MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 322e2172b60d694797e91a98109d97e2b167953bb82f8f0b007b159351f8350e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs 3 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 322e2172b60d694797e91a98109d97e2b167953bb82f8f0b007b159351f8350e
SHA3-384 hash: d5fb2ff88b5afd41140505b2d7b33a0f7c4c3193fdde3953f592e8fa318050b9298ea0db319da69758f572b46b468695
SHA1 hash: 5bb867da154f957ae4f0f59cc7df348210438762
MD5 hash: f62b83e691c6723990cadfd22d20cb68
humanhash: ten-alpha-johnny-kansas
File name:322e2172b60d694797e91a98109d97e2b167953bb82f8.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:291'328 bytes
First seen:2021-08-08 16:30:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 742e6f89721f9cdb5e5779dfcb30ce2f (6 x RaccoonStealer, 2 x RedLineStealer, 1 x DanaBot)
ssdeep 6144:tYvav4ebMYAZdqV4893oh/zTrRgxhzjTwa/RxJg:tEav0IV48FohrR0TY
Threatray 3'880 similar samples on MalwareBazaar
TLSH T17154E1213A40DD72F1533D3458E9EBA456BAEDA0DB20C247B798376E2E313D0573539A
dhash icon b2e0dc3cecd8e20c (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
http://gc-prtnrs.top/decision.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://gc-prtnrs.top/decision.php https://threatfox.abuse.ch/ioc/166045/
http://gc-prtnrs.top/dlc/distribution.php https://threatfox.abuse.ch/ioc/166046/
http://gc-prtnrs.top/stats/remember.php https://threatfox.abuse.ch/ioc/166047/

Intelligence

File Origin
# of uploads :
1
# of downloads :
181
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
322e2172b60d694797e91a98109d97e2b167953bb82f8.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-08 16:33:56 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8e0b9214-ae8e-4ef8-b013-f9890bd9ea80

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/177287/
Detection(s):
Win.Malware.Fragtor-9884245-0
Create hunting rule

Win.Malware.Fragtor-9884342-0
Create hunting rule

Win.Malware.Generic-9884468-0
Create hunting rule

Win.Packed.Generic-9884519-0
Create hunting rule

Win.Packed.Generic-9884525-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dbc61b4e-4c7e-4101-99a5-b354976101db
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/828851
Signature
Country aware sample found (crashes after keyboard check)
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 461283 Sample: 322e2172b60d694797e91a98109... Startdate: 08/08/2021 Architecture: WINDOWS Score: 68 24 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->24 26 Multi AV Scanner detection for domain / URL 2->26 28 Multi AV Scanner detection for submitted file 2->28 30 2 other signatures 2->30 7 322e2172b60d694797e91a98109d97e2b167953bb82f8.exe 2 2->7         started        process3 dnsIp4 22 gc-prtnrs.top 95.181.179.21, 49726, 80 NEOHOST-ASUA Russian Federation 7->22 10 cmd.exe 1 7->10         started        12 WerFault.exe 9 7->12         started        14 WerFault.exe 9 7->14         started        16 4 other processes 7->16 process5 process6 18 taskkill.exe 1 10->18         started        20 conhost.exe 10->20         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/322e2172b60d694797e91a98109d97e2b167953bb82f8f0b007b159351f8350e/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-08-08 05:33:51 UTC
AV detection:
34 of 46 (73.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gixcc4vwbvuupf7jdkmbbhmx4kywpfj3xaxy6cyapmkzgupyguha._file
Verdict:
unknown
Similar samples:
34cfa360c2efd052e71a29f2091723206cf2a74dc87c64b1d617e822f69b7180
RedLineStealer
4df50c6d6d188c3413bdba53851cbeea7b281b92b0d5341c021a65912395fa5b
RedLineStealer
538a92c3c9e3f3ee0704bde1009188520dc54a840f3a97832dc5b9f8de2545b0
RedLineStealer
63d9527d69c228772ebadb63c1e74d7d0702acac52357fcea08ec5a408ca0453
RedLineStealer
b8338eda2c7390860da3bd4a37104b409235131406d9b4d30a78b5d4189cf317
RedLineStealer
c49db28c90989f14866faa6781fc5e6531c8a63d3c3f3d245b4c4d752ce5ebf0
RedLineStealer
d72dd5663947fc7e1bd8903030b3e2fd551d8d938fdc6417d8513a1c4cc49702
RedLineStealer
+ 3'870 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
suricata
Link:
https://tria.ge/reports/210808-k8qst8pqes/
Behaviour
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Deletes itself
Suspicious use of NtCreateProcessExOtherParentProcess
suricata: ET MALWARE GCleaner Downloader Activity M1
Unpacked files
SH256 hash:
0f78cd04b2b68447a7950b0c664ce6bdbfd915a72a7f74bda907f8fcce43c2f2
MD5 hash:
a704fcc25c1ff232bb1af663b8906ace
SHA1 hash:
8884ef35cbce8a6635475192e40a34253b40eca8
Link:
https://www.unpac.me/results/a8b5e5b3-b7c5-47a3-a6cb-97d46961b91b/
SH256 hash:
322e2172b60d694797e91a98109d97e2b167953bb82f8f0b007b159351f8350e
MD5 hash:
f62b83e691c6723990cadfd22d20cb68
SHA1 hash:
5bb867da154f957ae4f0f59cc7df348210438762
Link:
https://www.unpac.me/results/a8b5e5b3-b7c5-47a3-a6cb-97d46961b91b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/322e2172b60d694797e91a98109d97e2b167953bb82f8f0b007b159351f8350e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_XORed_Mozilla
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/177287/

Comments