MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 067c807a07a5a2aa8ee58f79bf846aa4b8c590dffa51f1525a1cfd5a63392557. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs 1 YARA 1 File information Comments

SHA256 hash:	067c807a07a5a2aa8ee58f79bf846aa4b8c590dffa51f1525a1cfd5a63392557
SHA3-384 hash:	39ba64626b7c69ed904428014d1de46699b837ebda50cc9c06cc3dfe1738aa434fd7a745d5da1f88527c98af304ccd70
SHA1 hash:	e721affa9784ea529a88d9ae37857c46754ec2e6
MD5 hash:	320dfb6627ba74c96d10b24497bcfa39
humanhash:	colorado-item-edward-sixteen
File name:	067c807a07a5a2aa8ee58f79bf846aa4b8c590dffa51f.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	372'224 bytes
First seen:	2021-11-18 18:41:24 UTC
Last seen:	2021-11-18 20:38:27 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	5ec00bbaa469943db4b6795b01cc4091 (4 x RedLineStealer, 2 x Smoke Loader, 2 x ArkeiStealer)
ssdeep	6144:d/hUAC6pP6xkBLotTRzpfhgX3yQxuWNxSF6cmJNf2qisY28347a:jU6pHMTZpfWnyPWNxSMcmJ3is8X
Threatray	3'748 similar samples on MalwareBazaar
TLSH	T13584BE10ABE0C034F1B756F44A7693B8B93E79A16B7490CF52E526EE56396E1EC30307
File icon (PE):
dhash icon	badacabecee6baa6 (95 x Stop, 87 x RedLineStealer, 62 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
95.216.168.100:38784

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
95.216.168.100:38784	https://threatfox.abuse.ch/ioc/250769/

Intelligence

File Origin

# of uploads :

# of downloads :

134

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

067c807a07a5a2aa8ee58f79bf846aa4b8c590dffa51f.exe

Verdict:

Malicious activity

Analysis date:

2021-11-18 18:42:54 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/f6897860-ca94-4005-9ea2-ee507e39264e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Gathering data

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware1.11037.1618.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Using the Windows Management Instrumentation requests

Creating a window

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Sending a custom TCP request

DNS request

Stealing user critical data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/61969e7d4912a8c920a2dbdf/reports/892979a9-0bed-4dd6-b547-d6f97c5ca89c/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5fb1155a-fc92-4d67-9f44-7e9854bd5f4a

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/892189

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/067c807a07a5a2aa8ee58f79bf846aa4b8c590dffa51f1525a1cfd5a63392557/

Threat name:

Win32.Rootkit.BootkitX

Status:

Malicious

First seen:

2021-11-18 18:38:05 UTC

AV detection:

19 of 28 (67.86%)

Threat level:

4/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=az6ia6qhuwrkvdxfr5437bdkus4mleg77ji7cus2dt6vuyzzevlq._file

Verdict:

malicious

RedLineStealer

14392ce90022b570351972c94bfd451cce4f69e7d731de4fc21a275899b081ec

RedLineStealer

46bfd4ef142643e91a9c9e5d92d90b52100da882786e97c1502f1cc2a6ea9103

RedLineStealer

510ee83a33d4dac716941f04e3bc41d146406623197c8bec55be7dec8962b901

RedLineStealer

537b0c489b9e35fc06423d79171392e07d1147f9992d9219bd6ba597f438d6c0

RedLineStealer

6a7af1d145e133bfd37416108227befcfd1c15597f3a05fdf39ec95b9e8f1cfe

RedLineStealer

c325d98c7689964cadb138bf351b863372ee464a350f3d1fc11fe0906c8a1cb4

RedLineStealer

+ 3'738 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:1811 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/211118-xcb8zsfbbj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

95.216.168.100:38784

Unpacked files

SH256 hash:

32b581b32370d39e23c3ef09ee343ef0dd3c5b2a5a852da36d0ac5d4a943225c

MD5 hash:

230c4cbe02163550b3f7b0cf55697860

SHA1 hash:

9a14616eb3c594456c48bb19818f04c2f2ec4d2c

Link:

https://www.unpac.me/results/11c596e5-cbe7-4cb2-8704-6b807e428bd8/

SH256 hash:

77027babe298e46885e1d3182f5bc34a1ab6bd2ae07d902e4c868a1c092209a8

MD5 hash:

fdb7485913262b8efe6cbea8029a09b4

SHA1 hash:

8caa8a8a0e5efaea224d25e0fb877fc9e08a0c56

Link:

https://www.unpac.me/results/11c596e5-cbe7-4cb2-8704-6b807e428bd8/

SH256 hash:

6198042db49e0403f6c5dd514a596e186cd9780c35e80294bc727b509bf3f3d1

MD5 hash:

102658510d05e463f0afa0ecd5f3c8b5

SHA1 hash:

31b925feff6274124d2eb1ce5605d1ec321db045

Link:

https://www.unpac.me/results/11c596e5-cbe7-4cb2-8704-6b807e428bd8/

SH256 hash:

067c807a07a5a2aa8ee58f79bf846aa4b8c590dffa51f1525a1cfd5a63392557

MD5 hash:

320dfb6627ba74c96d10b24497bcfa39

SHA1 hash:

e721affa9784ea529a88d9ae37857c46754ec2e6

Link:

https://www.unpac.me/results/11c596e5-cbe7-4cb2-8704-6b807e428bd8/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/067c807a07a5/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/067c807a07a5a2aa8ee58f79bf846aa4b8c590dffa51f1525a1cfd5a63392557

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/207338/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample