MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4bcc6de7810aa681f8b770e9b3e7ce2aeace7d59165ba534d34e70f12ecec70f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13

Intelligence 13 IOCs 1 YARA 1 File information Comments

SHA256 hash:	4bcc6de7810aa681f8b770e9b3e7ce2aeace7d59165ba534d34e70f12ecec70f
SHA3-384 hash:	8d32dd8673924928302ba68af7b9aad5743726278722ebca0062efaf41f42569f4b45c2d331e0e4eeb7ae31109704539
SHA1 hash:	1d71c59add2766ad7babf474efe9de5ad32b2a0c
MD5 hash:	1003e8117d9261a42fd229fdbf7cf754
humanhash:	october-iowa-tennis-don
File name:	4bcc6de7810aa681f8b770e9b3e7ce2aeace7d59165ba.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	418'304 bytes
First seen:	2022-01-19 18:17:39 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b599c41ba6f3d2fcbb28babbce596599 (10 x RedLineStealer, 3 x RaccoonStealer, 1 x OnlyLogger)
ssdeep	6144:RdNofxccfq1U63z49Ww1KDTvW9m0drY7A:DGfxccyU63zE1KDT+9/drY0
Threatray	4'422 similar samples on MalwareBazaar
TLSH	T13194E0313590C831C3D666314865DFA5DA7DBC304EA18A5733A83BAE2F613F0A66539F
File icon (PE):
dhash icon	fcfcb4b4b4b4d9c9 (1 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
45.9.20.111:1355

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
45.9.20.111:1355	https://threatfox.abuse.ch/ioc/303028/

Intelligence

File Origin

# of uploads :

# of downloads :

202

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

4bcc6de7810aa681f8b770e9b3e7ce2aeace7d59165ba.exe

Verdict:

Malicious activity

Analysis date:

2022-01-20 03:46:17 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/6615b114-306d-4db4-b8c8-a7eea3508010

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/220757/

Detection(s):

Win.Trojan.Generic-9935605-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

DNS request

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Creating a window

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Stealing user critical data

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/4774/overview

Behaviour

MalwareBazaar

SystemUptime

CPUID_Instruction

MeasuringTime

EvasionGetTickCount

CheckCmdLine

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware

Link:

https://www.filescan.io/uploads/61e855e8d32385db6309e305/reports/b1834b9b-d6c7-4b83-b8c0-5b605268224c/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0aac3d09-285e-4ce9-ad1a-3d7961184c2c

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/923744

Signature

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4bcc6de7810aa681f8b770e9b3e7ce2aeace7d59165ba534d34e70f12ecec70f/

Threat name:

Win32.Trojan.Raccrypt

Status:

Malicious

First seen:

2022-01-19 18:18:11 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 28 (78.57%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jpgg3z4bbktid6fxodu3hz6oflvm47kzczn2kngtjzypclwoy4hq._file

Verdict:

malicious

RedLineStealer

2aeae97b66dd8ebfea88b7723e883a6e23c9af62fe567b67f337c330bbaf3a0f

RedLineStealer

560f614418ca04cf5caa6eb9c04f36572fa28fa12aa94a1ed0178305e457a40f

RedLineStealer

87c2869f098859952880ea773440cf19d0177db82b5199d6c1fb80b05119ffb7

RedLineStealer

ac2d71860246343e73f2005e2d2904b03c5b66f68a0f9a5f00f2cde327998d84

RedLineStealer

b0671c01ba85943cc2f01a7442341520d0068fb89c402828f0ae280fab9f8785

RedLineStealer

bfdcfeecf5b9596257de7aa327baedeac2ab806435c69eefba75479227588bcc

RedLineStealer

f694953397988874197ea90c94bd7aba4ee19cd6144739519b8d6f436a7e36d4

RedLineStealer

+ 4'412 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

discovery spyware stealer

Link:

https://tria.ge/reports/220119-wxlsgsccd2/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Checks installed software on the system

Reads user/profile data of web browsers

Suspicious use of NtCreateProcessExOtherParentProcess

Unpacked files

SH256 hash:

772d46367b04b4b033c7829ae1c2db68b6333c32db053ad5e67eb4183a6fb588

MD5 hash:

0902916958b5fc98b781fd451e149077

SHA1 hash:

fc4bf667733d955b2fb7c930ea887ad67dffdd61

Link:

https://www.unpac.me/results/7cd1664c-9d09-400d-bfd0-513aee0403b8/

SH256 hash:

ccf2a17a23a01fe16ea37413010d2d845aac780c9fb534491ef177c0d67016dc

MD5 hash:

4ed3c840e3f554f5f6c0ac741f4e02b4

SHA1 hash:

b775d1fa3fc54de998025bedd9e24d6f76bd5164

Link:

https://www.unpac.me/results/7cd1664c-9d09-400d-bfd0-513aee0403b8/

SH256 hash:

6f1b3f902f153ac2c41b58cd2faed0698993cf6c38b726e8a3112ecde80c7a68

MD5 hash:

afb109167a037d3bc519538a433f4f6b

SHA1 hash:

51a10bbff21cc9e47535368a77032fa31a09e0f1

Link:

https://www.unpac.me/results/7cd1664c-9d09-400d-bfd0-513aee0403b8/

SH256 hash:

4bcc6de7810aa681f8b770e9b3e7ce2aeace7d59165ba534d34e70f12ecec70f

MD5 hash:

1003e8117d9261a42fd229fdbf7cf754

SHA1 hash:

1d71c59add2766ad7babf474efe9de5ad32b2a0c

Link:

https://www.unpac.me/results/7cd1664c-9d09-400d-bfd0-513aee0403b8/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/4bcc6de7810a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4bcc6de7810aa681f8b770e9b3e7ce2aeace7d59165ba534d34e70f12ecec70f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/220757/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample