MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cc973eb98def4aca2608cc493b2c5477d9049d6b316f482d8487b4394a1df90d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cc973eb98def4aca2608cc493b2c5477d9049d6b316f482d8487b4394a1df90d
SHA3-384 hash: ea3be3bd9bd4f6d8a5a36ff723a5b7ede002ffda5e7714d1e997f0d7802007b1b18ccb786069e0eb7651dbf664056f19
SHA1 hash: 433abf4d5cffd2c1594ad4b1d638249a7c35ebc0
MD5 hash: b25499e349a9fbb46c08b7dca1c1f882
humanhash: emma-november-bacon-crazy
File name:b25499e349a9fbb46c08b7dca1c1f882.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:6'108'870 bytes
First seen:2021-12-22 10:21:59 UTC
Last seen:2021-12-22 12:27:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash eb5bc6ff6263b364dfbfb78bdb48ed59 (55 x Adware.Generic, 18 x RaccoonStealer, 8 x Adware.ExtenBro)
ssdeep 98304:iX4eQmPZcoZGujZVzSqxiwi5tQa9BxU8JcX16xP0bBb55cGCyTLGJANFI2:4FqoZGuNdSqswe9nvUEP0NCamD2
Threatray 29 similar samples on MalwareBazaar
TLSH T1F9561227B268A13EC45923354573B5105CFBB7ACF412BE1266E4CC8DCFA64C01EFAA65
File icon (PE):PE icon
dhash icon 3271d4b6b6d47132 (11 x RedLineStealer, 2 x Adware.Generic, 2 x LummaStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
80.89.228.129:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
80.89.228.129:80 https://threatfox.abuse.ch/ioc/281658/

Intelligence

File Origin
# of uploads :
2
# of downloads :
182
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b25499e349a9fbb46c08b7dca1c1f882.exe
Verdict:
Suspicious activity
Analysis date:
2021-12-22 10:23:14 UTC
Tags:
installer
Link:
https://app.any.run/tasks/c00f4139-6463-44db-a856-72fa553fe91c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/215763/
Detection(s):
PUA.Win.Packer.Exe-6
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Moving a file to the %temp% subdirectory
Creating a file
Moving a recently created file
Running batch commands
Creating a process with a hidden window
Launching a process
DNS request
Transferring files using the Background Intelligent Transfer Service (BITS)
Connecting to a non-recommended domain
Sending an HTTP GET request
Enabling the 'hidden' option for files in the %temp% directory
Enabling the 'hidden' option for recently created files
Downloading the file
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/2924/overview
Behaviour
MalwareBazaar
CheckNumberOfProcessor
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed wacatac
Link:
https://www.filescan.io/uploads/61c2fc4d4ab5c44cbf4c98f5/reports/0284f2b4-4e70-45e9-a499-77a79c99b7da/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/e9fd19db-d2f1-463c-bbaf-61f181f626ea
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
50 / 100
Link:
https://www.joesandbox.com/analysis/911480
Signature
.NET source code references suspicious native API functions
Creates a thread in another existing process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file has a writeable .text section
Sigma detected: WScript or CScript Dropper
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Tries to download files via bitsadmin
Uses 7zip to decompress a password protected archive
Uses cmd line tools excessively to alter registry or file data
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 543954 Sample: LruEqu1rpq.exe Startdate: 22/12/2021 Architecture: WINDOWS Score: 50 86 oniondq7shlx5o67t64ljuzisyp34s3n7vepnhc5ijt5hjh1001.biz 2->86 88 DKgfLhtCNBZKjIVcSPFUw.DKgfLhtCNBZKjIVcSPFUw 2->88 98 Multi AV Scanner detection for domain / URL 2->98 100 Multi AV Scanner detection for submitted file 2->100 102 .NET source code references suspicious native API functions 2->102 104 2 other signatures 2->104 11 LruEqu1rpq.exe 2 2->11         started        15 svchost.exe 1 2->15         started        17 svchost.exe 1 2->17         started        19 svchost.exe 2->19         started        signatures3 process4 file5 82 C:\Users\user\AppData\...\LruEqu1rpq.tmp, PE32 11->82 dropped 120 Obfuscated command line found 11->120 21 LruEqu1rpq.tmp 5 17 11->21         started        signatures6 process7 file8 74 C:\Users\user\...\DriverEasy.exe (copy), PE32 21->74 dropped 76 C:\Users\user\AppData\Local\...\is-FREDC.tmp, PE32 21->76 dropped 78 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 21->78 dropped 80 3 other files (none is malicious) 21->80 dropped 24 cmd.exe 3 2 21->24         started        27 cmd.exe 1 21->27         started        29 DriverEasy.exe 21->29         started        process9 file10 106 Suspicious powershell command line found 24->106 108 Wscript starts Powershell (via cmd or directly) 24->108 110 Tries to download and execute files (via powershell) 24->110 32 wscript.exe 1 24->32         started        35 7za.exe 7 24->35         started        38 powershell.exe 15 18 24->38         started        47 2 other processes 24->47 112 Tries to download files via bitsadmin 27->112 114 Uses cmd line tools excessively to alter registry or file data 27->114 116 Uses 7zip to decompress a password protected archive 27->116 41 conhost.exe 27->41         started        43 bitsadmin.exe 1 27->43         started        84 C:\Users\user\AppData\...\DriverEasy.tmp, PE32 29->84 dropped 118 Obfuscated command line found 29->118 45 DriverEasy.tmp 29->45         started        signatures11 process12 dnsIp13 92 Wscript starts Powershell (via cmd or directly) 32->92 49 cmd.exe 1 32->49         started        60 C:\ProgramData\ConsoleApp\ControlSet003.vbs, ASCII 35->60 dropped 62 C:\ProgramData\ConsoleApp\ControlSet001.bat, Little-endian 35->62 dropped 64 C:\ProgramData\ConsoleApp\kernel32.exe, PE32 35->64 dropped 90 oniondq7shlx5o67t64ljuzisyp34s3n7vepnhc5ijt5hjh1001.biz 45.147.197.220, 49761, 49802, 80 ON-LINE-DATAServerlocation-NetherlandsDrontenNL Ukraine 38->90 66 C:\Users\user\AppData\...\iswin7logo.dll, PE32 45->66 dropped 68 C:\Users\user\AppData\Local\...\botva2.dll, PE32 45->68 dropped 70 C:\Users\user\AppData\Local\Temp\...\b2p.dll, PE32 45->70 dropped 72 29 other files (none is malicious) 45->72 dropped 94 Creates a thread in another existing process (thread injection) 45->94 file14 signatures15 process16 signatures17 96 Uses cmd line tools excessively to alter registry or file data 49->96 52 conhost.exe 49->52         started        54 reg.exe 49->54         started        56 reg.exe 49->56         started        58 9 other processes 49->58 process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cc973eb98def4aca2608cc493b2c5477d9049d6b316f482d8487b4394a1df90d/
Threat name:
Win32.Downloader.Bitser
Create hunting rule
Status:
Malicious
First seen:
2021-12-17 11:08:16 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
17 of 28 (60.71%)
Threat level:
  3/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zslt5omn55fmujqizretwlcuo7mqjhllgfxuqlmeq62dssq57egq._file
Verdict:
unknown
Similar samples:
06b795cf4007dfabb39adc54728d7bc4dabde17ff340ebac4e870856a1741fb7
RedLineStealer
2eeae1c74dff19b7538522acd75a4c9e0d369cec323d4837bdfbc00b8fc81799
RedLineStealer
38f4fb2c7c3fe5f0e99d716a9c50e5be8242ee54fd8f81f4c8f0016d42f8591d
RedLineStealer
43fd44a53e16097ae8b813e48be98cddfce369cd515efa1383fd0ea0b5a4c0bc
RedLineStealer
7130f3050718b8dc5bcf760bf129dc68da5285d058d59d27ae3f2c667c7a8809
RedLineStealer
9848335d47d8bb203145e2aca78fc8f9b42fb2ba1cd91561974172ea6da43851
RedLineStealer
dec159a766ac7dd06c32494caedac0fc8abd79d588ff347dac8f394fea760c6e
RedLineStealer
+ 19 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:main discovery evasion infostealer persistence ransomware spyware stealer trojan
Link:
https://tria.ge/reports/211222-md8y8sgagl/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Download via BitsAdmin
Enumerates system info in registry
Interacts with shadow copies
Modifies data under HKEY_USERS
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Deletes shadow copies
Modifies Windows Defender Real-time Protection settings
Modifies Windows Defender notification settings
Modifies security service
RedLine
RedLine Payload
Malware Config
C2 Extraction:
80.89.228.129:80
Dropper Extraction:
http://oniondq7shlx5o67t64ljuzisyp34s3n7vepnhc5ijt5hjh1001.biz/hfile.bin
Unpacked files
SH256 hash:
44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0
MD5 hash:
9c8886759e736d3f27674e0fff63d40a
SHA1 hash:
ceff6a7b106c3262d9e8496d2ab319821b100541
Link:
https://www.unpac.me/results/e2d09ea6-6c8c-4bff-9b87-922229ed6295/
SH256 hash:
395c370b426a2cf427b1a8ca700ff64c82c971ca0585b5350974102aa5f68429
MD5 hash:
3366fa560a3db2e620ab92148a737dc8
SHA1 hash:
c12a57e152001316d443912daaecbf706a0ae710
Link:
https://www.unpac.me/results/e2d09ea6-6c8c-4bff-9b87-922229ed6295/
SH256 hash:
42fa16c9d9014e26858fe9b4cb3d36c375375560e2f6a3bfea0b33710f89f261
MD5 hash:
a715eb7da02e9a35954c337f1af4357e
SHA1 hash:
f5685d72a12308f5ad0874ed6b068148b886ae40
Link:
https://www.unpac.me/results/e2d09ea6-6c8c-4bff-9b87-922229ed6295/
SH256 hash:
dfe25e9c801f828df9fb5e3baee41651ba72c1e00634be4b648d72f1ad8599e7
MD5 hash:
559ec2666c1b2a509aebf1cfd182add8
SHA1 hash:
d9fe1a0fc77eee967de02606f87c5a8c5c6d7729
Link:
https://www.unpac.me/results/e2d09ea6-6c8c-4bff-9b87-922229ed6295/
SH256 hash:
1b703b0545b27c23921b3953f10acdb943db25a406d110d4f50120e5a6553d58
MD5 hash:
8c023fe5726daf6a14e6ec963d8a10a7
SHA1 hash:
d92ac2d1abd8f6a9379c0ab6fd6b3c38ff7906b9
Link:
https://www.unpac.me/results/e2d09ea6-6c8c-4bff-9b87-922229ed6295/
SH256 hash:
55a7b6e88f03528c8cdcc4cfff9a7e5efce3c9d3d21023ef2b37aa228b530ddc
MD5 hash:
850d12295447dbcd9e38a073aef72fb6
SHA1 hash:
bb8e998ed8b2e07d5ffec82509019df134468643
Link:
https://www.unpac.me/results/e2d09ea6-6c8c-4bff-9b87-922229ed6295/
SH256 hash:
a9c78e25952d72a1d27975cefcfe30c61b36e2dfc5057b810f037ea02b4a3d57
MD5 hash:
dd08ed5839252d79e27a3712f3f1536b
SHA1 hash:
b5b899f064b5e940779402c38e9ced82e9f84c2e
Link:
https://www.unpac.me/results/e2d09ea6-6c8c-4bff-9b87-922229ed6295/
SH256 hash:
53d3b08f6b3a2cbbfdfd763e3efafd7acf33e641d73ea2d65dd6950aa7d5f72b
MD5 hash:
e1ba35dc85f8e5443d783a0336f7b51f
SHA1 hash:
996b13f8330f02fc1fca92577bee65efa7b85677
Link:
https://www.unpac.me/results/e2d09ea6-6c8c-4bff-9b87-922229ed6295/
SH256 hash:
89b5030a8272a67ce36b279273da26c8e0495b89f9499dfe9a249e6105efaa77
MD5 hash:
56f55ac335d7b1ea6049c89ef20b2ba0
SHA1 hash:
6df8932e6e91fff7b7e053c2ffb1c4a2b49fdef1
Link:
https://www.unpac.me/results/e2d09ea6-6c8c-4bff-9b87-922229ed6295/
SH256 hash:
e60d85e3225aad5397513fb3a1247da025c0602e233587c1193258dae92ead68
MD5 hash:
b41745d1c49c1b5327ad465151649793
SHA1 hash:
56035a9c146858082bb52aeb20d44e7e55dc18d1
Link:
https://www.unpac.me/results/e2d09ea6-6c8c-4bff-9b87-922229ed6295/
SH256 hash:
70d3d71a330c2695fbc32e6748fa0fd7efc0d4d8ddf0d14e89fd8d38159e07ec
MD5 hash:
74c930c33f869a38cfe622769ac53b27
SHA1 hash:
51c39ca6392bc160aefcb4ff748dedc8579918b6
Link:
https://www.unpac.me/results/e2d09ea6-6c8c-4bff-9b87-922229ed6295/
SH256 hash:
e3b69cb62d2be0dd4a7cc8c7b3de17adf50aea4e4ad0a8d05c1d2a5c6bdad47a
MD5 hash:
0b9d6249615b5fe89a9f2c3add205992
SHA1 hash:
449ef8652d6a43a2ed649f095d974679f7351bac
Link:
https://www.unpac.me/results/e2d09ea6-6c8c-4bff-9b87-922229ed6295/
SH256 hash:
697a836b03239308249ff2dcaa2d63c902cfc4d6ec855cbb9cfdad73ccbcb91e
MD5 hash:
c3a5675dd7cf3b4129aefc91205f196a
SHA1 hash:
40737a09f09efaf964fd19abd6966a6c047abaeb
Link:
https://www.unpac.me/results/e2d09ea6-6c8c-4bff-9b87-922229ed6295/
SH256 hash:
910210de1f1629ef9eb90af95fce0a0dbcdb9b255bcd0890ba5d08e55de932fb
MD5 hash:
d5bcac04f2a7a2e8f25650629164aca8
SHA1 hash:
2585a7f2b3908a27947f0966f5095720306a9d58
Link:
https://www.unpac.me/results/e2d09ea6-6c8c-4bff-9b87-922229ed6295/
SH256 hash:
b669598850a71512e53e457d9b71380a8fba5c0d58c84ce3d69f053d304123e5
MD5 hash:
2c6629ade116e68be67893810f118187
SHA1 hash:
8528ac9af14246e951729fc47f82a7482f7f7322
Link:
https://www.unpac.me/results/e2d09ea6-6c8c-4bff-9b87-922229ed6295/
SH256 hash:
e44efec2e0f1ea927cc9477e1fa599895d4107f0ea5643732f0ecbc5458188a4
MD5 hash:
c8ce12a7d0ab103b963f49bd83b68b7c
SHA1 hash:
61295bb6bbdbb9b11a70428cea205ca4dc599f8c
Link:
https://www.unpac.me/results/e2d09ea6-6c8c-4bff-9b87-922229ed6295/
SH256 hash:
81dffb13a3d6b12af9fe87d64cc0b6211414d79bdb456d2ef6afef791436bba2
MD5 hash:
37275a5375572f7fb32b522b1323328d
SHA1 hash:
1be3a5dd5e0d8ac191c2a559cc630324e63e77a5
Link:
https://www.unpac.me/results/e2d09ea6-6c8c-4bff-9b87-922229ed6295/
SH256 hash:
cc973eb98def4aca2608cc493b2c5477d9049d6b316f482d8487b4394a1df90d
MD5 hash:
b25499e349a9fbb46c08b7dca1c1f882
SHA1 hash:
433abf4d5cffd2c1594ad4b1d638249a7c35ebc0
Link:
https://www.unpac.me/results/e2d09ea6-6c8c-4bff-9b87-922229ed6295/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/cc973eb98def/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cc973eb98def4aca2608cc493b2c5477d9049d6b316f482d8487b4394a1df90d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/215763/

Comments