MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2cd29b8b5c71f0f7df5dd0bcedbb134977d9c6269861dddd65db1db203194c08. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13

Intelligence 13 IOCs 1 YARA 4 File information Comments

SHA256 hash:	2cd29b8b5c71f0f7df5dd0bcedbb134977d9c6269861dddd65db1db203194c08
SHA3-384 hash:	3e1dda4ec4207cce4a24dc6d68b14837c29461fd0988ba4032b12ddded0d9d007e57d1f541a17886b95075311a9952dd
SHA1 hash:	eb20b1fa9218955d0cbe776a9e234c058f3b071c
MD5 hash:	ac4e5863b0aa232a92e93de5c774353d
humanhash:	shade-twelve-quiet-freddie
File name:	ac4e5863b0aa232a92e93de5c774353d.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	4'395'520 bytes
First seen:	2021-12-22 07:10:22 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e48cc266501c282987b27f2c1f654e2d (52 x RedLineStealer, 3 x RaccoonStealer)
ssdeep	98304:iKsTRDViy+Jgp0YDwjjTxoLx7W+UloO0r7TGjnJr99nPWUO7dFriTPQZ:l2RJWJgp0YDwjvi9GdITWnJr9MUO58T+
Threatray	151 similar samples on MalwareBazaar
TLSH	T1BD16337CE98CF315E117AEB41189E785E35FA0B40FECA8376061B6E305B4026D5FB8A5
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
5.206.227.27:65531

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
5.206.227.27:65531	https://threatfox.abuse.ch/ioc/279899/

Intelligence

File Origin

# of uploads :

# of downloads :

183

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

ac4e5863b0aa232a92e93de5c774353d.exe

Verdict:

Malicious activity

Analysis date:

2021-12-22 07:14:42 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/d30c89ad-51aa-42c0-84fd-561080a88d70

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/215745/

Detection(s):

PUA.Win.Packer.Asprotect-3

Win.Malware.Fragtor-9916737-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Launching a process

Launching the default Windows debugger (dwwin.exe)

Sending a custom TCP request

Searching for the window

Creating a window

Using the Windows Management Instrumentation requests

Reading critical registry keys

Сreating synchronization primitives

Sending an HTTP GET request

Creating a file in the %temp% directory

Creating a process from a recently created file

Creating a file

Running batch commands

Creating a process with a hidden window

Stealing user critical data

Unauthorized injection to a recently created process

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/2914/overview

Behaviour

MalwareBazaar

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/61c2cf884ab5c44cbf4c68c8/reports/9a10f2fe-8dfa-47cc-9c86-a72dae62d389/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fd068c0c-2d84-4e60-a5e1-0d0b98603a18

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/911394

Signature

Allocates memory in foreign processes

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file has nameless sections

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2cd29b8b5c71f0f7df5dd0bcedbb134977d9c6269861dddd65db1db203194c08/

Threat name:

ByteCode-MSIL.Infostealer.Convagent

Status:

Malicious

First seen:

2021-12-19 07:49:53 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

27 of 43 (62.79%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ftjjxc24ohyppx252c6o3oytjf35trrgtbq53xlf3mo3eayzjqea._file

Verdict:

malicious

RedLineStealer

38a2144651bd3980612f92a1cd2308adf10dd630d618ee05232bf1a8cf76444c

RedLineStealer

44d3715b74d4162d3407fc4dcff4dbd67eb390452700cd2628a63399cd39979d

RedLineStealer

5285ffebc00e0e75efcb1944329d1708d658eb5b4e5928d191323d933a3673e4

RedLineStealer

8a76fd10a479dbf5bb5d60f6ef949641d2ef4f1262a6d9dd273cf93b7be934b3

RedLineStealer

8e7d62f065db87ae8a824816af5447845b4f1fdd02d97f759f251f0e1254f5c3

RedLineStealer

c0efa247a497b4d9d721d0f54e30e44007c5e53882cf822ade5c3b8f9dd6bbaf

RedLineStealer

c4e9742a6a418ee7366c594a4f1206d468f6147792407fcd9ac6b452369d88bb

RedLineStealer

cf48264ec1ae636f92543b873e455d9c56a8c1f274746caa6357aaccf1b42096

RedLineStealer

+ 141 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/211222-hzyceafag4/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Unpacked files

SH256 hash:

4d8a3d6184855b8336db77b9b6ba02cd3936a91ba8553c89ff939e6c52683329

MD5 hash:

d117ec3d224a39ae6e14bdc7831bfb2c

SHA1 hash:

25957ee4a5c9f361955ec7889439f03ece3c9cb8

Link:

https://www.unpac.me/results/59c686a0-ff2e-495e-aa76-09b27d53a4d4/

SH256 hash:

2cd29b8b5c71f0f7df5dd0bcedbb134977d9c6269861dddd65db1db203194c08

MD5 hash:

ac4e5863b0aa232a92e93de5c774353d

SHA1 hash:

eb20b1fa9218955d0cbe776a9e234c058f3b071c

Link:

https://www.unpac.me/results/59c686a0-ff2e-495e-aa76-09b27d53a4d4/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/2cd29b8b5c71/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2cd29b8b5c71f0f7df5dd0bcedbb134977d9c6269861dddd65db1db203194c08

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/215745/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample