MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c2ec58019152493525ab9962c758fff777c96af2407599751fc5f100874222f3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer
Vendor detections: 13

SHA256 hash: c2ec58019152493525ab9962c758fff777c96af2407599751fc5f100874222f3
SHA3-384 hash: 9ca47c44ec99a1fd33564eca8dfceda0a5869d75f2de6a133127a29ffad3f2bb64580e71073b9194446cf87b3a50c7f0
SHA1 hash: a4ceb95152163a3e614ee8fcf3245961fb0939f4
MD5 hash: 1709383fe9901262649ac4785d1d3ad8
humanhash: six-twelve-zulu-enemy
File name: 1709383fe9901262649ac4785d1d3ad8.exe
Signature: RedLineStealer
File size: 985'487 bytes
First seen: 2024-02-23 22:00:13 UTC
Last seen: 2024-02-23 23:23:14 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2f3a7c5c46373967696674b9a526bbc2 (2 x Stealc, 1 x BunnyLoader, 1 x RedLineStealer)
ssdeep: 24576:vz28lByb3iF9e7MxGFMCSwynoQzBP7qeceG7r8UAZ:vK8ANFMCQoQ1jqeq5AZ
TLSH: T1C4250201E902923AF8B705F7CAFF687D672CAD51131954DB63CC18AE9B2ADD2793011B
TrID: 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
      19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
      17.2% (.EXE) Win32 Executable (generic) (4504/4/1)
      7.7% (.EXE) OS/2 Executable (generic) (2029/13)
      7.6% (.EXE) Generic Win/DOS Executable (2002/3)
dhash icon: 45b169ede9717169 (1 x RedLineStealer)
Reporter: abuse_ch
Tags: exe RedLineStealer
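The imphash above is shared with Stealc and BunnyLoader samples, which is the usual caveat with this indicator: it hashes the import table, and when a packer or loader stub is what imports, every payload wrapped by that stub collides. The following is an added example written for this page, not MalwareBazaar's or pefile's code, showing how the import hash is derived from a parsed import directory and why two different families can share one. The import lists are constructed for illustration and are not the import table of this sample, and the ws2_32 ordinal table is a trimmed subset.

```python
"""Import hash (imphash) computed from a parsed import table.

Added example, not MalwareBazaar's or pefile's code. The import lists below
are constructed and are not taken from the sample on this page. The ordinal
table is a small subset of ws2_32's exports (an assumption for the example).
"""
import hashlib

# Subset of ws2_32.dll export ordinals; imphash implementations resolve
# imports-by-ordinal for ws2_32/wsock32/oleaut32 to names so that the hash
# does not depend on how the linker emitted the import.
WS2_32_ORDINALS = {
    1: "accept", 2: "bind", 3: "closesocket", 4: "connect", 9: "htons",
    11: "inet_addr", 16: "recv", 19: "send", 23: "socket",
    52: "gethostbyname", 115: "WSAStartup", 116: "WSACleanup",
}
ORDINAL_TABLES = {"ws2_32": WS2_32_ORDINALS, "wsock32": WS2_32_ORDINALS}


def _normalise_dll(dll: str) -> str:
    """Lower-case the DLL name and strip the .dll/.ocx/.sys extension."""
    name = dll.lower()
    for ext in (".dll", ".ocx", ".sys"):
        if name.endswith(ext):
            return name[: -len(ext)]
    return name


def imphash_string(imports) -> str:
    """Return the comma-joined 'dll.func' string that gets hashed.

    imports: iterable of (dll_name, func_name_or_None, ordinal_or_None) in
    import-directory order. Order matters: reordering changes the hash.
    """
    parts = []
    for dll, func, ordinal in imports:
        lib = _normalise_dll(dll)
        if func is None:
            # Import by ordinal: resolve known ordinals, otherwise 'ordN'.
            func = ORDINAL_TABLES.get(lib, {}).get(ordinal, f"ord{ordinal}")
        parts.append(f"{lib}.{func.lower()}")
    return ",".join(parts)


def imphash(imports) -> str:
    """MD5 of the normalised import string, as 32 hex characters."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


# Constructed import table of a hypothetical packer stub. The stub is what
# imports, so any payload wrapped by it shares the imphash regardless of family.
PACKER_STUB_IMPORTS = [
    ("KERNEL32.dll", "GetProcAddress", None),
    ("KERNEL32.dll", "LoadLibraryA", None),
    ("KERNEL32.dll", "VirtualAlloc", None),
    ("WS2_32.dll", None, 23),    # socket, imported by ordinal
    ("WS2_32.dll", None, 115),   # WSAStartup, imported by ordinal
]
SAMPLE_A = list(PACKER_STUB_IMPORTS)   # e.g. one family packed with the stub
SAMPLE_B = list(PACKER_STUB_IMPORTS)   # e.g. another family, same stub
SAMPLE_C = PACKER_STUB_IMPORTS[::-1]   # same functions, different order

if __name__ == "__main__":
    print(imphash_string(SAMPLE_A))
    print(imphash(SAMPLE_A), imphash(SAMPLE_B), imphash(SAMPLE_C))
```

SAMPLE_A and SAMPLE_B hash identically, which is the situation the vendor count on the imphash line describes; SAMPLE_C differs only in import order and yields a different value. Use imphash to pivot to the loader or packer, then confirm the family from the unpacked payload or its configuration.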


abuse_ch
RedLineStealer C2:
85.159.228.138:41572

Intelligence

File Origin
# of uploads: 2
# of downloads: 408
Origin country: NL

Vendor Threat Intelligence
Result
Verdict: Suspicious
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Launching cmd.exe command interpreter
Creating a process with a hidden window
Moving a file to the %temp% subdirectory
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Running batch commands
Creating a process from a recently created file
Creating a window
DNS request
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: fingerprint installer keylogger lolbin overlay packed shell32
Result
Verdict: MALICIOUS
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to register a low level keyboard hook
Drops PE files with a suspicious file extension
Found API chain indicative of debugger detection
Found API chain indicative of sandbox detection
Found malware configuration
Injects a PE file into a foreign process
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph ID: 1397987
Sample: nJAmHgBhKB.exe
Startdate: 23/02/2024
Architecture: WINDOWS
Score: 100
Sample-level signatures: Snort IDS alert for network traffic; Found malware configuration; Antivirus detection for URL or domain; 4 other signatures
DNS name observed: GbXgSUrLZlAGrRTQIFSGJXVHysyYi.GbXgSUrLZlAGrRTQIFSGJXVHysyYi
Process tree (dropped files and signatures listed under each process):
nJAmHgBhKB.exe (started)
    dropped: C:\Users\user\AppData\Local\Temp\...\Log, PE32
    Contains functionality to register a low level keyboard hook
    cmd.exe (started)
        Uses ping.exe to sleep
        Drops PE files with a suspicious file extension
        Uses ping.exe to check the status of other devices and networks
        Programmer.pif (started)
            dropped: C:\Users\user\AppData\Local\...\RegAsm.exe, PE32
            Found API chain indicative of debugger detection
            Found API chain indicative of sandbox detection
            Writes to foreign memory regions
            Injects a PE file into a foreign process
            RegAsm.exe (started)
                network: 85.159.228.138, ports 41572 and 49716, EUROTELECOM-ASRU, Russian Federation
                Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
                Tries to harvest and steal browser information (history, passwords, etc)
                Tries to steal Crypto Currency Wallets
        cmd.exe (started)
            dropped: C:\Users\user\AppData\...\Programmer.pif, PE32
        cmd.exe (started)
        7 other processes
    conhost.exe (started)
Threat name: Win32.Spyware.RedLine
Status: Malicious
First seen: 2024-02-21 05:46:40 UTC
File Type: PE (Exe)
Extracted files: 15
AV detection: 19 of 24 (79.17%)
Threat level: 2/5
Verdict: malicious
Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:muter discovery infostealer spyware stealer
Behaviour
Enumerates processes with tasklist
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
RedLine
RedLine payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction: 85.159.228.138:41572
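The extracted C2 endpoint is the indicator most responders will want to sweep for, and the sandbox signature above about connecting to many ports of the same IP is the companion heuristic for when the configured port has changed. The following is an added example written for this page, not code from MalwareBazaar or any sandbox vendor, that runs both checks over Zeek-style conn.log records. Only the C2 indicator 85.159.228.138:41572 comes from the page; the log lines, internal hosts, TEST-NET destination addresses, connection uids and the fan-out threshold are constructed for the example.

```python
"""Sweep Zeek-style conn.log records for the extracted C2 and for port fan-out.

Added example, not MalwareBazaar's or a sandbox vendor's code. CONN_LOG is a
constructed log (made-up uids, RFC 5737 TEST-NET destinations, invented
timestamps); only the 85.159.228.138:41572 indicator is from the page.
"""
from collections import defaultdict

C2_IOCS = {"85.159.228.138:41572"}   # from the Malware Config section above

CONN_LOG = [
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto",
    "1708725613.1\tC1\t10.0.0.5\t49716\t85.159.228.138\t41572\ttcp",
    "1708725640.2\tC2\t10.0.0.5\t49720\t85.159.228.138\t41572\ttcp",
    "1708725655.0\tC3\t10.0.0.5\t49721\t85.159.228.138\t8080\ttcp",   # same IP, other port
    "1708725700.0\tC4\t10.0.0.7\t50001\t203.0.113.10\t21\ttcp",
    "1708725701.0\tC5\t10.0.0.7\t50002\t203.0.113.10\t22\ttcp",
    "1708725702.0\tC6\t10.0.0.7\t50003\t203.0.113.10\t23\ttcp",
    "1708725703.0\tC7\t10.0.0.7\t50004\t203.0.113.10\t80\ttcp",
    "1708725704.0\tC8\t10.0.0.7\t50005\t203.0.113.10\t443\ttcp",
    "1708725800.0\tC9\t10.0.0.9\t50100\t198.51.100.20\t443\ttcp",     # unrelated traffic
]


def parse_conn(lines):
    """Parse tab-separated conn.log lines using the '#fields' header for names."""
    fields = None
    records = []
    for line in lines:
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        if fields is None:
            raise ValueError("conn.log data before #fields header")
        rec = dict(zip(fields, line.split("\t")))
        rec["id.orig_p"] = int(rec["id.orig_p"])
        rec["id.resp_p"] = int(rec["id.resp_p"])
        records.append(rec)
    return records


def match_iocs(conns, iocs):
    """Return (uid, tier): 'exact' on ip:port, 'ip-only' when just the IP matches."""
    exact = set(iocs)
    ips = {ioc.rsplit(":", 1)[0] for ioc in iocs}
    hits = []
    for c in conns:
        key = f"{c['id.resp_h']}:{c['id.resp_p']}"
        if key in exact:
            hits.append((c["uid"], "exact"))
        elif c["id.resp_h"] in ips:
            hits.append((c["uid"], "ip-only"))
    return hits


def port_fanout(conns, threshold=5):
    """(src, dst) pairs that touched at least `threshold` distinct destination ports."""
    ports = defaultdict(set)
    for c in conns:
        ports[(c["id.orig_h"], c["id.resp_h"])].add(c["id.resp_p"])
    return {pair: p for pair, p in ports.items() if len(p) >= threshold}


if __name__ == "__main__":
    conns = parse_conn(CONN_LOG)
    print(match_iocs(conns, C2_IOCS))
    print(port_fanout(conns))
```

The ip-only tier exists because a RedLine build's port is part of its configuration and can differ between builds sharing infrastructure; treat it as a lead to confirm, not as a hit. The fan-out threshold is an assumption and should be tuned against the environment's baseline before it is used for alerting.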
Unpacked files
SHA256 hash: 9437b5cd85f01ae5f0fcffab34b33a10b18beee3d559431a512b977596576fd6
MD5 hash: 0e5f8c77f7d8e72afb90a58098bdfaf7
SHA1 hash: 4f7884661c4b200210ac250b914b2464ced3dd12
Detections: AutoIT_Compiled
Parent samples:
99792e2eda5c50df332f2ba9bde7dbe158398acd913c16f980ff54bfda274f36
32a3ae3f8473db4b0526e456c67da605202afbfc4db584db9275d62e80884bf5
4315c14af0772f50b9b383cae378f26e71e77156886209344791c7f931d6425c
c70a6bb61af33042ad6131ed456847c36ddf8a20cfd711646d2f673ec851c754
8eed969439caae425cac85ad5b221e4f19ab22b40182a8d6beeb035dc50cf6a1
fc3085b354e1e35b4a9b15166cbbead6a63fb3f2cd18f00f546868d5392408b7
2afe2fed654c4514265a3d1b0f50cef25b9fc34351887a13d770457ba018492d
b9371b217090aadf41da567face2032494d9fc5d7e4bb438dad702814c88fb97
2fcffd3914b2555cd521d7c2d3c43e8e8af300f9ee161d3ae0c028206f55775b
6a7afd800f236e6bf6cdaa2fc93869daade49c2b5698bbb39c3d8ecc13d0fd9c
6115d0dc0349f7cbab3fe4b4b769b389a60aab336519d4b42952bb0f0501428f
9f706c4488db8c3f51761fe450003199948b489b39bfaf56560eac498a954356
e326efbd611e0d48875fabb475c73e40628ec2948ef3f59eb1f8326374d92393
a8c2d6bf4c101746a89855247e2472a8d4871b4bd75726d41948e802ebaf3e43
9ac629ed8e07b6c99b05edd46b86e1795e5f96908ab1fe85a06282b0a982cd1b
487aa8d7d2c3f85140a7dc9c8704329c6e42a296e6a89ec66a7e0de58d309ded
e3c6537ef0c305d9c7b242b88dcbff7b1a762b277b6d15d1372a41f44aa67c46
b756f04d1cd713bb11d5ae1032f8e8580d7cb11ad9e58f0219c9a9fb02c20d42
d5c78b62b3a63008127a31fdb356bcc8fc8a301c660708467525660d802d32ee
40aa56690dafef35b08b83eebf12c694f5cec88c6ba1ff9f499fff5a5da1ef02
baeced1519471f5b87271beb193b279983078f0bba9ba4daef9af842b3c361b8
a12adcef2a153e0926843befaad18c7378d8d1b698400c51a69b229f99979d54
7a3506f60a337bd104291e6f01bf18cbf3dad4058e9e79d7861fc2a1c11258c2
43c59cd33371691282d4f781b6f5d0b280da41d71fceeecc7b7052a1db11ac79
634bf075d6d8a187a316a7ff567c867dea7454f4c414fc1dfb5e8a6bae2ab38e
8b66a3ecbb30f4351758c45f1c11dfa8faa9804b2976e108e9557ba39bae3202
0464478d0f6c9992dcfd81471fe69b418deab070f4f7852d756a4138d21f5cac
bdf72e1c0964b7a7b96651b278b6f8d4b42849c01ff2aa6c6844b5ac2a893f3b
9b95dc37744055c1d9cec9f4383ddb52bf0436a3ae88112b782211a02533fa88
1814457fbd890028ff409edc2d23a11bbac93fb7318aa54523ada7e04f53ea7f
c27c1e00bb778d222efa52a9dbb9335230052cd7eaacf34a8d28b4436aae580c
8ac262e42dc9b061481f38467e202f22271f204cf595b610eb0ad4f5bbcd560b
c2ec58019152493525ab9962c758fff777c96af2407599751fc5f100874222f3
a857af8b33c62e7897af86264a2c8959545cacf74329b76730e2a84b35ef20a4
83f7e97876bb82d57f77f675e4b9ed0d3cd18c75e1cee4ec9661f653ba522e5b
6d4114742eb27a4e99c398904607bbfb07f91c2f2d25c921d888c0879f22d646
8bfa18179880147b29fd76adbba9c2818d5ba600ef22f17a5fcb9897287c4d34
fa8e3f10f85d54f5ac081ec4e9f5bb4c46716c55940c811489abd325d67a9fd1
44ed4970306de81ea87869369b9a1473e119d9a7d4a825fddd1405aa1f6dbe85
ec78b7b9f3560e19d0c723d7d114747d3833cb940631f9a3dbe83634e8d68491
087a6dafebbe457fd2085fc08162a3298891986290e3dd9fef21eec45e0df40f
4be740b7411f644b92749c5fd9be10b827f885c13690aaf7857a6d58b44e9c8c
d75697e57eee3f6f63114075c15995fef359eeb7a3f554e40d55dee19bead4fd
ceb6b3d9b2ae0430495caaecedbdd494ff5cd44cb24780cbbb2863efa9386182
fa80871e2a0b0384f09f41d1a0a6715b7d32b915e70516152b10c32da4151556
80441fcf20760b653d36c4bc78c58c9e05b190e811767c7ed523a904e53b0684
f8f72291115d788722cc33cef22e2ef826e221da3ad3c4074debb663281a38b2
379a446e3c57a9c7fd56eee88d1b9c8ad89c892307db989b3edd53be1d8913bf
0df79273aea792b72c2218a616b36324e31aaf7da59271969a23a0c392f58451
585d0e01d18cf7acfb8cb1b7ba54ffbb64e187e0a69372e2dc7f6f6b285a8493
707d8153cfae722c0c834bb06bb9dc04d6f3224a39a9b9c33aa524389561ffaa
2ad1b5261442f87a5e7a1c53cd0335c61652b39da8f54587fe0adc45e0813661
a8b2c1d4067978b61076e9ad9848c27ff31611c3a201cafa0b8a4005d80e7321
e4fe2b92480a8ad512c643358c7add07588e8028c1526e5e874d292e6053d4a6
3a339d1c2c786bde38552618b21b647fd61e583ba7cefb9eee6b0647201e5ca6
add35b72ac24e4056dac7aa46dc03ac8ccf717b0891026da8028fb9cbd8f5b7f
SHA256 hash: c2ec58019152493525ab9962c758fff777c96af2407599751fc5f100874222f3
MD5 hash: 1709383fe9901262649ac4785d1d3ad8
SHA1 hash: a4ceb95152163a3e614ee8fcf3245961fb0939f4
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments