MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 121873343a2752cdfce8f990986da1fd6e05883b44e62bfd0639a7508c58e387. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 16

Intelligence 16 IOCs YARA 1 File information Comments 1

SHA256 hash:	121873343a2752cdfce8f990986da1fd6e05883b44e62bfd0639a7508c58e387
SHA3-384 hash:	a18889cc46705bea840144fa7b240f17117e31211c9dae17287dce6c53fdbdd5f362b73594384edd7235cfe53ffd4b63
SHA1 hash:	d904118a4d9e4bef0316927922872ca1cc53ec8d
MD5 hash:	60a0c40ccd86968b550cfc34927638b8
humanhash:	south-steak-paris-leopard
File name:	60a0c40ccd86968b550cfc34927638b8
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	422'400 bytes
First seen:	2022-05-29 20:57:11 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c5df5f515f76bb815fad87fade1c304d (7 x RedLineStealer, 3 x Smoke Loader, 1 x DiskWriter)
ssdeep	6144:ACaIuycdLUplIx31UDlVZbCtcWUyrs1cooX6cE7U/AsuuXTezCliao00//a:laI+LUgJ1UDfZbZWWxFo/g8gAr
Threatray	3'472 similar samples on MalwareBazaar
TLSH	T1F094AE107A50E037F5B71AF4497583A8B92ABDA19B2471CB62D97AEE563C6D0FC30307
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	9824e790c4e7215c (12 x RedLineStealer, 4 x Stop, 2 x Smoke Loader)
Reporter	zbetcheckin
Tags:	32 exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

320

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

azorult

ID:

File name:

Port.Forwarding.Wizard.4.0.keygen.exe

Verdict:

Malicious activity

Analysis date:

2022-05-28 08:41:06 UTC

Tags:

evasion trojan rat azorult miner opendir loader pony fareit redline stealer

Link:

https://app.any.run/tasks/56988d3b-d034-4c11-aa5a-9e143f2228ac

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/275275/

Detection(s):

Win.Ransomware.Stopcrypt-9950704-0

Win.Ransomware.Stopcrypt-9950820-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Sending a TCP request to an infection source

Stealing user critical data

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/20447/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

EvasionQueryPerformanceCounter

CheckCmdLine

EvasionGetTickCount

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed ransomware

Link:

https://www.filescan.io/uploads/6293de316bd27afab466fe0f/reports/8c53a9c0-849f-4930-ae6e-459eb9e371f6/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a7db2cd6-9a47-4282-98eb-f0816ebf03a4

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1003314

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/121873343a2752cdfce8f990986da1fd6e05883b44e62bfd0639a7508c58e387/

Threat name:

Win32.Ransomware.Stop

Status:

Malicious

First seen:

2022-05-28 17:58:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=cimhgnb2e5jm37hi7gijq3nb7vxalcb3ittcx7ighgtvbdcy4odq._file

Verdict:

malicious

RedLineStealer

2d3a60652ef2eec8c8e7266ea38b1a1cbc3685315647bd3bddf6232444991c80

RedLineStealer

5d443509cccd42fff7c822682ad95d16e97e9f093190731bac07daa7fd70deb9

RedLineStealer

61908494916ed56bcbcdf4db45499ac7f46f7a8d3e06fb4a7ef5cfadd3741bae

RedLineStealer

663d6c13085975c11d0014705d9233430ab84ff53d0dd1a74b8e387c1e6f9dad

RedLineStealer

ab28b2a7c38a0218ba63ef35ded5de9ca0514855469dbb430a083f5bcfd86b7a

RedLineStealer

bf68d399e2f7f4103d1eeba804afef71535a60d54e4b69a56330b115d18462df

RedLineStealer

+ 3'462 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:lyla2 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220529-zr5vysdgfl/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

Malware Config

C2 Extraction:

185.215.113.201:21921

Unpacked files

SH256 hash:

f78ee6050322de3ea675fa81ab5d4f7ea0d1c92a2723cc3918fefbc170e67bed

MD5 hash:

fffb705283baf6c8c34533edc512f03c

SHA1 hash:

ed76ab37f40c043d1b3a5d92df8ff23dd662a7f5

Link:

https://www.unpac.me/results/2e1adcde-7f8c-4fd3-9519-13b0ee5003fd/

SH256 hash:

9af23fa714b3a3011ff70f4b630cb1f538eab75de42e911fb6c5483757438e72

MD5 hash:

ef52cb6eba55c7ff5424efd7deb3916e

SHA1 hash:

dd5adf710f3de184823ddbe9568eb6c35324ed59

Link:

https://www.unpac.me/results/2e1adcde-7f8c-4fd3-9519-13b0ee5003fd/

SH256 hash:

e5c0b3a94437fac397ff0592da8f17d26ff6661f77998cfc704898b5c5310ea9

MD5 hash:

6bf03e71a9b0b7d86021340f9c8ceebc

SHA1 hash:

01c52aef94e5c9d2062615379dee703a4f114536

Link:

https://www.unpac.me/results/2e1adcde-7f8c-4fd3-9519-13b0ee5003fd/

SH256 hash:

121873343a2752cdfce8f990986da1fd6e05883b44e62bfd0639a7508c58e387

MD5 hash:

60a0c40ccd86968b550cfc34927638b8

SHA1 hash:

d904118a4d9e4bef0316927922872ca1cc53ec8d

Link:

https://www.unpac.me/results/2e1adcde-7f8c-4fd3-9519-13b0ee5003fd/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/121873343a27/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/121873343a2752cdfce8f990986da1fd6e05883b44e62bfd0639a7508c58e387

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.