MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c8527c2290557836600fdc6fca744588da832226e65e48e446eb3e6de6e28a23. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 14

Intelligence 14 IOCs 1 YARA 1 File information Comments

SHA256 hash:	c8527c2290557836600fdc6fca744588da832226e65e48e446eb3e6de6e28a23
SHA3-384 hash:	64df7b00dc202be5c36b9eecccd905b0ccb6f77b72ab03ee40a049f307e8ac62c3122517944c957de761a29c5faec64a
SHA1 hash:	30a3d7760edd6a00a4e0baa61532466e9df4886a
MD5 hash:	f89586d19b55707bd8c4e0cbac9275cd
humanhash:	freddie-pip-floor-georgia
File name:	c8527c2290557836600fdc6fca744588da832226e65e4.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	456'704 bytes
First seen:	2022-02-20 23:05:43 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	cfab3cc80f484d1f798accf1fb24254c (3 x RaccoonStealer, 1 x RedLineStealer)
ssdeep	12288:0+kE7XZPjHc/uqUm35LUYMhV2OLFtkDRoKUpeeJYIFJLM8bo:FB7Hc/uqT35LUYMhV2OLIloKFjQo
Threatray	2'595 similar samples on MalwareBazaar
TLSH	T123A4BF40BBA1C03DE0B355F47875D3BCA52E7EA1A72451CB62D56BEA06386E0DCB530B
File icon (PE):
dhash icon	2dec1378399b9b91 (25 x Smoke Loader, 22 x RedLineStealer, 7 x RaccoonStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
185.215.113.26:505

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
185.215.113.26:505	https://threatfox.abuse.ch/ioc/389724/

Intelligence

File Origin

# of uploads :

# of downloads :

280

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/242823/

Detection(s):

Win.Packed.Filerepmalware-9939423-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Creating a window

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Sending a TCP request to an infection source

Stealing user critical data

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/6811/overview

Behaviour

MalwareBazaar

SystemUptime

CPUID_Instruction

MeasuringTime

EvasionGetTickCount

EvasionQueryPerformanceCounter

CheckCmdLine

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/6212c960a2660f3bb914f88e/reports/bfc05851-93ce-493e-89e5-2caec916db58/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b6aa1bce-89a7-4937-9495-1a7e0a81bfaa

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/942925

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c8527c2290557836600fdc6fca744588da832226e65e48e446eb3e6de6e28a23/

Threat name:

Win32.Trojan.Raccoon

Status:

Malicious

First seen:

2022-02-20 23:06:11 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 28 (82.14%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=zbjhyiuqkv4dmyap3rx4u5cfrdnigirg4zperzcg5m7g3zxcrirq._file

Verdict:

malicious

RedLineStealer

0ba7dc012a6d64f8759b1d30629f56daa130bcec36e42c318cada88a2ad1d351

RedLineStealer

51e380e872b007b342e94119d6665cc15ce492964c82799117e50e2f103a5ac3

RedLineStealer

53284c3dc0078ff9aa534d3401a7cb1235e10a301d84dc362d6d2384cfbf7b64

RedLineStealer

556274658598eef16051157d298e3a1062d46ebee23bf491268a68c3a8996be5

RedLineStealer

63116a7686b86bf85bfc4e27fa6f465f8dea270f165c431cac19dd647579fbc5

RedLineStealer

7d45f54744ff5c0cee3b3053ce2173a115251862eeba050b429ea911f7c36296

RedLineStealer

9f157ceaee5858d2f77f1f828d9dc8417c7c99a65b4412896ac0231416336393

RedLineStealer

ba195a9f090cb803df55df40d839f95e335234a13d3207f65efa46c3d0f837d0

RedLineStealer

+ 2'585 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:stress discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220220-23eh9acghr/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Drops file in Windows directory

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Suspicious use of NtCreateProcessExOtherParentProcess

Malware Config

C2 Extraction:

185.215.113.26:505

Unpacked files

SH256 hash:

0d32d7c0d8958b6009b646ea3d525324205f3c41eb538f6e32eba3ffa8e35f92

MD5 hash:

a550d7b053cb93e303c8654434bf6f88

SHA1 hash:

d3ff4777d26820f7b89ea9a5dfb9d20883f47a02

Link:

https://www.unpac.me/results/68d3370a-b408-4ea9-b130-16a4832db923/

SH256 hash:

5f0d001d4518a61519aa443256ee4b35413fb643c57507f641c0607cbd6d5c74

MD5 hash:

964278d7dbde29966d111996d27620cd

SHA1 hash:

b461def767ddc1f0de2afc80ceb05c02968bfe2e

Link:

https://www.unpac.me/results/68d3370a-b408-4ea9-b130-16a4832db923/

SH256 hash:

fac7e5f47970c9551f5263960060dcc915dbf6e300b3bb2ef1faf4144917889d

MD5 hash:

2922bdff1a2cfe7418c6fe9c82777ef4

SHA1 hash:

06c196287cb3a778174b9bec73451a3d8aa8d3be

Link:

https://www.unpac.me/results/68d3370a-b408-4ea9-b130-16a4832db923/

SH256 hash:

c8527c2290557836600fdc6fca744588da832226e65e48e446eb3e6de6e28a23

MD5 hash:

f89586d19b55707bd8c4e0cbac9275cd

SHA1 hash:

30a3d7760edd6a00a4e0baa61532466e9df4886a

Link:

https://www.unpac.me/results/68d3370a-b408-4ea9-b130-16a4832db923/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/c8527c229055/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c8527c2290557836600fdc6fca744588da832226e65e48e446eb3e6de6e28a23

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.