MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5cdca77b21c0831877df4e8510074d56319e3080edb43990c4a7c11c85881ef7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5cdca77b21c0831877df4e8510074d56319e3080edb43990c4a7c11c85881ef7
SHA3-384 hash: 6f6ffaed923d9229221d7fcf65e081f3bec6d74dea0390ec1a073014cf073b9be5c70c8b40f66923ee09e83ce59ab924
SHA1 hash: a187dbf643dd906568d4d1d0e6b69616dfc25c3c
MD5 hash: ca440503d2d2b7ae5e849b0910c53566
humanhash: chicken-kansas-violet-harry
File name:Genshin.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'952'696 bytes
First seen:2022-07-26 20:31:32 UTC
Last seen:2022-07-26 21:50:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 81edf760848ebcbb96ad3bd218fd7dfe (2 x RedLineStealer)
ssdeep 49152:gpLTEUbngNfr+wcYMWiDqQ5oVpI/Rz2CO3Inrst1mJKt:0LTHATR18oPwRzT5ntJKt
Threatray 181 similar samples on MalwareBazaar
TLSH T195954BE3512CCF3AF01157F65A0246BAE813B65590F72FBC7DB08728AE662257450F8B
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon b270e2e0c0e070b2 (1 x ArkeiStealer, 1 x RedLineStealer)
Reporter tech_skeech
Tags:exe RedLineStealer signed

Code Signing Certificate

Organisation:chegg.com
Issuer:Amazon
Algorithm:sha256WithRSAEncryption
Valid from:2021-09-05T00:00:00Z
Valid to:2022-10-04T23:59:59Z
Serial number: 0eb4cc85b4ca420e0c1527624ff58308
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 69c43deee3273112057bf728c1efa3b21784e7603ab5fe53e7c0e59a83039c1e
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
350
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/294462/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.61013488.28870.7659.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Launching a process
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/27551/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
EvasionGetTickCount
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed smokeloader
Link:
https://www.filescan.io/uploads/62e04f9eef4d15d9c031983b/reports/39194090-9f84-483a-994b-421381e4fc5c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7c53fb4f-76a1-48ac-9c61-e150eb8837ff
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1041447
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 673941 Sample: Genshin.exe Startdate: 26/07/2022 Architecture: WINDOWS Score: 100 40 Snort IDS alert for network traffic 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 4 other signatures 2->46 8 Genshin.exe 2->8         started        process3 dnsIp4 26 192.168.2.1 unknown unknown 8->26 48 Writes to foreign memory regions 8->48 50 Allocates memory in foreign processes 8->50 52 Injects a PE file into a foreign processes 8->52 12 InstallUtil.exe 15 7 8->12         started        signatures5 process6 dnsIp7 28 193.106.191.106, 26883, 49758 BOSPOR-ASRU Russian Federation 12->28 30 bitbucket.org 104.192.141.1, 443, 49773 AMAZON-02US United States 12->30 32 3 other IPs or domains 12->32 24 C:\Users\user\AppData\Local\...\startix.exe, PE32 12->24 dropped 54 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 12->54 56 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 12->56 58 Tries to harvest and steal browser information (history, passwords, etc) 12->58 60 Tries to steal Crypto Currency Wallets 12->60 17 startix.exe 1 12->17         started        file8 signatures9 process10 signatures11 34 Antivirus detection for dropped file 17->34 36 Writes to foreign memory regions 17->36 38 Injects a PE file into a foreign processes 17->38 20 conhost.exe 17->20         started        22 AppLaunch.exe 17->22         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5cdca77b21c0831877df4e8510074d56319e3080edb43990c4a7c11c85881ef7/
Threat name:
Win32.Trojan.CrypterX
Create hunting rule
Status:
Malicious
First seen:
2022-07-24 23:08:51 UTC
File Type:
PE (Exe)
Extracted files:
43
AV detection:
16 of 40 (40.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ltoko6zbycbrq567j2crab2nkyyz4mea5w2dtegeu7arzbmid33q._file
Verdict:
malicious
Similar samples:
1a410b868da14ae4cbc2cbc68870ffcdc8a060aca06ee3b09bd356b9d27c814b
RedLineStealer
26b026ec1b7075e871d3935fa044dcd51304d261c9f57d9d0c40ae716a0c2c63
RedLineStealer
2cbb7e317e749e0f4d7de7fd084f2217ac91bf13eeee072c004dde01b4c39b8f
RedLineStealer
32fe263a8ffc6bc490c545d6394638347164e676a79e537037f8b0c9691194ef
RedLineStealer
3427583e84dda3d92aab9f9b9050d7cfe9bcb43094acc08f02f0166f310702cc
RedLineStealer
36ac1377c88fb5dd7ffb82c918ee1e07fa75ee2ff50f6ce129e859152bf0dc44
RedLineStealer
45aebea9d7e8dfe9d950cc6cf90b5c6e023bd90ef810d8dfde5c9462c642617a
RedLineStealer
9bc8a9f52041123c3c471dd111a2ce0ee39eaf5e59d7949826d08601a3511f10
RedLineStealer
9d313aa0090d3425564379e7674795b68f050ec6473b1ced106fff220a8749d4
RedLineStealer
ceff984891362aced0814217cae0a2d70980172e0f7a54adcb3c66cd3cd82704
RedLineStealer
+ 171 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:@virusvirus77 infostealer spyware
Link:
https://tria.ge/reports/220726-za9sksdhej/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Downloads MZ/PE file
Executes dropped EXE
RedLine
RedLine payload
Malware Config
C2 Extraction:
193.106.191.106:26883
Unpacked files
SH256 hash:
c8a06794c1da2029c1c42fa78ab6557231092108b0b2f9353b1a759514d80bf0
MD5 hash:
6eef1f0de4ab3a2d08ddb871866f8342
SHA1 hash:
f2315cd42510adcb23d02c30e7ce66dc737aac5c
Link:
https://www.unpac.me/results/690f04a3-de06-4129-b6c5-9e38086dcdb8/
SH256 hash:
4c34937e102d2e297f5ba0811982e64ea8c34414db06740664c30d428fe5ec55
MD5 hash:
1b1a476e0020adc900924a8b18f03fcd
SHA1 hash:
1dfcd10692083e5993f4c34662169fd70884250e
Link:
https://www.unpac.me/results/690f04a3-de06-4129-b6c5-9e38086dcdb8/
SH256 hash:
5cdca77b21c0831877df4e8510074d56319e3080edb43990c4a7c11c85881ef7
MD5 hash:
ca440503d2d2b7ae5e849b0910c53566
SHA1 hash:
a187dbf643dd906568d4d1d0e6b69616dfc25c3c
Link:
https://www.unpac.me/results/690f04a3-de06-4129-b6c5-9e38086dcdb8/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5cdca77b21c0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 5cdca77b21c0831877df4e8510074d56319e3080edb43990c4a7c11c85881ef7

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/294462/

Comments