MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2cc931d9ba95d8bd2daea724ffd7cdeb239f298336f32c4640465b8982cf5874. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs YARA 6 File information Comments

SHA256 hash:	2cc931d9ba95d8bd2daea724ffd7cdeb239f298336f32c4640465b8982cf5874
SHA3-384 hash:	b485da8137de966d7f07ca874466532f3a3312d2682c2323036e5fe3c99c238af9cfed002cc22a28b476ab65b0a87675
SHA1 hash:	30c2d08b9239c1e6371b52dabf2f6f3547b9912a
MD5 hash:	5fc0555e5eb07c5924705eab1a94fb29
humanhash:	five-autumn-river-quebec
File name:	Install.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	652'288 bytes
First seen:	2021-09-04 19:22:17 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:nbMGjXa2klT97scjSC3jh4/IWxyC6tym3/xUvNF2r/GUuf8zOt3hiML/C8vifHSv:0V3jhF82r/GUV
Threatray	998 similar samples on MalwareBazaar
TLSH	T1FAD4EB28657FC019C4E7EEB12DDCA8BAD99A94E3600D723711B4633B8B11B84DE4F479
Reporter	Anonymous
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

182

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Install.exe

Verdict:

No threats detected

Analysis date:

2021-09-04 19:24:40 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/d718242a-c5c0-4d63-ad81-ff1f7d095d62

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/185344/

Detection(s):

Win.Packed.Redline-9876022-1

Win.Packed.Redline-9879939-1

Win.Trojan.Generickdz-9882256-0

Win.Trojan.Generickdz-9883081-0

Win.Packed.Generickdz-9888683-0

Win.Packed.Generickdz-9889102-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Unauthorized injection to a recently created process

Creating a window

Connection attempt

Sending a custom TCP request

DNS request

Using the Windows Management Instrumentation requests

Creating a file in the %temp% directory

Deleting a recently created file

Reading critical registry keys

Stealing user critical data

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/00ab0bce-41a7-410b-a598-cc39bbc7ad51

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.evad

Score:

54 / 100

Link:

https://www.joesandbox.com/analysis/845344

Signature

.NET source code contains very large strings

.NET source code references suspicious native API functions

Injects a PE file into a foreign processes

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2cc931d9ba95d8bd2daea724ffd7cdeb239f298336f32c4640465b8982cf5874/

Threat name:

Win32.Trojan.Redlinestealer

Status:

Malicious

First seen:

2021-09-04 19:23:04 UTC

AV detection:

24 of 43 (55.81%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ftetdwn2sxml2lnou4sp7v6n5mrz6kmdg3zsyrsaiznytawplb2a._file

Verdict:

malicious

RedLineStealer

211c5e542a39bd580d591ee281d719abc67a1b9313e5eecaa904d41dc2cb9d45

RedLineStealer

2cc5f31570047becc5e77581e2f640afba8d6904c6be61105603d60d01c181d0

RedLineStealer

2db5b8398fe40439d40336311f84437499781d8659a4557b76ff7db71fa4e05e

RedLineStealer

2ff77816fa6b9e2fdbc630e06a003b09228f39887f8dfea7f8020d9346bd2324

RedLineStealer

6fe100707f04edd5edab46ab148ba902e609a418d6e29fe3dddda0a8a5bb2fd9

RedLineStealer

7151dc894be6ab81d6a5ac2fb22812821fb28c2bccea1d01a54eac55ca11da2e

RedLineStealer

9453ddc4bebb87a937e3d53d38c56814907b2862496142ccdb568f48caf2d467

RedLineStealer

9ea4469f78d2953c8061672f6c7630a9728b42944e37be3e30bc6774812af88a

RedLineStealer

fff25302774366cdb466fa0e4015f9c7de93fd0192585a3cab2e2f51b635047c

RedLineStealer

+ 988 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:gazel discovery infostealer spyware stealer

Link:

https://tria.ge/reports/210904-x3snnaedf5/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

95.217.248.44:1052

Unpacked files

SH256 hash:

7fc7784b72904f4d1e64c50452631863f5dabbd25b890756e38d01e98a168600

MD5 hash:

87f712a598d9918221714f94a3884e7e

SHA1 hash:

aab01cf575f1b9b105b293b838e4e84865ab4a10

Link:

https://www.unpac.me/results/ff63601d-c805-4cfb-8e3e-f7a2c225f7dc/

SH256 hash:

2cc931d9ba95d8bd2daea724ffd7cdeb239f298336f32c4640465b8982cf5874

MD5 hash:

5fc0555e5eb07c5924705eab1a94fb29

SHA1 hash:

30c2d08b9239c1e6371b52dabf2f6f3547b9912a

Link:

https://www.unpac.me/results/ff63601d-c805-4cfb-8e3e-f7a2c225f7dc/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2cc931d9ba95d8bd2daea724ffd7cdeb239f298336f32c4640465b8982cf5874

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	redline_stealer Create hunting rule
Author:	jeFF0Falltrades
Description:	This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/185344/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample