MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6c052c5869d963acac5fbd2c0a80ac161347d33c7290e7095f0c5406245366f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6c052c5869d963acac5fbd2c0a80ac161347d33c7290e7095f0c5406245366f7
SHA3-384 hash: 9f0be68a513e8d1187391a814c7099f5cc071fd5beada3b8600bb2219c8ec5a634c9a8f76f0b74cf3c08144ac8f128e1
SHA1 hash: 1de5d4d91ff3779fc0fc77ae993d2b1f7aa7064c
MD5 hash: 448a63b4429ea5497b3ff3f21d3922d6
humanhash: illinois-gee-quiet-uniform
File name:448a63b4429ea5497b3ff3f21d3922d6.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:387'072 bytes
First seen:2022-04-12 06:26:02 UTC
Last seen:2022-04-12 06:59:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c05c69e25e4cfe454ad2fbd0d1a9d1b0 (6 x RedLineStealer)
ssdeep 6144:C9EUA4g6zO8zlZb6w3aY6EFEijVrbXienrcx0rJeXdVpA/eqL5hfeLkm:YEUAIi8zlZbYUEipTiercx0ragP5xev
Threatray 3'731 similar samples on MalwareBazaar
TLSH T19D84C010BA90D035F5F766F859B992ACB92E7EE15B2450CF22D426EE17346E0ED3070B
File icon (PE):PE icon
dhash icon 8c9e8c6eaa8ecc8e (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
193.106.191.132:41177

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
193.106.191.132:41177 https://threatfox.abuse.ch/ioc/518759/

Intelligence

File Origin
# of uploads :
2
# of downloads :
268
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
448a63b4429ea5497b3ff3f21d3922d6.exe
Verdict:
Malicious activity
Analysis date:
2022-04-13 05:55:43 UTC
Tags:
redline
Link:
https://app.any.run/tasks/d992d680-1cd3-4863-8359-305794b87d31

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/262866/
Detection(s):
SecuriteInfo.com.Heur.Mint.Zard.55.13768.26945.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Launching the default Windows debugger (dwwin.exe)
Stealing user critical data
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/13534/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
EvasionGetTickCount
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/62551b7eeab80a7a6cfe0e77/reports/b2ad64ec-0ba2-4f21-a2ec-db971bb27451/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fec6c5bd-d7e5-4fd3-bc02-6b5dde99c95d
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/975092
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6c052c5869d963acac5fbd2c0a80ac161347d33c7290e7095f0c5406245366f7/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2022-04-12 06:27:06 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nqcsywdj3fr2zlc7xuwavafmcyjupuz4okioock7brkamjctm33q._file
Verdict:
malicious
Similar samples:
284c3a7c666370376bce07b6c38ca16d4cff1f7008f5ac025e71b962d26482e9
RedLineStealer
7c221c6a44529cf6cb7ee65d706be2ec9fd4d1fe9bde5840b622e417908fd0bf
RedLineStealer
8933afd919d120bf9b572f07110aca6c46e26d098770202ceab73160c21f8204
RedLineStealer
8e88a317b2a066bbf484f480b1d982880d3749a0ab5d33bab5de59bcaec22b5b
RedLineStealer
a4291a80f585f6610d0860629886f71cb5a894ac4dcb4aa43ebbb11c409864e5
RedLineStealer
ddc087ef9f65b9db5875f5836b47b82cfe0af2d53cb43563033e27e7c3771f3a
RedLineStealer
e53cd7ea200e2a80b7431f6e72ab2f588d009e430f3d9d18c31bd4f49276b5be
RedLineStealer
+ 3'721 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:50 discovery infostealer spyware stealer
Link:
https://tria.ge/reports/220412-g67c8abae9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
193.106.191.132:41177
Unpacked files
SH256 hash:
5ff6c585ba1ca791690c47b9d2164f8f4a0b1e1be4dd5ea7949b4088ad1ed31a
MD5 hash:
94df550b09ea3888d3c97cd7ca6b68c7
SHA1 hash:
82b44b60aca618dc953112ecdd205904d1df7fb9
Link:
https://www.unpac.me/results/32b3ade0-9c6a-469f-838e-e2eb8ccaf83f/
SH256 hash:
fd77c273cdc765545dd80d12ab08fb2930372bfd91605f38cd555a6eafc9de7c
MD5 hash:
4325d471b0bfbd9ee905470b62ff0437
SHA1 hash:
6a0ca7c1e137c29eab3b992dc8c3f5f59fdd9ae3
Link:
https://www.unpac.me/results/32b3ade0-9c6a-469f-838e-e2eb8ccaf83f/
SH256 hash:
c73178410f201f31f3bb808381158ebb7b1caf9fbe1bffb2b92b66de7e2bc36b
MD5 hash:
ea541f60b23e9b9a2a54cfd3e96848f3
SHA1 hash:
48c57a65dff2a94280595065076bbc105ea5abd7
Link:
https://www.unpac.me/results/32b3ade0-9c6a-469f-838e-e2eb8ccaf83f/
SH256 hash:
6c052c5869d963acac5fbd2c0a80ac161347d33c7290e7095f0c5406245366f7
MD5 hash:
448a63b4429ea5497b3ff3f21d3922d6
SHA1 hash:
1de5d4d91ff3779fc0fc77ae993d2b1f7aa7064c
Link:
https://www.unpac.me/results/32b3ade0-9c6a-469f-838e-e2eb8ccaf83f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6c052c5869d963acac5fbd2c0a80ac161347d33c7290e7095f0c5406245366f7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 6c052c5869d963acac5fbd2c0a80ac161347d33c7290e7095f0c5406245366f7

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2140384/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/262866/

Comments