MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c81ccfef5ce97e9647b89a79b4adbdb73feceea4c8ed0fa88b33f02e52859b8f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 9



SHA256 hash: c81ccfef5ce97e9647b89a79b4adbdb73feceea4c8ed0fa88b33f02e52859b8f
SHA3-384 hash: d435da0dc18affdf4d743447b7a67f8db1d865bce7b0b6e3b288661a2b302716af826e9a931a030f676541930577f335
SHA1 hash: d9b6aea303abac942f632459349a361cae9fa9a3
MD5 hash: 0602d74b76caa2200b12f83c8a77b617
humanhash: oven-avocado-bulldog-orange
File name: 0602d74b76caa2200b12f83c8a77b617
Signature: RedLineStealer
File size: 1'102'567 bytes
First seen: 2021-07-30 20:34:18 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: a011f8d93026fd9f5e9442faeeff606d (8 x RedLineStealer, 2 x ModiLoader, 1 x ServHelper)
ssdeep: 24576:O7WVBJ21Phu7NbcPEipoZDO7yeLa0kKA+Br/PWkZTRMA:IGFqEi2Za7/Lx3p/+SB
TLSH: T12535BDA0F993A366E4DA8DB08F0EED52AD6C2A1411D54F5E5F74EF36AF283887711103
dhash icon: 71ccb2a8e8b2cc71 (1 x RedLineStealer)
Reporter: zbetcheckin
Tags: 32 exe RedLineStealer

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
146.185.239.11:80 | https://threatfox.abuse.ch/ioc/164979/

Intelligence


File Origin
# of uploads: 1
# of downloads: 541
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 610203_Voicemod-Pro-21.zip
Verdict: Malicious activity
Analysis date: 2021-07-29 01:25:10 UTC
Tags: evasion trojan loader stealer kelihos rat redline autoit raccoon vidar phishing

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Contains functionality to register a low level keyboard hook
Found malware configuration
Injects a PE file into a foreign processes
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Obfuscated command line found
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Submitted sample is a known malware sample
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph (ID 457115; sample pNO46TA01F; start date 30/07/2021; architecture WINDOWS; score 100; rendered as an image on the original page, recoverable content listed here as text):
- Top-level signatures: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected RedLine Stealer (twice).
- pNO46TA01F.exe started (Contains functionality to register a low level keyboard hook) and started cmd.exe.
- cmd.exe (Submitted sample is a known malware sample; Obfuscated command line found; Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks) started a second cmd.exe and conhost.exe.
- The second cmd.exe (Obfuscated command line found; Uses ping.exe to sleep) started Scegliendo.exe.com, findstr.exe and PING.EXE; findstr.exe dropped C:\Users\user\AppData\...\Scegliendo.exe.com (Targa).
- Scegliendo.exe.com started a second Scegliendo.exe.com instance, which queried WkzPWeDhlRXhpXuMD.WkzPWeDhlRXhpXuMD, dropped C:\Users\user\AppData\Local\...\RegAsm.exe (PE32) and started RegAsm.exe (Writes to foreign memory regions; Injects a PE file into a foreign processes).
- RegAsm.exe contacted zimasaueta.xyz 146.185.239.11 (ports 49726, 49728, 49729; PINDC-AS, Russian Federation), iplogger.org 88.99.66.31 (443, 49730; HETZNER-AS, Germany) and api.ip.sb (Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); May check the online IP address of the machine; Performs DNS queries to domains with low reputation; 3 other signatures), and started conhost.exe.
Threat name: Win32.Trojan.Crypzip
Status: Malicious
First seen: 2021-07-28 15:56:39 UTC
AV detection: 20 of 46 (43.48%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline discovery infostealer spyware stealer
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
RedLine
RedLine Payload
Malware Config
C2 Extraction: zimasaueta.xyz:80
Unpacked files
SHA256 hash: c961ad69e2095ca22e9f6566d57f383f592f418fb26454a02f4f2ab8302e84c6
MD5 hash: 596dcdd5c918cb944960612093d43cff
SHA1 hash: b21b1b79461d6f453e7a5ffb61d175b72c9d1842
SHA256 hash: c81ccfef5ce97e9647b89a79b4adbdb73feceea4c8ed0fa88b33f02e52859b8f
MD5 hash: 0602d74b76caa2200b12f83c8a77b617
SHA1 hash: d9b6aea303abac942f632459349a361cae9fa9a3
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: RedLineStealer
File: Executable exe c81ccfef5ce97e9647b89a79b4adbdb73feceea4c8ed0fa88b33f02e52859b8f (this sample)

Delivery method
Distributed via web download

Comments