MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c21c6b1ab7fcf40e8286562879a9e8977cd3ef8764a4baac711dbc3685dbda18. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


N-W0rm


Vendor detections: 13


Intelligence 13 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c21c6b1ab7fcf40e8286562879a9e8977cd3ef8764a4baac711dbc3685dbda18
SHA3-384 hash: 9228b2db5b64418ef05eb6a331d73214317bce4315a44cde4c995233883532426a58db0904d26d7b7878930fd02c46fd
SHA1 hash: f055d03afa4f6450eefdf053939dc5f2f6c47a8c
MD5 hash: 1e6a47b3c9485f414caec18b5c3f7f5e
humanhash: california-stream-bakerloo-lion
File name:file
Download: download sample
Signature N-W0rm
Create hunting rule
File size:4'630'200 bytes
First seen:2022-08-22 16:00:12 UTC
Last seen:2022-08-22 16:40:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 172750858dcc0719eed08c952858023c (117 x RedLineStealer, 3 x N-W0rm, 1 x AsyncRAT)
ssdeep 98304:csXZcD2CkxTpow610MXB06qu5wut3gIcJfHSjN5/9Kodxbw0:c1qC6TpoEZdudgIm/Sz/9fd/
Threatray 44 similar samples on MalwareBazaar
TLSH T17626027723614191D0F5C83DE527BEE4F2F6022A8B4198FA67D69DC116369E1F233A83
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.5% (.EXE) Win32 Executable (generic) (4505/5/1)
8.5% (.EXE) Win16/32 Executable Delphi generic (2072/23)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 3cf0949cc6d4d0c0 (1 x N-W0rm)
Reporter andretavare5
Tags:exe N-W0rm signed

Code Signing Certificate

Organisation:Logitech ZC-9016 USA State of Washington
Issuer:Logitech ZC-9016 USA State of Washington
Algorithm:sha1WithRSAEncryption
Valid from:2021-12-15T11:48:33Z
Valid to:2031-12-16T11:48:33Z
Serial number: 5fcd5e9349261c9449b88b4124df5004
Intelligence: 27 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 63aa80362de14c7d27647ef57cf3a4928f5dda32e3a54c46c72902172a42dea0
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
andretavare5
Sample downloaded from https://cdn.discordapp.com/attachments/1005487487826788395/1011303550506246194/redgo.bmp

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
49.12.226.201:17054 https://threatfox.abuse.ch/ioc/844738/

Intelligence

File Origin
# of uploads :
2
# of downloads :
398
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-08-22 16:01:37 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/d8a382d9-e06b-4b11-a4a7-6fc680dc561e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/300316/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.11408.32200.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the system32 subdirectories
Sending a custom TCP request
Creating a file
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm overlay packed
Link:
https://www.filescan.io/uploads/6303a88fc9bbd99097880f2d/reports/eb449c54-9a0e-4169-be07-50596aabf743/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/12e0acc3-60c1-474b-8371-2dc05fb137df
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1055679
Signature
Connects to many ports of the same IP (likely port scanning)
Found many strings related to Crypto-Wallets (likely being stolen)
Malicious sample detected (through community Yara rule)
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c21c6b1ab7fcf40e8286562879a9e8977cd3ef8764a4baac711dbc3685dbda18/
Threat name:
Win32.Trojan.Redlinestealer
Create hunting rule
Status:
Malicious
First seen:
2022-08-22 16:01:12 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
15 of 26 (57.69%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yiogwgvx7t2a5augkyuhtkpis56nh34hmsslvldrdw6dnbo33ima._file
Verdict:
malicious
Similar samples:
3ea20ab6ac71f7252d2f3c4ccac94303b30ab139b812c66b69da08d6969dbe87
N-W0rm
573695b2ac9e3a239ecddee3b688aece5257db0677bf551a259a41b31db07050
N-W0rm
6052bfd7f65381d289ec23eed297c264949adbeac8ee84163ea9ec018ff12e22
N-W0rm
7287980c1afb840a7438471126c0c95c36fefa79a013f9620264507e5f98c7a6
N-W0rm
9d2faa0580721927557823d1c965fb34483a3744a6d1d7418e976f0e35322c79
N-W0rm
a880ebe9be4e9888ac2faa331c390b5d477fc828bf2e677e003d3adf74f4e9ec
N-W0rm
ab479d019576efd4dd391e0bf3fc1bedb10367e1ece7157d609a283873a43645
N-W0rm
f9c9b3fbf4d11f96ff06fc8292d8c67ad6cf5432409754bbfc95c5c80e6b160d
N-W0rm
fc45728dcdf75985369c218c0386d8b5e3e49fcbce67bf41c02ba31c01300b0a
N-W0rm
+ 34 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer
Link:
https://tria.ge/reports/220822-tf7yaadac7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine payload
Unpacked files
SH256 hash:
879a5e544eb89f8a044959ba7eb1c366d0c5bff34e35aeb2125fc828afd8a0be
MD5 hash:
258c1fea7ce3fe5d9ec42804d59a3a06
SHA1 hash:
c0d27d8ed13cd2f2b68e58f5e5e098d54007366e
Link:
https://www.unpac.me/results/16b1b6e7-cdd0-4188-a032-5f241186daa6/
SH256 hash:
042838b1def8298f77d3765a76822b69d7c28a3b40e484cc212ea760e18b1c96
MD5 hash:
dc486821656f965f0c6a6ffbe6c74e20
SHA1 hash:
5a23a14f515f4b683ae4e02be108ca5b80e418ff
Link:
https://www.unpac.me/results/16b1b6e7-cdd0-4188-a032-5f241186daa6/
SH256 hash:
c21c6b1ab7fcf40e8286562879a9e8977cd3ef8764a4baac711dbc3685dbda18
MD5 hash:
1e6a47b3c9485f414caec18b5c3f7f5e
SHA1 hash:
f055d03afa4f6450eefdf053939dc5f2f6c47a8c
Link:
https://www.unpac.me/results/16b1b6e7-cdd0-4188-a032-5f241186daa6/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c21c6b1ab7fc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c21c6b1ab7fcf40e8286562879a9e8977cd3ef8764a4baac711dbc3685dbda18

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/300316/

Comments