MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cfcd348313cae67c169897bd5ccaa8c7cdf1f99b4776cf942d587eca6e94004b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 15

Intelligence 15 IOCs YARA 1 File information Comments 1

SHA256 hash:	cfcd348313cae67c169897bd5ccaa8c7cdf1f99b4776cf942d587eca6e94004b
SHA3-384 hash:	5331298f4ba390ebb005d770dc07e73e7ecd0a44cdb15d11516fd08eeaaef533864bc0e43d2d3ede68a93260dc9eb9a7
SHA1 hash:	157ddcf827ce62433a0dba6b752e937eb42ac1a8
MD5 hash:	ca33fec46476f8b933d518e5b80f2292
humanhash:	winner-high-don-kentucky
File name:	ca33fec46476f8b933d518e5b80f2292
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	311'296 bytes
First seen:	2022-06-10 17:42:01 UTC
Last seen:	2022-06-10 18:49:06 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	1436c045ba5c1a8b146943d159fa9855 (1 x ArkeiStealer, 1 x RedLineStealer)
ssdeep	6144:eBzullY+9k7WZvaQjvg4AH/gSRWeboc9huIwI9tKsF4:etuHY+9kqZv1s4ygSRWebbVf8sa
Threatray	6'495 similar samples on MalwareBazaar
TLSH	T191640210B3F1D833E7E38A308890E6A29A367C3141B549C7B758877D2F6569127BE3B5
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	5c59da3ce0c3c850 (12 x Stop, 11 x RedLineStealer, 8 x Smoke Loader)
Reporter	zbetcheckin
Tags:	32 exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

337

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

ca33fec46476f8b933d518e5b80f2292

Verdict:

Malicious activity

Analysis date:

2022-06-10 17:47:58 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/d8d5f51a-38a1-404e-a091-d1cf3a753a37

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/278745/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.39779056.16641.21010.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Using the Windows Management Instrumentation requests

Creating a window

Reading critical registry keys

Sending a custom TCP request

Creating a file

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Sending a TCP request to an infection source

Query of malicious DNS domain

Stealing user critical data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

crypter greyware packed ransomware

Link:

https://www.filescan.io/uploads/62a382a82d4be2eac84a605e/reports/36696399-383d-4397-84bc-60b407226038/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/337f4201-c4f5-46a8-bddc-e05af94cb306

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1011027

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cfcd348313cae67c169897bd5ccaa8c7cdf1f99b4776cf942d587eca6e94004b/

Threat name:

Win32.Spyware.RedLine

Status:

Malicious

First seen:

2022-06-10 06:36:15 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 26 (84.62%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=z7gtjaytzlthyfuys66vzsviy7g7d6m3i53m7fbnlb7mu3uuabfq._file

Verdict:

malicious

RedLineStealer

43656b3aec1f1157f5f3bc34cad394d0653a74417a0203413066e57b39eb940c

RedLineStealer

b2114af6bb8149e6c3860e64aa47475e5c35726dcd8e28891caab5d04054f6d0

RedLineStealer

b7cea1f983cf8ed41120e2d4a17b7fe2ec6693d2d990172568cdbbd6b9fbd319

RedLineStealer

b9ba3633e6ae613c553bb7311affb973b5d3c5f41de5a9e5f1b048cb2cda8a34

RedLineStealer

beea56a23dafd425aa57b3b05cd4d44c7615633292b20fb9bb22e08469fa6634

RedLineStealer

c404cc3a18e98ff81b63518df694118ecdec9948ce72f511cc828f93af5c4e7e

RedLineStealer

+ 6'485 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:privatos discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220610-v9zz7sabe9/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

Malware Config

C2 Extraction:

185.215.113.75:81

Unpacked files

SH256 hash:

42f12cb63f735d191110b80d0845e382f903118ff45e284dea95c15db63f6882

MD5 hash:

03a2542d0b5331c15477e69a9d99bb92

SHA1 hash:

9303ed201aab9a45c3d7f42a77eab5830244c7f1

Link:

https://www.unpac.me/results/4550b323-efa0-4509-9ac1-4f30437f0145/

SH256 hash:

7110d4c4c813967155c49d7c75067e4ac4ab36d88c491d550df684884a8466b9

MD5 hash:

35aaee9bc6a9ec938d896cddc234a68c

SHA1 hash:

7c689923c79b99e2a686bf03fa201f460cadfccf

Link:

https://www.unpac.me/results/4550b323-efa0-4509-9ac1-4f30437f0145/

SH256 hash:

9c2910ca8d353362055003385747776b01cddd6c68c850e1f74a7af48310e98d

MD5 hash:

5ebbecdb1c5ee85925eb643bb50204dc

SHA1 hash:

05458171499d8d4e1bd959e8c1f5f295da2d70c3

Link:

https://www.unpac.me/results/4550b323-efa0-4509-9ac1-4f30437f0145/

SH256 hash:

cfcd348313cae67c169897bd5ccaa8c7cdf1f99b4776cf942d587eca6e94004b

MD5 hash:

ca33fec46476f8b933d518e5b80f2292

SHA1 hash:

157ddcf827ce62433a0dba6b752e937eb42ac1a8

Link:

https://www.unpac.me/results/4550b323-efa0-4509-9ac1-4f30437f0145/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/cfcd348313ca/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/cfcd348313cae67c169897bd5ccaa8c7cdf1f99b4776cf942d587eca6e94004b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.