MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1194356c75e7dbbbcdb32cd8b7de2d1b202616b7732ffbe572b23ce8c7f83d98. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs 1 YARA 1 File information Comments

SHA256 hash:	1194356c75e7dbbbcdb32cd8b7de2d1b202616b7732ffbe572b23ce8c7f83d98
SHA3-384 hash:	d3aa8d10b459a1e7cc0c79f34309bfa88544866771a5297c143c5722edce3908429d51d832090e3d365c09a65a6d33f3
SHA1 hash:	1ac46bf8b1a87ce0e23669150d76ae50ab83bda7
MD5 hash:	a399087a20fec585e3e7bb442c6bc484
humanhash:	cup-stream-uncle-missouri
File name:	a399087a20fec585e3e7bb442c6bc484.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	379'392 bytes
First seen:	2022-05-14 05:26:20 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ccca0b4d2554d5268e6682f1701c1c24 (7 x RedLineStealer)
ssdeep	6144:EPieEzoDkexKiuoT4l28Hzd0UOGFugfsnSYu:UieEUkyw02nHIg0m
Threatray	5'595 similar samples on MalwareBazaar
TLSH	T18884F111B3E1D032E0A7563484B4D7741EBFB1626275CA5B37582B3BAF303C169BA366
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	3cf88d8546c5add6 (1 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
193.106.191.182:23196

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
193.106.191.182:23196	https://threatfox.abuse.ch/ioc/563826/

Intelligence

File Origin

# of uploads :

# of downloads :

263

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/270579/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Creating a window

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Stealing user critical data

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/17679/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

CheckCmdLine

EvasionQueryPerformanceCounter

EvasionGetTickCount

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed tofsee

Link:

https://www.filescan.io/uploads/627f3da789dc6403e783945b/reports/42b3e5b7-9458-4d14-a236-b941667caa08/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/99e7014b-77b7-401f-96f1-59d6f0d91028

Result

Threat name:

Unknown

Detection:

malicious

Classification:

n/a

Score:

52 / 100

Link:

https://www.joesandbox.com/analysis/994023

Signature

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1194356c75e7dbbbcdb32cd8b7de2d1b202616b7732ffbe572b23ce8c7f83d98/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2022-05-14 02:59:39 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=cgkdk3dv47n3xtntftmlpxrndmqcmfvxomx7xzlswi6orr7yhwma._file

Verdict:

malicious

RedLineStealer

1b6db2ff76f4564310210b20e13118f37c92e1ef46541b1aec6b5a98be598ae4

RedLineStealer

33e2d3a15c308cfdf2d22853a646c3d4dd10f97bf7a55d1fb5b101357bb6c532

RedLineStealer

77eb51b75a6a0d4b6f8c055396acf3b10a6441559d34ba1bd4a8fc547f72cfb3

RedLineStealer

884bec8d35a2a1f84dbb50d62b9a1e0abdd0ef8f3b09521508fae751e04e2db1

RedLineStealer

ce31a4699587ca5d80d259cdb4318cd5eafb91a3fa4b79b37d745c35b0a15f48

RedLineStealer

e7427002721245780de5196d6560e120fc0811537200db54e1b9541bf017941d

RedLineStealer

fb4985680c725726e991767d1dee970d97ffadf763941ffaf34986185eeb58a4

RedLineStealer

+ 5'585 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:51 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220514-f5efdahgcp/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

Malware Config

C2 Extraction:

193.106.191.182:23196

Gathering data

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1194356c75e7dbbbcdb32cd8b7de2d1b202616b7732ffbe572b23ce8c7f83d98

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.