MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb3685962d9ff91cf33b96743e762ed6216084c7704170beeb2ba69810b9b44a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 11



SHA256 hash: cb3685962d9ff91cf33b96743e762ed6216084c7704170beeb2ba69810b9b44a
SHA3-384 hash: df7029483177d12ffb77103052f18091a77326f9a7400a375d7158076a43097f31f22a38d920b9158dc99a4c916a0f73
SHA1 hash: 1d3c4bc40cf11f4e7cce1dd20d8cd06a7e5707bf
MD5 hash: 9ea5574a5f857adc1a85a10537581d90
humanhash: river-nevada-yellow-oven
File name: 9ea5574a5f857adc1a85a10537581d90.exe
Signature: RedLineStealer
File size: 771'482 bytes
First seen: 2022-06-02 00:22:15 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep: 12288:pzxzTDWikLSb4NS7u3waYpGXQOsuzd8Ii/jAWlEHwF9BgcCC69fMXRU:TDWHSb4NHG/uzd8xjAWlEQbqrdMXS
TLSH: T1AFF40202FD9155B3D67209350A29BB61A93C7A201F20CBDBF3D44A5DEA351E1B731BA3
TrID: 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
      13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
      6.2% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: 96cc6965646533c8 (1 x RedLineStealer)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
185.106.92.86:48678

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                    ThreatFox reference
185.106.92.86:48678    https://threatfox.abuse.ch/ioc/646508/

Intelligence


File Origin
# of uploads :
1
# of downloads :
347
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9ea5574a5f857adc1a85a10537581d90.exe
Verdict:
Malicious activity
Analysis date:
2022-06-02 00:25:28 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a process
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
Contains functionality to inject code into remote processes
Contains functionality to prevent local Windows debugging
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Behavior Graph (ID 637917; sample NJBscoGqly.exe; start date 02/06/2022; architecture WINDOWS; score 100)
Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 4 other signatures
Process tree (dropped files and per-process signatures are listed under the process that produced them):
NJBscoGqly.exe
    dropped: C:\Users\user\AppData\Local\Temp\update.exe (PE32)
    dropped: C:\Users\user\AppData\Local\...\install.exe (PE32)
    install.exe [Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file]
        AppLaunch.exe [Contains functionality to inject code into remote processes; Injects a PE file into a foreign processes]
            AppLaunch.exe
                dropped: C:\ProgramData\AdobeSoft\JMMCD.exe (PE32)
                cmd.exe
                    JMMCD.exe [Contains functionality to prevent local Windows debugging]
                    conhost.exe
                    timeout.exe
            AppLaunch.exe
        WerFault.exe
        conhost.exe
    update.exe
        conhost.exe
Threat name:
Win32.Spyware.RedLine
Status:
Malicious
First seen:
2022-05-28 16:42:56 UTC
File Type:
PE (Exe)
Extracted files:
9
AV detection:
21 of 26 (80.77%)
Threat level:
2/5
Verdict:
malicious
Result
Malware family:
redline
Score:
10/10
Tags:
family:redline infostealer spyware
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
RedLine
Malware Config
C2 Extraction:
185.106.92.86:48678
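The sandbox behaviour above (dropped PE32 files executed from Temp and ProgramData, a stock .NET host AppLaunch.exe started by install.exe and then used as the injection target, a timeout.exe delay through cmd.exe, and the C2 in Malware Config) translates directly into endpoint detection rules. The block below is an added example, not MalwareBazaar's or any sandbox vendor's code: it runs four such rules over a constructed, Sysmon-like event stream that mirrors the behaviour graph. The full paths, the command line, the AppLaunch.exe location and the benign events are assumptions; only the image names, the C:\ProgramData\AdobeSoft\JMMCD.exe path and the C2 address come from this entry.

```python
"""Detection rules for the behaviour recorded in this entry's sandbox reports.

Added example; not MalwareBazaar's or any sandbox vendor's code. The events
below are constructed to mirror the behaviour graph (NJBscoGqly.exe drops
update.exe and install.exe, install.exe starts AppLaunch.exe, which drops
C:\\ProgramData\\AdobeSoft\\JMMCD.exe and runs it through cmd.exe after a
timeout.exe delay) and the C2 from Malware Config. Full paths, command lines
and the benign events are assumptions, not data from the entry.
"""
import ntpath

KNOWN_C2 = {("185.106.92.86", 48678)}                 # from Malware Config on this page
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")   # where every stage of this sample was dropped
DOTNET_HOSTS = {"applaunch.exe"}                       # legitimate .NET host used as injection target

# Constructed events. The directory of install.exe is truncated in the entry; Temp is assumed.
# The AppLaunch.exe path is the stock .NET Framework location, also an assumption.
TEMP = r"C:\Users\user\AppData\Local\Temp"
SAMPLE = TEMP + r"\NJBscoGqly.exe"
APPLAUNCH = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
CMD = r"C:\Windows\System32\cmd.exe"
DROPPED = r"C:\ProgramData\AdobeSoft\JMMCD.exe"
EVENTS = [
    {"type": "process", "image": SAMPLE, "parent": r"C:\Windows\explorer.exe"},
    {"type": "file", "image": SAMPLE, "path": TEMP + r"\update.exe"},
    {"type": "file", "image": SAMPLE, "path": TEMP + r"\install.exe"},
    {"type": "process", "image": TEMP + r"\install.exe", "parent": SAMPLE},
    {"type": "process", "image": TEMP + r"\update.exe", "parent": SAMPLE},
    {"type": "process", "image": APPLAUNCH, "parent": TEMP + r"\install.exe"},
    {"type": "file", "image": APPLAUNCH, "path": DROPPED},
    {"type": "process", "image": CMD, "parent": APPLAUNCH,
     "cmdline": 'cmd.exe /c timeout 5 & "' + DROPPED + '"'},
    {"type": "process", "image": r"C:\Windows\System32\timeout.exe", "parent": CMD, "cmdline": "timeout 5"},
    {"type": "process", "image": DROPPED, "parent": CMD},
    {"type": "network", "image": APPLAUNCH, "dst": "185.106.92.86", "dport": 48678},
    # benign noise that must not alert (constructed)
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe"},
    {"type": "network", "image": r"C:\Program Files\Browser\browser.exe", "dst": "192.0.2.10", "dport": 443},
]


def _base(path):
    return ntpath.basename(path).lower()


def _user_writable(path):
    return path.lower().startswith(USER_WRITABLE)


def detect(events):
    """Run the four rules over an ordered event stream; returns one dict per alert."""
    alerts = []
    written = {}  # lower-case path -> image that wrote it (for "Executes dropped EXE")
    for ev in events:
        kind = ev["type"]
        if kind == "file":
            written[ev["path"].lower()] = ev["image"]
        elif kind == "process":
            image, parent = ev["image"], ev["parent"]
            # A stock .NET host started from a user-writable directory: the parent is the
            # likely injector (cf. WriteProcessMemory/SetThreadContext in the behaviour list).
            if _base(image) in DOTNET_HOSTS and _user_writable(parent):
                alerts.append({"rule": "dotnet_host_spawned_from_user_writable",
                               "detail": f"{parent} -> {image}"})
            if _base(image) == "timeout.exe":
                alerts.append({"rule": "execution_delay_via_timeout",
                               "detail": ev.get("cmdline", image)})
            writer = written.get(image.lower())
            if writer is not None and _user_writable(image):
                alerts.append({"rule": "dropped_pe_executed",
                               "detail": f"{image} written by {writer}"})
        elif kind == "network":
            if (ev["dst"], ev["dport"]) in KNOWN_C2:
                alerts.append({"rule": "known_c2_connection",
                               "detail": f"{ev['image']} -> {ev['dst']}:{ev['dport']}"})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert["rule"], alert["detail"])
```

Only the C2 rule is tied to this specific sample; the other three key on the parent/child relationship and on write-then-execute from user-writable paths, so they keep firing when the operator rotates the C2 or rebuilds the dropper, which is the point of using the behaviour rather than the hashes.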
Unpacked files
SHA256 hash:
a0cd16b32f232d506dd4c7d1a3828bf29351437097c2985cb2f324fd2a5f25f1
MD5 hash:
744545c7b1a185ffd1aa2f012d5eb788
SHA1 hash:
e22d5b58a0fd2fc8f86ba8dcbf2b6d1893065910
SHA256 hash:
c3a3a4833569c578c1fc6af8848b3d8c55f2c9592968b18430081bbfb7a923c0
MD5 hash:
1707e7651bb373aaebfb85f0f7b26c3d
SHA1 hash:
d5c9f851563de2422226cc134b8630cc8a492e07
SHA256 hash:
987b8f84d3bb93b4e995f5069aea96634012dfcd912f657e56fe2c1be7efb320
MD5 hash:
1c31b7a941698f3efb9362e4d87ce1ff
SHA1 hash:
34c7be8696201ce2cd5eaf8991fcf8af9b78d337
SHA256 hash:
fd24360c82d2aeb98d1ecf5c7097a8d7a6c601c90a44834cd46ba450e61d92a6
MD5 hash:
a651c7ca8a4a85082737de85d122cfbf
SHA1 hash:
5a90377f73f89bbd98d9bcba10ab061999474428
SHA256 hash:
950c03774ca5e95343ed5f27081e9cde0faac7fb3439c75cf85e18396568bd31
MD5 hash:
7f2eed92325f66bd12bdd76a0ac886cf
SHA1 hash:
034d54a77fe5db9cd003456de42280e41ab971ba
SHA256 hash:
cb3685962d9ff91cf33b96743e762ed6216084c7704170beeb2ba69810b9b44a
MD5 hash:
9ea5574a5f857adc1a85a10537581d90
SHA1 hash:
1d3c4bc40cf11f4e7cce1dd20d8cd06a7e5707bf
Please note that we are no longer able to provide a coverage score for Virus Total.
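The entry publishes SHA256, SHA3-384, SHA1 and MD5 for the submitted file and SHA256/SHA1/MD5 for each unpacked file, and IOC feeds key on whichever of those they happen to carry. The block below is an added example, not MalwareBazaar's own code: it computes all four digests of a file in one streamed pass and matches them, case-insensitively, against the hashes listed on this page (both the file information block and the unpacked files above). imphash, ssdeep and TLSH are deliberately left out; they need third-party libraries, and the entry itself shows this imphash shared with 863 DCRat, 118 NanoCore and 94 njrat samples, so it is a pivot for hunting similar .NET binaries rather than an identifier for this file. The input hashed in the usage example is a constructed empty buffer, not the real sample.

```python
"""Hash a file and match it against the hashes listed in this MalwareBazaar entry.

Added example; not MalwareBazaar's own code. The digests in KNOWN_OBJECTS are
copied from this entry (submitted file plus the five unpacked files). The
bytes hashed in the usage example are constructed (an empty buffer), not the
real sample, so they match nothing.
"""
import hashlib

ALGORITHMS = ("sha256", "sha1", "md5", "sha3_384")

# (label, digests) as published on this page.
KNOWN_OBJECTS = [
    ("submitted sample", {
        "sha256": "cb3685962d9ff91cf33b96743e762ed6216084c7704170beeb2ba69810b9b44a",
        "sha3_384": "df7029483177d12ffb77103052f18091a77326f9a7400a375d7158076a43097f31f22a38d920b9158dc99a4c916a0f73",
        "sha1": "1d3c4bc40cf11f4e7cce1dd20d8cd06a7e5707bf",
        "md5": "9ea5574a5f857adc1a85a10537581d90"}),
    ("unpacked file 1", {
        "sha256": "a0cd16b32f232d506dd4c7d1a3828bf29351437097c2985cb2f324fd2a5f25f1",
        "sha1": "e22d5b58a0fd2fc8f86ba8dcbf2b6d1893065910",
        "md5": "744545c7b1a185ffd1aa2f012d5eb788"}),
    ("unpacked file 2", {
        "sha256": "c3a3a4833569c578c1fc6af8848b3d8c55f2c9592968b18430081bbfb7a923c0",
        "sha1": "d5c9f851563de2422226cc134b8630cc8a492e07",
        "md5": "1707e7651bb373aaebfb85f0f7b26c3d"}),
    ("unpacked file 3", {
        "sha256": "987b8f84d3bb93b4e995f5069aea96634012dfcd912f657e56fe2c1be7efb320",
        "sha1": "34c7be8696201ce2cd5eaf8991fcf8af9b78d337",
        "md5": "1c31b7a941698f3efb9362e4d87ce1ff"}),
    ("unpacked file 4", {
        "sha256": "fd24360c82d2aeb98d1ecf5c7097a8d7a6c601c90a44834cd46ba450e61d92a6",
        "sha1": "5a90377f73f89bbd98d9bcba10ab061999474428",
        "md5": "a651c7ca8a4a85082737de85d122cfbf"}),
    ("unpacked file 5", {
        "sha256": "950c03774ca5e95343ed5f27081e9cde0faac7fb3439c75cf85e18396568bd31",
        "sha1": "034d54a77fe5db9cd003456de42280e41ab971ba",
        "md5": "7f2eed92325f66bd12bdd76a0ac886cf"}),
]


def build_index(objects=KNOWN_OBJECTS):
    """algorithm -> {lower-case hex digest -> label}, so one lookup serves any feed's key."""
    index = {algo: {} for algo in ALGORITHMS}
    for label, digests in objects:
        for algo, value in digests.items():
            index[algo][value.lower()] = label
    return index


INDEX = build_index()


def digest_bytes(data):
    """All four digests MalwareBazaar publishes, computed over an in-memory buffer."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ALGORITHMS}


def digest_file(path, chunk_size=1 << 20):
    """Same digests for a file on disk, streamed so large samples are not loaded whole."""
    hashers = {algo: hashlib.new(algo) for algo in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def match_known(digests, index=INDEX):
    """Sorted (algorithm, label) pairs for every digest that appears in the entry.

    Digests are normalised to lower case because feeds disagree on case.
    """
    hits = []
    for algo, value in digests.items():
        label = index.get(algo, {}).get(value.lower())
        if label is not None:
            hits.append((algo, label))
    return sorted(hits)


if __name__ == "__main__":
    print(match_known(digest_bytes(b"")))  # constructed input: no match expected
```

Matching on SHA256 alone is enough for the sample itself; the SHA1 and MD5 tables exist because older feeds and some AV telemetry still report only those, and a mismatch across algorithms for the same file is itself worth flagging as a transcription error in the feed.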

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Rule name:Redline_Stealer_Monitor
Description:Detects RedLine Stealer Variants
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments