MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 014d9e246efaad3a91e21a36303842275f2b767245e3989143a75995babb653e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 014d9e246efaad3a91e21a36303842275f2b767245e3989143a75995babb653e
SHA3-384 hash: a72048b0292f9f9c774a17ce9bbe2bcb6d1fe5f190240250aeb3f884aa9b8a9cc6cd5328aba99be068884dc55732d477
SHA1 hash: f8fbc01d3a8203d4623609011ed0ccd2ce5133dd
MD5 hash: 832c2e7384f4332a3dbe91ce0f0a8da0
humanhash: william-delta-three-king
File name:832c2e7384f4332a3dbe91ce0f0a8da0.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:404'992 bytes
First seen:2022-01-20 06:36:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 125adc129c50285a2cd4524417d3fdd8 (11 x RedLineStealer, 2 x Smoke Loader, 2 x ArkeiStealer)
ssdeep 6144:jwDbLbV2YtYleLndyQ40oaOZZANNx5pJoPqlOn/2H0wMpHs:jw3l2Yt8eLnkq9OZaNnpJIe0wn
Threatray 4'466 similar samples on MalwareBazaar
TLSH T1CB84E0F07580E931C4865A32C41ACFA11EBEFC710866964377A43B6EBE726C1636725F
File icon (PE):PE icon
dhash icon fcfcb4b4b4d4d9c1 (24 x RedLineStealer, 10 x Smoke Loader, 4 x RaccoonStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
45.9.20.111:1355

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
45.9.20.111:1355 https://threatfox.abuse.ch/ioc/303028/

Intelligence

File Origin
# of uploads :
1
# of downloads :
174
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/220868/
Detection(s):
Win.Malware.Generic-9936948-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/4833/overview
Behaviour
MalwareBazaar
CPUID_Instruction
MeasuringTime
SystemUptime
EvasionQueryPerformanceCounter
CheckCmdLine
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/61e90324d32385db630d3b92/reports/d7f400ea-9ec7-40eb-855a-8ef1a71cc3e7/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/af9c7902-cc1c-490d-b67d-46195025d879
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/924010
Signature
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/014d9e246efaad3a91e21a36303842275f2b767245e3989143a75995babb653e/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2022-01-20 07:19:01 UTC
AV detection:
24 of 27 (88.89%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=afgz4jdo7kwtvepcdi3daocce5psw5tsixrzrekdu5mzlov3mu7a._file
Verdict:
malicious
Similar samples:
02a1be5f6bac2f03f8dc06a3b94f346ab67f18b70703b80d91ca47478f6d8c5f
RedLineStealer
0e08cc4751863c2150282dae704864e2b80feb930314ee9b3db331ec8fc4043b
RedLineStealer
22a58e79e643f6f422a1394de4fe4e78d2638370815eb23ecae037b99693926a
RedLineStealer
2e6a515f6f0f4c6afeee0504513de753828975c0a0ee4630ccd4474f0ca8e002
RedLineStealer
4bcc6de7810aa681f8b770e9b3e7ce2aeace7d59165ba534d34e70f12ecec70f
RedLineStealer
5169eb4aac96b3333dcf7c0eb628a340f6997c65c54e8728a0f6c8501ae6742f
RedLineStealer
a981e21aac19c98e126737f1ffeb2e4040cca00f393d4c3a9b705baf9df00986
RedLineStealer
c616122ddb20e0572157aad9871b38b1e395187e9a3d6127d2dd17371194527f
RedLineStealer
e3d47cf720441db8fad6021333ef201927e070bda5e781f5c2bb2f95d2d0b137
RedLineStealer
+ 4'456 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/220120-hdgsjagden/
Behaviour
Suspicious use of AdjustPrivilegeToken
Checks installed software on the system
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
ccf2a17a23a01fe16ea37413010d2d845aac780c9fb534491ef177c0d67016dc
MD5 hash:
4ed3c840e3f554f5f6c0ac741f4e02b4
SHA1 hash:
b775d1fa3fc54de998025bedd9e24d6f76bd5164
Link:
https://www.unpac.me/results/b1054e43-4f53-4c54-8151-fcfbdee07fcb/
SH256 hash:
5b75832f6fc38242618176c8acbca8795b722282aaeaeebffbc6752eabc7dd23
MD5 hash:
3dbe3099613073992b69bb52b4f0a0f8
SHA1 hash:
ade1dc6acff6a3babfe86fffa73c2b8e28efb87d
Link:
https://www.unpac.me/results/b1054e43-4f53-4c54-8151-fcfbdee07fcb/
SH256 hash:
6f1b3f902f153ac2c41b58cd2faed0698993cf6c38b726e8a3112ecde80c7a68
MD5 hash:
afb109167a037d3bc519538a433f4f6b
SHA1 hash:
51a10bbff21cc9e47535368a77032fa31a09e0f1
Link:
https://www.unpac.me/results/b1054e43-4f53-4c54-8151-fcfbdee07fcb/
SH256 hash:
014d9e246efaad3a91e21a36303842275f2b767245e3989143a75995babb653e
MD5 hash:
832c2e7384f4332a3dbe91ce0f0a8da0
SHA1 hash:
f8fbc01d3a8203d4623609011ed0ccd2ce5133dd
Link:
https://www.unpac.me/results/b1054e43-4f53-4c54-8151-fcfbdee07fcb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/014d9e246efaad3a91e21a36303842275f2b767245e3989143a75995babb653e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 014d9e246efaad3a91e21a36303842275f2b767245e3989143a75995babb653e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1978543/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/220868/

Comments