MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 12dd9be4130d2815e1996e2179b5e0af874bc1bca280b455f17ff96aace7293c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 12dd9be4130d2815e1996e2179b5e0af874bc1bca280b455f17ff96aace7293c
SHA3-384 hash: fb005748d3a0e2ef7fac2c734bb7ffe006f26edb1d53c1955acbbff16c13f087a28a919776ab51ddb3ee00b2299d7843
SHA1 hash: 69fd005c7f4da455cc16198c308c02597aeed475
MD5 hash: fb89d57447db2445a18842b156ede54a
humanhash: moon-purple-king-fifteen
File name:fb89d57447db2445a18842b156ede54a
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'666'048 bytes
First seen:2022-03-30 21:12:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 445554923421947cbff896012e27345a (301 x RedLineStealer, 11 x RaccoonStealer, 5 x CoinMiner)
ssdeep 49152:nIzcUX6VdGo3fr+K0qjrXfvi4ZS3DClp2NaoS:nIIE6+o3frkiviES3D0U5S
TLSH T1887533A3442ACF24DB86E6B2E707B3699A6FD2D1B116613B79500CC3FBD8D11B28CD41
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
237
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://37.120.222.60/mysite/catimages/239.exe
Verdict:
No threats detected
Analysis date:
2022-03-31 10:00:35 UTC
Tags:
opendir loader
Link:
https://app.any.run/tasks/b5f9b5de-f953-4be9-bb7a-b0172147f85e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/259843/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Creating a file
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed racealer virus wacatac
Link:
https://www.filescan.io/uploads/6244c7de1f204239485685e8/reports/e9d39ee9-89dc-4765-bb06-e45c5cafd15b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dd892151-8249-401f-90eb-d33a7bf3a70d
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/967917
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/12dd9be4130d2815e1996e2179b5e0af874bc1bca280b455f17ff96aace7293c/
Threat name:
Win32.Trojan.Racealer
Create hunting rule
Status:
Malicious
First seen:
2022-03-30 01:03:04 UTC
File Type:
PE (Exe)
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:1 evasion infostealer spyware trojan
Link:
https://tria.ge/reports/220330-z2p79adebq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
Checks BIOS information in registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RedLine
RedLine Payload
Malware Config
C2 Extraction:
116.202.11.19:24855
Unpacked files
SH256 hash:
708666f6ce885df0a8555bef003e86f85c4029405d9cb38c96b768e13be017a6
MD5 hash:
f54627b7c1e0fe806fcbba7256d32093
SHA1 hash:
4ea38ede27a8334acd844c29c6e2e2cd8c2f4cf3
Link:
https://www.unpac.me/results/26f3e82a-d014-4cab-91b5-a0529efe145a/
SH256 hash:
b2232b2515d166afac6f78495d45cb31d1ff7695bf9872a5debc63b13d7c4123
MD5 hash:
114f4d6cc2233fc85c34eae4a79bd9e6
SHA1 hash:
b0d82b8bd2673662e085253fb4aa05ea453ccafc
Link:
https://www.unpac.me/results/26f3e82a-d014-4cab-91b5-a0529efe145a/
SH256 hash:
12dd9be4130d2815e1996e2179b5e0af874bc1bca280b455f17ff96aace7293c
MD5 hash:
fb89d57447db2445a18842b156ede54a
SHA1 hash:
69fd005c7f4da455cc16198c308c02597aeed475
Link:
https://www.unpac.me/results/26f3e82a-d014-4cab-91b5-a0529efe145a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/12dd9be4130d2815e1996e2179b5e0af874bc1bca280b455f17ff96aace7293c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 12dd9be4130d2815e1996e2179b5e0af874bc1bca280b455f17ff96aace7293c

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2123254/
Cape
Cape
https://www.capesandbox.com/analysis/259843/

Comments


Avatar
zbet commented on 2022-03-30 21:12:26 UTC

url : hxxp://37.120.222.60/mysite/catimages/239.exe