MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 12155a842ef95b7c5e481c325508c0cc43bba8128174c548cd72b67f12a97362. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 1 File information Comments

SHA256 hash:	12155a842ef95b7c5e481c325508c0cc43bba8128174c548cd72b67f12a97362
SHA3-384 hash:	6d2668d5d8c70e70b92d593791f3a4d8630743ae40be32765361362b4c536591ddc028126ad4d8dbd797a7922842605d
SHA1 hash:	e6d944a48b829c33c3c3a7353064dc4ea3a88b7a
MD5 hash:	26a3952b5da45241d99af3371ca2307b
humanhash:	cold-jersey-edward-tennis
File name:	26a3952b5da45241d99af3371ca2307b.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	393'728 bytes
First seen:	2021-07-08 15:22:42 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	6877f946bae2ca0d9e53a3d1d23bfb5c (4 x RedLineStealer)
ssdeep	6144:zqGmes1o5Y1xYbvrcissWCHFqyYxvx15W6jpLCdOZ0VZogPf5fZbUr:zqOXY1xYbvr8XsqyYVH5WqG2Soqf5Rb
TLSH	T141849D10BAA0C035E6F326F45ABA93B8A93D7AF15B2050CF52D46ADE57346E0EC31717
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

161

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

26a3952b5da45241d99af3371ca2307b.exe

Verdict:

Malicious activity

Analysis date:

2021-07-08 15:28:42 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/e7af8384-1f13-4f1e-9104-3437a62123af

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/170496/

Detection(s):

Win.Packed.Generic-9876400-0

Win.Packed.Generic-9876586-0

Win.Packed.Generic-9876630-0

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1b0f6df3-7b2e-4305-9998-34603e4e7ff3

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/813591

Signature

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/12155a842ef95b7c5e481c325508c0cc43bba8128174c548cd72b67f12a97362/

Threat name:

Win32.Trojan.Reline

Status:

Malicious

First seen:

2021-07-08 01:03:35 UTC

AV detection:

15 of 29 (51.72%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=cikvvbbo7fnxyxsidqzfkcgazrb3xkasqf2mksgnok3h6evjonra._file

Verdict:

malicious

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:pudt discovery infostealer spyware stealer

Link:

https://tria.ge/reports/210708-sxz9wctfvn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

176.111.174.254:56328

Unpacked files

SH256 hash:

d3a86e8c7dfc6da4450f1a19e214637dc87e4bf9e0ad30034803ab80cace095c

MD5 hash:

cb5fc5dd3ba9fdd7af4b8eecf33f77d5

SHA1 hash:

d2bf6ecc946301c58381a88bf12d74204314b7e8

Link:

https://www.unpac.me/results/b8b318c7-c4b4-4894-8a44-d37fd5ddff87/

SH256 hash:

a3774922e16ff1224a3e509b6fffc7c1dabe5a9a680539608b78839e481d7f1e

MD5 hash:

651e96a0d52076aa5ed2d82739b5c9b1

SHA1 hash:

b1ccd75ad0feed1d11deecb72ef0abac5e3ecf09

Link:

https://www.unpac.me/results/b8b318c7-c4b4-4894-8a44-d37fd5ddff87/

SH256 hash:

e13e35685114980f612af2304d7916557b03dc43609ada58de42bfa1bd5929d1

MD5 hash:

d73b577cdc3854b7ba4b09f17a84e1db

SHA1 hash:

0b60823181914658cc07e8629fc9b5ddfcdf1fee

Link:

https://www.unpac.me/results/b8b318c7-c4b4-4894-8a44-d37fd5ddff87/

SH256 hash:

12155a842ef95b7c5e481c325508c0cc43bba8128174c548cd72b67f12a97362

MD5 hash:

26a3952b5da45241d99af3371ca2307b

SHA1 hash:

e6d944a48b829c33c3c3a7353064dc4ea3a88b7a

Link:

https://www.unpac.me/results/b8b318c7-c4b4-4894-8a44-d37fd5ddff87/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/12155a842ef95b7c5e481c325508c0cc43bba8128174c548cd72b67f12a97362

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.