MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8cc4a0ce91480663515a021ce82ce20b2b176b5c541fa09dbf3565517c4d5f8f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8cc4a0ce91480663515a021ce82ce20b2b176b5c541fa09dbf3565517c4d5f8f
SHA3-384 hash: fb0831512f7230fb14e4e94a4caa21efb8c3b3b65541efca5a873aabc56f52310a7fc1109bf961515ec077c4cf372c91
SHA1 hash: 2733a6f0449a7e196c92c4585fb19ed60d7ac3b5
MD5 hash: 4508061c16069acdf64b655774eb869a
humanhash: nevada-east-louisiana-hotel
File name:4508061c16069acdf64b655774eb869a
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:323'584 bytes
First seen:2021-07-15 13:07:50 UTC
Last seen:2021-07-15 13:50:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6af0d1838918d8930ef3ce51c1f1c449 (2 x RedLineStealer)
ssdeep 3072:WAactLybyIy4fhRDqSmrw2FAfJmHJ0JS+4c/udDZJIuEeJKp8SklD75xhuCQTfNs:WYshNpAw2FtHgL4QyDfMzklEbTfMOM
Threatray 1'165 similar samples on MalwareBazaar
TLSH T10164DF2976B0D833D5A2067010B58FA0667FBC626A70754F27A32F5F5E322D2356638F
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
147
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4508061c16069acdf64b655774eb869a
Verdict:
Malicious activity
Analysis date:
2021-07-15 13:09:33 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a622065a-3a61-4190-8356-f904f40a0465

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/171991/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.3360.17538.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6a689b05-fa6c-4614-8980-dda71769a8ea
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/816918
Signature
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8cc4a0ce91480663515a021ce82ce20b2b176b5c541fa09dbf3565517c4d5f8f/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-07-15 13:08:07 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rtckbturjadgguk2aiooqlhcbmvro224kqp2bhn7gvsvc7cnl6hq._file
Verdict:
malicious
Similar samples:
2e492cb7c8adba1e0e44b44c212802c8e891f0300d93060691e39f4f986da044
RedLineStealer
4c8d1a1d118384df23575d4421f573f9b97d984b295083b329a8ee08709dcfce
RedLineStealer
857b888bb465ce55999892cc1deaa9fdacc767b9b69439c266acce7a05e8ce47
RedLineStealer
865fc17286ce58e28350c60fd7bb6ae82187c4af18f04afa9faa31ccaee3e1d2
RedLineStealer
9c4589b45940c81fcc8722fa0f96f4b583995df1324a327eefbc276448ea4725
RedLineStealer
a99edbeb0833d7875fdfdd0c969130bc3c793d24a55ce3d20064db158c23537b
RedLineStealer
ad4fdfae7fcaa4464c67695dc43ba48ae0aa1209db04c92f5a4d11e2976895e4
RedLineStealer
b7a6bff8d1d5a3b1d323f949fa92bcd757e3c677de7f73da08cb7a1fba159ba3
RedLineStealer
b9f38162b58c91e8c2ad110219cc67d146ac17e81793d9179aca614037b2fb14
RedLineStealer
e64ecde487ecb44035cf435d457237a4f8b8cedbbe055fa1e6698ad2a3939fed
RedLineStealer
+ 1'155 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:updt01 discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210715-8215dwxffa/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
176.111.174.254:56328
Unpacked files
SH256 hash:
1cad4971995dad7632a1e2a29e3caf6bd5a88163b2f2104b4d0951558624904d
MD5 hash:
c58a92f40f71cbf011ca9c8c7cd30d0f
SHA1 hash:
225437c9dbb75718ba802833479abab157cb26ea
Link:
https://www.unpac.me/results/951171dd-b555-488a-a220-bd1c760369c8/
SH256 hash:
80ef10ed7e19a4802db48da10a9a79d8b857c33ac552a57346d85354b117aeba
MD5 hash:
b618e3761d5dc9a2cae05ed212e0c2e7
SHA1 hash:
5774f271a4ace5c2d8f7a61468493eecf03e1fb8
Link:
https://www.unpac.me/results/951171dd-b555-488a-a220-bd1c760369c8/
SH256 hash:
85db84b301f430b014faa278bbff2d5f2f1c47764034835655822a96964ce093
MD5 hash:
7e21fc3519313c97a6367b69851b557c
SHA1 hash:
cf238dfefb6817390bc8552a127d2573ce18760a
Link:
https://www.unpac.me/results/951171dd-b555-488a-a220-bd1c760369c8/
SH256 hash:
8cc4a0ce91480663515a021ce82ce20b2b176b5c541fa09dbf3565517c4d5f8f
MD5 hash:
4508061c16069acdf64b655774eb869a
SHA1 hash:
2733a6f0449a7e196c92c4585fb19ed60d7ac3b5
Link:
https://www.unpac.me/results/951171dd-b555-488a-a220-bd1c760369c8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8cc4a0ce91480663515a021ce82ce20b2b176b5c541fa09dbf3565517c4d5f8f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 8cc4a0ce91480663515a021ce82ce20b2b176b5c541fa09dbf3565517c4d5f8f

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1456640/
Cape
Cape
https://www.capesandbox.com/analysis/171991/

Comments


Avatar
zbet commented on 2021-07-15 13:07:51 UTC

url : hxxp://176.111.174.69/updatetes.exe