MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd2475a36c231403d7d3e778342c67b250c625901fd7122e5a0fa90306c649ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 7

Intelligence 7 IOCs YARA 3 File information Comments

SHA256 hash:	cd2475a36c231403d7d3e778342c67b250c625901fd7122e5a0fa90306c649ce
SHA3-384 hash:	8710ae045cc99a3068a21b5273b2f0534789174671f6959a06393ae1a230ad46d60374c78a5d58a09aecbefe87896561
SHA1 hash:	e0dddab3c8e2f8f18649f0898bd8897123543a64
MD5 hash:	06460c3c3512dd77b3eaf3350b63e8d1
humanhash:	island-green-sweet-red
File name:	06460c3c3512dd77b3eaf3350b63e8d1.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	4'867'072 bytes
First seen:	2022-03-03 09:02:43 UTC
Last seen:	2022-03-21 06:27:33 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	fddc083fa31a17c938d0a17ec7cd3025 (141 x RedLineStealer, 4 x RaccoonStealer, 1 x Formbook)
ssdeep	98304:6JBSUeUmfncRy9kh2+lupGNsv4bqEzGJUSHC+hNE/6qHzBhzZ:+SRncOFvyGDrJqHzV
Threatray	4'896 similar samples on MalwareBazaar
TLSH	T1A43633C020057ADAF19D0F39B0849E610DB56AF6EBD6DE3636FAC706587103B6F501AE
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

166

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/246817/

Detection(s):

PUA.Win.Packer.Asprotect-3

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Unauthorized injection to a system process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a85e9a8a-000e-4821-9692-b536942dbca0

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/949822

Signature

Allocates memory in foreign processes

Connects to many ports of the same IP (likely port scanning)

Found malware configuration

Found potential dummy code loops (likely to delay analysis)

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file has nameless sections

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cd2475a36c231403d7d3e778342c67b250c625901fd7122e5a0fa90306c649ce/

Threat name:

Win32.Trojan.Fragtor

Status:

Malicious

First seen:

2022-03-03 09:03:17 UTC

File Type:

PE (Exe)

AV detection:

20 of 27 (74.07%)

Threat level:

5/5

Verdict:

malicious

RedLineStealer

0caba418b4b1ec32a00cdd52e3f6f28b7e8de0ffec030cfd8ae661538619b72b

RedLineStealer

24fe35fea083b89f0cc62ef8b9df0de29395be57b0ee1b160229d667785b6bf0

RedLineStealer

29e2eb857dc6f1b5c2ce97acdad6c3957cbb8dc61b3a5dcaa81e9e925bc006a5

RedLineStealer

c57ec94c7fed128887694b07d817af02c2d19aac98d8d1fbd4004a8accee4ee5

RedLineStealer

f4036a8affaa6f227d3fce3a98b5b9bb752cd434f04587ea4105c58fc96404e2

RedLineStealer

+ 4'886 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

n/a

Link:

https://tria.ge/reports/220303-kz22psabb2/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of NtCreateProcessExOtherParentProcess

Unpacked files

SH256 hash:

6ec73213f841d4480265990fc1e004f5f0952b0c184bfe4fd79723133134dbe6

MD5 hash:

cc7ab773b6341d844ea0a450db1d3b88

SHA1 hash:

586ba6717553f418dec7ce97da304dded9fcf5a2

Link:

https://www.unpac.me/results/82031498-7ed5-4118-8358-01b80b7ee971/

SH256 hash:

e97b67f91fc19e23f24777f2090d336e40399b6f44fa1ebdf7f19c41d0b3171e

MD5 hash:

92bae642e7666482b6c3e088135c07ef

SHA1 hash:

4669cdf5f71b13fb87f68e10a110cbbc370ab882

Link:

https://www.unpac.me/results/82031498-7ed5-4118-8358-01b80b7ee971/

SH256 hash:

cd2475a36c231403d7d3e778342c67b250c625901fd7122e5a0fa90306c649ce

MD5 hash:

06460c3c3512dd77b3eaf3350b63e8d1

SHA1 hash:

e0dddab3c8e2f8f18649f0898bd8897123543a64

Link:

https://www.unpac.me/results/82031498-7ed5-4118-8358-01b80b7ee971/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/cd2475a36c23/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/cd2475a36c231403d7d3e778342c67b250c625901fd7122e5a0fa90306c649ce

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.