MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 995cce8a3847b995d70f0d3148b782a3cdbc2b1297925dcb654bec2504bcf946. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs 1 YARA File information Comments

SHA256 hash:	995cce8a3847b995d70f0d3148b782a3cdbc2b1297925dcb654bec2504bcf946
SHA3-384 hash:	06faaebab5526eaf2f8d9d55541bcfa97e0ef25b3d9c0721549a6550ea3226278d52925646374032971095597cc6238b
SHA1 hash:	07cd3944226996c10b4a5636111d27d17bb7649d
MD5 hash:	65bb991af07e72f16b54934ca980ef35
humanhash:	spring-edward-tennessee-timing
File name:	995cce8a3847b995d70f0d3148b782a3cdbc2b1297925.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	422'912 bytes
First seen:	2022-03-28 02:11:04 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	159dcaa804632f606b007a362cfb6cc5 (3 x Stop, 2 x Smoke Loader, 1 x RedLineStealer)
ssdeep	6144:Dsdtv/biXPzkjcPkVfnFQGMY/GUGHIHG2dHcHKn7MUorAqq:DsdtXu4cmfPMY/FGAHcqnADH
Threatray	2'339 similar samples on MalwareBazaar
TLSH	T12394F123F196C073E5A612B4AC62C7B19ABAB47059241A473FDC363D0F326D2DA7174B
File icon (PE):
dhash icon	5c599a3ce0c3c850 (43 x Stop, 37 x RedLineStealer, 36 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
45.142.214.245:48570

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
45.142.214.245:48570	https://threatfox.abuse.ch/ioc/456499/

Intelligence

File Origin

# of uploads :

# of downloads :

221

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/258294/

Detection(s):

Win.Packed.Strab-9942213-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Connecting to a non-recommended domain

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Creating a window

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Stealing user critical data

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/11632/overview

Behaviour

SystemUptime

MeasuringTime

CheckCmdLine

EvasionQueryPerformanceCounter

EvasionGetTickCount

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware

Link:

https://www.filescan.io/uploads/624119739253b276b78a7f0d/reports/fe2879e7-e362-46a1-8ba6-7a43afa707d9/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

STOP Ransomware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0adc2fc9-4bdd-468a-84c3-67de669c8881

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/965451

Signature

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/995cce8a3847b995d70f0d3148b782a3cdbc2b1297925dcb654bec2504bcf946/

Threat name:

Win32.Trojan.Raccrypt

Status:

Malicious

First seen:

2022-03-28 02:12:08 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 26 (88.46%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=tfom5cryi64zlvypbuyurn4cupg3ykyss6jf3s3fjpwckbf47fda._file

Verdict:

malicious

RedLineStealer

11d70988c6bb7174dd4050db008c278920f14cbfa54920655ad1bdbaee082700

RedLineStealer

28902b108407a692e9d7f7dc11ce8097eaf0fa3994dafafacdca382d47f0046d

RedLineStealer

63116a7686b86bf85bfc4e27fa6f465f8dea270f165c431cac19dd647579fbc5

RedLineStealer

827dcd6eeff67fb8fd1322c9eeccc9558713bf83b4353669b3d7cc826cadf2f1

RedLineStealer

8e88a317b2a066bbf484f480b1d982880d3749a0ab5d33bab5de59bcaec22b5b

RedLineStealer

a4291a80f585f6610d0860629886f71cb5a894ac4dcb4aa43ebbb11c409864e5

RedLineStealer

e53cd7ea200e2a80b7431f6e72ab2f588d009e430f3d9d18c31bd4f49276b5be

RedLineStealer

+ 2'329 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:one discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220328-cmt7bsffe4/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

45.142.214.245:48570

Unpacked files

SH256 hash:

5d1c02a3a36e0abed2a0f60a40ea6676d306121b99b57ca6dde42b365e2bcd2d

MD5 hash:

e9d673bda8e3598a16de43ad93a0ebb5

SHA1 hash:

a0bb5288da179417f14d9f05da2a422c36024f81

Link:

https://www.unpac.me/results/d73467be-66df-4459-b136-f4139017fdca/

SH256 hash:

e02167e5b8e672d2c04c65fbf7c379808621f1b7a0f3ab2bef457a7137a64f84

MD5 hash:

8c98605e8e659048d48787d19e382f20

SHA1 hash:

82c77f46f3a390644aace6f8dbb630d3d82d9060

Link:

https://www.unpac.me/results/d73467be-66df-4459-b136-f4139017fdca/

SH256 hash:

eb5d31904f00d493a25bbafbd46b5a609f6a4248528f9fdd656bff07ac1ee145

MD5 hash:

364076a1e5ec6d35635f4196fd0ab887

SHA1 hash:

0c858efb12887dca856f33df9de70eb88c0cf598

Link:

https://www.unpac.me/results/d73467be-66df-4459-b136-f4139017fdca/

SH256 hash:

995cce8a3847b995d70f0d3148b782a3cdbc2b1297925dcb654bec2504bcf946

MD5 hash:

65bb991af07e72f16b54934ca980ef35

SHA1 hash:

07cd3944226996c10b4a5636111d27d17bb7649d

Link:

https://www.unpac.me/results/d73467be-66df-4459-b136-f4139017fdca/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/995cce8a3847b995d70f0d3148b782a3cdbc2b1297925dcb654bec2504bcf946

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/258294/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample