MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cecc0d25318bfe6b3f927d8ad5304c84e98c29142f243794619e6cb044cd4bb3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	cecc0d25318bfe6b3f927d8ad5304c84e98c29142f243794619e6cb044cd4bb3
SHA3-384 hash:	9cb20a07e046650d493d1823b32cadabec03b1d3457e3b60cbd7fffd40a0f62671cd8dbc528e2e6a73bb9a4d5be68766
SHA1 hash:	2531f53b49e637c08f60b286f1b62359e2374c48
MD5 hash:	ede690e47cd28b61c55b2a2a59dce3c9
humanhash:	angel-lemon-virginia-gee
File name:	ede690e47cd28b61c55b2a2a59dce3c9.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	296'960 bytes
First seen:	2021-08-16 17:14:41 UTC
Last seen:	2021-08-16 18:15:37 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	afa9d305770588dfca258b9c4b376c5d (1 x RedLineStealer)
ssdeep	6144:WL7DHlZB6gGLSn5wADB4llzci1mh1llhA:WnDHlZXGLSn5wASrNQFl
Threatray	4'423 similar samples on MalwareBazaar
TLSH	T16554F1117590D872C481057C86A6FAE4EA29B910E7B4436F3B4A1F9F6F713E2B237709
dhash icon	14367878727e7636 (2 x RedLineStealer, 1 x RaccoonStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

143

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

ede690e47cd28b61c55b2a2a59dce3c9.exe

Verdict:

Malicious activity

Analysis date:

2021-08-16 17:18:42 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/6d32812b-bc23-4ead-a80e-281283cf4918

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/179642/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware2.17302.20716.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Connection attempt

Sending a custom TCP request

Creating a file in the %temp% directory

Deleting a recently created file

Reading critical registry keys

Using the Windows Management Instrumentation requests

Creating a window

Creating a file

Sending a UDP request

Connection attempt to an infection source

Stealing user critical data

Sending an HTTP POST request to an infection source

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/52b7b8c0-6d13-46eb-8917-7a7c4986d7b4

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/833782

Signature

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cecc0d25318bfe6b3f927d8ad5304c84e98c29142f243794619e6cb044cd4bb3/

Threat name:

Win32.Trojan.Mokes

Status:

Malicious

First seen:

2021-08-16 17:15:16 UTC

AV detection:

20 of 28 (71.43%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=z3ga2jjrrp7gwp4spwfnkmcmqtuyykiuf4sdpfdbtzwlargnjozq._file

Verdict:

malicious

RedLineStealer

1da5852a2c29d3adcd71f17785e5f8e858e5bf82753d7c8ef9a06aaa2db31dff

RedLineStealer

4023763ad7b1f3cae1395dcfbfb15317c006526c355914ecf7d8506696e3b1ce

RedLineStealer

5e1a4b9ced78b15872e2723b231e3934c4874c6ea28ebf6c983a61f5040b5f96

RedLineStealer

637a0494e576015bdbc53a9a3d5efd6ed2cac129facef169a06ed4f2d07188d2

RedLineStealer

6ad1cf3b42e1c571f6a7a402ad29e289ea119a6929345660a98e2786a3ddace4

RedLineStealer

8498f560c45b7d2db3427aaf5a481a4e584a1aa8f59767147e895b60e08286cf

RedLineStealer

cc2bef9329a741ecf4c4b92d6af68a78a7de8165b4876d598998abc6dd1a7903

RedLineStealer

ebfe4a01a842ddcf434e44a288773454c4c5c35602a5fba3a31e47ff010a1314

RedLineStealer

+ 4'413 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:sewpalpadin discovery infostealer spyware stealer

Link:

https://tria.ge/reports/210816-aq89gw785x/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

185.215.113.114:8887

Unpacked files

SH256 hash:

896327f3b8ffb0108da0ba4bb4177ecf34b2b537c70ba775f3b8d05f7337e480

MD5 hash:

9ef3832f3b00631ed09c7931e494e3e5

SHA1 hash:

bffc8ce4c382f443820d1d089db72c267090bb3d

Link:

https://www.unpac.me/results/4b8576a6-c53e-4944-9248-a410e3937e28/

SH256 hash:

5a9bcd47b183892a42b3b68a53e442a93c0bb016fb94abbd8d42b6477e982194

MD5 hash:

9d700a739ff25fd446ab24994185abd7

SHA1 hash:

73eaeff4f6ec5d342f9c5ccf045eab616281d7d0

Link:

https://www.unpac.me/results/4b8576a6-c53e-4944-9248-a410e3937e28/

SH256 hash:

98a398c51f219ad1ad34f1190a276355212cd4228797708ee2fae4c43b1186cf

MD5 hash:

8cf1348cb3c4ea66ef1664c23478b56c

SHA1 hash:

5e79ef8bfed82f2713b589c7cd24b2e241b2a16d

Link:

https://www.unpac.me/results/4b8576a6-c53e-4944-9248-a410e3937e28/

SH256 hash:

cecc0d25318bfe6b3f927d8ad5304c84e98c29142f243794619e6cb044cd4bb3

MD5 hash:

ede690e47cd28b61c55b2a2a59dce3c9

SHA1 hash:

2531f53b49e637c08f60b286f1b62359e2374c48

Link:

https://www.unpac.me/results/4b8576a6-c53e-4944-9248-a410e3937e28/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/cecc0d25318bfe6b3f927d8ad5304c84e98c29142f243794619e6cb044cd4bb3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

exe cecc0d25318bfe6b3f927d8ad5304c84e98c29142f243794619e6cb044cd4bb3

(this sample)

Cape

https://www.capesandbox.com/analysis/179642/

URLhaus

https://urlhaus.abuse.ch/url/1533784/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample