MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dcc4e87f39108014864f82b22a34773dd6d7c9b0da4a32f6682e63b5d16e8066. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 3 File information Comments

SHA256 hash:	dcc4e87f39108014864f82b22a34773dd6d7c9b0da4a32f6682e63b5d16e8066
SHA3-384 hash:	47ff7df2ea951be6c12987083994ad9b69e3b9cd960bdee406969b532607384cced376fe97763f7a96ff3d6eed1211f1
SHA1 hash:	08b0b68987f4b73344b285e9feffef9ceeafa2f1
MD5 hash:	637d210df73ff5f59bb2453e0f29fd7d
humanhash:	delta-pasta-connecticut-sixteen
File name:	637d210df73ff5f59bb2453e0f29fd7d.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	570'368 bytes
First seen:	2022-03-10 16:26:28 UTC
Last seen:	2022-03-10 17:52:08 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	445554923421947cbff896012e27345a (301 x RedLineStealer, 11 x RaccoonStealer, 5 x CoinMiner)
ssdeep	12288:1k4leSOXIJYw8+5WNZ0iyQS03ULaHNqrxlKIQNokg+aVsidnGuP:CAXOXk8+ADykEaHNYK3jHEnX
Threatray	1'649 similar samples on MalwareBazaar
TLSH	T195C423D65740B4D4C78E57FC2A517FED9A1A673ADBAC514AD06643021ED0883F83C2BD
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
193.106.191.253:4752

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
193.106.191.253:4752	https://threatfox.abuse.ch/ioc/390795/

Intelligence

File Origin

# of uploads :

# of downloads :

235

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/249195/

Detection(s):

PUA.Win.Packer.Asprotect-3

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Creating a window

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Sending a TCP request to an infection source

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/622a26e1dfdfa8501c86dd75/reports/bbffc3ed-85f3-45ae-9e8d-fa8cb42656b0/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/342a296e-4748-4437-a95b-319d3590e210

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/954376

Signature

Allocates memory in foreign processes

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

PE file has nameless sections

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/dcc4e87f39108014864f82b22a34773dd6d7c9b0da4a32f6682e63b5d16e8066/

Threat name:

Win32.Trojan.RedLineStealer

Status:

Malicious

First seen:

2022-03-09 23:49:37 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

27 of 42 (64.29%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=3tcoq7zzccabjbspqkzcundxhxlnpsnq3jfdf5tifzr3luloqbta._file

Verdict:

malicious

RedLineStealer

5013372389580672743ad71d9ec522caa057a4f7863ae8fc460ebba005121fd8

RedLineStealer

55a7d2b17477a6d16a1666e267e9bdbb1d6201b0fa07dfb20d2fb5a1b184024d

RedLineStealer

63680cb50ca4c6ec5837dbc45a9a58f9b27fd33fb47e37e4e848225d0d0a1f2f

RedLineStealer

675fb06332308b4e20c18722d71d7ac4a4fa3414cf2c93720800f52deb217542

RedLineStealer

6b70b5494393d3644de4dd90ae5a906407175daea6ee97c0419997e99b4cdfd0

RedLineStealer

73b847df999248b0ade77878c380cf1f6e56a583a40645351558931b9c989e77

RedLineStealer

ab678d5de5678d684711044c60a9b3a706f08be433692f0960b132b8bee3a2d2

RedLineStealer

af5c1edc2e290ba4ecafee0f7f5b02182e5df7672ce8004ba3bafd320f2592f3

RedLineStealer

dd496554f084af7bdd9c216bdb8718cd3de154d804b8955f4894c0954dad266c

RedLineStealer

+ 1'639 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/220310-tx6fsabhdr/

Behaviour

Program crash

Unpacked files

SH256 hash:

252892cf70e81403e448407b00298cd3280cd795c5c9b4c485b588801f2a739f

MD5 hash:

ff00da9e977cb5c5ad6114a75e152706

SHA1 hash:

91b908d877eb58f1248870664171e452044b2c0f

Link:

https://www.unpac.me/results/f668b892-0aca-4551-926b-c39301485067/

SH256 hash:

dad5cfe9add80386800726b86f61df36a46a3617297383b5841b69247b321576

MD5 hash:

94e8d288fe33c53f25284f4f6d063046

SHA1 hash:

f1c2f8ce7c6c55f438c97be1fdbc50b44fc65f22

Link:

https://www.unpac.me/results/f668b892-0aca-4551-926b-c39301485067/

SH256 hash:

dcc4e87f39108014864f82b22a34773dd6d7c9b0da4a32f6682e63b5d16e8066

MD5 hash:

637d210df73ff5f59bb2453e0f29fd7d

SHA1 hash:

08b0b68987f4b73344b285e9feffef9ceeafa2f1

Link:

https://www.unpac.me/results/f668b892-0aca-4551-926b-c39301485067/

Malware family:

RedLine.D

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/dcc4e87f3910/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/dcc4e87f39108014864f82b22a34773dd6d7c9b0da4a32f6682e63b5d16e8066

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/249195/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample