MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ceabdcc9091f0a803a1d385d2dfd16eeb775cd5405f4cfe597f7088012119c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 1 File information Comments

SHA256 hash:	2ceabdcc9091f0a803a1d385d2dfd16eeb775cd5405f4cfe597f7088012119c8
SHA3-384 hash:	d875ded147b7816683edac2af84dfa96581c4560d178ae03130620b9f275480696e10be08630f58067aedee495f18988
SHA1 hash:	ea31d30a63c8b5f13794a9f909750097ec058a83
MD5 hash:	d34a030513f91e8f08223996fbaefaf1
humanhash:	video-fish-red-dakota
File name:	2ceabdcc9091f0a803a1d385d2dfd16eeb775cd5405f4.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	449'024 bytes
First seen:	2022-01-05 12:21:04 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	62bfdc2e0e8d6afb3b408569163b2244 (3 x Smoke Loader, 2 x RedLineStealer)
ssdeep	6144:5Ewdrgu1nRyn2rrF9T5cwj6KILD+4bzoaxz7epUuzbgwuyr7ITsqNNb0:TdZ1RUmFbBG7iytx2KunnP7Q2
Threatray	3'990 similar samples on MalwareBazaar
TLSH	T170A4D0F17599FC31D1637A3084359AA55E3AB811E520514B32742BAE2F32ECC7AE731E
File icon (PE):
dhash icon	a1bcdcac9c8cb4a4 (6 x RedLineStealer, 4 x DanaBot, 3 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
185.151.240.132:33087

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
185.151.240.132:33087	https://threatfox.abuse.ch/ioc/290926/

Intelligence

File Origin

# of uploads :

# of downloads :

229

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

2ceabdcc9091f0a803a1d385d2dfd16eeb775cd5405f4.exe

Verdict:

Malicious activity

Analysis date:

2022-01-05 12:23:14 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/b8fb06c3-80d0-4a84-849a-a346c6235b4d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/217439/

Detection(s):

Win.Dropper.Tofsee-9919472-0

Win.Dropper.Lockbit-9919572-0

Win.Malware.Stopcrypt-9933337-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Creating a window

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Stealing user critical data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware tofsee

Link:

https://www.filescan.io/uploads/61d58d6e92bdc4b4078059a5/reports/6439d547-870d-4a7c-860a-b6fc0d87d6e6/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/93ebdacb-3a58-4ec1-b08d-98a261cfbea2

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/915802

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2ceabdcc9091f0a803a1d385d2dfd16eeb775cd5405f4cfe597f7088012119c8/

Threat name:

Win32.Trojan.Raccrypt

Status:

Malicious

First seen:

2022-01-05 12:22:12 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 28 (89.29%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ftvl3teqshykqa5b2oc5fx6rn3vxoxgvibpuz7szp5yiqajbdhea._file

Verdict:

malicious

RedLineStealer

7c1c287f9ce0d8d90c95851781ff2732780177f6c1affecc9eed376436981112

RedLineStealer

bc73acdb022ef13011594053334948517f80755f3cc7dc28c0f3dc88da7b70e3

RedLineStealer

d147f74b457cd669430ad9508c5aded7437ce700694e461d10a55215ccb37714

RedLineStealer

dbc317c10477f446b4cea04fd74c7747cb92051b538f3e8a9002292ad85d3cf1

RedLineStealer

f4128b1298fd05caadb8c40c93588c09c4f636b997afd88f35a9898ceaf6d2e8

RedLineStealer

+ 3'980 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery spyware stealer

Link:

https://tria.ge/reports/220105-pjw8qsacg5/

Behaviour

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

78cbc34008c90efb90a1df249d4566be7c7da1dda42e55b5bb20eba6d230aff4

MD5 hash:

594e7b894d49c611fbfc1bf6fd7a0b16

SHA1 hash:

fdea39770815b3d237dc880857b32a0f9fb2fe68

Link:

https://www.unpac.me/results/13f9d3ab-0304-4b56-a99e-1453ba518a97/

SH256 hash:

8e96b470349c00969cce3ff60f70198deb8f9e376177d137a312bf16f94152a0

MD5 hash:

022144cf31358ced018c6f5fbf7b126d

SHA1 hash:

f6c9c472ee98f939d07e692e0420aa64d1683985

Link:

https://www.unpac.me/results/13f9d3ab-0304-4b56-a99e-1453ba518a97/

SH256 hash:

e9c33209738b21cf8b4887d22702a529bbee9bd697a26657ca6f0e21edde6271

MD5 hash:

00da6701e29fc7186c1721272ed46d99

SHA1 hash:

61806de49e84e538c4b8bb4e7d4edeb437f20344

Link:

https://www.unpac.me/results/13f9d3ab-0304-4b56-a99e-1453ba518a97/

SH256 hash:

2ceabdcc9091f0a803a1d385d2dfd16eeb775cd5405f4cfe597f7088012119c8

MD5 hash:

d34a030513f91e8f08223996fbaefaf1

SHA1 hash:

ea31d30a63c8b5f13794a9f909750097ec058a83

Link:

https://www.unpac.me/results/13f9d3ab-0304-4b56-a99e-1453ba518a97/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2ceabdcc9091f0a803a1d385d2dfd16eeb775cd5405f4cfe597f7088012119c8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/217439/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample