MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2c9377c5c508759f8af41c130dbb63d79d1b4c3c8261ee14501dee88b504cb02. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2c9377c5c508759f8af41c130dbb63d79d1b4c3c8261ee14501dee88b504cb02
SHA3-384 hash: ac9be27da3f6baa913467657d16a0dbce6ee47061ce2de27be7474a6c60bb6f48c6d5fb2ac23d125aac3a8513e4f31a3
SHA1 hash: f257cf86538271dede658780297155e919d26f64
MD5 hash: 671e73513b3bc74b1c441bd6db5dac55
humanhash: colorado-kitten-violet-georgia
File name:671e73513b3bc74b1c441bd6db5dac55
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:305'664 bytes
First seen:2021-11-30 04:54:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 323bd4e3140d43944fb5ccff8da0e3f0 (4 x RedLineStealer, 2 x IcedID, 1 x Stop)
ssdeep 6144:SrYHH4zYtZiJ9hp3On/yNx85mqiNVo+U:qYn4zY/Fn/yz8Mc+
Threatray 3'391 similar samples on MalwareBazaar
TLSH T1C554F111F2A686F1C1A306303435CA518ABB7C3B2B35817E37A06A3F5EFC2D05AB5756
File icon (PE):PE icon
dhash icon fcfcb4d4d4d4d8c8 (18 x RedLineStealer, 10 x RaccoonStealer, 5 x Smoke Loader)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
127
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
671e73513b3bc74b1c441bd6db5dac55
Verdict:
Malicious activity
Analysis date:
2021-11-30 04:56:38 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/73b2aab5-452c-44b3-9650-9f706a6d587a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware lockbit packed
Link:
https://www.filescan.io/uploads/61a5aea8c4c531414822d25a/reports/496a2398-4c08-435f-add1-20a7436288ee/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Dridex
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/442ae9e4-5335-4db9-9efe-f5b3ee35f0aa
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/898399
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2c9377c5c508759f8af41c130dbb63d79d1b4c3c8261ee14501dee88b504cb02/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2021-11-30 04:55:11 UTC
File Type:
PE (Exe)
Extracted files:
19
AV detection:
26 of 28 (92.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fsjxprofbb2z7cxudqjq3o3d26orwtb4qjq64fcqdxxirniezmba._file
Verdict:
malicious
Similar samples:
6c251106b903b525e3ffa3d0ac5fd47704a0970841f4a493d15fb374ee35f0e9
RedLineStealer
6db7d6d4109963c686547ba997a0eb8fae8112f9bfcb225d3bc62b06113ce36e
RedLineStealer
6f4d0be0c5e4824c213ca020779cee9279d0ed576c2a13d058ecfd992ade3d9e
RedLineStealer
d1439d1a3c8bd8495a07ea2d22e4480b7cd837deb3b6c5576e98592de7f67996
RedLineStealer
d2424ee4002e652925c9d339cc4d08a64f88cf027352f6302d260677a6e70718
RedLineStealer
f4128b1298fd05caadb8c40c93588c09c4f636b997afd88f35a9898ceaf6d2e8
RedLineStealer
+ 3'381 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:1limon discovery infostealer spyware stealer
Link:
https://tria.ge/reports/211130-fj5ensggh6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
95.215.205.135:8634
Unpacked files
SH256 hash:
a211d7007453a2eaa18f5954465712d6aea23e0ba747c49a8771b31481b39bbf
MD5 hash:
7968445b27b3f78db88c790d977cb48a
SHA1 hash:
78d5bb6d99c84062f9d8c177f0c9004c8db24eb4
Link:
https://www.unpac.me/results/dadc8df9-4a5d-46e8-92e5-14bd4e1af603/
SH256 hash:
b144dc9ac6a711a23b0e38f6daa4e6c241530b3a9a2ba8b0fe2aa364ccbd5c3b
MD5 hash:
4c64af74255be4127a49c9139e9b2000
SHA1 hash:
67995bb52fab1f22c0800e2840122955316c925a
Link:
https://www.unpac.me/results/dadc8df9-4a5d-46e8-92e5-14bd4e1af603/
SH256 hash:
d0322dc31ad32ac77d8ec48b0b24259118491d8dbee1f313fdf17e8ee8f68c59
MD5 hash:
ed0af594ef5f8a8c91dd62ac1614f23d
SHA1 hash:
11b586d2f27817212f563669f9e76a965f5bf713
Link:
https://www.unpac.me/results/dadc8df9-4a5d-46e8-92e5-14bd4e1af603/
SH256 hash:
2c9377c5c508759f8af41c130dbb63d79d1b4c3c8261ee14501dee88b504cb02
MD5 hash:
671e73513b3bc74b1c441bd6db5dac55
SHA1 hash:
f257cf86538271dede658780297155e919d26f64
Link:
https://www.unpac.me/results/dadc8df9-4a5d-46e8-92e5-14bd4e1af603/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/2c9377c5c508/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2c9377c5c508759f8af41c130dbb63d79d1b4c3c8261ee14501dee88b504cb02

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 2c9377c5c508759f8af41c130dbb63d79d1b4c3c8261ee14501dee88b504cb02

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1834808/

Comments


Avatar
zbet commented on 2021-11-30 04:54:33 UTC

url : hxxp://5.255.101.55/myblog/posts/sefile.exe