b1905067239609c4d153255a3

SHA1 hash:

d652ca53fc109b61769b2eba0577bc51089f265e

Detections:

redline

Link:

https://www.unpac.me/results/241293d1-0718-40cf-aaa8-7a5d0838d0b1/

Parent samples :

b9592f7616249ff910d601c0680932abf55a8b4af511bf18d42ad55835f422d4
88cfd1e05f0460b74f8c08d9bfb7e65c0e1dd44a2b45d03ec1c5813986889e42
80fed7cd4c7d7cb0c05fe128ced6ab2b9b3d7f03edcf5ef532c8236f00ee7376
ce766e4d494c2be709cd4e0d7a9c55b0acc3c3b4625bf5f2af13a3740d2935d3
29cc22cd2167fcc12eb0f555d6f7b4ec0be43c76d03ea53e35ecf3464c5e4efa
66e93e6252ac9c8f2a02c121abc6b4749c67b131ba0d21b39ef917e695ac84ce
eceade3ce86427080b0f4efe03d382ae3ae049cdcafef49cbd1365aab1918ec2

SH256 hash:

56d331d10b814d3bf111a7be43ded93212f1a6538b7f1ed27b36ef01552c6ed4

MD5 hash:

ed50aef1e5392cc41f2f7ad564197b86

SHA1 hash:

79abf2fb46e76cd7ee994cf40120483a6181548c

Link:

https://www.unpac.me/results/241293d1-0718-40cf-aaa8-7a5d0838d0b1/

SH256 hash:

736c3be20841c64e8c3494022027e9cb478a3c34338fa576c02372bb1c1c6470

MD5 hash:

a21d55f20608a424700512cbe24c33f4

SHA1 hash:

5d7279d9107ed162f466a284a966df2195e3b511

Detections:

redline

Link:

https://www.unpac.me/results/241293d1-0718-40cf-aaa8-7a5d0838d0b1/

Parent samples :

b9592f7616249ff910d601c0680932abf55a8b4af511bf18d42ad55835f422d4
88cfd1e05f0460b74f8c08d9bfb7e65c0e1dd44a2b45d03ec1c5813986889e42
80fed7cd4c7d7cb0c05fe128ced6ab2b9b3d7f03edcf5ef532c8236f00ee7376
1d51e0964268b35afb43320513ad9837ec6b1c0bd0e56065ead5d99b385967b5
b7e899976d3623c9de25a73f0fd57d963f12af9b0cacc952f1ce5aa14b93f920
dfe21a9c782431cbaa3f36a174c1eb493a5b161f6da763e74cb11d65fabe8eab
ce766e4d494c2be709cd4e0d7a9c55b0acc3c3b4625bf5f2af13a3740d2935d3
29cc22cd2167fcc12eb0f555d6f7b4ec0be43c76d03ea53e35ecf3464c5e4efa
66e93e6252ac9c8f2a02c121abc6b4749c67b131ba0d21b39ef917e695ac84ce
eceade3ce86427080b0f4efe03d382ae3ae049cdcafef49cbd1365aab1918ec2
a373356377baa29111c9c78123b35689f35dd91d6b440262646078d6571cecf1

SH256 hash:

29cc22cd2167fcc12eb0f555d6f7b4ec0be43c76d03ea53e35ecf3464c5e4efa

MD5 hash:

cac9c1edb035eec6f2d552ec3ca96145

SHA1 hash:

1c980162ae50cbaf1b479d7bc9575faa55a53504

Link:

https://www.unpac.me/results/241293d1-0718-40cf-aaa8-7a5d0838d0b1/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/29cc22cd2167/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/29cc22cd2167fcc12eb0f555d6f7b4ec0be43c76d03ea53e35ecf3464c5e4efa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

exe 29cc22cd2167fcc12eb0f555d6f7b4ec0be43c76d03ea53e35ecf3464c5e4efa

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2529227/

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2528642/

Cape

https://www.capesandbox.com/analysis/360835/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample