MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ccb3f33850b9cb5b09591cbf7aa2ede80c3b79a497e32e295e624651c1cbb526. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ccb3f33850b9cb5b09591cbf7aa2ede80c3b79a497e32e295e624651c1cbb526
SHA3-384 hash: 9a5042a49a6d561d5f99c19434f3c0417657224988d379cc8d94a8ef16d98aed6d2b2664330f866d98e9d8d60e25c160
SHA1 hash: f650bb4c726d997834c92aab205834d105ed91fa
MD5 hash: 43b76904f981bdbb4ba498774d61b8b2
humanhash: sodium-cup-network-potato
File name:43B76904F981BDBB4BA498774D61B8B2.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:676'264 bytes
First seen:2021-05-02 22:50:07 UTC
Last seen:2021-05-02 23:45:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:mbgdF1fQ4aj1q+2gJDzZlE6TSSR0o6y2/g:5q41n0fTSSR0o6y2I
Threatray 1'180 similar samples on MalwareBazaar
TLSH 91E4D6DABD888DC0D972F2F0E04A866207A41D55E88C86CC4DF97CBA45755ABED1B03F
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
185.215.113.112:5006

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.215.113.112:5006 https://threatfox.abuse.ch/ioc/28057/

Intelligence

File Origin
# of uploads :
3
# of downloads :
114
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/147971/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.46213584.9475.28731.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a file
DNS request
Connection attempt to an infection source
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/706623
Signature
Allocates memory in foreign processes
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ccb3f33850b9cb5b09591cbf7aa2ede80c3b79a497e32e295e624651c1cbb526/
Threat name:
ByteCode-MSIL.Infostealer.Coins
Create hunting rule
Status:
Malicious
First seen:
2021-05-01 07:57:52 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zsz7gocqxhfvwckzds7xvixn5agdw6nes7rs4kk6mjdfdqolwuta._file
Verdict:
malicious
Similar samples:
0c12eec00f01190811ea2908499be0a7bbcc290dc1112a83b633de60f909fa20
RedLineStealer
390ed9bdc93761ae5230c41f4aef13b5ccd10811dd73876977e7145523dfd33f
RedLineStealer
61da17e31e4f4f844284f90c0a96f999a45f34cb4a0611ef7312b459ec80aed3
RedLineStealer
6e8a0a30744ed0130a2b32997e03ba5c07339ddf22e76c7ca64882d5d3f8cc4f
RedLineStealer
8c2bcfb8657193f893a95fac8d90cabad1b35ed4ed2402dc717523ef255b9e2e
RedLineStealer
9a048c8436c448e99a3a7047781ddc5d14a323660bd69f9fd7432c316083e3b6
RedLineStealer
a0e27e9c690f3635e024021f5a106807511a035380a4af4441adaeb45f4f3189
RedLineStealer
a7c2a6377df88d4b4645dfa97aaf4dcef4239ca97de556f1f55962fada7f3d3c
RedLineStealer
c7d5dd0beceb52c4fff552eaaabea06762ef25df633576867798137dbfe8dc8d
RedLineStealer
c954ae080338f706fc7490498f532dd18258d15609d45c4992baf2ef9cd36cc7
RedLineStealer
+ 1'170 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:triple kill infostealer
Link:
https://tria.ge/reports/210502-5479exqfxe/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
RedLine
RedLine Payload
Malware Config
C2 Extraction:
junglespirit.xyz:5006
Unpacked files
SH256 hash:
81593084033765d5ed4efdc020827b54563f11699b115c5b292c07feccf405d6
MD5 hash:
4c6e3b469fb77ade38e85b4145b375fb
SHA1 hash:
8b37142e394ef3b47214c342c5b75fd362635752
Link:
https://www.unpac.me/results/fb0a7b84-2dc1-4d8d-bdd6-df287095d91d/
SH256 hash:
5b5a2e7d1ce8843f198bdfb97da5bc533e7e911789f88abacb27210df3d77f01
MD5 hash:
1d9c4b1ac72459079ef99cbd3cd2f1a9
SHA1 hash:
68cfd4522a24a623a7f4635cd56776aeda199314
Link:
https://www.unpac.me/results/fb0a7b84-2dc1-4d8d-bdd6-df287095d91d/
SH256 hash:
ccb3f33850b9cb5b09591cbf7aa2ede80c3b79a497e32e295e624651c1cbb526
MD5 hash:
43b76904f981bdbb4ba498774d61b8b2
SHA1 hash:
f650bb4c726d997834c92aab205834d105ed91fa
Link:
https://www.unpac.me/results/fb0a7b84-2dc1-4d8d-bdd6-df287095d91d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.32
Link:
https://yomi.yoroi.company/submissions/ccb3f33850b9cb5b09591cbf7aa2ede80c3b79a497e32e295e624651c1cbb526

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:Telegram_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Telegram in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/147971/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-02 23:00:14 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009] Anti-Behavioral Analysis::Virtual Machine Detection