MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 125abd4f9c09ed884f83cebf8181ab9a073a8a3545b2aa09c8c0ac958ed78b28. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

SHA256 hash: 125abd4f9c09ed884f83cebf8181ab9a073a8a3545b2aa09c8c0ac958ed78b28
SHA3-384 hash: a500695e188abc3b1494e9ebaa86a3100e62e0f02d16f09b57a5ad134d85fb6341e56f0d428bb078846a27acdad17cdf
SHA1 hash: f77f75febd340c9d7ead94af4b614b3743253bbb
MD5 hash: 3ee418ea0a0c03ad9dbda58da28dabe1
humanhash: florida-mirror-summer-snake
File name: 3ee418ea0a0c03ad9dbda58da28dabe1.exe
Signature: RedLineStealer
File size: 370'176 bytes
First seen: 2021-11-09 09:01:21 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c8725b7ab8753c936cc4c98a181b2488 (11 x RaccoonStealer, 8 x RedLineStealer, 1 x Smoke Loader)
ssdeep: 6144:GmH9a26wWHowmlMnbK+KkD1N76aKbfkjdnX/jVAfVbwLG8LC1uzbgwu6QigabwVf:7da2vWlmi2+KYTKb8jd7VAGq1unn5
Threatray: 2'867 similar samples on MalwareBazaar
TLSH: T1BD74DF3176E89834E5A31E308921CAED4B7BB8115970A10BE750679E1FF3F9C46E271E
dhash icon: fcfcd4d4d4d4d8c8 (18 x RedLineStealer, 6 x ArkeiStealer, 5 x RaccoonStealer)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
185.183.32.184:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
185.183.32.184:80 | https://threatfox.abuse.ch/ioc/245195/

Intelligence

File Origin
# of uploads: 1
# of downloads: 116
Origin country: n/a

Vendor Threat Intelligence

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware lockbit packed

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family: Generic Malware
Verdict: Malicious

Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 96 / 100
Signature
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour

Threat name: Win32.Trojan.Fragtor
Status: Malicious
First seen: 2021-11-09 04:01:46 UTC
AV detection: 20 of 28 (71.43%)
Threat level: 5/5

Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:1132044836 discovery infostealer spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction: 185.183.32.184:80
Unpacked files
SHA256 hash | MD5 hash | SHA1 hash
9c6341b148ac2906f5c468d3932d5df78a8e08065a90a3598f3479aa459efed2 | e622241b33225aae0481873b413fc903 | daf8a3224ba1cf5574f7f0136d1ecbbd12e6eb00
dab99fbee62e856c3f80521da9022887a2ae33d824212b6b8154dd441775d2c2 | 0733742afbdf09682d9a02de47ae699b | 6902bcd64f4cba3d0f8eff816ab2a2bbeeb916f8
b530575b72400c2e1234035e06f23b71cbda53c846cf66d13eeffaf5b53fc854 | dde07eaa7dec57b2b69b3bf17c7bbf97 | 224b8ef1870a054fe22930aa4fd85334017d35d6
125abd4f9c09ed884f83cebf8181ab9a073a8a3545b2aa09c8c0ac958ed78b28 | 3ee418ea0a0c03ad9dbda58da28dabe1 | f77f75febd340c9d7ead94af4b614b3743253bbb

Malware family:
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method | Family | File type | SHA256 hash
Web download | RedLineStealer | Executable exe | 125abd4f9c09ed884f83cebf8181ab9a073a8a3545b2aa09c8c0ac958ed78b28 (this sample)

Delivery method: Distributed via web download

Comments