MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 02a5a4a60619915dd81f8a178298793689088cbfd0523b6b99ab99c85c51298e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 5 File information Comments

SHA256 hash:	02a5a4a60619915dd81f8a178298793689088cbfd0523b6b99ab99c85c51298e
SHA3-384 hash:	9abb3ccbd8218a8f0d8c961578737eeffd3ff78f2d475cd50ef347767ce42c167d6f5c492ad2df6065244e10cdd1e0b7
SHA1 hash:	0050f628b046297a26492f058c198f406be802cf
MD5 hash:	c0985e8fa2d0a194b764f7641b74a187
humanhash:	lamp-avocado-hydrogen-sixteen
File name:	c0985e8fa2d0a194b764f7641b74a187.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'480'192 bytes
First seen:	2022-05-18 00:33:45 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	24576:9CEaqLkpjYvxU9W1ri2y9Er7x75F3Cy8BJVUw8:9CEjWjYpxSwF58tXVU9
Threatray	1'229 similar samples on MalwareBazaar
TLSH	T1B765294C631A4906EC40DB75DDB32F53BBABE7BA5C424B12A795BB3DC06B3BC1910252
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	69f8ccece0d0c504 (3 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
193.142.146.212:28823

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
193.142.146.212:28823	https://threatfox.abuse.ch/ioc/587839/

Intelligence

File Origin

# of uploads :

# of downloads :

273

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

c0985e8fa2d0a194b764f7641b74a187.exe

Verdict:

No threats detected

Analysis date:

2022-05-18 00:38:59 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/8897af4a-b637-49e8-a628-fa66f5330104

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/271809/

Detection(s):

Win.Trojan.EmbeddedDotNetBinary-9940868-0

Win.Trojan.EmbeddedReversedDLL-9940922-0

Result

Verdict:

Malware

Maliciousness:

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

obfuscated packed remote.exe wacatac

Link:

https://www.filescan.io/uploads/62843f02fd71ca8b2eed8ba8/reports/ebd6beac-c4f7-4e74-b30d-1811e9fbed1d/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/03bb0dbc-2efe-4da7-ba79-dd785fdc91da

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/996360

Signature

.NET source code contains potential unpacker

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected Generic Downloader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/02a5a4a60619915dd81f8a178298793689088cbfd0523b6b99ab99c85c51298e/

Threat name:

ByteCode-MSIL.Spyware.Solmyr

Status:

Malicious

First seen:

2022-05-11 01:15:47 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 41 (58.54%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=aks2jjqgdgiv3wa7rilyfgdzg2eqrdf72bjdw24zvom4qxcrfgha._file

Verdict:

malicious

RedLineStealer

4404699dcbab3651da1046a95dadefadda2b88751d933c94a2bf85023e382333

RedLineStealer

8502f7db79a06b2327d4894e79d7936cad1d42b45589f1938cbac8506a4624e3

RedLineStealer

8a54db382066229c50cc8e6feab1bc532431ee7804e54efceeffd696422e64d4

RedLineStealer

afee0b3d9b0d5b49066b1c30caa599cfda93d070170ef5e30d33e534cb185eb2

RedLineStealer

+ 1'219 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:torrentold discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220518-awrfpadggl/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

193.142.146.212:28823

Unpacked files

SH256 hash:

565bd0f65f0366c15afbc1669b153d002f06fe7eb2eaee20a63ac8fcb3b8609a

MD5 hash:

6062c18fa526a9da8161a50848a15413

SHA1 hash:

d6b71328ddb1c6fe171c66d5fe3a0c7f1c9e94cb

Link:

https://www.unpac.me/results/d25be10a-6698-40e7-abb8-7f75c684942c/

SH256 hash:

02a5a4a60619915dd81f8a178298793689088cbfd0523b6b99ab99c85c51298e

MD5 hash:

c0985e8fa2d0a194b764f7641b74a187

SHA1 hash:

0050f628b046297a26492f058c198f406be802cf

Link:

https://www.unpac.me/results/d25be10a-6698-40e7-abb8-7f75c684942c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/02a5a4a60619915dd81f8a178298793689088cbfd0523b6b99ab99c85c51298e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_SmartAssembly Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with SmartAssembly

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Typical_Malware_String_Transforms Create hunting rule
Author:	Florian Roth
Description:	Detects typical strings in a reversed or otherwise modified form
Reference:	Internal Research

Rule name:	Typical_Malware_String_Transforms_RID3473 Create hunting rule
Author:	Florian Roth
Description:	Detects typical strings in a reversed or otherwise modified form
Reference:	Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/271809/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample