MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dc0d7e5dcd6f5cc175ab3d6173220fb483570c8b1b81cc2ab68c95407368240e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dc0d7e5dcd6f5cc175ab3d6173220fb483570c8b1b81cc2ab68c95407368240e
SHA3-384 hash: bd5a9e3809913d2a8239dbd9968439cb5fcd3317e360a64931c13520601ce3464fec8dae99c0afc17836a6c0359cf190
SHA1 hash: 19a3cf53a31c4f37c24c771264504e66d1be1193
MD5 hash: 3923f1a139494556ee41dde9b70acc67
humanhash: sodium-item-dakota-thirteen
File name:3923f1a139494556ee41dde9b70acc67.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:302'080 bytes
First seen:2022-11-24 12:25:24 UTC
Last seen:2022-11-24 13:30:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 36b641a29d896f854254088d7a23d111 (2 x RedLineStealer)
ssdeep 6144:pz5vw7NJFZBo20p9p3lcmkI7qG4ILzRiy8GEPZjmKsgA5oSsxHE:pzefFZB09VF7qG4I8y8GEPZjmngA5oSM
TLSH T1F3549E367252CB3DE8A7D8794EE9C270773C62343FB810D35B8C4A2D5520EEEA53951A
TrID 39.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.5% (.SCR) Windows screen saver (13097/50/3)
13.3% (.EXE) Win64 Executable (generic) (10523/12/4)
8.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
37.220.87.2:27924

Intelligence

File Origin
# of uploads :
2
# of downloads :
264
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
3923f1a139494556ee41dde9b70acc67.exe
Verdict:
Malicious activity
Analysis date:
2022-11-24 12:28:53 UTC
Tags:
trojan rat redline loader
Link:
https://app.any.run/tasks/a20d8d02-8f69-436c-96d1-4cce60bc7508

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/338051/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.47263.28911.30522.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware zusy
Link:
https://www.filescan.io/uploads/637f62dc94f9bac087b339a1/reports/3591f71f-f805-40d7-9f43-0973b9cea8e4/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bb9cd7cf-94f0-46f9-b9de-f6f7f4b4f903
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1120509
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates files in the system32 config directory
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Encrypted powershell cmdline option found
Found hidden mapped module (file has been removed from disk)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: Stop multiple services
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 753226 Sample: FKN6uh7y01.exe Startdate: 24/11/2022 Architecture: WINDOWS Score: 100 118 Snort IDS alert for network traffic 2->118 120 Malicious sample detected (through community Yara rule) 2->120 122 Antivirus detection for URL or domain 2->122 124 10 other signatures 2->124 10 FKN6uh7y01.exe 2 2->10         started        13 updater.exe 2->13         started        15 powershell.exe 2->15         started        17 4 other processes 2->17 process3 signatures4 166 Contains functionality to inject code into remote processes 10->166 168 Writes to foreign memory regions 10->168 170 Allocates memory in foreign processes 10->170 172 Injects a PE file into a foreign processes 10->172 19 vbc.exe 15 9 10->19         started        24 WerFault.exe 23 9 10->24         started        26 conhost.exe 10->26         started        174 Adds a directory exclusion to Windows Defender 13->174 28 powershell.exe 13->28         started        176 Creates files in the system32 config directory 15->176 30 conhost.exe 15->30         started        32 schtasks.exe 17->32         started        34 conhost.exe 17->34         started        process5 dnsIp6 112 37.220.87.2, 27924, 49700 ARTEM-CATV-ASRU Russian Federation 19->112 114 www.idpminic.org 19->114 116 2 other IPs or domains 19->116 94 C:\Users\user\AppData\Localbehaviorgraphoogle\ofg.exe, PE32 19->94 dropped 96 C:\Users\user\AppData\Local\...\chrome.exe, PE32 19->96 dropped 98 C:\Users\user\AppData\Local\...\brave.exe, PE32+ 19->98 dropped 140 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 19->140 142 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 19->142 144 Tries to harvest and steal browser information (history, passwords, etc) 19->144 146 Tries to steal Crypto Currency Wallets 19->146 36 chrome.exe 19->36         started        40 brave.exe 19->40         started        42 ofg.exe 19->42         started        100 C:\ProgramData\Microsoft\...\Report.wer, Unicode 24->100 dropped 44 conhost.exe 24->44         started        46 conhost.exe 28->46         started        48 conhost.exe 32->48         started        file7 signatures8 process9 file10 102 C:\WindowsbehaviorgraphoogleUpdate.exe, PE32 36->102 dropped 148 Antivirus detection for dropped file 36->148 150 Multi AV Scanner detection for dropped file 36->150 152 Machine Learning detection for dropped file 36->152 162 5 other signatures 36->162 50 GoogleUpdate.exe 36->50         started        54 powershell.exe 36->54         started        56 schtasks.exe 36->56         started        66 2 other processes 36->66 104 C:\Users\user\AppData\Local\Temp\33C5.tmp, PE32+ 40->104 dropped 106 C:\Program Filesbehaviorgraphoogle\Chrome\updater.exe, PE32+ 40->106 dropped 154 Writes to foreign memory regions 40->154 156 Modifies the context of a thread in another process (thread injection) 40->156 158 Found hidden mapped module (file has been removed from disk) 40->158 164 2 other signatures 40->164 58 cmd.exe 40->58         started        60 cmd.exe 40->60         started        62 powershell.exe 40->62         started        68 3 other processes 40->68 160 Uses schtasks.exe or at.exe to add and modify task schedules 42->160 64 schtasks.exe 42->64         started        signatures11 process12 dnsIp13 108 api.peer2profit.com 172.66.40.196, 443, 49704, 49706 CLOUDFLARENETUS United States 50->108 110 51.195.77.210, 443, 49705, 49707 OVHFR France 50->110 126 Detected unpacking (changes PE section rights) 50->126 128 Detected unpacking (overwrites its own PE header) 50->128 130 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 50->130 138 3 other signatures 50->138 78 3 other processes 50->78 70 conhost.exe 54->70         started        72 conhost.exe 56->72         started        132 Uses cmd line tools excessively to alter registry or file data 58->132 134 Uses powercfg.exe to modify the power settings 58->134 136 Modifies power options to not sleep / hibernate 58->136 80 11 other processes 58->80 82 5 other processes 60->82 84 2 other processes 62->84 74 conhost.exe 64->74         started        76 conhost.exe 66->76         started        86 2 other processes 68->86 signatures14 process15 process16 88 conhost.exe 78->88         started        90 conhost.exe 78->90         started        92 conhost.exe 78->92         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dc0d7e5dcd6f5cc175ab3d6173220fb483570c8b1b81cc2ab68c95407368240e/
Threat name:
Win32.Trojan.Raccoon
Create hunting rule
Status:
Malicious
First seen:
2022-11-20 18:37:18 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
29 of 41 (70.73%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3qgx4xonn5omc5nlhvqxgiqpwsbvodeldoa4ykvwrskua43ieqha._file
Verdict:
malicious
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline evasion infostealer spyware
Link:
https://tria.ge/reports/221124-pl66qadc53/
Behaviour
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Launches sc.exe
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Uses the VBS compiler for execution
Downloads MZ/PE file
Executes dropped EXE
Stops running service(s)
RedLine
RedLine payload
Malware Config
C2 Extraction:
37.220.87.2:27924
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/76e39cb5-653c-4ba5-9d6d-ab644093de84
Unpacked files
SH256 hash:
d01a18d5008a2dd802eacc26d056dbf36361572580f890c1029bc12b606508e8
MD5 hash:
67d7748d1a30d18c5132ca387936335e
SHA1 hash:
f4529e72db99b096bffc2981eee0227def61f9d6
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/906e5122-2d5f-4619-8199-86b26586c74f/
SH256 hash:
dc0d7e5dcd6f5cc175ab3d6173220fb483570c8b1b81cc2ab68c95407368240e
MD5 hash:
3923f1a139494556ee41dde9b70acc67
SHA1 hash:
19a3cf53a31c4f37c24c771264504e66d1be1193
Link:
https://www.unpac.me/results/906e5122-2d5f-4619-8199-86b26586c74f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/dc0d7e5dcd6f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dc0d7e5dcd6f5cc175ab3d6173220fb483570c8b1b81cc2ab68c95407368240e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/338051/

Comments