MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2c6e680456a5d80d6c230d34d82ba6a3ad5c9041bb75776e6385e0b182e3624a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2c6e680456a5d80d6c230d34d82ba6a3ad5c9041bb75776e6385e0b182e3624a
SHA3-384 hash: 0fa0b048224471abe12b847e68f0a844200172cd1612b26c53fae9c573bb5ca164c0ccc7c412400299891c10fe82b85f
SHA1 hash: 22bcb0ff4bd0229d0eef4d13c194b5ad0bbe0fd3
MD5 hash: 46941fd0c90a281ad25d2d68737bcf8d
humanhash: arizona-magnesium-winter-zebra
File name:2c6e680456a5d80d6c230d34d82ba6a3ad5c9041bb757.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'802'048 bytes
First seen:2022-05-20 18:12:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8911a1c8935fd153a9b98c38bcecf4be (1 x RedLineStealer)
ssdeep 24576:1W2rPgXhgNlcMqpA5zThIuBQqOyX3zikEjtKXZ5+ANfHXU5yY65hgo5L+VS:QKshYtq65zThjQK+6ZFvUM5hgaL+VS
Threatray 805 similar samples on MalwareBazaar
TLSH T19E852366D371E1DCDD0EE0B5CA3AD96626D5F25C01080B2DA85D322FF608F4A7C97B25
File icon (PE):PE icon
dhash icon c4e8e8d4e8699640 (1 x RedLineStealer, 1 x CoinMiner)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
94.23.197.192:43437

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
94.23.197.192:43437 https://threatfox.abuse.ch/ioc/616165/

Intelligence

File Origin
# of uploads :
1
# of downloads :
338
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
2c6e680456a5d80d6c230d34d82ba6a3ad5c9041bb757.exe
Verdict:
Malicious activity
Analysis date:
2022-05-20 18:27:11 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/4147c47b-b106-4af9-a211-babb4c1d48e1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/273147/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Creating a file
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6287da2e945ebb7eb171be73/reports/1911fe4a-d2b0-4988-a699-a205c1a19668/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9c9c70ac-52c1-42ab-a724-15b4c4bdb5e1
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/998810
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2c6e680456a5d80d6c230d34d82ba6a3ad5c9041bb75776e6385e0b182e3624a/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2022-05-20 18:13:16 UTC
File Type:
PE (Exe)
Extracted files:
22
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=frxgqbcwuxma23bdbu2nqk5guowvzecbxn2xo3tdqxqldaxdmjfa._file
Verdict:
malicious
Similar samples:
35ca9c06c64525702c430b2781dca9570ba31ba755294b034b926357a2aa2451
RedLineStealer
5df70b6d4395c363a2f97843733996bceabfc71a9b30f6ef7361161b34b45bc6
RedLineStealer
851bba6f93b83f524a19a95ed9fd4f59d163de3d825ee276114b3d03ae206beb
RedLineStealer
a74f9ed962019491f7d2995e4c03ace954c0d4bb81cddb3e79cedd58c40dc6f1
RedLineStealer
be0e88736ccfe77179092d6cf517b34aa32e1cb1e4fc47d98ceb97522d138027
RedLineStealer
c2edd73c44beb4bae6d666109f793c0e246a1cc28bf868d10841023283d880d5
RedLineStealer
c4723b946e8913f59ccb64d9025440820124104c653c79023f09d28da35d0442
RedLineStealer
f2b0706066fbc556ed73ab393d00db40a5cf1a0d4b2dc7647172b122b83fb919
RedLineStealer
+ 795 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/220520-wtqbhabfc5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
8a47380b09cb6ba4ba2b261a00b9e71ef52ab6eab9028668d1d1d91f9a68a617
MD5 hash:
5d521c375e0327856eb44a056b28563c
SHA1 hash:
dd796e0dcf6f3d37ee1c6252124f29301803a450
Link:
https://www.unpac.me/results/eb72423a-4357-466f-886b-540633c0991f/
SH256 hash:
2c6e680456a5d80d6c230d34d82ba6a3ad5c9041bb75776e6385e0b182e3624a
MD5 hash:
46941fd0c90a281ad25d2d68737bcf8d
SHA1 hash:
22bcb0ff4bd0229d0eef4d13c194b5ad0bbe0fd3
Link:
https://www.unpac.me/results/eb72423a-4357-466f-886b-540633c0991f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2c6e680456a5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2c6e680456a5d80d6c230d34d82ba6a3ad5c9041bb75776e6385e0b182e3624a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BAZT_B5_NOCEXInvalidStream
Create hunting rule
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:NETDIC208_NOCEX
Create hunting rule
Rule name:NETDIC208_NOCEX_NOREACTOR
Create hunting rule
Rule name:NETDIC_208
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 2c6e680456a5d80d6c230d34d82ba6a3ad5c9041bb75776e6385e0b182e3624a

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/273147/
  
URLhaus
https://urlhaus.abuse.ch/url/2204361/
  
Delivery method
Distributed via web download

Comments