MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2cba8012f3deb21e3f361d5a3f07cc794b6e18e63b07c98aa2cbd78233cee70e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs 1 YARA File information Comments

SHA256 hash:	2cba8012f3deb21e3f361d5a3f07cc794b6e18e63b07c98aa2cbd78233cee70e
SHA3-384 hash:	5d9611f286844749e96266d1fea0ac6a84b2f7b61e8850f23058138191cef9e088f94ab593be6119a65da08153f9e387
SHA1 hash:	a4b3576feb789f5c58da2178e3b3c40f7ef185ad
MD5 hash:	aae688a16a5bd098f7b696c2dcdb713c
humanhash:	maryland-seventeen-one-cola
File name:	aae688a16a5bd098f7b696c2dcdb713c.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	329'216 bytes
First seen:	2021-07-25 09:05:26 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7780eb9cc098185992365509d7637fd7 (4 x RaccoonStealer, 1 x DanaBot, 1 x TeamBot)
ssdeep	6144:taJZA5HBB2qJI+LY5MaW9vn3/rRAS7Lf4ZLyXqSlrFzBnmytldWS:gJZANLdHNjcyHLhm2ld
Threatray	3'759 similar samples on MalwareBazaar
TLSH	T18C64E040F680D87BD2A64D3244E783D52A7EBCA12F6C86537B447ADF2E311D162BE706
dhash icon	48b9b2b0e8c38c90 (6 x Smoke Loader, 5 x RedLineStealer, 3 x CryptBot)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
185.215.113.114:8887

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
185.215.113.114:8887	https://threatfox.abuse.ch/ioc/162768/

Intelligence

File Origin

# of uploads :

# of downloads :

159

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

aae688a16a5bd098f7b696c2dcdb713c.exe

Verdict:

Malicious activity

Analysis date:

2021-07-25 09:09:22 UTC

Tags:

trojan rat redline stealer

Link:

https://app.any.run/tasks/f582a250-dc07-4ce5-a07f-ad91ee978ced

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/173996/

Detection(s):

Win.Packed.Pwsx-9880609-0

Win.Packed.Pwsx-9880641-0

Win.Malware.Generic-9880750-0

Win.Packed.Fugrafa-9880767-0

Win.Dropper.Raccoon-9880773-0

Win.Packed.Fugrafa-9880781-0

Win.Malware.Generic-9880786-0

Win.Packed.Fugrafa-9880806-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

DNS request

Sending a custom TCP request

Connection attempt

Using the Windows Management Instrumentation requests

Creating a file in the %temp% directory

Deleting a recently created file

Reading critical registry keys

Creating a window

Creating a file

Connection attempt to an infection source

Stealing user critical data

Sending an HTTP POST request to an infection source

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/25a38e3d-4f66-4321-b752-ee6ce3262a92

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/821447

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Gathering data

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2021-07-22 02:09:07 UTC

AV detection:

24 of 28 (85.71%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=fs5iaext32zb4pzwdvnd6b6mpffw4ghghmd4tcvczplyem6o44ha._file

Verdict:

malicious

RedLineStealer

326c2c9f4f724fb74c0d826aaa93c3c86140a26bd2c0f27a37407ac1dbdc7c59

RedLineStealer

3557b514f9eada3659219bc4c1401d074f814ba82bf137ba0671fec66078d534

RedLineStealer

4dee972756364c4a670b31004c506161750027588c111bb0f1b499acf91ff657

RedLineStealer

76b87f4f61c849a8af46ebdcb899a0bea036b18f6b473bed34562212eab16b93

RedLineStealer

a4ba89389929db2c9baa52e9b858164dad161d53ba61a73712a2c3ba92b49ec5

RedLineStealer

b138c67994648f1784c8263e0af703662e2bd8e55d9d8a1189dcf243f2bff657

RedLineStealer

b666325729d0aa8e49292441558e945d0075439d6e6a544181fe708864835383

RedLineStealer

ddd810853f9fa4626060db340eaf5c38b614b81be0dc05f92c0f5356431bc9c5

RedLineStealer

e10f5bc4cb6610bd2aee334a581f2a9872b16c830bdce2f67ffe3cf57bf0b065

RedLineStealer

+ 3'749 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:sewpalpadin discovery infostealer spyware stealer

Link:

https://tria.ge/reports/210725-yjrr1ag7ja/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

185.215.113.114:8887

Unpacked files

SH256 hash:

896327f3b8ffb0108da0ba4bb4177ecf34b2b537c70ba775f3b8d05f7337e480

MD5 hash:

9ef3832f3b00631ed09c7931e494e3e5

SHA1 hash:

bffc8ce4c382f443820d1d089db72c267090bb3d

Link:

https://www.unpac.me/results/6c3ffc23-38c4-48d9-a315-d6f635425ccd/

SH256 hash:

5a9bcd47b183892a42b3b68a53e442a93c0bb016fb94abbd8d42b6477e982194

MD5 hash:

9d700a739ff25fd446ab24994185abd7

SHA1 hash:

73eaeff4f6ec5d342f9c5ccf045eab616281d7d0

Link:

https://www.unpac.me/results/6c3ffc23-38c4-48d9-a315-d6f635425ccd/

SH256 hash:

98a398c51f219ad1ad34f1190a276355212cd4228797708ee2fae4c43b1186cf

MD5 hash:

8cf1348cb3c4ea66ef1664c23478b56c

SHA1 hash:

5e79ef8bfed82f2713b589c7cd24b2e241b2a16d

Link:

https://www.unpac.me/results/6c3ffc23-38c4-48d9-a315-d6f635425ccd/

SH256 hash:

2cba8012f3deb21e3f361d5a3f07cc794b6e18e63b07c98aa2cbd78233cee70e

MD5 hash:

aae688a16a5bd098f7b696c2dcdb713c

SHA1 hash:

a4b3576feb789f5c58da2178e3b3c40f7ef185ad

Link:

https://www.unpac.me/results/6c3ffc23-38c4-48d9-a315-d6f635425ccd/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2cba8012f3deb21e3f361d5a3f07cc794b6e18e63b07c98aa2cbd78233cee70e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/173996/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample