MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2cc3cdf16a17e24f338f93481d25e9082bf062a65303686b8521466aea5de780. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 4 File information Comments

SHA256 hash:	2cc3cdf16a17e24f338f93481d25e9082bf062a65303686b8521466aea5de780
SHA3-384 hash:	ca87fde26955dd175f2c2405cd88eeb2e709721af370a7a5a2d3fbe20a72d64c4228ad1acb2f2be02a9c28051fcf038c
SHA1 hash:	65dfb2bfdc801cbd531750784fc512ab08856cba
MD5 hash:	562ea5c2f9d8dcc620544ec678e6c50c
humanhash:	alaska-sad-four-hamper
File name:	2cc3cdf16a17e24f338f93481d25e9082bf062a653036.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	745'072 bytes
First seen:	2022-01-14 13:33:26 UTC
Last seen:	2022-01-14 16:00:02 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	d123a69e1a76a1d4c228975990208112 (4 x RedLineStealer, 1 x TVRat, 1 x ArkeiStealer)
ssdeep	12288:4L5O7UG6YyDA2SoGFfqMEiyGmHTH4aZ+Fau+CXshpMbzZKZSV+yWZPjOPD1Zf:ghG6YyDpyEiKL4aZQxXMmbzEZSVPAPjY
Threatray	2'125 similar samples on MalwareBazaar
TLSH	T19CF42395A3F51A57CABD1BB044EFA3623B71FE044B26C71FF58064193D239C8CE82A56
File icon (PE):
dhash icon	78996869d4dadae0 (3 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
185.80.53.106:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
185.80.53.106:80	https://threatfox.abuse.ch/ioc/295238/

Intelligence

File Origin

# of uploads :

# of downloads :

266

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

http://ec2-3-15-199-99.us-east-2.compute.amazonaws.com/?verify-id=51&verify-hash=b7eb6c689c037217079766fdb77c3bac3e51cb4c&verify-msch=VkIgRGVjb21waWxlciBMaXRlIENyYWNrIHYxMS42ICAgQWN0aXZhdG9yIChVcGRhdGVkKSBGcmVlIERvd25sb2Fk&download=1&xtrans=MTM4

Verdict:

Malicious activity

Analysis date:

2022-01-13 00:00:06 UTC

Tags:

evasion trojan rat redline loader stealer opendir vidar raccoon

Link:

https://app.any.run/tasks/6194aae7-e7d2-4c56-9822-c0d6aec9ac89

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/219324/

Detection(s):

SecuriteInfo.com.Variant.Doina.30743.1579.30927.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Creating a window

Reading critical registry keys

Creating a file

Query of malicious DNS domain

Sending a TCP request to an infection source

Stealing user critical data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug exploit greyware overlay packed redline

Link:

https://www.filescan.io/uploads/61e17bd6e997359713ec7d99/reports/fc9bff0f-6556-4792-a00d-cfd289b71de1/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Gathering data

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/920759

Signature

Antivirus detection for URL or domain

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

PE file has nameless sections

Performs DNS queries to domains with low reputation

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to evade analysis by execution special instruction which cause usermode exception

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2cc3cdf16a17e24f338f93481d25e9082bf062a65303686b8521466aea5de780/

Threat name:

Win32.Infostealer.RedLine

Status:

Malicious

First seen:

2022-01-12 21:36:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

26 of 43 (60.47%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ftb434lkc7re6m4psneb2jpjbav7ayvgkmbwq24fefdgv2s546aa._file

Verdict:

malicious

Label(s):

ryuk

RedLineStealer

190f4fb1b115015c5953c32d83b90e4574b371611ca78f6d37f6c0839b7be9b5

RedLineStealer

2988763ce776fb8a9c79a2565384a30744cccd114cde7ee49b71965396f41bc7

RedLineStealer

4fe1cb64f16f7fa987407a906a4319520972f5a8f5749e3b071a831825559a45

RedLineStealer

55560b608e7a7515329d395c72dc9cebc5cdd7b4c0f153d6e02eb74c2a609feb

RedLineStealer

98b744289399d40bee96ceada3e8a187627ca9d09e4815078b83762ae78cedfb

RedLineStealer

aa3abbd93819a58f0612b60cf1cfcc3a296e10d1b776555b8a3f967608b00f06

RedLineStealer

fea660657f6285124e61fe5dcafe9374344d941e6fbeaa89f3a2640572ccc784

RedLineStealer

+ 2'115 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery spyware stealer

Link:

https://tria.ge/reports/220114-qt6qlagfcm/

Behaviour

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

5196209df0dbeae7a1174239a25a7c92ac2516388a2af5181665fc5116365c59

MD5 hash:

eec445658d597dd46b599864aa63cc96

SHA1 hash:

3fec65ecb83edf47a12d4d899098b640687393f3

Link:

https://www.unpac.me/results/e8b17ac7-b7eb-4b09-8f73-a2c0f9fb5961/

SH256 hash:

353f26eb916e999cb3c257d0582744717a2c23dd6838aa0ec8b619d5f88c90a8

MD5 hash:

32d5e123a83efa29eecf0e76b5e2a768

SHA1 hash:

3748f78fab43c7202f99588a7aa1f00586fb75bb

Link:

https://www.unpac.me/results/e8b17ac7-b7eb-4b09-8f73-a2c0f9fb5961/

SH256 hash:

bb579b065460389790ef8527eef2a37732527869975be5ca56025652b64e02ed

MD5 hash:

57a9e64d4e23866be85fbadc984f21e4

SHA1 hash:

1f7d798b6cc0416ac9cf87187c1dc15fa0803cfd

Link:

https://www.unpac.me/results/e8b17ac7-b7eb-4b09-8f73-a2c0f9fb5961/

SH256 hash:

2cc3cdf16a17e24f338f93481d25e9082bf062a65303686b8521466aea5de780

MD5 hash:

562ea5c2f9d8dcc620544ec678e6c50c

SHA1 hash:

65dfb2bfdc801cbd531750784fc512ab08856cba

Link:

https://www.unpac.me/results/e8b17ac7-b7eb-4b09-8f73-a2c0f9fb5961/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2cc3cdf16a17e24f338f93481d25e9082bf062a65303686b8521466aea5de780

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	quakbot_halo_generated Create hunting rule
Author:	Halogen Generated Rule, Corsin Camichel

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/219324/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample