MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b440cc701ffb2c9027fee1ce97ab8f3e5c3db19449348e53833b74d1a0fd17d2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 15

Intelligence 15 IOCs YARA 3 File information Comments

SHA256 hash:	b440cc701ffb2c9027fee1ce97ab8f3e5c3db19449348e53833b74d1a0fd17d2
SHA3-384 hash:	19d600c05037b9c9a1d0154d89e7967cb0c151d252ebf4d02c50a6c84eae4f909c239c5333b868b1d0d4b4df15e8566e
SHA1 hash:	056215e661f898dde4ad83beb013b6a065c0a9bb
MD5 hash:	2b349f13469bd6d9869cbd062a560d5e
humanhash:	bacon-lithium-two-maryland
File name:	b440cc701ffb2c9027fee1ce97ab8f3e5c3db19449348.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	311'808 bytes
First seen:	2023-03-02 17:16:10 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b9edfa94b36ce86a0bd61e719fe30fb4 (2 x RedLineStealer, 1 x GCleaner, 1 x Smoke Loader)
ssdeep	6144:x3gLiI6VCSlL5osXE0scBpnr0nQCedhZQGDjzAzL4/VEzUWXl:qbuCaEypnrFhZQGDwLcEH1
TLSH	T1D264F2217AE0C032E29B1474483497A5AF7EB92626704BCF7B651BFE5F307C1966630B
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	908c8ce8b4b4dc38 (1 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
91.215.85.15:25916

Intelligence

File Origin

# of uploads :

# of downloads :

218

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

b440cc701ffb2c9027fee1ce97ab8f3e5c3db19449348.exe

Verdict:

Malicious activity

Analysis date:

2023-03-02 17:17:31 UTC

Tags:

rat redline

Link:

https://app.any.run/tasks/1d96a25e-e689-49b4-90d5-8ff1e3737f03

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/371260/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Stealing user critical data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

75%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/6400da102ea6b36966306852/reports/a8890e01-4758-4c8d-9152-de3475639a60/overview

Verdict:

Malicious

Labled as:

Ransom.84989A88

Link:

https://www.hybrid-analysis.com/sample/b440cc701ffb2c9027fee1ce97ab8f3e5c3db19449348e53833b74d1a0fd17d2

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

SmokeLoader

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/008ae986-7058-4fce-b254-0e82f7258d69

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1185980

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b440cc701ffb2c9027fee1ce97ab8f3e5c3db19449348e53833b74d1a0fd17d2/

Threat name:

Win32.Trojan.SmokeLoader

Status:

Malicious

First seen:

2023-03-02 17:40:40 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 25 (80.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wramy4a77mwjaj764hhjpk4phzod3mmuje2i4u4dhn2ndih5c7ja._file

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline discovery infostealer spyware stealer

Link:

https://tria.ge/reports/230302-vtpjjadh93/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine payload

Unpacked files

SH256 hash:

fe20253e6bcafed3a581e5269b6864d1fdf838983b0b4427bd9e4696ba3d1ffe

MD5 hash:

9297cc2bad28fe469640b35f8f9358a1

SHA1 hash:

b62081ed7e83a8721d5bf5df0d5ea9fdec2822e2

Detections:

redline

Link:

https://www.unpac.me/results/acc17ca3-bf28-4cd0-8cdd-fcd4d9341924/

Parent samples :

b440cc701ffb2c9027fee1ce97ab8f3e5c3db19449348e53833b74d1a0fd17d2
70bbe3233b22e964ef757d5e58148674c2d700ee272874d288fa86274ec21756
355c0d46a3f2f7dde8639253608c1f980261f741361d5366e6263a057552158a
46c40abc6c950d2f5a1543c64dfde2ca02090a21e2fcaa5c447fa2e5043a702b
6122bf939accef04d0acffcf417e6f72ecf0dc713fbc0578940eaf4e04cb5bf6
c4a84f2d399775dfc0620a96cdf135ca5dd259b6691b052b49c3117d135e2666

SH256 hash:

db2c4acdeb934ae96e51b46b88f24dad4e43f69a90de44b8554e30b909ef29ca

MD5 hash:

9dc3abbfdcd1bb7cafb14a35b60d6713

SHA1 hash:

6aacaf8c94121006562f4a013283741340e99693

Detections:

redline

Link:

https://www.unpac.me/results/acc17ca3-bf28-4cd0-8cdd-fcd4d9341924/

Parent samples :

b440cc701ffb2c9027fee1ce97ab8f3e5c3db19449348e53833b74d1a0fd17d2
6132d0339518ab0af94fc797e90115469192e653b8e181b56411a1bc467efba3
0bc3bf3d578af6f367f2ba1e2684c686ab2339fbcaa3edd38e83789a692df1e2
70bbe3233b22e964ef757d5e58148674c2d700ee272874d288fa86274ec21756
355c0d46a3f2f7dde8639253608c1f980261f741361d5366e6263a057552158a
319f678b8bf7350d8a85d7a6185909f75ded81a976062ca8ef823177e90a649b
46c40abc6c950d2f5a1543c64dfde2ca02090a21e2fcaa5c447fa2e5043a702b
11035a6f9b2c940068b5b3a1af6ad00d30049086d7880c1b43b5a7079dfd699a
6122bf939accef04d0acffcf417e6f72ecf0dc713fbc0578940eaf4e04cb5bf6
32e595d4c93e4e0ca55de6756cf23ea090ea45c86d958857f44109376b02e3b0
c4a84f2d399775dfc0620a96cdf135ca5dd259b6691b052b49c3117d135e2666

SH256 hash:

f4262b5eb59db26a6eb9534d7d8e57955ef5ef3079a439570cb32c9754baf696

MD5 hash:

bcc57bbabee21070c3b1c1c0d6549c1d

SHA1 hash:

374f18b741a610c8d532d793c52e2aae22fc7856

Link:

https://www.unpac.me/results/acc17ca3-bf28-4cd0-8cdd-fcd4d9341924/

SH256 hash:

b440cc701ffb2c9027fee1ce97ab8f3e5c3db19449348e53833b74d1a0fd17d2

MD5 hash:

2b349f13469bd6d9869cbd062a560d5e

SHA1 hash:

056215e661f898dde4ad83beb013b6a065c0a9bb

Link:

https://www.unpac.me/results/acc17ca3-bf28-4cd0-8cdd-fcd4d9341924/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/b440cc701ffb/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b440cc701ffb2c9027fee1ce97ab8f3e5c3db19449348e53833b74d1a0fd17d2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/371260/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample