MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2f6cf61ca279ab22095de51cde942554b9aa1b481d5237f79fa5990ccbf5121e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2f6cf61ca279ab22095de51cde942554b9aa1b481d5237f79fa5990ccbf5121e
SHA3-384 hash: 0d89c54b000c7a3c656f17c92ce8d091a7d8812d6bf50034b1aa2290efd9bf7a2615a39c1d033d5c09cc914ee01db4bb
SHA1 hash: f163ec0a389cb2698619b4bd8c9482a88a527b4a
MD5 hash: 41072e1f2ef020cedb12fd2e12c6301e
humanhash: xray-music-south-nitrogen
File name:41072e1f2ef020cedb12fd2e12c6301e.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'840'744 bytes
First seen:2022-05-07 13:26:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e9626794517ae5f9ef503b6366d80781 (5 x RedLineStealer)
ssdeep 49152:nZmWfs0p0jbkjpXtnkq5oc7z+ViK0gd1r5+kL:nUw0fkjpXtnk0T7z+wVIp5h
Threatray 384 similar samples on MalwareBazaar
TLSH T14E85C0D38742400BF162643B802E6E6D75731A3157CFF8B777899BE9971B2D0A628B13
TrID 28.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
25.5% (.EXE) Win32 Executable (generic) (4505/5/1)
11.7% (.EXE) Win16/32 Executable Delphi generic (2072/23)
11.4% (.EXE) OS/2 Executable (generic) (2029/13)
11.3% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
212.192.241.119:27367

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
212.192.241.119:27367 https://threatfox.abuse.ch/ioc/548761/

Intelligence

File Origin
# of uploads :
1
# of downloads :
265
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
41072e1f2ef020cedb12fd2e12c6301e.exe
Verdict:
Malicious activity
Analysis date:
2022-05-07 13:28:04 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/60641340-e46f-4d71-9a6c-7e36202d7d19

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/269244/
Detection(s):
Win.Packed.Sabsik-9945155-0
Create hunting rule

Win.Packed.Generic-9948526-0
Create hunting rule

Win.Packed.Fragtor-9949368-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Modifying an executable file
Creating a process with a hidden window
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/16618/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm control.exe CVE-2015-2546 exploit greyware overlay packed yakes
Link:
https://www.filescan.io/uploads/627673babe0219041a7b2dac/reports/6a9f38e7-83c2-4f66-b159-812909fabb51/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/31e3ac8c-af2c-4d8f-9134-2ecc95f76d55
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/989493
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
DLL side loading technique detected
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Add file from suspicious location to autostart registry
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 621989 Sample: WEsJ9FAJc3.exe Startdate: 07/05/2022 Architecture: WINDOWS Score: 100 52 Snort IDS alert for network traffic 2->52 54 Found malware configuration 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 8 other signatures 2->58 10 WEsJ9FAJc3.exe 1 2->10         started        process3 signatures4 70 Writes to foreign memory regions 10->70 72 Allocates memory in foreign processes 10->72 74 Injects a PE file into a foreign processes 10->74 13 AppLaunch.exe 15 7 10->13         started        18 conhost.exe 10->18         started        process5 dnsIp6 48 212.192.241.119, 27367, 49752 RAPMSB-ASRU Russian Federation 13->48 50 accurateinnovations.co.bw 5.100.152.127, 443, 49756 PUBLIC-DOMAIN-REGISTRYUS United Kingdom 13->50 42 C:\Users\user\AppData\Local\...\anusskita.exe, PE32 13->42 dropped 76 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 13->76 78 May check the online IP address of the machine 13->78 80 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 13->80 82 4 other signatures 13->82 20 anusskita.exe 1 13->20         started        file7 signatures8 process9 signatures10 60 Antivirus detection for dropped file 20->60 62 Multi AV Scanner detection for dropped file 20->62 64 Query firmware table information (likely to detect VMs) 20->64 66 5 other signatures 20->66 23 AppLaunch.exe 20 20->23         started        28 conhost.exe 20->28         started        process11 dnsIp12 44 api.telegram.org 149.154.167.220, 443, 49770, 49771 TELEGRAMRU United Kingdom 23->44 46 ipinfo.io 34.117.59.81, 49769, 80 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 23->46 38 C:\Users\user\AppData\Local\...\OneDrive.exe, PE32+ 23->38 dropped 40 C:\Users\user\AppData\Local\...\Secur32.dll, PE32+ 23->40 dropped 68 Uses cmd line tools excessively to alter registry or file data 23->68 30 reg.exe 1 1 23->30         started        32 reg.exe 1 1 23->32         started        file13 signatures14 process15 process16 34 conhost.exe 30->34         started        36 conhost.exe 32->36         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2f6cf61ca279ab22095de51cde942554b9aa1b481d5237f79fa5990ccbf5121e/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2022-05-07 13:27:08 UTC
File Type:
PE (Exe)
AV detection:
25 of 36 (69.44%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=f5wpmhfcpgvseck54uon5fbfks42ug2idvjdp547uwmqzs7vcipa._file
Verdict:
malicious
Similar samples:
08ff371dff7eb8283c675a14af2477eede676756cdd4d2252ee7239140445ec9
RedLineStealer
1660fa277deb0f1afcd706189ecca08930050458121c2a2f42f2dcdeb1cf9c29
RedLineStealer
28432c6b761d9a0d6d3a80cbeda9b6f745cf55b5a2c234737afe493d1ff11158
RedLineStealer
63d5524d7a7e198dde291df94f3c8ad57d82afcc9d0d14ec085d9b7453792e07
RedLineStealer
73872c3c2ba2f4e09a18b0e0b3e00419b302781a83206512da39c28ae2e35fcc
RedLineStealer
9c8314de1486634c7612198f144f80cba26a2f79a65b657b6f17af33491c0998
RedLineStealer
b6a3b9630a6ed8f626b7fdc083c73a03c57923c1055314bacaa49031c5fa6ae3
RedLineStealer
+ 374 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:1471 evasion infostealer spyware trojan
Link:
https://tria.ge/reports/220507-qp3hdacdh8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
Checks BIOS information in registry
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RedLine
RedLine Payload
Malware Config
C2 Extraction:
212.192.241.119:27367
Unpacked files
SH256 hash:
5c1edc50e97242e8b01279c3a840745256d92452c4676b2b083e6b1ad2eb1c14
MD5 hash:
3514c737c89b8e221d2991dc269ea0b4
SHA1 hash:
939e6a663636a7517737d5273fc9bb9df1518dcc
Link:
https://www.unpac.me/results/29b5ecda-32db-4494-b065-1d9c39f50b62/
SH256 hash:
2f6cf61ca279ab22095de51cde942554b9aa1b481d5237f79fa5990ccbf5121e
MD5 hash:
41072e1f2ef020cedb12fd2e12c6301e
SHA1 hash:
f163ec0a389cb2698619b4bd8c9482a88a527b4a
Link:
https://www.unpac.me/results/29b5ecda-32db-4494-b065-1d9c39f50b62/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2f6cf61ca279/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2f6cf61ca279ab22095de51cde942554b9aa1b481d5237f79fa5990ccbf5121e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/269244/

Comments