MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c0887fac0c1921b6678e81a90619bda7f0ffb9abee99583fe9f32107e0975e0b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c0887fac0c1921b6678e81a90619bda7f0ffb9abee99583fe9f32107e0975e0b
SHA3-384 hash: a2d3f17e1108d6ae7ff466dc300f5796e3dba0a5a1bc0f37391ba8698fbaf6e89dffb62f94190180e38996b2095ae36d
SHA1 hash: 8283b232fd8be508043b5d151e1655dc4caf7769
MD5 hash: a9c63f792d6eee1784924ba712adc68a
humanhash: bluebird-shade-august-california
File name:c0887fac0c1921b6678e81a90619bda7f0ffb9abee995.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:575'488 bytes
First seen:2022-03-05 17:00:41 UTC
Last seen:2022-03-05 18:53:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 445554923421947cbff896012e27345a (301 x RedLineStealer, 11 x RaccoonStealer, 5 x CoinMiner)
ssdeep 12288:xyvjysbjCfWaPJw7e99uv3QS03ULaHNqrxlKIQNouU0kozS2gwvApi:ajy+sWaBwa94v3kEaHNYK3NUPP2s8
Threatray 1'586 similar samples on MalwareBazaar
TLSH T15DC42386E181FE55D80D0AF87832AC87707ADF3C5CE8A714E55B8ACBE87548777180B6
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
185.215.113.66:26416

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.215.113.66:26416 https://threatfox.abuse.ch/ioc/392582/

Intelligence

File Origin
# of uploads :
2
# of downloads :
246
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/247538/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/12728be8-0ac5-4482-9285-e756ae6a780b
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/951204
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 583685 Sample: c0887fac0c1921b6678e81a9061... Startdate: 05/03/2022 Architecture: WINDOWS Score: 100 105 Found malware configuration 2->105 107 Malicious sample detected (through community Yara rule) 2->107 109 Antivirus detection for URL or domain 2->109 111 7 other signatures 2->111 10 c0887fac0c1921b6678e81a90619bda7f0ffb9abee995.exe 1 2->10         started        13 RegHost.exe 1 2->13         started        process3 signatures4 113 Writes to foreign memory regions 10->113 115 Allocates memory in foreign processes 10->115 117 Injects a PE file into a foreign processes 10->117 15 AppLaunch.exe 15 7 10->15         started        20 conhost.exe 10->20         started        119 Machine Learning detection for dropped file 13->119 121 Injects code into the Windows Explorer (explorer.exe) 13->121 123 Modifies the context of a thread in another process (thread injection) 13->123 22 explorer.exe 1 13->22         started        24 bfsvc.exe 1 13->24         started        26 conhost.exe 13->26         started        process5 dnsIp6 93 185.215.113.66, 26416, 49786 WHOLESALECONNECTIONSNL Portugal 15->93 95 transfer.sh 144.76.136.153, 443, 49791 HETZNER-ASDE Germany 15->95 83 C:\Users\user\AppData\Local\Temp\fl.exe, PE32+ 15->83 dropped 97 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 15->97 99 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 15->99 101 Tries to harvest and steal browser information (history, passwords, etc) 15->101 103 Tries to steal Crypto Currency Wallets 15->103 28 fl.exe 1 4 15->28         started        33 curl.exe 1 22->33         started        35 curl.exe 22->35         started        37 curl.exe 22->37         started        41 3 other processes 22->41 39 conhost.exe 24->39         started        file7 signatures8 process9 dnsIp10 91 185.137.234.33, 49792, 49793, 8080 SELECTELRU Russian Federation 28->91 85 C:\Users\user\AppData\...\RegModule.exe, PE32+ 28->85 dropped 87 C:\Users\user\AppData\Roaming\...\RegHost.exe, PE32+ 28->87 dropped 89 C:\Users\user\AppData\Roaming\...\RegData.exe, PE32+ 28->89 dropped 125 Machine Learning detection for dropped file 28->125 127 Injects code into the Windows Explorer (explorer.exe) 28->127 129 Writes to foreign memory regions 28->129 131 3 other signatures 28->131 43 explorer.exe 1 28->43         started        45 bfsvc.exe 1 28->45         started        47 conhost.exe 28->47         started        49 conhost.exe 33->49         started        51 conhost.exe 35->51         started        53 conhost.exe 37->53         started        55 conhost.exe 41->55         started        57 conhost.exe 41->57         started        file11 signatures12 process13 process14 59 curl.exe 1 43->59         started        61 curl.exe 1 43->61         started        63 curl.exe 1 43->63         started        67 6 other processes 43->67 65 conhost.exe 45->65         started        process15 69 conhost.exe 59->69         started        71 conhost.exe 61->71         started        73 conhost.exe 63->73         started        75 conhost.exe 67->75         started        77 conhost.exe 67->77         started        79 conhost.exe 67->79         started        81 conhost.exe 67->81         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c0887fac0c1921b6678e81a90619bda7f0ffb9abee99583fe9f32107e0975e0b/
Threat name:
Win32.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2022-03-05 17:01:09 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
23 of 27 (85.19%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yceh7lamdeq3mz4oqguqmgn5u7yp7onl52mvqp7j6mqqpyexlyfq._file
Verdict:
malicious
Similar samples:
3a06f4cc6efdaf99f8ddeb7303f2a0b18db737261e29b95dc8571420af6fb0f7
RedLineStealer
3e099c7df6b2aa9383d0019e3c911b4f141e9425a792b2a06a8a4797f1fcca9a
RedLineStealer
527b3ec7f548207e3ef8509973591509e5d61c91d613c232329204dfa35535be
RedLineStealer
853b192bc9e988c1aa6d71f189b4bab87e4afe332aa1d83bd6486ba1999cf15a
RedLineStealer
ab678d5de5678d684711044c60a9b3a706f08be433692f0960b132b8bee3a2d2
RedLineStealer
c119d0bab75794fd6f36e8a3a790af438a9fc32a0c4573f206542cb4c3989d38
RedLineStealer
dd469d067ee8f95f77fa9de6ae88c95e3a3d1b35c908c04eeba82a46316d1990
RedLineStealer
+ 1'576 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/220305-vjjkjaaddl/
Behaviour
Program crash
Unpacked files
SH256 hash:
851922c0e8af0c3839dd9fa7042aa38096531a0ec9336c5352e71c355ea2b96f
MD5 hash:
26a726bd1e699781f38bfd317a9c8ea6
SHA1 hash:
fda36a88da9d83c1f75f0287825d0821e83ca366
Link:
https://www.unpac.me/results/216934b0-9021-4228-bd45-801ef32f5e06/
SH256 hash:
7a74b0cf25f2a4932506d2a8a76c53077a445d3036233d57377ef873d4d9d24f
MD5 hash:
b72e70fdc0809255397616314798e87f
SHA1 hash:
1ae9c6d6392e040479988766a7b21d1f564e408b
Link:
https://www.unpac.me/results/216934b0-9021-4228-bd45-801ef32f5e06/
SH256 hash:
c0887fac0c1921b6678e81a90619bda7f0ffb9abee99583fe9f32107e0975e0b
MD5 hash:
a9c63f792d6eee1784924ba712adc68a
SHA1 hash:
8283b232fd8be508043b5d151e1655dc4caf7769
Link:
https://www.unpac.me/results/216934b0-9021-4228-bd45-801ef32f5e06/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c0887fac0c1921b6678e81a90619bda7f0ffb9abee99583fe9f32107e0975e0b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe c0887fac0c1921b6678e81a90619bda7f0ffb9abee99583fe9f32107e0975e0b

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/247538/
  
URLhaus
https://urlhaus.abuse.ch/url/2079520/
  
Delivery method
Distributed via web download

Comments