MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 03e6cbf0499c16281e1fad318fed79c70ee3ebd0abc2d2577b8d5690759e5f2d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs 1 YARA File information Comments

SHA256 hash:	03e6cbf0499c16281e1fad318fed79c70ee3ebd0abc2d2577b8d5690759e5f2d
SHA3-384 hash:	3f7f0434802f9b195791bdbf1b47208eb53ba96b41fc676ff4a4ffdea61fef3bbfa60c5cacaac418b280e7477ba6369a
SHA1 hash:	38a6cc8563aace66ebd669758c34d0df72867104
MD5 hash:	aca968737c7f1f1e3537a2fb3c1aee62
humanhash:	double-failed-edward-oven
File name:	aca968737c7f1f1e3537a2fb3c1aee62.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	314'368 bytes
First seen:	2021-11-16 18:36:59 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	fff777f42c1e485850e1fdc0085a1692 (4 x RedLineStealer, 4 x Smoke Loader, 1 x DanaBot)
ssdeep	6144:aj9AvU/silT6NmsQMQigXAVr+xz6eG5J3wVf:y9AvU/sihrsftSE
Threatray	4'074 similar samples on MalwareBazaar
TLSH	T13664F115B7F2CC3AE5A336346475D3B10B3BFA326971414B2B54266E5EB32E08A7131B
File icon (PE):
dhash icon	3064c4b9b3d24c30 (1 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
109.107.188.167:37171

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
109.107.188.167:37171	https://threatfox.abuse.ch/ioc/249745/

Intelligence

File Origin

# of uploads :

# of downloads :

109

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/206602/

Detection(s):

Win.Malware.Generic-9908035-0

Win.Packed.Fragtor-9908420-0

Win.Packed.Fragtor-9908805-0

Win.Packed.Fragtor-9908933-0

Win.Packed.Generic-9908949-0

Win.Dropper.Fragtor-9909325-0

Win.Packed.Fragtor-9909732-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Stealing user critical data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

diskwriter greyware lockbit packed

Link:

https://www.filescan.io/uploads/6193fa4f2695a62af9f178f6/reports/81ba621d-9658-4238-9164-174434db40d0/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/67872759-17cd-465a-967c-26f2f121dc3e

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/890645

Signature

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/03e6cbf0499c16281e1fad318fed79c70ee3ebd0abc2d2577b8d5690759e5f2d/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2021-11-12 13:59:36 UTC

AV detection:

33 of 44 (75.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=aptmx4cjtqlcqhq7vuyy73lzy4hoh26qvpbnev33rvlja5m6l4wq._file

Verdict:

malicious

RedLineStealer

433cf9125a44e304eca2c5cf3bfe2af0b1deafd1c5e8d13d559e1bac9de711b3

RedLineStealer

45a61514d5ec9ef37d22edbd8ded4420f359358333c787ecd1c6997fabdfa374

RedLineStealer

46bfd4ef142643e91a9c9e5d92d90b52100da882786e97c1502f1cc2a6ea9103

RedLineStealer

510ee83a33d4dac716941f04e3bc41d146406623197c8bec55be7dec8962b901

RedLineStealer

537b0c489b9e35fc06423d79171392e07d1147f9992d9219bd6ba597f438d6c0

RedLineStealer

7b701421f0d7422472f29ec7a68e962ba44703e96c5d537b9b5b5dbd37f2677d

RedLineStealer

a471c6e29bde00363fce770ed79fb8f9fff011febc26e87862c53ca32aa3f55c

RedLineStealer

+ 4'064 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:build discovery infostealer spyware stealer

Link:

https://tria.ge/reports/211116-w9gdjacaal/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

109.107.188.167:37171

Unpacked files

SH256 hash:

b1053d610bac0ecc43adde3da217a6cbc561ec670d81ca7ab4717741cad578e8

MD5 hash:

534a317438788eb4a48cf24995cb6914

SHA1 hash:

9ccf38bc3b77192786cb0a7c58bee12f37d46675

Link:

https://www.unpac.me/results/7f2535ad-970e-43e1-a5c5-92dab6f5c23e/

SH256 hash:

bc7046ca5585157f9052190b96a0b153f19c6746e86f15573caccfae5b0c856a

MD5 hash:

d7861a4c7b04895cdd98bc3cd468a7e2

SHA1 hash:

6df15a6e7776691c1c3e2ebe8c53ea2771c93b07

Link:

https://www.unpac.me/results/7f2535ad-970e-43e1-a5c5-92dab6f5c23e/

SH256 hash:

d8c4fcbd5472293a8067c7b384d0a00123463e83ec4f48b8cb92bd87a6ed7f55

MD5 hash:

66d78bec6c225a567fc29c4e2d674cc2

SHA1 hash:

2272ab1989d918a3fa40cc2b6c13e227f93b2ba3

Link:

https://www.unpac.me/results/7f2535ad-970e-43e1-a5c5-92dab6f5c23e/

SH256 hash:

03e6cbf0499c16281e1fad318fed79c70ee3ebd0abc2d2577b8d5690759e5f2d

MD5 hash:

aca968737c7f1f1e3537a2fb3c1aee62

SHA1 hash:

38a6cc8563aace66ebd669758c34d0df72867104

Link:

https://www.unpac.me/results/7f2535ad-970e-43e1-a5c5-92dab6f5c23e/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/03e6cbf0499c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/03e6cbf0499c16281e1fad318fed79c70ee3ebd0abc2d2577b8d5690759e5f2d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/206602/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample