MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6cf78b1a3c0e8cefa95e5dc162d7442cca568a2a2e7811b32afafe74803b98ff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6cf78b1a3c0e8cefa95e5dc162d7442cca568a2a2e7811b32afafe74803b98ff
SHA3-384 hash: 3b0d130e4fb5606e7165519dd599df55e4439103f6db8cf8f868d82c660e2f5714297c083f3acebbc354c1715ffd02b1
SHA1 hash: b270b770389232eb8b7518e548fc70bc1d844a2c
MD5 hash: 2860f510d9c1caeba4d457e4f08b4bae
humanhash: hawaii-queen-six-massachusetts
File name:2860f510d9c1caeba4d457e4f08b4bae.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:849'824 bytes
First seen:2022-08-29 06:15:46 UTC
Last seen:2022-08-29 06:47:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 48c28d9f3783f0e32815b0b4c57a60a9 (73 x RecordBreaker, 23 x RedLineStealer, 21 x ArkeiStealer)
ssdeep 12288:KKXyc9N48+0TPYobS1roAYaHoDJo3I4wjsgIqYlr6KEpbhruvMU3mX4F:KKXyWN48RTPYobi6js7qWrGbhwmX4F
Threatray 119 similar samples on MalwareBazaar
TLSH T1FA059E313DC48172EDE220BA46ECF931467EE0B0073657CB56C45BEED6246D16F32A9A
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
78.153.144.6:2510

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
78.153.144.6:2510 https://threatfox.abuse.ch/ioc/845912/

Intelligence

File Origin
# of uploads :
2
# of downloads :
238
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2860f510d9c1caeba4d457e4f08b4bae.exe
Verdict:
No threats detected
Analysis date:
2022-08-29 06:31:13 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d3f7d964-f55a-4509-91ef-ec9362d12bc9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/302030/
Detection(s):
SecuriteInfo.com.Variant.Lazy.238286.29588.16989.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Variant.Lazy.238286.26274.3339.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/30644/overview
Behaviour
MalwareBazaar
CheckNumberOfProcessor
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/630c5a1f116a699e028aff61/reports/bfa913e2-ae34-4614-9ac3-810ad07b670b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/55cb3142-3806-4c80-8823-b50772edbf52
Result
Threat name:
Raccoon Stealer v2, RedLine, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1059526
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Raccoon Stealer v2
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 692043 Sample: Cj2VoFAgf6.exe Startdate: 29/08/2022 Architecture: WINDOWS Score: 100 72 transfer.sh 2->72 74 in.appcenter.ms 2->74 86 Snort IDS alert for network traffic 2->86 88 Malicious sample detected (through community Yara rule) 2->88 90 Antivirus detection for URL or domain 2->90 92 9 other signatures 2->92 10 Cj2VoFAgf6.exe 2->10         started        12 uusfebe 2->12         started        signatures3 process4 process5 14 AppLaunch.exe 10->14         started        17 WerFault.exe 23 9 10->17         started        20 AppLaunch.exe 10->20         started        file6 118 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 14->118 120 Maps a DLL or memory area into another process 14->120 122 Checks if the current machine is a virtual machine (disk enumeration) 14->122 124 Creates a thread in another existing process (thread injection) 14->124 22 explorer.exe 12 14->22 injected 56 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 17->56 dropped signatures7 process8 dnsIp9 80 ilabok2498fso.xyz 22->80 82 belladama.fr 207.174.214.200, 443, 49791, 49795 PUBLIC-DOMAIN-REGISTRYUS United States 22->82 84 8 other IPs or domains 22->84 58 C:\Users\user\AppData\Roaming\uusfebe, PE32 22->58 dropped 60 C:\Users\user\AppData\Local\Temp\8D7B.exe, PE32 22->60 dropped 62 C:\Users\user\AppData\Local\Temp\6C17.exe, PE32 22->62 dropped 64 3 other files (1 malicious) 22->64 dropped 100 System process connects to network (likely due to code injection or exploit) 22->100 102 Benign windows process drops PE files 22->102 104 Performs DNS queries to domains with low reputation 22->104 106 3 other signatures 22->106 27 6C17.exe 22->27         started        30 8D7B.exe 22->30         started        32 38D1.exe 4 22->32         started        35 4 other processes 22->35 file10 signatures11 process12 file13 108 Machine Learning detection for dropped file 27->108 37 AppLaunch.exe 16 27->37         started        41 WerFault.exe 10 27->41         started        110 Writes to foreign memory regions 30->110 112 Allocates memory in foreign processes 30->112 114 Injects a PE file into a foreign processes 30->114 44 AppLaunch.exe 2 30->44         started        46 WerFault.exe 30->46         started        54 C:\Users\user\AppData\Local\...\Update.exe, PE32 32->54 dropped 116 Multi AV Scanner detection for dropped file 32->116 48 Update.exe 7 32->48         started        50 AppLaunch.exe 35->50         started        52 AppLaunch.exe 35->52         started        signatures14 process15 dnsIp16 76 t.me 149.154.167.99, 443, 49796 TELEGRAMRU United Kingdom 37->76 78 49.12.72.35, 49797, 80 HETZNER-ASDE Germany 37->78 94 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 37->94 96 Tries to harvest and steal browser information (history, passwords, etc) 37->96 98 Tries to steal Crypto Currency Wallets 37->98 66 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 41->66 dropped 68 C:\Users\user\AppData\Local\...\Update.exe, PE32 48->68 dropped 70 C:\Users\user\AppData\LocalLow\nss3.dll, PE32 50->70 dropped file17 signatures18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6cf78b1a3c0e8cefa95e5dc162d7442cca568a2a2e7811b32afafe74803b98ff/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-08-29 02:30:08 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
20 of 26 (76.92%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nt3ywgr4b2go7kk6lxawfv2eftffncrkfz4bdmzk7l7hjab3td7q._file
Verdict:
malicious
Similar samples:
0a9a86d87da4b6984d7c09566b49776e41a3445aafbb1e4496925131e53b9aff
RedLineStealer
2f780fbe426ec668667aaa54a902cfab80f47cc1e3ef39017ef15845279384db
RedLineStealer
4ab91c72d0d913c2a18a74a2b9ea5bcd8b77bfb68110e56767a552a358fa0687
RedLineStealer
50b87ee5a6cb9ee5b9a40a7fe5adb1f807c3876f7499565f3f8754537945174e
RedLineStealer
6a56ad7cc45d701696652e3be5275f37f09527ecd7fdacbbf634b2532f97027a
RedLineStealer
8acf3d9eea531ae8c1ab8eabe3f22206f3771c6c25ed577a6c0010b0a43cfcc0
RedLineStealer
9c8c0c8e368d5895d29bb917517bab1bd71e529adfbd6e7c1619774c05bc0594
RedLineStealer
c6f08559551f3db557a40537c7686831bffc968df3aa6221082fa2479be4a5fa
RedLineStealer
e6173a0a906d3259d4a9006b61901262705e309a6e5bc1cdfc035e3a78e2f225
RedLineStealer
f8fbc50db8de41fbcf7dcf31883c086b50d0cc74fbbd94979893fc26c9898f76
RedLineStealer
+ 109 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220829-g1gklscgek/
Unpacked files
SH256 hash:
412723a3d9295cf6e564e10c1e75642bdd82cbd161ffa9153562edb1a60be12d
MD5 hash:
30206da27efa9add6fc43c102e811b5d
SHA1 hash:
5b950f382a52bf91b5054565402a351b78d6b04f
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/b9532cc4-9574-43a3-9722-1261c6f7fc1e/
Parent samples :
b5938ac3434dba249dd144d180b2d9d1fae0918b81630497c458781acd3afed8
12d0f4e279c8b87d94fba44d8e4a85c553cd96b90256716bd98096ca4c2ba359
a70beb61ac3aa68ed844f8bf3a5c9ada717363fc372948c2ef88abb647665f39
38499e2889590574aa401acf16f8aba05e693e3da4aa0ac6e71f5d690446d29e
765e9affe3a441bbb4e9eb26ff339622cfaea0b027451f1203a260ce2064c3f9
7a1e4107599b275852d1353c20e84e2cfff2bd25c862d78a13937906a7e3709b
ef21ae74a71b4723917307e94623bea6f6bab6786c44f4a1a6ac6dc85b8840a5
9112a7346d78a2ae8877aa00b74654c6d09247b3db7fff02c78dc11235ce37f8
cb2564dcfdc61a2ea6154055a1bd85adc99b6161e93d87a6bc6770a67528c810
b9e95b6fa3070fb53792cb09341e8f2e62a1bd129303b238a94928d39ca0071b
fc2e70d71b95648d7877ff7122a5f495907c0001ba18f62ad99ac5a189af2053
9dd0e772737b8d16a0cdb8b201469b6e615665bdd377469f0e5f93b9ba8ac479
aa242d4c8a5f67afd47de854a31bb5bdc7d26a56341561b0651a4084e89849a8
fd3c3fae617c274ad21ce3dd7ed5bd7917f1cc4c05c3e2eb7970bc4a13e5f677
fd582f2eac99165e184680af6cad7a54bc49be0d81062a84a8b7ed89c6264d54
0d932c75aaa05e080f148244d3bb662f029700d0f93db45016bc7e832f4ec97b
9d2e0af3b8bff569350605fdb9a8b335e0927c3a79ead19e0e22b68be9485fed
0a4440a7a52617208ec855783b6d8c3f463cf252f55daabb91e1f077f7851147
7e1e6f593554832937d7ba69b5621c2cf62b0dee645af38d135ca87b8af41fe6
e6377f8eab328be9e7e44ab527745930e2e7f2c5bbd12002e8bbd067d433c554
6bec1b0031afd498aa61e08c7862bc1bc1a8b4a5dc431af109fc8fa5928d39da
d7b4d2dc55f5cccd3c78faa681a66bb34410844b1b489871013019fd3a0a592d
6ed7bcd055c39d73d9931abe8e3c72dd5eedc515abe2f804d6eafde208a69e71
5354e8f3b71a8fc97815eeb1ce7378fac5f5904c4fbd4a2e54f2a514746746c7
df590bceb693fc56770c4d38593029a55a9089861fdf9dc16d66a28e9937538e
8744d5d03a50bd12d9f320c679627121b728e51c8c0ea910c3cf52bb8ebe4feb
96cfa1aafa0804caebf3a76d0347e1c56c11f52521f5a179ddaa020d0a46232a
cdb1f87be3ee96364adc1444b3de9bc977fbf27042b58b72485341582c3d640d
03ea60a4f8df4d94d2f60eb4c1210d5148a1839e63d2c6f7b3a5a1e7e84cafc7
da59303921279f64f59348a35a80762786083649b8f14571a384bf20c058ea7a
e365896c10dc579e90035a614ceba996bdf1aa6d81cc054ae357979cf4d9998f
6a56ad7cc45d701696652e3be5275f37f09527ecd7fdacbbf634b2532f97027a
9c8c0c8e368d5895d29bb917517bab1bd71e529adfbd6e7c1619774c05bc0594
8acf3d9eea531ae8c1ab8eabe3f22206f3771c6c25ed577a6c0010b0a43cfcc0
4ab91c72d0d913c2a18a74a2b9ea5bcd8b77bfb68110e56767a552a358fa0687
50b87ee5a6cb9ee5b9a40a7fe5adb1f807c3876f7499565f3f8754537945174e
0a9a86d87da4b6984d7c09566b49776e41a3445aafbb1e4496925131e53b9aff
2fdf37efa33b720c25cfa65fa479686f0bdf202698b83518a66886e0b461a92a
6cf78b1a3c0e8cefa95e5dc162d7442cca568a2a2e7811b32afafe74803b98ff
821cddea41336dfd788ff78d2fff14a722a1c8f7edcbbbfbbf482944561c6b07
599453ebb82c1cfffdc6201d416d3a0630a3a6b4429abfa230569d0aed8d03f3
6e3d020b3bd3c611a7350f59e1e41ceabbe573e1db4c640fe5217fd6d0d6ee38
eb472ba48f692c86a35dda96d6fbbfbdcc47ae1431b43824fdf56b44a2078bde
225e63ba68c765b44f6019a5d0727887d9bbadde4db669657cf37fc9e30ec262
50a1010ec34a0d592bc15f19dd572840813fbd8eeb32afc0715e88668732bd36
4e7a0319d1ef9a6bb3a1c8c55890053008305ce163f8aed0e3d723cea0386556
1c6b2e06ec61636fa0ed64a73c3bd037005bf37a832bf3c2d0be67ef82573443
SH256 hash:
6cf78b1a3c0e8cefa95e5dc162d7442cca568a2a2e7811b32afafe74803b98ff
MD5 hash:
2860f510d9c1caeba4d457e4f08b4bae
SHA1 hash:
b270b770389232eb8b7518e548fc70bc1d844a2c
Link:
https://www.unpac.me/results/b9532cc4-9574-43a3-9722-1261c6f7fc1e/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6cf78b1a3c0e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/6cf78b1a3c0e8cefa95e5dc162d7442cca568a2a2e7811b32afafe74803b98ff

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 6cf78b1a3c0e8cefa95e5dc162d7442cca568a2a2e7811b32afafe74803b98ff

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2281065/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/302030/

Comments