MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cff9a1b58d27045ffbe799d15b1735af2c99dbc233040ad8e1f6be71c821578b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	cff9a1b58d27045ffbe799d15b1735af2c99dbc233040ad8e1f6be71c821578b
SHA3-384 hash:	525ffce798b86e5c560ffdaa5b34a357daab049ea3dce33ae9fcbf107d2d9c8c24edd08b01d907e2e0845a50dca18589
SHA1 hash:	e4e1f840474ad1e98d44d2de5a867d3d5331a03d
MD5 hash:	8ae6a3f4e9063b56b2b416af7b5d1c09
humanhash:	stairway-mango-floor-victor
File name:	File.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	368'128 bytes
First seen:	2022-05-23 11:14:22 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	0e837cd9eccfae6a38651c08666c9fa2 (2 x RedLineStealer, 1 x ArkeiStealer)
ssdeep	6144:47WD+iIdmcq/rXEi+KqxDE9/QlDT2BhaLGWA+tS8k/zhr:47qigD/ruKqxDs/Mn2BWu8k/
Threatray	217 similar samples on MalwareBazaar
TLSH	T17B74AE107A90D037E1B316F89AB693B8B92E7EA16B2540CB52D53AFE56347D0EC31317
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	9824e7d0c4e72158 (35 x RedLineStealer, 23 x Smoke Loader, 14 x ArkeiStealer)
Reporter	JAMESWT_WT
Tags:	exe RedLineStealer teambot dropped teambot2

Intelligence

File Origin

# of uploads :

# of downloads :

245

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

File.exe

Verdict:

Malicious activity

Analysis date:

2022-05-23 11:14:53 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/3e5aeeee-fbf0-4f16-be84-ce6e7d831799

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/273606/

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file

Reading critical registry keys

Сreating synchronization primitives

Creating a process from a recently created file

Creating a process with a hidden window

Creating a file in the %temp% directory

Creating a file in the system32 subdirectories

Creating a file in the %AppData% subdirectories

Moving a file to the %AppData% subdirectory

Creating a window

Searching for the window

Launching a process

Launching cmd.exe command interpreter

Launching the default Windows debugger (dwwin.exe)

Blocking the Windows Defender launch

Unauthorized injection to a recently created process

Sending an HTTP GET request to an infection source

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/19642/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

CheckCmdLine

EvasionQueryPerformanceCounter

EvasionGetTickCount

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

crypter greyware packed redline

Link:

https://www.filescan.io/uploads/628b6cd4054dcf0ecae2bfd2/reports/7b3cf512-7865-457c-a499-d5e4d88560bc/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0059db8a-0379-462b-b5f4-3bba6fbb33e5

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/999696

Signature

Antivirus detection for dropped file

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Disable Windows Defender real time protection (registry)

Downloads files with wrong headers with respect to MIME Content-Type

Found C&C like URL pattern

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Generic Downloader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cff9a1b58d27045ffbe799d15b1735af2c99dbc233040ad8e1f6be71c821578b/

Threat name:

Win32.Backdoor.Zapchast

Status:

Malicious

First seen:

2022-05-22 17:02:32 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Verdict:

malicious

RedLineStealer

5b92d1d8c1df0cc42591bc05cb62331a28f54e3566c708a8fd13b00cb76881c2

RedLineStealer

7d9e22e88f7b5abf22553dfc438d8f40e17c33e8fc9fb0141f25eaaba8ebca6e

RedLineStealer

8101c71c2c31df8da09ed7dd55da9bbd949b028f8f54f0e1cbffab82b192ed87

RedLineStealer

a297bc0c90017b32dd1636f86f068b0b6c21c6e1eb1ead92c23eec4b0195177e

RedLineStealer

a5453a830d01639ad537320c94e68565341328c872a8f2d3456221a0bec6f3e9

RedLineStealer

afac7896cf21983233c533eeaec870610856969d98218b0ffdfa11c6f57a8420

RedLineStealer

bec113f52e725b1e43720bb9ab1faece1043fc4562f1de3c3d43c1cfc97f2ada

RedLineStealer

d66c835ffce7413ed28d1252c814787083aab6fcdc20df38120b5da13991f9c3

RedLineStealer

e69716b0ea13b412bf6e3ac4f9a0bca987d99788f9d20cedd8fcacee0a7c3f38

RedLineStealer

+ 207 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:amadey family:djvu family:redline family:smokeloader family:vidar botnet:517 botnet:937 botnet:@humus228p backdoor discovery evasion infostealer ransomware spyware stealer suricata trojan upx vmprotect

Link:

https://tria.ge/reports/220523-ncjtdsdae3/

Behaviour

Creates scheduled task(s)

Delays execution with timeout.exe

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Views/modifies file attributes

Enumerates physical storage devices

Program crash

Looks up external IP address via web service

Checks computer location settings

Loads dropped DLL

Modifies file permissions

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

Sets file to hidden

UPX packed file

VMProtect packed file

Vidar Stealer

Amadey

Detected Djvu ransomware

Djvu Ransomware

Modifies Windows Defender Real-time Protection settings

Process spawned unexpected child process

RedLine

RedLine Payload

SmokeLoader

Vidar

suricata: ET MALWARE Amadey CnC Check-In

suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved

suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer

suricata: ET MALWARE Win32/Filecoder.STOP Variant Public Key Download

suricata: ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key

suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

suricata: ET MALWARE Win32/Vodkagats Loader Requesting Payload

Malware Config

C2 Extraction:

185.215.113.38/f8dfksdj3/index.php
http://ugll.org/test3/get.php
http://monsutiur4.com/
http://nusurionuy5ff.at/
http://moroitomo4.net/
http://susuerulianita1.net/
http://cucumbetuturel4.com/
http://nunuslushau.com/
http://linislominyt11.at/
http://luxulixionus.net/
http://lilisjjoer44.com/
http://nikogminut88.at/
http://limo00ruling.org/
http://mini55tunul.com/
http://samnutu11nuli.com/
http://nikogkojam.org/
185.215.113.24:15994
https://t.me/netflixaccsfree
https://mastodon.social/@ronxik12
https://t.me/verstappenf1r
https://climatejustice.social/@ronxik312

Dropper Extraction:

http://31.41.244.231/0x?0=RedLine
http://31.41.244.231/0xMine/RegAsm.go
http://31.41.244.231/0xMine/go.go
http://31.41.244.231/0xSocks/go.go

Unpacked files

SH256 hash:

4aa606a0a542d44bf4aa6f7ebcdc2684bf914c65a344bfed77aa34c8c20768a2

MD5 hash:

d8933905daf436fde88523508f9f0eae

SHA1 hash:

53045b6bd40ee9848d8869a20229d83476d31ea1

Link:

https://www.unpac.me/results/6e39cb43-bf62-4bf7-9101-427f548ce086/

SH256 hash:

cff9a1b58d27045ffbe799d15b1735af2c99dbc233040ad8e1f6be71c821578b

MD5 hash:

8ae6a3f4e9063b56b2b416af7b5d1c09

SHA1 hash:

e4e1f840474ad1e98d44d2de5a867d3d5331a03d

Link:

https://www.unpac.me/results/6e39cb43-bf62-4bf7-9101-427f548ce086/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/cff9a1b58d27045ffbe799d15b1735af2c99dbc233040ad8e1f6be71c821578b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

https://twitter.com/1ZRR4H/status/1528588805980229632?s=20&t=caalhHOqijMXMCqDFyp3mg

Cape

https://www.capesandbox.com/analysis/273606/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample