MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 67b77b8b46f24dd2ec3f49d51f4f6e29f9656035a163f7c669db76e338bcf421. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 3 File information Comments

SHA256 hash:	67b77b8b46f24dd2ec3f49d51f4f6e29f9656035a163f7c669db76e338bcf421
SHA3-384 hash:	14da0315d1688be8e7246bac7b49439f06fd1ba83160ba2ad445199bd2a80372dd22ceb634f7f2c78fab09c6a4f3ef80
SHA1 hash:	2daa380e719796160e4ef68ecc50060ed59082ab
MD5 hash:	a3075c8f7597d753731f19e4678fbf39
humanhash:	asparagus-hamper-edward-lamp
File name:	a3075c8f7597d753731f19e4678fbf39.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	562'688 bytes
First seen:	2022-02-17 07:40:46 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	445554923421947cbff896012e27345a (301 x RedLineStealer, 11 x RaccoonStealer, 5 x CoinMiner)
ssdeep	12288:1l3DYeINFH8FozAqtz+C+EH3dzQS03ULaHNqrxlKIQNo8stw3C4r7OXo:1lDYr/H8FozAWz+C+GdzkEaHNYK3kwX5
Threatray	1'329 similar samples on MalwareBazaar
TLSH	T175C4239881DDE66AC5CE5BF8FF18E8C5CF786640B4B06C91E621CD122824110FBBADF5
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
185.215.113.41:15912

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
185.215.113.41:15912	https://threatfox.abuse.ch/ioc/388265/

Intelligence

File Origin

# of uploads :

# of downloads :

231

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

CozyModMenu.exe

Verdict:

Malicious activity

Analysis date:

2022-02-14 18:42:00 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/dd4ede55-aa4a-4743-9d62-d17749a1be08

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/242186/

Detection(s):

PUA.Win.Packer.Asprotect-3

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Using the Windows Management Instrumentation requests

Creating a window

Reading critical registry keys

Creating a file

Sending a TCP request to an infection source

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/620dfc1aac8ad0468b4a98b4/reports/9e410a75-d847-4201-9f87-3e48e539bde4/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/75804694-678a-4eb9-8ba9-a3d7b735c539

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/941425

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found malware configuration

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

PE file has nameless sections

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/67b77b8b46f24dd2ec3f49d51f4f6e29f9656035a163f7c669db76e338bcf421/

Threat name:

Win32.Trojan.RedLineStealer

Status:

Malicious

First seen:

2022-02-14 21:29:03 UTC

File Type:

PE (Exe)

AV detection:

29 of 43 (67.44%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=m63xxc2g6jg5f3b7jhkr6t3ofh4wkybvufr7prtj3n3ogof46qqq._file

Verdict:

malicious

RedLineStealer

173b56d49f816c4035c5bdf6d97113345605cc758bf0062932f31ee80b751ee6

RedLineStealer

6e60006ac8af12483aee2b0f6bcf0a963a0423b494b55f56ad51bfc9b3a3bd71

RedLineStealer

77fcb4636a483ee37fdb9b76a082b64a1338c8d4c45a8a77e91791e475e6d9fa

RedLineStealer

c57ec94c7fed128887694b07d817af02c2d19aac98d8d1fbd4004a8accee4ee5

RedLineStealer

d18fcd892cfdce30de3d7ff4f594ffac1e28867905f94afd586c6fff83b63457

RedLineStealer

d37f2546cea1ed8a8f85d1f6274f7a59869ded7f56ecc6af9c123dd76fd10d70

RedLineStealer

f1a11f00ce1ff509fa6039cc1ecc147f6f4e83d15d9c27f6a2a97da78c0512ba

RedLineStealer

f4036a8affaa6f227d3fce3a98b5b9bb752cd434f04587ea4105c58fc96404e2

RedLineStealer

+ 1'319 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

n/a

Link:

https://tria.ge/reports/220217-jh493aafh9/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Drops file in Windows directory

Suspicious use of NtCreateProcessExOtherParentProcess

Unpacked files

SH256 hash:

8ef86645b9da8ea43958d8aef0b3818234228283067c2d19c2cb62fd93b144ef

MD5 hash:

32bee4bc61bac56d0cc54ac29bdb03e6

SHA1 hash:

6f17b0bc3052fff6134f569f74c8a45f6dd25ebd

Link:

https://www.unpac.me/results/b55f6cd5-b4aa-4ae9-83e7-ade9bcbafb4a/

SH256 hash:

90afc876531000ddc1409e45e565266495f6eaaea6076e159cb37a866cc0448f

MD5 hash:

5e65aadaa77291bfe9f6f60934376ca0

SHA1 hash:

49d926f54835292d35f7fa5170d5a1af66d576b3

Link:

https://www.unpac.me/results/b55f6cd5-b4aa-4ae9-83e7-ade9bcbafb4a/

SH256 hash:

67b77b8b46f24dd2ec3f49d51f4f6e29f9656035a163f7c669db76e338bcf421

MD5 hash:

a3075c8f7597d753731f19e4678fbf39

SHA1 hash:

2daa380e719796160e4ef68ecc50060ed59082ab

Link:

https://www.unpac.me/results/b55f6cd5-b4aa-4ae9-83e7-ade9bcbafb4a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/67b77b8b46f24dd2ec3f49d51f4f6e29f9656035a163f7c669db76e338bcf421

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/242186/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample