MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cc355fc1b46dccf580e160778acdfd476c848f22acdeeafd8e5dac7c8f734913. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cc355fc1b46dccf580e160778acdfd476c848f22acdeeafd8e5dac7c8f734913
SHA3-384 hash: 37f903c6a9e6dfd9edd7185459d1fb5a529d9d2a4b9ad9d38d0a881d5249f4fea2dc844e795c1df80922dc9bdf020aba
SHA1 hash: 34466b8add91b8d1a3a050fcce7d8d2fc784aaa6
MD5 hash: 7d3bb5df10c080939d248274733bb550
humanhash: may-minnesota-cardinal-orange
File name:swift pdf.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:757'248 bytes
First seen:2022-07-18 10:15:32 UTC
Last seen:2022-07-18 10:49:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:lGzVB3NzB0WV09b2gb3IU3Fn6yYtTf3qqNiGM0vK6hW/a2waFlSNS:c33Nl0/d9Nqd/vPMOdRPaQS
Threatray 752 similar samples on MalwareBazaar
TLSH T13EF4F110BAA7DE23D2395B77C5E2540413B17B43A062E74F3FC921CA1A463DB8986F5B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
192.227.128.150:6757

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
192.227.128.150:6757 https://threatfox.abuse.ch/ioc/838521/

Intelligence

File Origin
# of uploads :
2
# of downloads :
332
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/291554/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.17176.18303.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62d53336ef2b0e63a821fe8f/reports/141561c8-c8cc-4165-b24a-8bf25e2c0f72/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7bf4be0e-e726-47d2-98d1-6d88a3199a22
Result
Threat name:
Ficker Stealer, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1035651
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Yara detected AntiVM3
Yara detected Ficker Stealer
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 668146 Sample: swift pdf.exe Startdate: 18/07/2022 Architecture: WINDOWS Score: 100 31 Malicious sample detected (through community Yara rule) 2->31 33 Yara detected RedLine Stealer 2->33 35 Yara detected Ficker Stealer 2->35 37 10 other signatures 2->37 7 swift pdf.exe 4 2->7         started        process3 file4 25 C:\Users\user\AppData\...\swift pdf.exe.log, ASCII 7->25 dropped 39 Adds a directory exclusion to Windows Defender 7->39 41 Injects a PE file into a foreign processes 7->41 11 swift pdf.exe 15 26 7->11         started        15 powershell.exe 23 7->15         started        17 swift pdf.exe 7->17         started        19 2 other processes 7->19 signatures5 process6 dnsIp7 27 api.ip.sb 11->27 29 192.227.128.150, 49782, 49800, 6757 AS-COLOCROSSINGUS United States 11->29 43 Tries to harvest and steal browser information (history, passwords, etc) 11->43 21 conhost.exe 11->21         started        23 conhost.exe 15->23         started        signatures8 process9
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cc355fc1b46dccf580e160778acdfd476c848f22acdeeafd8e5dac7c8f734913/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-07-18 10:16:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
53
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zq2v7qnunxgplahbmb3yvtp5i5wijdzcvtpov7molwwhzd3tjejq._file
Verdict:
malicious
Similar samples:
22b1bd5ff8d474bb70ad086e75dbba870aaeb52599d436b84ba35e9e612078b4
RedLineStealer
6481dd646e6b2c2c66d976781cc79ef769cb6a885566f8d965b304f58cf08061
RedLineStealer
96f58f7de3586db2204d85ddce02f7ef5c72b92fd9ab314b590752ddca7cf941
RedLineStealer
a01ed94d2c62ec929ec3cfc029fb61e4025be2f556ae559589304d5c7208d15f
RedLineStealer
a321efcbd0394eade04263fd6498396c3e831ed65aa349c00dbf2b131994e19a
RedLineStealer
b3c2f3b7b5ac0e9dbf48b6b243e98429232321f4570b5dba9e4c879d0ab78e9c
RedLineStealer
cf318f94ad9a7827d2cf4415549c9d3ceb92c0bae85c46e50420fbbe3fa8f3a4
RedLineStealer
d4169a35ad389cc7a7313bff271319fe5db7ff5894bd3a006cccfa34a308b1c7
RedLineStealer
f95825c13bfccaa3bffe49f65d584cd015ce109b265df7bc75ace85c72ce7435
RedLineStealer
+ 742 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:atnnn discovery evasion infostealer spyware stealer
Link:
https://tria.ge/reports/220718-massvabdc6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Maps connected drives based on registry
Checks BIOS information in registry
Checks computer location settings
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
RedLine
RedLine payload
Malware Config
C2 Extraction:
192.227.128.150:6757
Unpacked files
SH256 hash:
39c2d879c57f07305ce60412dc8a88f02e51f1a14a06cc605768d1d7f5313807
MD5 hash:
db51fe170a9e5d6ec5429a2fbd9d0353
SHA1 hash:
e30a58125fc41322db6cf2ccb6a6d414ed379016
Link:
https://www.unpac.me/results/1f1dffc0-2689-45b4-9b3f-0d5f71c59ab4/
SH256 hash:
d118becad71d43554be878207a8c0c02c5c21b254b2c03da36cb49035942da7f
MD5 hash:
cc45ebfc9710ea45832cda6a089cd824
SHA1 hash:
8e8a9e1042eab88a374b1355bb7cc581484312dc
Link:
https://www.unpac.me/results/1f1dffc0-2689-45b4-9b3f-0d5f71c59ab4/
SH256 hash:
be67a5d5b858c949efa08a8777b891275774af446f759d53e1d045ff5661d6a7
MD5 hash:
e53760a70bd92a842429e31ee01fe974
SHA1 hash:
5217fa45df2016cb03c39efa8b40326deceb111b
Link:
https://www.unpac.me/results/1f1dffc0-2689-45b4-9b3f-0d5f71c59ab4/
SH256 hash:
a06b6edcb1343a42f608611b8f7a89c1c36d643dc58e8f544669410a0913a17c
MD5 hash:
91f3ea58470f1458882254e392a698b3
SHA1 hash:
2cdaa1d532d6e56bbdd2b548ddfd7e2f5234ebfc
Link:
https://www.unpac.me/results/1f1dffc0-2689-45b4-9b3f-0d5f71c59ab4/
SH256 hash:
c75780192c45ddaffd9cbab2d4505a0aa51e9878593b66928700bb77d21ec646
MD5 hash:
147b5cc1f0a4c25f146346e49416400d
SHA1 hash:
15ed881e8185c690e21542c8d9b12441a62f2427
Link:
https://www.unpac.me/results/1f1dffc0-2689-45b4-9b3f-0d5f71c59ab4/
SH256 hash:
cc355fc1b46dccf580e160778acdfd476c848f22acdeeafd8e5dac7c8f734913
MD5 hash:
7d3bb5df10c080939d248274733bb550
SHA1 hash:
34466b8add91b8d1a3a050fcce7d8d2fc784aaa6
Link:
https://www.unpac.me/results/1f1dffc0-2689-45b4-9b3f-0d5f71c59ab4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cc355fc1b46dccf580e160778acdfd476c848f22acdeeafd8e5dac7c8f734913

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/291554/

Comments