MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 121b446992182d929ea152429527662252f30e2a3ee15468a50015760c7c4f0e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 121b446992182d929ea152429527662252f30e2a3ee15468a50015760c7c4f0e
SHA3-384 hash: cdbc5570726953dd094a11817794674e9e095b7a36aab34f7e434432aa273bad8032e528ad28eeb4491fe3b4a08775f2
SHA1 hash: 68e6485d4cbeb4f440b7fba76c95f3914f72d8be
MD5 hash: d57a47e4f750addd9e703cec987330aa
humanhash: bakerloo-tango-iowa-winter
File name:d57a47e4f750addd9e703cec987330aa.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:386'048 bytes
First seen:2021-08-14 11:37:04 UTC
Last seen:2021-08-14 12:51:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 15f5af8eb180c685d7e8c475dd6ce4a1 (4 x RaccoonStealer, 1 x DanaBot, 1 x RedLineStealer)
ssdeep 6144:O98nUNg+i51yM6SHEZxpa/E5xv2h3t4goLsz0+OCII9JQRdrGl2EcCC3+4:VUa+i58HSHEx5xuIt+wIzbT9yd
Threatray 4'437 similar samples on MalwareBazaar
TLSH T15B84BE30B690C435F5F711F595BA8378A52D7EA3AB3440CB62E536EE1A342E4ED31287
dhash icon d824e790c4e72158 (30 x RaccoonStealer, 18 x RedLineStealer, 16 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
170
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d57a47e4f750addd9e703cec987330aa.exe
Verdict:
Malicious activity
Analysis date:
2021-08-14 11:39:42 UTC
Tags:
trojan rat redline stealer
Link:
https://app.any.run/tasks/bc3ab748-ac6b-43c6-ac5c-6999d401a6a2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/179224/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader41.11932.28046.6061.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt to an infection source
DNS request
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Creating a file
Sending a UDP request
Query of malicious DNS domain
Stealing user critical data
Sending an HTTP POST request to an infection source
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fce8bd4b-3764-4c6a-b562-0df9d6473c24
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/832863
Signature
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/121b446992182d929ea152429527662252f30e2a3ee15468a50015760c7c4f0e/
Threat name:
Win32.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2021-08-14 11:38:11 UTC
AV detection:
17 of 27 (62.96%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cinui2msdawzfhvbkjbjkj3gejjpgdrkh3qvi2ffaakxmdd4j4ha._file
Verdict:
malicious
Similar samples:
09d58d081dd9364e99857ac273d52a17a0473cc64e64d0e15b2b9b2f67ef2d49
RedLineStealer
11ad18a9ef0f2fbf0489f2251089be22c2ef32a1cfc044cbd3afac90abc851cb
RedLineStealer
1f6b966f75c70c2659f6d7ead3d8939aa36938f15cac6e74d30c366adf699f5f
RedLineStealer
24bb15d093025a935e0de62e850056aea484990c713517cd53de6696b5e9db52
RedLineStealer
b3c8e26b99261ebbda8111d45cf333b28bbde4ac32ff8e750f538dd998fcf858
RedLineStealer
cc2bef9329a741ecf4c4b92d6af68a78a7de8165b4876d598998abc6dd1a7903
RedLineStealer
ce113b28e0dcd742e696907a708883af3a9450edcbf34925578bffd5825e7a14
RedLineStealer
df462937835934f9edafab767c440457a7416ccc2791955db97d4714a406d5ce
RedLineStealer
+ 4'427 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:ruz discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210814-jnzdwyjq1e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
sandedean.xyz:80
Unpacked files
SH256 hash:
9e8421c625e29deb885fcef539b2cd191439dfc9de20fa6e81ae52615e116ae6
MD5 hash:
d0280f661789684149d8bcf21ea5bf30
SHA1 hash:
cb914a2421b7c8e8398b9a44a691c0b63b271c7b
Link:
https://www.unpac.me/results/05ca5f35-6746-4a80-977a-b1ad28787e3a/
SH256 hash:
b1cbfbfb11d944dc9e2040df2f5e4ebd0cc29ac4f32a801fa915639d135bba19
MD5 hash:
23134802d0c7d7321977d912ce42f509
SHA1 hash:
47ce5f6363e6296b919b6efc309e739675e83b78
Link:
https://www.unpac.me/results/05ca5f35-6746-4a80-977a-b1ad28787e3a/
SH256 hash:
1f32901d8aaee63834268724cba4ca382bcc092fa6ebe29e34a5e70297593688
MD5 hash:
37e842e5e6abb037dd12383bbaaef6e7
SHA1 hash:
23a8eee40c1de860b6fc7293f76b063d17c7d119
Link:
https://www.unpac.me/results/05ca5f35-6746-4a80-977a-b1ad28787e3a/
SH256 hash:
121b446992182d929ea152429527662252f30e2a3ee15468a50015760c7c4f0e
MD5 hash:
d57a47e4f750addd9e703cec987330aa
SHA1 hash:
68e6485d4cbeb4f440b7fba76c95f3914f72d8be
Link:
https://www.unpac.me/results/05ca5f35-6746-4a80-977a-b1ad28787e3a/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/121b44699218/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/121b446992182d929ea152429527662252f30e2a3ee15468a50015760c7c4f0e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 121b446992182d929ea152429527662252f30e2a3ee15468a50015760c7c4f0e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1481367/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/179224/

Comments