MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 106af3cf7223c24a58a93664cd347115c43fbca230912da84f9a10f551d98f6e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 14

Intelligence 14 IOCs 1 YARA 1 File information Comments

SHA256 hash:	106af3cf7223c24a58a93664cd347115c43fbca230912da84f9a10f551d98f6e
SHA3-384 hash:	5f0ca662a02796b3609c141f05803f31ee4524e33c5c5a0e363507c994f69526bb8671f3cb1bfda1892df3193929f220
SHA1 hash:	0af79e30989090ef6b1895de0a88e5a572531570
MD5 hash:	3971e44068b86c55bbc4ec02b42f9010
humanhash:	november-emma-september-happy
File name:	3971e44068b86c55bbc4ec02b42f9010.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	378'880 bytes
First seen:	2022-05-14 19:51:37 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	dd4be8f23d3ac7747a72e3c3786bd4d0 (8 x RedLineStealer)
ssdeep	3072:mm695z0jCWxCjbXt014AJEmktCFnVXHw1vMNzCnEiHgxrPT7nGt2Zveyv+H99GD5:yz0jCW6aqxJOFVCnEiYXVTrKLQM
Threatray	5'548 similar samples on MalwareBazaar
TLSH	T16D84F111F3E0E032D427553084798BB62FBF756231715E9E37A45B394F306C28AB67AA
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	f48a0d4d0eece020 (1 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
193.106.191.182:23196

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
193.106.191.182:23196	https://threatfox.abuse.ch/ioc/563826/

Intelligence

File Origin

# of uploads :

# of downloads :

248

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/270673/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Creating a window

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Stealing user critical data

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/17751/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

EvasionGetTickCount

EvasionQueryPerformanceCounter

CheckCmdLine

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

crypter greyware packed tofsee

Link:

https://www.filescan.io/uploads/6280086d6b2a366ce40e652f/reports/c0730527-8757-4cd3-b5e8-119ac08eedb9/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c1edb83e-ffca-4c17-a3cc-2548f25b9318

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/994178

Signature

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/106af3cf7223c24a58a93664cd347115c43fbca230912da84f9a10f551d98f6e/

Threat name:

Win32.PUA.RedLineStealer

Status:

Malicious

First seen:

2022-05-14 19:52:07 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 26 (92.31%)

Threat level:

1/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=cbvpht3sepbeuwfjgzsm2ndrcxcd7pfcgcis3kcptiipkuozr5xa._file

Verdict:

malicious

RedLineStealer

2bfcd736ba1089eee38f5c284bd623d0da3bbee0ec0d10e2bec2e8c1ab8b9a53

RedLineStealer

85493af191f86a712a8b5ed6dff3e9d26c0169908440c4837c8c2dedac033ceb

RedLineStealer

967e98b250c72d4222068a1dcef714211a3c3bf5562c5befd98b43e443f107eb

RedLineStealer

a812037f6f0fac88f2657d2b53ed68c520373f71391c174586a039a16b849a1a

RedLineStealer

ce31a4699587ca5d80d259cdb4318cd5eafb91a3fa4b79b37d745c35b0a15f48

RedLineStealer

d0dfea9c873b70d7bfada6a3590a83e70fde63d6a04d24de514a70c1a6e3d4c3

RedLineStealer

+ 5'538 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:51 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220514-yldc3sbde6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

Malware Config

C2 Extraction:

193.106.191.182:23196

Unpacked files

SH256 hash:

b99b70911c884e46c82f28485822efb33a7b53e78b9063ce90395d48846ed364

MD5 hash:

6013993adcd783c4c360bcbfed2f4494

SHA1 hash:

919d64660cc1130f50d7ebe1fbdf0665695d6002

Link:

https://www.unpac.me/results/a8d178a7-7fbe-44fd-bb25-4996d709bc7c/

SH256 hash:

17538b2538f67429a972395298bb43a7aa381333eef157d5a909d5caf57abca9

MD5 hash:

b1f64e24e08b37a303a651085e8c9785

SHA1 hash:

732e122523fcd1e2ead43825b493f84defe26b3d

Link:

https://www.unpac.me/results/a8d178a7-7fbe-44fd-bb25-4996d709bc7c/

SH256 hash:

063d72d43584696f4109c5fbfb6f07b1cd80c1f38505b6a78d1fd63c5ea1afb3

MD5 hash:

d47bb83b074327c04e48c8cf9ebf0070

SHA1 hash:

295d0c7c8108fc7bbba6acdc558817a4d3dba96f

Link:

https://www.unpac.me/results/a8d178a7-7fbe-44fd-bb25-4996d709bc7c/

SH256 hash:

106af3cf7223c24a58a93664cd347115c43fbca230912da84f9a10f551d98f6e

MD5 hash:

3971e44068b86c55bbc4ec02b42f9010

SHA1 hash:

0af79e30989090ef6b1895de0a88e5a572531570

Link:

https://www.unpac.me/results/a8d178a7-7fbe-44fd-bb25-4996d709bc7c/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/106af3cf7223/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/106af3cf7223c24a58a93664cd347115c43fbca230912da84f9a10f551d98f6e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.