MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0968fb0d2e59645c5e510d7f195c5fade1624a23d57777f3878245921c3ac752. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13

Intelligence 13 IOCs YARA File information Comments

SHA256 hash:	0968fb0d2e59645c5e510d7f195c5fade1624a23d57777f3878245921c3ac752
SHA3-384 hash:	05ad22dea7c95409930747f7da72db1182fa4ec1e467af9dc337a80f45e39c5a18e71742c30660cdf0dc122963e3c38c
SHA1 hash:	26031c5adec6123bf336d3149208b5d417a3ecc5
MD5 hash:	af905c1b0c1c36a80fc5c32ac3b015ff
humanhash:	table-skylark-social-idaho
File name:	af905c1b0c1c36a80fc5c32ac3b015ff.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	414'720 bytes
First seen:	2021-12-06 17:35:08 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	56620115eb6e0830bdf5b4ae97062a04 (3 x RedLineStealer, 2 x Smoke Loader)
ssdeep	6144:/NOxa811dFKY9nVXDHVEpcWJnEgDowlOES8jLF1D:/Nl81EOVDHVEp3JnI9IFx
Threatray	3'312 similar samples on MalwareBazaar
TLSH	T11294D01172C0C072D0A765728D25DBB19EBEB4745A224A8FBFC85BBD9F247C1972630E
File icon (PE):
dhash icon	d2b1e4d4ecb987f9 (38 x RedLineStealer, 18 x RaccoonStealer, 15 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

271

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

af905c1b0c1c36a80fc5c32ac3b015ff.exe

Verdict:

Malicious activity

Analysis date:

2021-12-06 19:14:20 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/fcea0261-2bbf-4fce-ad5a-1440e1b3164e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/211898/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

DNS request

Creating a window

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Sending a TCP request to an infection source

Stealing user critical data

Result

Malware family:

n/a

Score:

4/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/1135/overview

Behaviour

CPUID_Instruction

MeasuringTime

SystemUptime

EvasionQueryPerformanceCounter

EvasionGetTickCount

CheckCmdLine

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/61ae4a04fa72c81b5b0eba4b/reports/92307a4f-5b1c-4c18-9775-1af0c00d72ee/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

STOP Ransomware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c6d283fd-1446-4237-8af3-49c8d5c3ea16

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/902521

Signature

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0968fb0d2e59645c5e510d7f195c5fade1624a23d57777f3878245921c3ac752/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2021-12-06 17:36:10 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 28 (82.14%)

Threat level:

5/5

Verdict:

malicious

RedLineStealer

61945cb0d37bfb32d2f818e6b118d9968213903e73570769eda83a4405c5d783

RedLineStealer

6c90a4a65b4d10539243734b9783c414e8a95501e1272e1ef1de6b0e284d5899

RedLineStealer

a78ca974527199f93fa840fb13ccfc1808fb5d8288fc717e9136f3aff43efeee

RedLineStealer

c7304ff0966068d305da031f9da60c5b0ebe32ac43533d27f50190f1ba549347

RedLineStealer

ea19fbcf50356b81e6e2984caa0bf981b25cc4387fbb29868908ed2d5eb6f5b9

RedLineStealer

+ 3'302 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:udpn discovery infostealer spyware stealer

Link:

https://tria.ge/reports/211206-v55d5aeffn/

Behaviour

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

91.241.19.213:46284

Unpacked files

SH256 hash:

4d974e1d08460bd8fcf65788cea59bc96748ce0cc1c1497dd277619cbe34bf1d

MD5 hash:

cfa560544e482399ce9c943000d7b0d1

SHA1 hash:

f251de97b1da28e9c611d67266ad0d3c17d72b9f

Link:

https://www.unpac.me/results/848f6e6b-cb17-424f-8145-b3ac9034e06b/

SH256 hash:

4fbabb708d043b641d6dce6b770b9f2c7dc39475dc240ba6ebff80f084b82295

MD5 hash:

a5ca74c6f82faead6d24dcde250525d4

SHA1 hash:

ae0754a38ab2494507017074d805f5dda7e1a285

Link:

https://www.unpac.me/results/848f6e6b-cb17-424f-8145-b3ac9034e06b/

SH256 hash:

14468ffb4a7c03c4ae0975e2942cd5aed4bed4ea422f150df39fed87bc22f091

MD5 hash:

0877917441bf162620ffb8599e3c485b

SHA1 hash:

172be7c10124ab861f364f7e669635c338ae8a66

Link:

https://www.unpac.me/results/848f6e6b-cb17-424f-8145-b3ac9034e06b/

SH256 hash:

0968fb0d2e59645c5e510d7f195c5fade1624a23d57777f3878245921c3ac752

MD5 hash:

af905c1b0c1c36a80fc5c32ac3b015ff

SHA1 hash:

26031c5adec6123bf336d3149208b5d417a3ecc5

Link:

https://www.unpac.me/results/848f6e6b-cb17-424f-8145-b3ac9034e06b/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/0968fb0d2e59/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0968fb0d2e59645c5e510d7f195c5fade1624a23d57777f3878245921c3ac752

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

exe 0968fb0d2e59645c5e510d7f195c5fade1624a23d57777f3878245921c3ac752

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1849999/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/211898/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample