MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6fd8616b2ae9f0c04f7bd91f87e7efea5a0e488001fd37ff1b523d0b36e8f027. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13

Intelligence 13 IOCs 1 YARA 1 File information Comments

SHA256 hash:	6fd8616b2ae9f0c04f7bd91f87e7efea5a0e488001fd37ff1b523d0b36e8f027
SHA3-384 hash:	de2b6f607b35758c75e00ba4c2744e6f07d3ce9d4722662cfcfccd12a3da86b66f598aa4149dfc1e18e1c396742d9575
SHA1 hash:	60ce89471c1bd9dcb638a70639d19bd408f3d1aa
MD5 hash:	cb57510ace9e54ed5bcd5e182961c2ad
humanhash:	foxtrot-nebraska-oscar-lamp
File name:	cb57510ace9e54ed5bcd5e182961c2ad.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	451'584 bytes
First seen:	2022-03-02 02:01:40 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c20aaf28a6597d3e2b7aaa9c8e55011a (1 x RedLineStealer, 1 x ArkeiStealer)
ssdeep	6144:sSRk22Y9baNgLJnFNU69XD5fjARa8tIxBVshsBoWYsVLdWKy2gQ5:5t9baNgLzW69XtfgIxDd+gVLdyw
TLSH	T1C7A4C010BA90D035F1B722F84879D3ADB63EBDA15B3461CB22D46BEA16356E1EC31307
File icon (PE):
dhash icon	2dec1370319b9b91 (15 x RedLineStealer, 5 x Smoke Loader, 3 x ArkeiStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
45.9.20.40:43503

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
45.9.20.40:43503	https://threatfox.abuse.ch/ioc/391695/

Intelligence

File Origin

# of uploads :

# of downloads :

211

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/246085/

Detection(s):

Win.Dropper.Generickdz-9939781-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Using the Windows Management Instrumentation requests

Creating a window

Reading critical registry keys

Creating a file

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Sending a TCP request to an infection source

Stealing user critical data

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/7817/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

CheckCmdLine

EvasionGetTickCount

EvasionQueryPerformanceCounter

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

azorult greyware mokes packed smokeloader virut

Link:

https://www.filescan.io/uploads/621ed01eb94fb38cb433e98b/reports/bc6b69dd-118f-480e-923d-f2f73237f7b0/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a7302ff3-8ad9-4d67-ab2e-8a9bb1fac5f8

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/948770

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6fd8616b2ae9f0c04f7bd91f87e7efea5a0e488001fd37ff1b523d0b36e8f027/

Threat name:

Win32.Trojan.Convagent

Status:

Malicious

First seen:

2022-02-26 11:09:48 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

38 of 43 (88.37%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=n7mgc2zk5hymat333epypz7p5jna4seaah6tp7y3ki6qwnxi6atq._file

Verdict:

malicious

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:proxypub discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220302-cf5pgscca8/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Suspicious use of NtCreateProcessExOtherParentProcess

Malware Config

C2 Extraction:

45.9.20.40:43503

Unpacked files

SH256 hash:

20fe10ea0888d4e1a6136d96b57a552e5667f16040940d373252cf680bd0bf99

MD5 hash:

82addda81ddbe19df0885d26686ccca2

SHA1 hash:

6184d64c584222b993770c403a4134691f67f8cc

Link:

https://www.unpac.me/results/bea7ce30-d09d-4dde-b977-aee074aea45a/

SH256 hash:

977613085918b7951b1b3ef8677368b7ec71b8b247ef61be65a1116ef8f422c5

MD5 hash:

ff797a8a0eb9b12fd603e952769e4391

SHA1 hash:

5de4a4fcb772e96a980361596a1b24f2474d8969

Link:

https://www.unpac.me/results/bea7ce30-d09d-4dde-b977-aee074aea45a/

SH256 hash:

3e2332ab75f2eb71d4bc9524ea523aad429d00badc33ccb9966000da8ac18932

MD5 hash:

0d49cbb7cb677042b24d220f21e9a65e

SHA1 hash:

250b9eef106fe50043abd7f029652944e82cb018

Link:

https://www.unpac.me/results/bea7ce30-d09d-4dde-b977-aee074aea45a/

SH256 hash:

6fd8616b2ae9f0c04f7bd91f87e7efea5a0e488001fd37ff1b523d0b36e8f027

MD5 hash:

cb57510ace9e54ed5bcd5e182961c2ad

SHA1 hash:

60ce89471c1bd9dcb638a70639d19bd408f3d1aa

Link:

https://www.unpac.me/results/bea7ce30-d09d-4dde-b977-aee074aea45a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6fd8616b2ae9f0c04f7bd91f87e7efea5a0e488001fd37ff1b523d0b36e8f027

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/246085/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample