MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2f2c0dae965f79906d381041877b327bf2828683fa41a013e659d1112512232b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2f2c0dae965f79906d381041877b327bf2828683fa41a013e659d1112512232b
SHA3-384 hash: af11e6bc88a52e3015f01bb0b5ef8e36021c9a8036a86c2190da92960f12ed8cf9192c980d8e1d76b5da21bf8b40936d
SHA1 hash: b21d1a7ee8df2cd3f1578405ff1072ba8c5c5900
MD5 hash: 5816b5bee093950a300f814676b65d3e
humanhash: magnesium-pluto-louisiana-equal
File name:5816b5bee093950a300f814676b65d3e
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:250'368 bytes
First seen:2022-08-01 20:02:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:x2/+dKf9Uvs4gJ151xlAPshhf9mF1z8u44sVbK2n8q:w/IKWvjgJ151xlAPshhf9mF1z8u44sVR
Threatray 1'229 similar samples on MalwareBazaar
TLSH T129344F9C76A076DFC967C576CAA81C64EB6074BB930B9303A06311EDAE0D997DF140F2
TrID 61.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.0% (.SCR) Windows screen saver (13101/52/3)
8.8% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
400
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
http://193.56.146.131/nealxx.exe
Verdict:
Malicious activity
Analysis date:
2022-08-01 20:02:51 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/9cb8aece-0a6f-475a-8115-8db16867b1f7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/295680/
Detection(s):
Win.Packed.Lazy-9958163-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed stealer
Link:
https://www.filescan.io/uploads/62e831b4b7eec65627829234/reports/181ae297-8a9e-4557-b523-53c8519f5756/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e999df38-dd4a-49f4-8e6e-9e7158c04fb9
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1044445
Signature
Antivirus / Scanner detection for submitted sample
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2f2c0dae965f79906d381041877b327bf2828683fa41a013e659d1112512232b/
Threat name:
ByteCode-MSIL.Infostealer.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-07-31 13:19:50 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
26 of 26 (100.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=f4wa3luwl54za3jycbayo6zsppzifbud7ja2ae7glhircjisemvq._file
Verdict:
malicious
Similar samples:
0699ad9d2c1be04e5a335118cab7db196e912bba8b6f0c4fd49a0ade262a5f59
RedLineStealer
13a0b3e462a014b605489df82b082618b64d7292140bbfdbb7b58e683cb80b3b
RedLineStealer
2cbb7e317e749e0f4d7de7fd084f2217ac91bf13eeee072c004dde01b4c39b8f
RedLineStealer
32fe263a8ffc6bc490c545d6394638347164e676a79e537037f8b0c9691194ef
RedLineStealer
34211e5c3790f76a96eb915fc89ec3fd9c179c2138404ba994387dc5903f575c
RedLineStealer
3427583e84dda3d92aab9f9b9050d7cfe9bcb43094acc08f02f0166f310702cc
RedLineStealer
9bc8a9f52041123c3c471dd111a2ce0ee39eaf5e59d7949826d08601a3511f10
RedLineStealer
e7924441cf355557372d5d058eeb30341f9bb4be80f54449ea66b288d183b928
RedLineStealer
+ 1'219 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:nealxx discovery infostealer spyware stealer
Link:
https://tria.ge/reports/220801-ysnsdsged7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine payload
Malware Config
C2 Extraction:
80.66.87.52:2500
Unpacked files
SH256 hash:
927ce05513c908db13337855b518d478bca6a450c90857a576c959c90943fa67
MD5 hash:
b442c65e47e6d7380d2c0bfdd6906a07
SHA1 hash:
6aacd43c702e8c99d85989ece0aa9abf77c805ed
Link:
https://www.unpac.me/results/9a7b4238-7692-4b33-b767-4304689407ff/
SH256 hash:
2f2c0dae965f79906d381041877b327bf2828683fa41a013e659d1112512232b
MD5 hash:
5816b5bee093950a300f814676b65d3e
SHA1 hash:
b21d1a7ee8df2cd3f1578405ff1072ba8c5c5900
Link:
https://www.unpac.me/results/9a7b4238-7692-4b33-b767-4304689407ff/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2f2c0dae965f79906d381041877b327bf2828683fa41a013e659d1112512232b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 2f2c0dae965f79906d381041877b327bf2828683fa41a013e659d1112512232b

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2263719/
Cape
Cape
https://www.capesandbox.com/analysis/295680/

Comments


Avatar
zbet commented on 2022-08-01 20:02:14 UTC

url : hxxp://193.56.146.131/nealxx.exe