MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5dd943c56508689ccf31338d5b04b91176f29005cf98258f3a161fa01c7cf3a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5dd943c56508689ccf31338d5b04b91176f29005cf98258f3a161fa01c7cf3a3
SHA3-384 hash: 29a9209901d58ea4cf0a97cfee897c0177f7f46f749a6efbd7c69b38c10d55f594939f8256a272302549cdbee5191984
SHA1 hash: 372b23a8cd577e394775313d16e2a1f18a4a328d
MD5 hash: 25a2beef2f2e7eca936297350d01b299
humanhash: nine-quiet-vermont-oklahoma
File name:IcePick.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'571'784 bytes
First seen:2021-10-31 07:46:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 94e2b0572ac9e87d08b3c525a2cff4f7 (16 x RedLineStealer, 4 x RaccoonStealer, 2 x ArkeiStealer)
ssdeep 24576:GId2ZvuYcBFIvZQ2412UxOvcutO0jEhqJhMexXmjsCvhji0UrEhAyCLMjk+xvI:tyuevZ0Oln4hYjQwN0UI2ojk4A
Threatray 385 similar samples on MalwareBazaar
TLSH T1467533AAFD190DD2C9EDC83E94FB0B4BEDF01C82461467BAA41E45F3334554E8993786
Reporter Anonymous
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
268
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://mega.nz/file/sgwRGYKS#weqAxsNAPdYW2IrYhZnmIZ0fvQGI-l-ETj7HLBYASyU
Verdict:
Malicious activity
Analysis date:
2021-10-31 02:03:42 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/a94685b1-177b-418c-86a1-a54a40ccd097

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Clean
Maliciousness:
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/996b6680-a281-4273-a20c-c93f0d68a009
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/879969
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 512403 Sample: IcePick.exe Startdate: 31/10/2021 Architecture: WINDOWS Score: 100 35 youbotter.click 2->35 53 Found malware configuration 2->53 55 Antivirus detection for URL or domain 2->55 57 Multi AV Scanner detection for submitted file 2->57 59 3 other signatures 2->59 8 IcePick.exe 2->8         started        11 bghost.exe 2->11         started        14 bghost.exe 2->14         started        signatures3 process4 dnsIp5 61 Query firmware table information (likely to detect VMs) 8->61 63 Tries to detect sandboxes and other dynamic analysis tools (window names) 8->63 65 Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION 8->65 67 4 other signatures 8->67 16 AppLaunch.exe 15 7 8->16         started        21 WerFault.exe 23 9 8->21         started        41 youbotter.click 11->41 43 youbotter.click 14->43 signatures6 process7 dnsIp8 31 185.255.133.25, 18225, 49750 SUPERSERVERSDATACENTERRU Russian Federation 16->31 33 duiwqyue.digital 172.67.146.142, 443, 49755 CLOUDFLARENETUS United States 16->33 27 C:\Users\user\AppData\Local\Temp\bghost.exe, PE32+ 16->27 dropped 45 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 16->45 47 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 16->47 49 Tries to harvest and steal browser information (history, passwords, etc) 16->49 51 Tries to steal Crypto Currency Wallets 16->51 23 bghost.exe 1 1 16->23         started        29 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 21->29 dropped file9 signatures10 process11 dnsIp12 37 youbotter.click 167.71.28.113, 49757, 49758, 49759 DIGITALOCEAN-ASNUS United States 23->37 39 192.168.2.1 unknown unknown 23->39 69 Antivirus detection for dropped file 23->69 71 Multi AV Scanner detection for dropped file 23->71 73 Machine Learning detection for dropped file 23->73 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5dd943c56508689ccf31338d5b04b91176f29005cf98258f3a161fa01c7cf3a3/
Threat name:
ByteCode-MSIL.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2021-10-31 07:37:34 UTC
AV detection:
9 of 44 (20.45%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0c73474ceb5c96ff4c0231b9d542d65c1d78b82de926bbfd4413d81684d78e58
RedLineStealer
13f9f1b052c5d540b5dfa64f9eafcb962163d3649d222bbb8690182741622420
RedLineStealer
28f5fa7118d4f1866643d781c3fee5cb4507f3d268c263ef40551d527da2c330
RedLineStealer
3e6ecd9dc9ec4d42be5fdca7c55931fa9f835f3f634ee9f707ed7b1a102e9f7d
RedLineStealer
48f9b4bc2bf75c03449857ff0d6b47c35ab97ed8ba444890ccdd4128d9ae1027
RedLineStealer
9a1f36511ec56cbf0cf30080cdc11d8f261823079838cedd5ce0e6391ec815ef
RedLineStealer
bc2cce5055f9411c04edeee699d7161c257574b4c5540351b647d8a52de9540c
RedLineStealer
bff3d8677d0c866b3fa47a2176ba05c9ae03cc215794896f2ef922a1aa037097
RedLineStealer
dd75325c7035eee20647ca9d5a101167165d2dba88f6bf54a7afc50c276aba90
RedLineStealer
+ 375 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:onyxx0.1 evasion infostealer spyware trojan
Link:
https://tria.ge/reports/211031-jmj5pacecq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
Checks BIOS information in registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RedLine
RedLine Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
185.255.133.25:18225
Unpacked files
SH256 hash:
cdd391bb6aca05fb6b4f771e4f3c28fe5f8b46b6d991fdf25eeb0ad395ec23cf
MD5 hash:
30c1cfb862c120fbb5296530e7da8679
SHA1 hash:
7491d4a0595c156b4f72bb799e8ce4efd7d6470c
Link:
https://www.unpac.me/results/b104a60b-37cf-4a1b-a88d-cc8e5e224602/
SH256 hash:
5dd943c56508689ccf31338d5b04b91176f29005cf98258f3a161fa01c7cf3a3
MD5 hash:
25a2beef2f2e7eca936297350d01b299
SHA1 hash:
372b23a8cd577e394775313d16e2a1f18a4a328d
Link:
https://www.unpac.me/results/b104a60b-37cf-4a1b-a88d-cc8e5e224602/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/5dd943c56508/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/5dd943c56508689ccf31338d5b04b91176f29005cf98258f3a161fa01c7cf3a3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments