MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 131ee99afd92973afbf840c3c40dca30629c2d2fe05d6e26d6a34e7af65b8d68. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 3 File information Comments

SHA256 hash:	131ee99afd92973afbf840c3c40dca30629c2d2fe05d6e26d6a34e7af65b8d68
SHA3-384 hash:	e393c8d1bfd2adcd445d97e15a75d5883ce723d1a7361cc3f6272b738d3364cb6f69b8c2facfa001555980511ad03794
SHA1 hash:	9a24fc1c9c92ed490552a7856df452078eb3c9da
MD5 hash:	8ab2ccb657213da6ebdb91a78232fb2d
humanhash:	romeo-princess-arkansas-arkansas
File name:	131ee99afd92973afbf840c3c40dca30629c2d2fe05d6.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	953'344 bytes
First seen:	2022-03-08 23:26:34 UTC
Last seen:	2022-03-09 00:48:56 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	445554923421947cbff896012e27345a (301 x RedLineStealer, 11 x RaccoonStealer, 5 x CoinMiner)
ssdeep	24576:Kz3iPKCunxuKY9JifZfgelQoJQZkEaHNYK3S+K5Dyox5H:hY0K/G0QooNaY+M1H
Threatray	1'614 similar samples on MalwareBazaar
TLSH	T14E15339F926EBA07D2CE6B789F243A5B119CB40DC4DED434E2068728BF7E845F41A50D
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
2.56.56.116:5766

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
2.56.56.116:5766	https://threatfox.abuse.ch/ioc/393128/

Intelligence

File Origin

# of uploads :

# of downloads :

282

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/248515/

Detection(s):

PUA.Win.Packer.Asprotect-3

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Using the Windows Management Instrumentation requests

Creating a window

Sending a TCP request to an infection source

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6227e649b94fb38cb441e9ef/reports/cd5c634d-14d3-4c84-8179-d2c7c91921c7/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7216b179-b5b0-4079-affa-9832ecd8386b

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/953047

Signature

Allocates memory in foreign processes

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

PE file has nameless sections

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/131ee99afd92973afbf840c3c40dca30629c2d2fe05d6e26d6a34e7af65b8d68/

Threat name:

Win32.Packed.Generic

Status:

Suspicious

First seen:

2022-03-08 23:27:12 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 27 (74.07%)

Threat level:

1/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=cmpotgx5skltv67yidb4idokgbrjyljp4bow4jwwunhhv5s3rvua._file

Verdict:

malicious

RedLineStealer

1635567f96d69d53a64c49fb4a8cb5d65663d545f4ae4ea7c6465b49e4c297f4

RedLineStealer

5013372389580672743ad71d9ec522caa057a4f7863ae8fc460ebba005121fd8

RedLineStealer

59131e55898be4de6efa846f46a69f71e7ab941e6b0e3f6fc01b80693d68ea44

RedLineStealer

5b54867f600777e8cec30c3386a3d42f08da4e1a3a4e636f135e25e2d9850603

RedLineStealer

7605a5d355941ddf465272bd31583c254584b65b230c0fe7a93b8f887c5af3aa

RedLineStealer

7fa24025283e6b745f20c81e15a8cdb866905fb079579b71efd9e659398cb574

RedLineStealer

932fda59abbce6378d0637c359b61b0747c9602e2e87d3105bb49ad745ed382e

RedLineStealer

b63ab3c3d30931c5c5297641b70cd011151334a03151287e57d7b6d7a32ba457

RedLineStealer

dd496554f084af7bdd9c216bdb8718cd3de154d804b8955f4894c0954dad266c

RedLineStealer

+ 1'604 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/220308-3feq6sbfc3/

Behaviour

Program crash

Unpacked files

SH256 hash:

ec8708a9cef56e7a283e57d09803089176bddf937bfd637e79a62ce3dbefb5d8

MD5 hash:

8f1c0b08d37e8cbc18f20b45e0d805a9

SHA1 hash:

64d9293571a80d29cc43b78ddcf9f3fb7ba01c33

Link:

https://www.unpac.me/results/ab7bda32-5350-47f6-a148-d15c3ad6ca12/

SH256 hash:

b35b01c5262e1c9908ab9971d340cc8a8fc1fb14ed97228b40caf98cad844d9c

MD5 hash:

97abe51c5d5e902f28af3c84841e8847

SHA1 hash:

d27688e9a14f9efbfabc1f9c3b27478cd674bc9e

Link:

https://www.unpac.me/results/ab7bda32-5350-47f6-a148-d15c3ad6ca12/

SH256 hash:

131ee99afd92973afbf840c3c40dca30629c2d2fe05d6e26d6a34e7af65b8d68

MD5 hash:

8ab2ccb657213da6ebdb91a78232fb2d

SHA1 hash:

9a24fc1c9c92ed490552a7856df452078eb3c9da

Link:

https://www.unpac.me/results/ab7bda32-5350-47f6-a148-d15c3ad6ca12/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/131ee99afd92/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/131ee99afd92973afbf840c3c40dca30629c2d2fe05d6e26d6a34e7af65b8d68

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/248515/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample