MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6d2ff3cc83ea214e33e4105ccb1051cd85b82e052f6152d7f252667f2f5a5ecb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6d2ff3cc83ea214e33e4105ccb1051cd85b82e052f6152d7f252667f2f5a5ecb
SHA3-384 hash: 2e874d75a843cb1d9eb177c2e242e375277ad7640e0c8062704411a38b47460083b8238968879017b3c1281ddf1d6de1
SHA1 hash: c46b747d456bb5d805d005df6c6166fe546d4da1
MD5 hash: 131ac3c2f0495a301363e79f69c133e3
humanhash: lithium-tennis-texas-happy
File name:6D2FF3CC83EA214E33E4105CCB1051CD85B82E052F615.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:7'606'391 bytes
First seen:2021-11-23 22:01:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep 196608:xsF8P3F1j1drifXnAcukSWrFAamXQCruXr/brw7awSA:xqK1drifXndurdgXb3Was
Threatray 8'947 similar samples on MalwareBazaar
TLSH T19B763366FFD5B4FAD68104369A483F9833F9D3085B1194E333BE98981F21477822FA56
File icon (PE):PE icon
dhash icon 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
http://91.219.236.69/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://91.219.236.69/ https://threatfox.abuse.ch/ioc/253491/

Intelligence

File Origin
# of uploads :
1
# of downloads :
212
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6D2FF3CC83EA214E33E4105CCB1051CD85B82E052F615.exe
Verdict:
No threats detected
Analysis date:
2021-11-23 22:04:45 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/94d48e6e-5f15-496c-977f-75902341800c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Win.Packed.Tiny-9901377-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Searching for the window
Running batch commands
Sending a custom TCP request
Searching for synchronization primitives
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Creating a window
DNS request
Launching cmd.exe command interpreter
Query of malicious DNS domain
Unauthorized injection to a recently created process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
barys overlay packed ursnif
Link:
https://www.filescan.io/uploads/619d64a6f36138de3f381962/reports/c6cdaebb-07ff-41df-a7e4-26ebec9f0bd6/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/155bd514-b772-4378-96f7-77d26248a4ba
Result
Threat name:
Cookie Stealer RedLine SmokeLoader Socel
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/895082
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Cookie Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara Genericmalware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 527560 Sample: 6D2FF3CC83EA214E33E4105CCB1... Startdate: 23/11/2021 Architecture: WINDOWS Score: 100 58 91.121.67.60 OVHFR France 2->58 60 20.42.65.92 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 2->60 62 10 other IPs or domains 2->62 82 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->82 84 Antivirus detection for URL or domain 2->84 86 Antivirus detection for dropped file 2->86 88 21 other signatures 2->88 9 6D2FF3CC83EA214E33E4105CCB1051CD85B82E052F615.exe 21 2->9         started        signatures3 process4 file5 42 C:\Users\user\AppData\...\setup_install.exe, PE32 9->42 dropped 44 C:\Users\user\...\Fri14def89ebdce1.exe, PE32+ 9->44 dropped 46 C:\Users\user\...\Fri14db78c00155a.exe, PE32 9->46 dropped 48 16 other files (10 malicious) 9->48 dropped 12 setup_install.exe 1 9->12         started        process6 dnsIp7 64 127.0.0.1 unknown unknown 12->64 66 hsiens.xyz 12->66 112 Performs DNS queries to domains with low reputation 12->112 114 Adds a directory exclusion to Windows Defender 12->114 16 cmd.exe 12->16         started        18 cmd.exe 12->18         started        20 cmd.exe 12->20         started        22 7 other processes 12->22 signatures8 process9 signatures10 25 Fri140d16d9a199.exe 16->25         started        28 Fri1425d076308.exe 18->28         started        32 Fri141d31513022.exe 20->32         started        90 Adds a directory exclusion to Windows Defender 22->90 34 Fri14def89ebdce1.exe 22->34         started        36 Fri14bdb9bff7a.exe 22->36         started        38 Fri14db78c00155a.exe 4 22->38         started        40 2 other processes 22->40 process11 dnsIp12 92 Antivirus detection for dropped file 25->92 94 Multi AV Scanner detection for dropped file 25->94 96 Detected unpacking (changes PE section rights) 25->96 110 4 other signatures 25->110 68 136.144.41.58 WORLDSTREAMNL Netherlands 28->68 76 5 other IPs or domains 28->76 50 C:\Users\...\KqgrbhtndUVCOGe0vTdMmluN.exe, PE32+ 28->50 dropped 52 C:\Users\user\...52iceProcessX64[1].bmp, PE32+ 28->52 dropped 98 Machine Learning detection for dropped file 28->98 100 Tries to harvest and steal browser information (history, passwords, etc) 28->100 102 Disable Windows Defender real time protection (registry) 28->102 54 C:\Users\user\AppData\...\Fri141d31513022.tmp, PE32 32->54 dropped 104 Obfuscated command line found 32->104 70 ip-api.com 208.95.112.1, 49724, 80 TUT-ASUS United States 34->70 72 staticimg.youtuuee.com 34->72 106 May check the online IP address of the machine 34->106 78 3 other IPs or domains 36->78 80 2 other IPs or domains 38->80 56 C:\Users\user\AppData\Local\Temp\sqlite.dll, PE32 38->56 dropped 108 Creates processes via WMI 38->108 74 cdn.discordapp.com 162.159.133.233, 443, 49716, 49726 CLOUDFLARENETUS United States 40->74 file13 signatures14
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6d2ff3cc83ea214e33e4105ccb1051cd85b82e052f6152d7f252667f2f5a5ecb/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-10-02 05:38:06 UTC
File Type:
PE (Exe)
Extracted files:
413
AV detection:
32 of 44 (72.73%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nux7hted5iqu4m7ecbomwecrzwc3qlqff5qvfv7skjth6l22l3fq._file
Verdict:
malicious
Similar samples:
22ba4262d93379de524029dafc7528e431e56a22cb293af708c671d7db801c31
RedLineStealer
44e401aaf0b52528aa033257c1a1b8a09a2b10edf26edaafcef0f45a2c40e885
RedLineStealer
59716b314ba0d53b7e8de32a73af01b7b383834bf038c3bcaa8f7d07afc8b280
RedLineStealer
77012c024869ba2639b54b959fab1e10ebaaf8ebb9bfcc2a11db4c71a2b9fa59
RedLineStealer
951049989eb772c71ec4fa9f0685ab45cae755ca5d34cf3089fd791999fafa1c
RedLineStealer
c9de02209482359466292be7bc0464fc65037698b38c1566cd331720e65f8ea0
RedLineStealer
dcf4ecc6d3b70a3e11077862b9e3830806191f0718eecb525a3e7d24246c0287
RedLineStealer
f2433dfba69148a0c3a5a5951d360b6c3c045090de06f11e273f13ccd01c42f3
RedLineStealer
+ 8'937 additional samples on MalwareBazaar
Result
Malware family:
socelars
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader family:socelars botnet:ani botnet:jamesfuck aspackv2 backdoor evasion infostealer spyware stealer suricata themida trojan
Link:
https://tria.ge/reports/211123-1w9kdabdck/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
suricata: ET MALWARE ClipBanker Variant Activity (POST)
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Malware Config
C2 Extraction:
http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.znsjis.top/
65.108.20.195:6774
http://gmpeople.com/upload/
http://mile48.com/upload/
http://lecanardstsornin.com/upload/
http://m3600.com/upload/
http://camasirx.com/upload/
45.142.215.47:27643
Unpacked files
SH256 hash:
c5761c7d94d975a44e08caf948531b363c30e3f78d7b45a7b28bda39beb4e534
MD5 hash:
cf4029ca825cdfb5aaf5e9bb77ebb919
SHA1 hash:
eb9a4185ddf39c48c6731bf7fedcba4592c67994
Link:
https://www.unpac.me/results/cbcba0cf-cc56-45d2-a7ed-241412efb8d2/
SH256 hash:
e374f0772ac05cbe0bdbee3de048cb43d41c947418aed1632a32d5720a365b9c
MD5 hash:
b08229e74d39890702325665bfdf4b2c
SHA1 hash:
e7be40997ab8b0ce19b62fc78589fc176d5d5431
Link:
https://www.unpac.me/results/cbcba0cf-cc56-45d2-a7ed-241412efb8d2/
SH256 hash:
bffb5e0da99f01972d746d4bf68765ca7db0fb32e598f8fd9a92e8389f321c1f
MD5 hash:
417411e71de543ffbe76242943ba5b90
SHA1 hash:
e50f45218c6d01cb67787add25491acfead007fa
Link:
https://www.unpac.me/results/cbcba0cf-cc56-45d2-a7ed-241412efb8d2/
SH256 hash:
0591ec07f8a000222987d0d4b544c638c562f9458f79e7973ec1b0ae0c9e2eb2
MD5 hash:
fc8d874e421a96d748fda17337f0430e
SHA1 hash:
ba8de08c8811d7808e200ad2a375272de3e004d6
Link:
https://www.unpac.me/results/cbcba0cf-cc56-45d2-a7ed-241412efb8d2/
SH256 hash:
e8e4cb96f958e7205a90052f13cdf0d63f0018345152eb4ef552b8d796481cee
MD5 hash:
57e3a53d7576635f94c0b7ea6b9fad43
SHA1 hash:
a43b28cd48d9efcbccc12ad2a644d6186acbd968
Link:
https://www.unpac.me/results/cbcba0cf-cc56-45d2-a7ed-241412efb8d2/
SH256 hash:
70f246fd61a27a4e2ffde2357e6c8ebe554a79811a35e7141f747090d05ff7e1
MD5 hash:
51b73b4d3041eb2d32a29dca61059549
SHA1 hash:
9845a8e5716e5e16ffc33ceccae9abf52872a2b5
Link:
https://www.unpac.me/results/cbcba0cf-cc56-45d2-a7ed-241412efb8d2/
SH256 hash:
655979cb929aec2baa28806f523bd9f8311092cbdf22c04122f5bf91beb3adc3
MD5 hash:
c68dcf1b3ac869a354526de6b0312296
SHA1 hash:
78a559d04afcd6e985e69f3a6c4ca038864a3629
Link:
https://www.unpac.me/results/cbcba0cf-cc56-45d2-a7ed-241412efb8d2/
SH256 hash:
ad33bb3e5369620127e8b59e95527da8af51b06c4db479094499b297646b53f2
MD5 hash:
95124265a1f5232b9a734b0e47e4e2f0
SHA1 hash:
026973d86d99581860f059f48abccdf42344048a
Link:
https://www.unpac.me/results/cbcba0cf-cc56-45d2-a7ed-241412efb8d2/
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/cbcba0cf-cc56-45d2-a7ed-241412efb8d2/
SH256 hash:
0bb9bb0248ff89fac4e513cc1891f8aabbcc076446790c68d849e5a6c007c1ca
MD5 hash:
2fbf0040b06b8719902326d9584c29c3
SHA1 hash:
f2983c7b2d3d91722fb88198ac2441c5e098c2cf
Link:
https://www.unpac.me/results/cbcba0cf-cc56-45d2-a7ed-241412efb8d2/
SH256 hash:
078b80b059f5db99874557c13a13f9916674fef20eaac89337cb9f14ee97405e
MD5 hash:
a8bc5553733d6e68753d63747eed87d6
SHA1 hash:
f9210ad415b8d1a0c4a88b62ff6f05d0128df05e
Link:
https://www.unpac.me/results/cbcba0cf-cc56-45d2-a7ed-241412efb8d2/
SH256 hash:
9253c070a4a5ce357909556505b49ccd25b5a21789064621393a61df2dbfc515
MD5 hash:
1b0354c000633a8862638f65a19442dc
SHA1 hash:
ea04a876808c63b899895383d5dfe9c026a36853
Link:
https://www.unpac.me/results/cbcba0cf-cc56-45d2-a7ed-241412efb8d2/
SH256 hash:
d5896f8d00c6688b5b2a6f84d8ae3f3d1e136512624cb96054ca0db51af53dff
MD5 hash:
6e1cf5a21e2cbfab1a3fad4e5ff360c2
SHA1 hash:
c37f14af2efba855033d2221bbec13d436427ccd
Link:
https://www.unpac.me/results/cbcba0cf-cc56-45d2-a7ed-241412efb8d2/
SH256 hash:
9dcf478e78a1ab8f8ea35f853bce86c198e1f2e08e4121079e3b6f13055455c3
MD5 hash:
0272d1265e6a0ebe9dc2af58b9005b7f
SHA1 hash:
98efa29fdc8a73acde9064348761d87ccedf8cfc
Link:
https://www.unpac.me/results/cbcba0cf-cc56-45d2-a7ed-241412efb8d2/
SH256 hash:
d1417ebebd174d666a6abc9481d65b39fc2d88559f7fd92ebb7e2f1ae93787db
MD5 hash:
70220a3ce6ffd34101b3770342505f2c
SHA1 hash:
b55c421634d8eeaec5c6193f34c04625d21a9ae9
Link:
https://www.unpac.me/results/cbcba0cf-cc56-45d2-a7ed-241412efb8d2/
SH256 hash:
393447aa843f148cd22e887d1eda74062785f0b4a6f098fbcb0d024b5aa23e4e
MD5 hash:
07f99f9e2df157ae78339603186ac280
SHA1 hash:
cb295687ae130d85061676471abcaa5f60df4198
Link:
https://www.unpac.me/results/cbcba0cf-cc56-45d2-a7ed-241412efb8d2/
SH256 hash:
972c33057d6944870e2fe26b4a5f2497cde0b540150386bdba04c8fc607f4b01
MD5 hash:
d5d68f6d0c6e151d2fb689740f5f3f75
SHA1 hash:
cb5ef9eb004073daba0eb683f1ff69d1dd5f21eb
Link:
https://www.unpac.me/results/cbcba0cf-cc56-45d2-a7ed-241412efb8d2/
Parent samples :
f33c9c6f077b7fb4d243925fe48b875581bb8af46e452b39bd4a2c3dd68f0ef9
822ee6c4b4bb9a619985e83c04a2dfe1a09152dc0276bd698f6d03be6ec7b83a
cfcab36f73560b2d15b6c266feaaf0195a6e0d18c22aa22b672e7eb2f979923e
7287980c1afb840a7438471126c0c95c36fefa79a013f9620264507e5f98c7a6
f9c9b3fbf4d11f96ff06fc8292d8c67ad6cf5432409754bbfc95c5c80e6b160d
72b6da82c3aa6faeee19e842814f77874cab37b3425ce6c503754b90c43a4610
e4fb39b3f6aa19028ccdd531437e7994a9b6f62b317adfa3edc16ba51e57acb1
582bd655f491fe76a95b9c8900a3051d379dcbb86036f273b2a7bc6cdd928e9b
9265b09595c59007e116c60605c28bd616387cf0dff79c7db8c5880e23cfef8e
abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb6bd2120da1c01fb1a5a
SH256 hash:
41ebcd768a17fb78b4628bfd641d92305da6ea90dc993545d7cb7644550e0d85
MD5 hash:
741dfc7b42614aea87faee623e983e78
SHA1 hash:
577f43e99b33d255830e2354ee8cc9113ead4e25
Link:
https://www.unpac.me/results/cbcba0cf-cc56-45d2-a7ed-241412efb8d2/
SH256 hash:
628f2b12d4271dd075941d4e60a9998448eb8647897085c5c4f345e8d8d8e1fa
MD5 hash:
022f25cdad54a088405a426a4dcfeb7a
SHA1 hash:
d427f8d9e19f6aae4394bb30373c7545997eccbf
Link:
https://www.unpac.me/results/cbcba0cf-cc56-45d2-a7ed-241412efb8d2/
SH256 hash:
12b39a83b00c94571dc2c6ba0e3d4b27eed7e59fe0de6d04aec0ad40f67266a8
MD5 hash:
b6f9e6ab696f47da55eceda10df3968a
SHA1 hash:
f2c41afa8338386dc94645676a4bfb80a13916ba
Link:
https://www.unpac.me/results/cbcba0cf-cc56-45d2-a7ed-241412efb8d2/
SH256 hash:
a2d776c1a3e5b4956929e4ff737485ccd8b4c25692e19fa52bca289e06040055
MD5 hash:
59591847b755688fc953889ebba13a81
SHA1 hash:
9e14a6b854d1eba31f02e64634f9c8bc6c6d8499
Link:
https://www.unpac.me/results/cbcba0cf-cc56-45d2-a7ed-241412efb8d2/
SH256 hash:
6d2ff3cc83ea214e33e4105ccb1051cd85b82e052f6152d7f252667f2f5a5ecb
MD5 hash:
131ac3c2f0495a301363e79f69c133e3
SHA1 hash:
c46b747d456bb5d805d005df6c6166fe546d4da1
Link:
https://www.unpac.me/results/cbcba0cf-cc56-45d2-a7ed-241412efb8d2/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/6d2ff3cc83ea/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6d2ff3cc83ea214e33e4105ccb1051cd85b82e052f6152d7f252667f2f5a5ecb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/208828/

Comments