MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 6c9c308ce5c725fa5bf276517e4b246a46ad6a1e61a7296f0f250d20d00cbc69. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
RedLineStealer
Vendor detections: 13
| SHA256 hash: | 6c9c308ce5c725fa5bf276517e4b246a46ad6a1e61a7296f0f250d20d00cbc69 |
|---|---|
| SHA3-384 hash: | 19ede7e94074cdefdfb3315087c1f1833eb9c0e742df5e90e129854a749e99ed072e4c4e00a711dc084713222eed338a |
| SHA1 hash: | 794737f9d40f2239eff492525b603efed0de0177 |
| MD5 hash: | 950c6b87e1bb3df00a70c46575e55c24 |
| humanhash: | pluto-william-carbon-autumn |
| File name: | 6c9c308ce5c725fa5bf276517e4b246a46ad6a1e61a72.exe |
| Download: | download sample |
| Signature: | RedLineStealer |
| File size: | 949'760 bytes |
| First seen: | 2021-10-24 06:25:36 UTC |
| Last seen: | 2021-10-24 07:15:36 UTC |
| File type: | |
| MIME type: | application/x-dosexec |
| imphash: | 682b88463c7583e0323d7851be5034d8 (6 x RedLineStealer) |
| ssdeep: | 12288:FW3sD5uERPqbHkIvA2EH9Sb24C2YmInQvISyRmjwns3ueIEJsEPc5JG/OfOs2vc+:ysD5gbHNMdc2x2yQvQRNO7sEE5MObh8 |
| TLSH: | T146152BC6E1B3608EDB62B8780F0195E14A461E7E2B119EF56F75B91A11F36D1CACB303 |
| File icon (PE): | |
| dhash icon: | ccb2b2f0b0b2ccd4 (9 x RedLineStealer, 1 x RaccoonStealer, 1 x AilurophileStealer) |
| Reporter: | |
| Tags: | exe RedLineStealer |
Indicators Of Compromise (IOCs)
Below is a list of indicators of compromise (IOCs) associated with this malware sample.
| IOC | ThreatFox Reference |
|---|---|
| 65.108.14.118:15253 | https://threatfox.abuse.ch/ioc/236830/ |
Intelligence
File Origin
| # of uploads: | 2 |
|---|---|
| # of downloads: | 482 |
| Origin country: | n/a |
Vendor Threat Intelligence
| Malware family: | n/a |
|---|---|
| ID: | 1 |
| File name: | https://xyz.jelikob.ru/666088747.exe |
| Verdict: | Malicious activity |
| Analysis date: | 2021-10-24 03:58:10 UTC |
| Tags: | trojan rat redline |
| Note: | ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample |
| Detection: | RedLine |
Result

| Verdict: | Malware |
|---|---|
| Maliciousness: | |

Behaviour

- Connection attempt
- Sending a custom TCP request
- Using the Windows Management Instrumentation requests
- Creating a window
- Reading critical registry keys
- Stealing user critical data

| Verdict: | Suspicious |
|---|---|
| Threat level: | 5/10 |
| Confidence: | 100% |
| Tags: | anti-debug anti-vm packed |
Result

| Verdict: | MALICIOUS |
|---|---|

Details

Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

| Malware family: | RedLine stealer |
|---|---|
| Verdict: | Malicious |
Result

| Threat name: | Unknown |
|---|---|
| Detection: | malicious |
| Classification: | spyw.evad |
| Score: | 80 / 100 |

Signature

- Detected unpacking (creates a PE file in dynamic memory)
- Found many strings related to Crypto-Wallets (likely being stolen)
- Machine Learning detection for sample
- Multi AV Scanner detection for submitted file
- Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
- Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
- Tries to harvest and steal browser information (history, passwords, etc)
- Tries to steal Crypto Currency Wallets

Behaviour

| Behavior Graph: | Gathering data |
|---|---|
| Threat name: | Win32.Trojan.Fragtor |
|---|---|
| Status: | Malicious |
| First seen: | 2021-10-23 19:23:05 UTC |
| AV detection: | 13 of 27 (48.15%) |
| Threat level: | 5/5 |
| Detection(s): | Malicious file |
| Verdict: | malicious |
Result

| Malware family: | redline |
|---|---|
| Score: | 10/10 |
| Tags: | family:redline discovery infostealer spyware stealer |

Behaviour

- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
- Reads user/profile data of web browsers
RedLine

RedLine Payload

Unpacked files

| SHA256 hash | MD5 hash | SHA1 hash |
|---|---|---|
| 726144b85de217d8bcb3e10f94ed186dba68de26bef6461c09f1725bf790d295 | 339751b293cacb583656a2662ee4e4c6 | ba869267a93141c76a35d7692151daf50d7c45dc |
| fdcfaccd4d8e01d47a807fb7f2d07e216e1c8fc33e57de51ad41c382310e3155 | 1aa406d92067bb56686a86768ac66158 | 4c0ff7b0faf0ca1eb0108bcd5efb59c6b7a4ca59 |
| 6c9c308ce5c725fa5bf276517e4b246a46ad6a1e61a7296f0f250d20d00cbc69 | 950c6b87e1bb3df00a70c46575e55c24 | 794737f9d40f2239eff492525b603efed0de0177 |

| Verdict: | Malicious |
|---|---|
Please note that we are no longer able to provide a coverage score for VirusTotal.

| Threat name: | Malicious File |
|---|---|
| Score: | 1.00 |
File information
The table below shows additional information about this malware sample such as delivery method and external references.