MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dc5cf343121b5e6ac962622babf726b1ca590760793396176546bbd7420400a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13

Intelligence 13 IOCs YARA 9 File information Comments

SHA256 hash:	dc5cf343121b5e6ac962622babf726b1ca590760793396176546bbd7420400a3
SHA3-384 hash:	84f0542f6a809691c268fb298d13d46e89228ecc445b3b3d73b6626c079b659e21422db763de986d10653f88bc5c2d4a
SHA1 hash:	0cdd6bfa4db900674addd15d294798417dae5c1a
MD5 hash:	ac8f7a45a57c16b994a015d3cc3c4071
humanhash:	august-cold-enemy-oxygen
File name:	ac8f7a45a57c16b994a015d3cc3c4071.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	432'713 bytes
First seen:	2023-09-29 22:20:32 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	408ba2c23dce610d3cd9003c6890be58 (4 x RedLineStealer)
ssdeep	3072:QUaWHhdKJMcrUnx+he4VSp4qbrJ1OZIaxzZiqqowg7xrD5XpYwNLx:QUXh4HUnYQSKazUUpN
Threatray	32 similar samples on MalwareBazaar
TLSH	T1B7946D11E408ECE2F0D306B59864FA40AA5FF398016C19077A73BA6E59B7EC33566D4F
TrID	52.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 17.7% (.EXE) Win64 Executable (generic) (10523/12/4) 8.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.5% (.EXE) Win32 Executable (generic) (4505/5/1) 3.4% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	336b13233b3b3b2b (2 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
65.109.240.180:8443

Intelligence

File Origin

# of uploads :

# of downloads :

297

Origin country :

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/452082/

Detection(s):

SecuriteInfo.com.Win32.Evo-gen.8550.12988.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Creating a window

Reading critical registry keys

Creating a file

Stealing user critical data

Gathering data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware overlay

Link:

https://www.filescan.io/uploads/65174dd11edabd9982a217de/reports/83d472a9-d1db-467d-857a-4c97a2a27a33/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/dc5cf343121b5e6ac962622babf726b1ca590760793396176546bbd7420400a3

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/2fd79d6e-1f1f-425c-acdc-bf7ce5d668bb

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1316942

Signature

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Connects to a pastebin service (likely for C&C)

Found evasive API chain (may stop execution after checking mutex)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/dc5cf343121b5e6ac962622babf726b1ca590760793396176546bbd7420400a3/

Threat name:

Win32.Trojan.RedLine

Status:

Malicious

First seen:

2023-09-27 22:43:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 38 (65.79%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=3ropgqysdnpgvslcmiv2x5zgwhffsb3apezzmf3fi255oqqeacrq._file

Verdict:

malicious

RedLineStealer

51effd873582cae518e49918c2eb6dc2490b7c73505f34bdb61536d8491db256

RedLineStealer

612164ec216f6e25c1f821784bc36d3262acc5846d097ab3e1c92350c3ab4261

RedLineStealer

6f6d07ed35bc32b2a5e34d905d76758fadc5d096b0a47956f5f5a69d408d62a1

RedLineStealer

924303207226c6dc5e773813f446a0c3d30c340beeb086d2b7583ca3877d289e

RedLineStealer

e1c5d328eaf0228e5d1ae9bf8ef3d6bf734f88dfb411cb5afa25d15f1f023ab0

RedLineStealer

fda009c7da2fb93445472162677e113625b0aa7205aacc517f35efe8fb37fbf6

RedLineStealer

+ 22 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:5844778753_99 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/230929-19myjaeh8t/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Reads user/profile data of web browsers

RedLine

Malware Config

C2 Extraction:

https://pastebin.com/raw/8baCJyMF

Unpacked files

SH256 hash:

06dc4fc6cfdb33c0e492c5bfc31fb8918a8cb1b91cd11305c0f09943be03abd6

MD5 hash:

e1639a4402f3cef5d3a6c429c48da9fa

SHA1 hash:

f9e40aeb0f34acaad4ea48dafc254d8898745896

Detections:

redline

Link:

https://www.unpac.me/results/5fbc2e9e-32ee-44a9-a741-320b53885d80/

SH256 hash:

dc5cf343121b5e6ac962622babf726b1ca590760793396176546bbd7420400a3

MD5 hash:

ac8f7a45a57c16b994a015d3cc3c4071

SHA1 hash:

0cdd6bfa4db900674addd15d294798417dae5c1a

Link:

https://www.unpac.me/results/5fbc2e9e-32ee-44a9-a741-320b53885d80/

Malware family:

RedLine.E

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/dc5cf343121b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/dc5cf343121b5e6ac962622babf726b1ca590760793396176546bbd7420400a3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	redline_stealer_2 Create hunting rule
Author:	Nikolaos 'n0t' Totosis
Description:	RedLine Stealer Payload

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/452082/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample