MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 05afafa79827aee66c0caf542a4b2da4266d29f51913c102b70759059c040ce1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13

Intelligence 13 IOCs 1 YARA 14 File information Comments

SHA256 hash:	05afafa79827aee66c0caf542a4b2da4266d29f51913c102b70759059c040ce1
SHA3-384 hash:	566af80afead53cb157f2980e58c0aeba3066999509e705b8daebc47c61be9025c04139ddff096999099bbeb40770556
SHA1 hash:	a86dbffaa0ccb4cf46e0dc9fa17203e98940184b
MD5 hash:	b09ecdc2e54120e180a5b082d844a0b2
humanhash:	golf-kitten-hot-network
File name:	b09ecdc2e54120e180a5b082d844a0b2.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	445'440 bytes
First seen:	2022-04-18 04:21:41 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	6144:t0esdAGkesdAEklXxs8iuO1e2yMYY8prBsmhA06CB/5znEQx2LFIx6r8zwy7FmKQ:t41lVz61D01QeHwwAwaMlC3ZPboxy
Threatray	4 similar samples on MalwareBazaar
TLSH	T19F94D00517885B31EFBF933DB81E6718C732E92B5107C3177690A8EB2E92747CA152A7
TrID	60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.8% (.SCR) Windows screen saver (13101/52/3) 8.6% (.EXE) Win64 Executable (generic) (10523/12/4) 5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
93.15.171.204:7026

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
93.15.171.204:7026	https://threatfox.abuse.ch/ioc/520820/

Intelligence

File Origin

# of uploads :

# of downloads :

310

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/264254/

Detection(s):

Win.Malware.Bulz-9880537-0

Win.Packed.Bulz-9883367-0

Win.Packed.Bulz-9891195-0

Win.Trojan.Redline-9938775-1

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Sending an HTTP POST request

Creating a file

Searching for the window

Sending a custom TCP request

Query of malicious DNS domain

Sending a TCP request to an infection source

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm cmd.exe fingerprint hacktool obfuscated packed redline replace.exe stealer

Link:

https://www.filescan.io/uploads/625ce780ffe27d5119fb1e2a/reports/d419d48f-3bd9-4618-97a9-3b80ce49da67/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/68f8c08c-0c9f-47ab-96ea-4bbef34e750c

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/978028

Signature

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Yara detected Beds Obfuscator

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

redlinestealer

Link:

https://mwdb.cert.pl/sample/05afafa79827aee66c0caf542a4b2da4266d29f51913c102b70759059c040ce1/

Threat name:

ByteCode-MSIL.Infostealer.RedLine

Status:

Malicious

First seen:

2022-04-14 19:57:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

34 of 42 (80.95%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=awx27j4ye6xom3amv5kcusznuqtg2kpvdej4cavxa5mqlhaebtqq._file

Verdict:

malicious

RedLineStealer

7e48bdcccc4cb2651c59053cf26e81deee86e2e22b4b7a400bd87493117c946e

RedLineStealer

b484b76186c0e9c0d4f8719978a2235d0f580088562df853c837e296b1d837ed

RedLineStealer

c4bf94d97d6bf5016e92e0e7f81760ebf5f995ee895bdf2a632bccdcaffc849b

RedLineStealer

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220418-ey8j7saabn/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

Beds Protector Packer

RedLine

RedLine Payload

Unpacked files

SH256 hash:

05afafa79827aee66c0caf542a4b2da4266d29f51913c102b70759059c040ce1

MD5 hash:

b09ecdc2e54120e180a5b082d844a0b2

SHA1 hash:

a86dbffaa0ccb4cf46e0dc9fa17203e98940184b

Link:

https://www.unpac.me/results/2b9bfbf8-0ada-47bd-902d-d6832e2eb81a/

Malware family:

RedLine.A

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/05afafa79827/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.38

Link:

https://yomi.yoroi.company/submissions/05afafa79827aee66c0caf542a4b2da4266d29f51913c102b70759059c040ce1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BAZT_B5_NOCEXInvalidStream Create hunting rule

Rule name:	INDICATOR_EXE_Packed_Babel Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Babel

Rule name:	INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with ConfuserEx Mod Beds Protector

Rule name:	INDICATOR_EXE_Packed_Goliath Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Goliath

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	NETDIC208_NOCEX Create hunting rule

Rule name:	NETDIC208_NOCEX_NOREACTOR Create hunting rule

Rule name:	NETDIC_208 Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	RedLine_a Create hunting rule
Author:	@bartblaze
Description:	Identifies RedLine stealer.

Rule name:	redline_new_bin Create hunting rule
Author:	James_inthe_box
Description:	Redline stealer
Reference:	https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8

Rule name:	redline_stealer Create hunting rule
Author:	jeFF0Falltrades
Description:	This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)

Rule name:	Redline_Stealer_Monitor Create hunting rule
Description:	Detects RedLine Stealer Variants

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/264254/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample