MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2c97e8f759935a583274a2fd225bcd42e1b1ac66bd9ea70754f0b8cc20a728e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13

Intelligence 13 IOCs 1 YARA 7 File information Comments

SHA256 hash:	2c97e8f759935a583274a2fd225bcd42e1b1ac66bd9ea70754f0b8cc20a728e9
SHA3-384 hash:	6752364f78140c442d446390e855c970caa01184c8b746dd1a4062809c6d2d66633c2655790fef3d0d1be1b99ee3fdd4
SHA1 hash:	57fb95d38b138679ac07f4b3f85f4d37fa2e27fa
MD5 hash:	a667970f0ea130a7a49c0c4a7613186b
humanhash:	juliet-violet-bluebird-music
File name:	a667970f0ea130a7a49c0c4a7613186b.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	2'585'403 bytes
First seen:	2022-07-31 13:10:43 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	da0a8429d07681e0f845d1d4f08ae833 (28 x RedLineStealer, 2 x ArkeiStealer, 1 x PhoenixStealer)
ssdeep	24576:DA9EerLOdfZjYGY67TxhG2CMXndQOJKnBFEdp04mNhWMLqSTWe69RSZl3RuQ5537:MKOLOdfJmoy4mNhWMi0l3P
Threatray	784 similar samples on MalwareBazaar
TLSH	T15EC51A135A8B0E75DDD23BB4A1CB633AA734ED30CA3A9B7FB608C53559532C46C1A742
TrID	33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 21.3% (.EXE) Win64 Executable (generic) (10523/12/4) 13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 10.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
193.124.22.27:8362

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
193.124.22.27:8362	https://threatfox.abuse.ch/ioc/840581/

Intelligence

File Origin

# of uploads :

# of downloads :

344

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

a667970f0ea130a7a49c0c4a7613186b.exe

Verdict:

Malicious activity

Analysis date:

2022-07-31 16:21:29 UTC

Tags:

trojan rat redline stealer

Link:

https://app.any.run/tasks/a53d9b8f-7eff-4fc0-b692-50183518d9d1

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/295345/

Detection(s):

Win.Packed.Generickdz-9957591-0

Win.Dropper.Generickdz-9957947-0

Result

Verdict:

Clean

Maliciousness:

Behaviour

DNS request

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/27892/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

EvasionGetTickCount

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-debug overlay spyeye

Link:

https://www.filescan.io/uploads/62e67fa56fb6aea51f0ea13e/reports/1f4bf78d-7a9c-408d-9afc-2acba02ae7f5/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/e9a0292c-4237-4203-b37b-cbb97977bf5b

Result

Threat name:

RedLine, Xmrig

Detection:

malicious

Classification:

troj.spyw.evad.mine

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1043754

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Contains functionality to inject code into remote processes

Encrypted powershell cmdline option found

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Potential dropper URLs found in powershell memory

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Writes to foreign memory regions

Yara detected Generic Downloader

Yara detected RedLine Stealer

Yara detected Xmrig cryptocurrency miner

Behaviour

Behavior Graph:

Download SVG

Detection:

redlinestealer

Link:

https://mwdb.cert.pl/sample/2c97e8f759935a583274a2fd225bcd42e1b1ac66bd9ea70754f0b8cc20a728e9/

Threat name:

Win32.Trojan.RedLine

Status:

Malicious

First seen:

2022-07-25 15:26:33 UTC

File Type:

PE (Exe)

AV detection:

23 of 26 (88.46%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fsl6r52zsnnfqmtuul6sew6nilq3dldgxwpkob2u6c4myifhfduq._file

Verdict:

malicious

RedLineStealer

032bcb319cbd29d5c32d8a7657578ffa823745940bd8e6152b1e5bc7efc776f2

RedLineStealer

23c30d4d176ded055abf529bf8c75bc1e0f7656072f6a2a4ac8ad7d9f889fedc

RedLineStealer

28432c6b761d9a0d6d3a80cbeda9b6f745cf55b5a2c234737afe493d1ff11158

RedLineStealer

3477350a178f4abfbebe739f97ecd499345d62abcc1702fa516a61fa060f9cd5

RedLineStealer

4b51bfdfb096e034e057e4cf48abcdb2f8f3301d3493f286053bf66f9b74f175

RedLineStealer

5f45f47d879bf54f44ab26b4eaafbc80cd276dd72acc648220e95cac385b6ede

RedLineStealer

833cd1ac5362600d62cbd298f5924de853d798e9217da0ae18054800f74ca86b

RedLineStealer

a24c2f0775f834d56102bc71dcab3681573128c66cd33d82967a49fe9fe16b13

RedLineStealer

ee987d5d4e5f25b0f245376444d7e89d5ab5da49f26a80809271348623ea3536

RedLineStealer

+ 774 additional samples on MalwareBazaar

Result

Malware family:

xmrig

Score:

10/10

Tags:

family:redline family:xmrig botnet:5005971465 discovery evasion exploit infostealer miner spyware

Link:

https://tria.ge/reports/220731-qext5sggej/

Behaviour

Creates scheduled task(s)

Modifies registry key

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Launches sc.exe

Drops file in System32 directory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks computer location settings

Loads dropped DLL

Modifies file permissions

Downloads MZ/PE file

Drops file in Drivers directory

Executes dropped EXE

Possible privilege escalation attempt

Stops running service(s)

XMRig Miner payload

Modifies security service

RedLine

RedLine payload

xmrig

Malware Config

C2 Extraction:

193.124.22.27:8362

Unpacked files

SH256 hash:

da99b7a96dc289a5ebd4951e3ca153f6aa14361566653ce2f5c6300e3d1c3654

MD5 hash:

cb3e5df759c28ba81d584af3c69ed090

SHA1 hash:

65381ba0e6517e1e425c01d28ad133cc244b5cbd

Link:

https://www.unpac.me/results/3e8a522f-c5ef-4c1d-99a6-c114685a6065/

SH256 hash:

2c97e8f759935a583274a2fd225bcd42e1b1ac66bd9ea70754f0b8cc20a728e9

MD5 hash:

a667970f0ea130a7a49c0c4a7613186b

SHA1 hash:

57fb95d38b138679ac07f4b3f85f4d37fa2e27fa

Link:

https://www.unpac.me/results/3e8a522f-c5ef-4c1d-99a6-c114685a6065/

Malware family:

RedLine

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/2c97e8f75993/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.28

Link:

https://yomi.yoroi.company/submissions/2c97e8f759935a583274a2fd225bcd42e1b1ac66bd9ea70754f0b8cc20a728e9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ArechClient Create hunting rule
Author:	@bartblaze
Description:	Identifies ArechClient, infostealer.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	RedLine_a Create hunting rule
Author:	@bartblaze
Description:	Identifies RedLine stealer.

Rule name:	redline_new_bin Create hunting rule
Author:	James_inthe_box
Description:	Redline stealer
Reference:	https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8

Rule name:	redline_stealer Create hunting rule
Author:	jeFF0Falltrades
Description:	This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/295345/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample