MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 017118612816b95f23b39dbb5a82ea128aaf3afe315ce0314c020a9848dd6d80. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	017118612816b95f23b39dbb5a82ea128aaf3afe315ce0314c020a9848dd6d80
SHA3-384 hash:	55b13c91a38b0d839d189d4095c8ae4c7abd529dc1befd9be754deb84b381538a35f557f590618f2ab1697fb1198b431
SHA1 hash:	1835cedfee6af4bc44ff1a1f3b7db95afe739c46
MD5 hash:	b963bfa54595ba3df398a59b62d2b706
humanhash:	speaker-music-high-one
File name:	rolle.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	698'880 bytes
First seen:	2022-03-29 11:45:54 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	224a3deb95ca6706e4bcbf2a455a41b0 (1 x RedLineStealer, 1 x Stop)
ssdeep	12288:sXRf8TWc05ZnLT60jK6r5LC28wUobo+i9d0/SNIfuAuVunnbGAyFi8Q:IR9cQZLTr5L/8ns27IfTbGAMY
Threatray	924 similar samples on MalwareBazaar
TLSH	T19AE40130BA98D824F093163C44268EAD632DBDB195E1564336947B4E2E33E9F26E135F
File icon (PE):
dhash icon	327a7c7f727e6e62 (1 x RedLineStealer)
Reporter	b3ard3dav3ng3r
Tags:	exe RedLineStealer

b3ard3dav3ng3r

downloaded from http://dwefrfgqwgq.top/holler/

Intelligence

File Origin

# of uploads :

# of downloads :

237

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/259151/

Detection(s):

Win.Dropper.Stop-9938042-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file in the %AppData% subdirectories

Creating a process from a recently created file

Using the Windows Management Instrumentation requests

Reading critical registry keys

Launching the default Windows debugger (dwwin.exe)

Query of malicious DNS domain

Sending a TCP request to an infection source

Stealing user critical data

Sending an HTTP GET request to an infection source

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/11990/overview

Behaviour

SystemUptime

MeasuringTime

CheckCmdLine

EvasionQueryPerformanceCounter

EvasionGetTickCount

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6242f17c9253b276b79b4024/reports/a805c1b2-f9a2-4c7a-8a25-6784f7c67dbf/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLineStealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6c26448e-f24a-4a62-a040-e8a2fbc1c322

Result

Threat name:

RedLine

Detection:

malicious

Classification:

spre.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/966661

Signature

Antivirus detection for URL or domain

Connects to many ports of the same IP (likely port scanning)

Contains functionality to register a low level keyboard hook

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample or dropped binary is a compiled AutoHotkey binary

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Autohotkey Downloader Generic

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/017118612816b95f23b39dbb5a82ea128aaf3afe315ce0314c020a9848dd6d80/

Threat name:

Win32.Trojan.CrypterX

Status:

Malicious

First seen:

2022-03-29 11:46:08 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 42 (45.24%)

Threat level:

5/5

Verdict:

malicious

RedLineStealer

556274658598eef16051157d298e3a1062d46ebee23bf491268a68c3a8996be5

RedLineStealer

a63806a04c7dc23ef99da422feb1192d69b6b627aa39ccc989362ae508af899e

RedLineStealer

b111141595018d6980a609315f572f827d7fa913454a785eebc7376019ece195

RedLineStealer

cf0f1aa6daa5e46b0a8a0ab76ed31b54a96c6125617ad0d0d508d08df6ec6b9b

RedLineStealer

de50a9cba8f30b0ab1d488fccf4e07d52bbb9cd340435c89a8ef248a1fdde229

RedLineStealer

feb32b614bc7f38cc0b553b5fee80b7e68ad8ae78df1f1cae4016a5aa1c4677a

RedLineStealer

+ 914 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:mix29.03 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220329-nxaffsddh2/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

RedLine

RedLine Payload

Malware Config

C2 Extraction:

185.215.113.70:21508

Unpacked files

SH256 hash:

c3b0d2d60c54abc2d30fc02dd05222c9a218e1ef957d96199ff3d3e9e1cac0d7

MD5 hash:

0ca7b0559a863ac753a577ac947eda93

SHA1 hash:

3cc942b83dcb6b90871e76961f14b853336d3ca4

Link:

https://www.unpac.me/results/00e147ca-e884-48ef-81a8-f65823c08c0b/

SH256 hash:

017118612816b95f23b39dbb5a82ea128aaf3afe315ce0314c020a9848dd6d80

MD5 hash:

b963bfa54595ba3df398a59b62d2b706

SHA1 hash:

1835cedfee6af4bc44ff1a1f3b7db95afe739c46

Link:

https://www.unpac.me/results/00e147ca-e884-48ef-81a8-f65823c08c0b/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/017118612816/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/017118612816b95f23b39dbb5a82ea128aaf3afe315ce0314c020a9848dd6d80

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

exe 017118612816b95f23b39dbb5a82ea128aaf3afe315ce0314c020a9848dd6d80

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2114626/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/259151/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample