MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0392bf70244ded4e9d61bdb9197864881a4f5c85a8314b675388e54b8080c3fb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0392bf70244ded4e9d61bdb9197864881a4f5c85a8314b675388e54b8080c3fb
SHA3-384 hash: f92c7cb1ea9e24a1dfb7b3b32f480eb699b3ac5391671374b31f10fe56c9286a5d7486255c8344e97f3b8f9155569208
SHA1 hash: fd02152e31c1650d695ce7b541fb5f6f621dc7ef
MD5 hash: 85c2b4dc426a3020849e4e44d6d356f7
humanhash: mountain-lake-echo-fourteen
File name:85c2b4dc426a3020849e4e44d6d356f7.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:399'872 bytes
First seen:2021-10-16 14:35:01 UTC
Last seen:2021-10-16 15:59:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash baf5c2110fa8a268441421686d4e3331 (2 x RedLineStealer, 1 x CryptBot)
ssdeep 6144:SNsixpSUnmJLee1Mjlua+Eob/XNJN4cIQ5cOfmmGDOwqk3K9GLy:esDWmJL91MluGu/J4cIQ59GywqkZ
Threatray 2'856 similar samples on MalwareBazaar
TLSH T1BE84BF10B7A0C035F5F352F846B59278A63E7AA0A764A4CF52D527EE4A347E1EC3035B
File icon (PE):PE icon
dhash icon e8e8e8e8aa66a499 (51 x RaccoonStealer, 27 x ArkeiStealer, 22 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
491
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
85c2b4dc426a3020849e4e44d6d356f7.exe
Verdict:
Malicious activity
Analysis date:
2021-10-16 14:42:31 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/ec7f8209-40b8-42f4-824d-a1fe76917354

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/197899/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Steam.21029.2564.8228.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
Sending a custom TCP request
Launching a service
Creating a window
Connection attempt to an infection source
Sending an HTTP GET request to an infection source
Using the Windows Management Instrumentation requests
Reading critical registry keys
Query of malicious DNS domain
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/616ae3219a5a1e91c5c29f25/reports/5b852cf0-74e0-4a1e-9f82-ac8a2446e858/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/25f3cec7-bc37-42ad-8eb3-8ab3395af88d
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/871590
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0392bf70244ded4e9d61bdb9197864881a4f5c85a8314b675388e54b8080c3fb/
Threat name:
Win32.Trojan.Jaik
Create hunting rule
Status:
Malicious
First seen:
2021-10-16 12:37:44 UTC
AV detection:
19 of 27 (70.37%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aojl64bejxwu5hlbxw4rs6derane6xefvayuwz2trdsuxaeayp5q._file
Verdict:
malicious
Similar samples:
1bbc078db5d1d7f8003ac55c86d5e925d50cd79ce2b4e1b95cda63b5242f000e
RedLineStealer
665b0cd8dfe3967ce59155497f7226118f0b840b2c9a8361bd1ae3630698f3a4
RedLineStealer
93cab9c0bb921b19441630eaff516d547c8083dd1e2bd7b8b799ec282af5ef23
RedLineStealer
a1c2a8d328a756b25f0f871843dd68cf12f266291f9764523d9ed1d909e43a22
RedLineStealer
c406c0b632f53da9dda00cb1114c086c099ac059b37a64d6cad6b64e7e096300
RedLineStealer
d0dda5dfd52eedeb0c31cc69428a488f7af8f66e6c3a736ff88c6ea1c8ebed35
RedLineStealer
f934020452d58f327c22060903f625f8b9b39429afad32dc05faf58f4e3f32f9
RedLineStealer
+ 2'846 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:paladin discovery infostealer spyware stealer
Link:
https://tria.ge/reports/211016-rx4wvacah4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
37.228.129.48:29795
Unpacked files
SH256 hash:
2b580bef9687ce1ac43ce36d86da6c95a0673c040c74e6854b94a258399ee10b
MD5 hash:
f7fd2c3f4ca13720d939a6ea97d274a8
SHA1 hash:
7b73809a2d8a7a6d4db7434ec0844011060cbe1d
Link:
https://www.unpac.me/results/7adaa230-8c55-41fb-9bf2-4e17a4f55ca0/
SH256 hash:
750d494160bb549b3161bb320e711c038e02c62f0747f06761fc7e1434c9600b
MD5 hash:
f5f6f26cea37124d9a592a3d0cc638f3
SHA1 hash:
398c0139c9b7db0de1d566747cc9977c385086fe
Link:
https://www.unpac.me/results/7adaa230-8c55-41fb-9bf2-4e17a4f55ca0/
SH256 hash:
84fba1208ac10a8f93273fd161788db8c3a051fce6c164c7518e00cd29a9f875
MD5 hash:
e244e72cb30dba89114f178fd08c1db9
SHA1 hash:
03467db09e3fa27c49da7c34e5aad3ee059a324e
Link:
https://www.unpac.me/results/7adaa230-8c55-41fb-9bf2-4e17a4f55ca0/
SH256 hash:
0392bf70244ded4e9d61bdb9197864881a4f5c85a8314b675388e54b8080c3fb
MD5 hash:
85c2b4dc426a3020849e4e44d6d356f7
SHA1 hash:
fd02152e31c1650d695ce7b541fb5f6f621dc7ef
Link:
https://www.unpac.me/results/7adaa230-8c55-41fb-9bf2-4e17a4f55ca0/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/0392bf70244d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0392bf70244ded4e9d61bdb9197864881a4f5c85a8314b675388e54b8080c3fb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 0392bf70244ded4e9d61bdb9197864881a4f5c85a8314b675388e54b8080c3fb

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/197899/
  
URLhaus
https://urlhaus.abuse.ch/url/1666143/
  
Delivery method
Distributed via web download

Comments