MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6a302cdb1efa324f9fa2688866f25809ece99319f1ba3025abd50b757a17ddad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 7


Intelligence 7 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6a302cdb1efa324f9fa2688866f25809ece99319f1ba3025abd50b757a17ddad
SHA3-384 hash: f35f694ae6fbd241484b47af5d3fdadc95a41bbff5ff1aed048e5a35cb6bd81517d5f352d4ac68d1efcbb05bfa39afab
SHA1 hash: dbf1d46d963b561751d200fe3ef95f07b9f645f1
MD5 hash: 6080cdf3c23a43caeba7e55dffc72bbe
humanhash: don-blue-speaker-butter
File name:6080CDF3C23A43CAEBA7E55DFFC72BBE.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:12'411'748 bytes
First seen:2021-06-26 01:56:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep 196608:PGqlH+s8u7KTMe7qAWnGFyl6b2btDhTXEFpqvE8lEwoSITRYluQq0aDWS:txcqAWGFyl6ijTXEcE86WIFY1q0Av
Threatray 11 similar samples on MalwareBazaar
TLSH 1EC633495640BAF7F4488FBF42226FF4CBCFF4E59E40ED8B8B6D55181A21892D50E9C2
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
213.189.218.18:8080

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
213.189.218.18:8080 https://threatfox.abuse.ch/ioc/154004/

Intelligence

File Origin
# of uploads :
1
# of downloads :
157
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/168405/
Detection(s):
Win.Ransomware.Kapahyku-9855532-1
Create hunting rule

Win.Ransomware.Kapahyku-9862602-1
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8adbbece-cfcc-46d0-98c1-ad47d5945cbd
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
50 / 100
Link:
https://www.joesandbox.com/analysis/808367
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Machine Learning detection for sample
May check the online IP address of the machine
Modifies Group Policy settings
Multi AV Scanner detection for submitted file
Opens network shares
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: Copying Sensitive Files with Credential Data
Uses known network protocols on non-standard ports
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 440778 Sample: puuXkjM8wR.exe Startdate: 26/06/2021 Architecture: WINDOWS Score: 50 90 www.testupdate.info 2->90 92 files.testupdate.info 2->92 94 6 other IPs or domains 2->94 120 Antivirus detection for URL or domain 2->120 122 Antivirus detection for dropped file 2->122 124 Antivirus / Scanner detection for submitted sample 2->124 126 5 other signatures 2->126 11 puuXkjM8wR.exe 21 2->11         started        15 msiexec.exe 3 2->15         started        18 msiexec.exe 3 59 2->18         started        20 7 other processes 2->20 signatures3 process4 dnsIp5 106 bon.ironzebra.site 11->106 108 bon.ironzebra.site.w.kunlunsl.com 47.246.43.227, 49712, 80 TAOBAOZhejiangTaobaoNetworkCoLtdCN United States 11->108 110 do.yearearth.host 104.21.18.133, 49714, 80 CLOUDFLARENETUS United States 11->110 78 C:\Users\user\AppData\Local\Temp\...\1.exe, PE32 11->78 dropped 80 C:\Users\user\AppData\Local\...80SISdl.dll, PE32 11->80 dropped 22 1.exe 41 11->22         started        82 C:\Users\user\AppData\Local\...\shi4D4A.tmp, PE32 15->82 dropped 84 C:\Users\user\AppData\Local\...\shi4CEC.tmp, PE32 15->84 dropped 134 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 15->134 136 Opens network shares 15->136 116 2 other IPs or domains 18->116 86 C:\Users\user\AppData\Local\...\shi5CCB.tmp, PE32 18->86 dropped 88 C:\Users\user\AppData\Local\...\shi5C2E.tmp, PE32 18->88 dropped 27 taskkill.exe 18->27         started        112 uim.tifbs.net 20->112 114 m.jingxi.com 20->114 118 43 other IPs or domains 20->118 29 conhost.exe 20->29         started        31 conhost.exe 20->31         started        33 conhost.exe 20->33         started        35 3 other processes 20->35 file6 signatures7 process8 dnsIp9 96 www.findmemolite.com 46.101.214.246, 49723, 80 DIGITALOCEAN-ASNUS Netherlands 22->96 98 stat.shelfvolcano.site 104.21.49.100, 49800, 80 CLOUDFLARENETUS United States 22->98 100 2 other IPs or domains 22->100 70 C:\Users\user\AppData\Local\...\setup_2.exe, PE32 22->70 dropped 72 C:\Users\user\AppData\Local\...\setup[1].exe, PE32 22->72 dropped 74 C:\Users\user\AppData\Local\...\setup_1.exe, PE32 22->74 dropped 76 6 other files (none is malicious) 22->76 dropped 132 Antivirus detection for dropped file 22->132 37 setup_2.exe 22->37         started        41 setup_0.exe 66 22->41         started        44 setup_1.exe 22->44         started        46 conhost.exe 27->46         started        file10 signatures11 process12 dnsIp13 58 C:\Users\user\AppData\Local\...\WqVLiyI.exe, PE32 37->58 dropped 60 C:\Windows\System32behaviorgraphroupPolicy\gpt.ini, ASCII 37->60 dropped 128 Antivirus detection for dropped file 37->128 130 Modifies Group Policy settings 37->130 48 cmd.exe 37->48         started        102 192.168.2.1 unknown unknown 41->102 104 collect.installeranalytics.com 41->104 62 C:\Users\user\AppData\Roaming\...\decoder.dll, PE32 41->62 dropped 64 C:\Users\user\AppData\...\Windows Updater.exe, PE32 41->64 dropped 66 C:\Users\user\...\AdvancedWindowsManager.exe, PE32+ 41->66 dropped 68 4 other files (none is malicious) 41->68 dropped 50 msiexec.exe 41->50         started        file14 signatures15 process16 process17 52 forfiles.exe 48->52         started        54 conhost.exe 48->54         started        process18 56 cmd.exe 52->56         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6a302cdb1efa324f9fa2688866f25809ece99319f1ba3025abd50b757a17ddad/
Threat name:
Win32.Downloader.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-06-23 09:52:56 UTC
AV detection:
12 of 28 (42.86%)
Threat level:
  3/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=niyczwy67ize7h5cncegn4sybhwoteyz6g5dajnl2ufxk6qx3wwq._file
Verdict:
malicious
Similar samples:
0240347f0a7e6318facda5d29103c2dba44ef0d45f76706cd5ade058a69c0c55
RedLineStealer
0ec8d01e78f2157589701925ec97ada690046fa17ca65a0db766d96533529aab
RedLineStealer
0fbf1658860a6f656fea88c476e1de6302babb5f615d11119fd4c74de7397507
RedLineStealer
111d1529eb5320465bc09a12146b321b0f4409372a8b73048b7798904082068c
RedLineStealer
47b989b710739b1c88408ca9bf1b4e833cdab68b4c205c5bcbd94bec501c9b80
RedLineStealer
7a786d6cfe052c82e7ab1d5b7f4427c594f2497c4fb374ab852e01c2c1a2b548
RedLineStealer
80b6f4260035bf83f8cafbc80b8da3263d8ed022c96509aeaa6e4a0016c6eb42
RedLineStealer
8e4f30afa8d0ce48c46a39e2754d8f7adad90ae8ccaf0132b354be76076b20cc
RedLineStealer
a4f95464eccef0c4da2d48481ef8b1006a6ed0918fb421db63c793e1001bbeda
RedLineStealer
bd7b2d30b633986f5eabfd4e1bb561e7cf7e79ee7be5db03bee270c79298d252
RedLineStealer
+ 1 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210626-1x7cfkm96a/
Behaviour
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Unpacked files
SH256 hash:
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9
MD5 hash:
a5f8399a743ab7f9c88c645c35b1ebb5
SHA1 hash:
168f3c158913b0367bf79fa413357fbe97018191
Link:
https://www.unpac.me/results/2edeba62-156b-4e46-8f08-d86807e3ad8d/
SH256 hash:
6a302cdb1efa324f9fa2688866f25809ece99319f1ba3025abd50b757a17ddad
MD5 hash:
6080cdf3c23a43caeba7e55dffc72bbe
SHA1 hash:
dbf1d46d963b561751d200fe3ef95f07b9f645f1
Link:
https://www.unpac.me/results/2edeba62-156b-4e46-8f08-d86807e3ad8d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6a302cdb1efa324f9fa2688866f25809ece99319f1ba3025abd50b757a17ddad

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/168405/

Comments