MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c0cc77c6928ac5d190b4e064dfde524d1ce4df9bb009f2757427e951a6e296c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c0cc77c6928ac5d190b4e064dfde524d1ce4df9bb009f2757427e951a6e296c7
SHA3-384 hash: 7c8f401fb64e2a1e720ea1a438484459e4664e5f16b73193a75b613bb750ae6f0c85da6098f0bf32c96d5fa6277e6147
SHA1 hash: e287a18d71df1e0612dfac523be71ba534e76292
MD5 hash: 67ac76101675144fa3416891afd2cd67
humanhash: pluto-sad-mango-zebra
File name:@NorthBearStation-454eeabe-4b02-4cc3-bad6-94eefdbe6030.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:294'520 bytes
First seen:2022-05-13 19:40:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e4f73c52fbbb5469bef44876849c61a9 (1 x RedLineStealer)
ssdeep 6144:SBmEDavWB90VyMT+AOWNP6gOXBbZmXAP7ddZBFfW98:PoavW0+MMLJY98
Threatray 33 similar samples on MalwareBazaar
TLSH T1B454AF04B4D68432D9B2113006E48B795F7DFA615B5199AFB3D40FBE4F302A0AE356BE
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter nyyuzyou
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
301
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/270504/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Launching a process
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/17580/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe greyware overlay packed packed
Link:
https://www.filescan.io/uploads/627eb48b40028d3247d1d461/reports/dc4d3f14-bbe0-4021-bccd-eaa3a2b5d5bc/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/08ad5db6-9be7-4b2f-96f7-63ec2e31ec2e
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/993862
Signature
Allocates memory in foreign processes
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 626357 Sample: @NorthBearStation-454eeabe-... Startdate: 13/05/2022 Architecture: WINDOWS Score: 100 34 Snort IDS alert for network traffic 2->34 36 Multi AV Scanner detection for domain / URL 2->36 38 Found malware configuration 2->38 40 6 other signatures 2->40 9 @NorthBearStation-454eeabe-4b02-4cc3-bad6-94eefdbe6030.exe 1 2->9         started        process3 signatures4 46 Contains functionality to inject code into remote processes 9->46 48 Writes to foreign memory regions 9->48 50 Allocates memory in foreign processes 9->50 52 Injects a PE file into a foreign processes 9->52 12 AppLaunch.exe 15 7 9->12         started        17 conhost.exe 9->17         started        process5 dnsIp6 30 62.204.41.141, 24758, 49774 TNNET-ASTNNetOyMainnetworkFI United Kingdom 12->30 32 siasky.net 46.183.219.217, 443, 49783 DATACLUBLV Latvia 12->32 28 C:\Users\user\AppData\Local\Temp\start.exe, PE32+ 12->28 dropped 54 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 12->54 56 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 12->56 58 Tries to harvest and steal browser information (history, passwords, etc) 12->58 60 Tries to steal Crypto Currency Wallets 12->60 19 start.exe 12->19         started        file7 signatures8 process9 signatures10 42 Multi AV Scanner detection for dropped file 19->42 44 Tries to harvest and steal browser information (history, passwords, etc) 19->44 22 cmd.exe 1 19->22         started        process11 process12 24 conhost.exe 22->24         started        26 choice.exe 1 22->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c0cc77c6928ac5d190b4e064dfde524d1ce4df9bb009f2757427e951a6e296c7/
Threat name:
Win32.Trojan.Lazy
Create hunting rule
Status:
Malicious
First seen:
2022-05-13 19:41:07 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
13 of 41 (31.71%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
15581c22b60eae59d0e5e7c8a50f3d96d5d561dc417ef670098bb07226aca9b4
RedLineStealer
3ee9814c18b0d55b57844adc047e61f7c94283904788e03d1a02e2941bd01058
RedLineStealer
aa107f5e13a95804d5175acac905b539a676f71f582e5ca512dea9f8382f294e
RedLineStealer
c31d6090687230bebcc417d6827c9f5df5cdd1be6fe3678252fee9a176f540a1
RedLineStealer
cf2198177383fac5199447ba3f6e34bd8c38432c6f7c73ef829055c4d28938ad
RedLineStealer
cf3233845da04579c378f45a79eabd92db919c802662dc885259e11792cd6cad
RedLineStealer
+ 23 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline infostealer spyware stealer upx
Link:
https://tria.ge/reports/220513-yd3yrsdhbk/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
RedLine
RedLine Payload
Malware Config
C2 Extraction:
62.204.41.141:24758
Gathering data
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c0cc77c6928ac5d190b4e064dfde524d1ce4df9bb009f2757427e951a6e296c7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

RedLineStealer

Executable exe c0cc77c6928ac5d190b4e064dfde524d1ce4df9bb009f2757427e951a6e296c7

(this sample)

Executable exe 4cbe62ea4c09d6e5ff8141917c8caa78029e64b27475332b8dd372f0a989d981

Cape
Cape
https://www.capesandbox.com/analysis/270504/
  
Dropping
SHA256 4cbe62ea4c09d6e5ff8141917c8caa78029e64b27475332b8dd372f0a989d981
  
Dropping
MD5 ead8d8a0bbae33c40614e710b572f66e

Comments