MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1447cb2dad9989ba635245dfda43e0522966633c03f65299bfcbf572f2d0020e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 9

Intelligence 9 IOCs YARA 1 File information Comments

SHA256 hash:	1447cb2dad9989ba635245dfda43e0522966633c03f65299bfcbf572f2d0020e
SHA3-384 hash:	c099ebb58660cc887c0a1a19edbfbddbea949ac89d0383d1bc1b1d4ff072538093fcbbef35c716d9fb6f0124cab57842
SHA1 hash:	0afbdea35127c716a524d1129e354fe654e5e054
MD5 hash:	32709b2638fe8de096272849a3a3c4bb
humanhash:	potato-magnesium-cup-texas
File name:	32709b2638fe8de096272849a3a3c4bb.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	232'448 bytes
First seen:	2021-09-23 12:54:56 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f7987bf55fcab080da60dcb9686a7f63 (9 x RedLineStealer, 3 x RaccoonStealer, 2 x Tofsee)
ssdeep	6144:azBfsEFkPzmTqPl5Wm+V1TJO3O/1NkHD:azhsEEmTqPl5WPV4+QD
Threatray	2'135 similar samples on MalwareBazaar
TLSH	T1EC34E0717AA1C43FE7E36674C970C7E4663BB5637B70808A76440BAE1E613A0D96D313
File icon (PE):
dhash icon	1072c293b0381906 (17 x RedLineStealer, 5 x Stop, 4 x DanaBot)
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

122

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/190758/

Detection(s):

SecuriteInfo.com.Trojan.Win32.Save.a.27500.13099.UNOFFICIAL

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/33a61373-06ae-4031-9757-eafc5e397a09

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/856717

Signature

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1447cb2dad9989ba635245dfda43e0522966633c03f65299bfcbf572f2d0020e/

Threat name:

Win32.Trojan.Racealer

Status:

Malicious

First seen:

2021-09-23 12:55:12 UTC

AV detection:

18 of 28 (64.29%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=crd4wlnntge3uy2sixp5uq7akiuwmyz4ap3ffgn7zp2xf4wqaiha._file

Verdict:

malicious

RedLineStealer

121b446992182d929ea152429527662252f30e2a3ee15468a50015760c7c4f0e

RedLineStealer

1d91ab82e01d7682deecbeef7b441f26e405c0053e0354e92fdb5cfe61b097b0

RedLineStealer

24bb15d093025a935e0de62e850056aea484990c713517cd53de6696b5e9db52

RedLineStealer

5b094e96a4340aa3f6cecc2ec4cab35444b8e10013e4d870d02e0362f54a8af7

RedLineStealer

8832cf1dd4faca7dbfad5d6629a6a5e6feab4e15f97655179f91283283a4d51e

RedLineStealer

9f154115fa8045aa05f15f7cd1de9623ebe32e8ea400279ecb5dfa3596952e3b

RedLineStealer

a24441968ca077c1815b1b038292951ceeb8346bea45d63f87360354be9b6c8f

RedLineStealer

cd517a0b8edbf878a10147ece991468cd24a8e8dc17ad7afa098c82894a7ee63

RedLineStealer

+ 2'125 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:paladin discovery infostealer spyware stealer

Link:

https://tria.ge/reports/210923-p5t1haeec8/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

188.124.36.242:25802

Unpacked files

SH256 hash:

e9905446c858326e8f0fe12f6df777542180608381f1ccae4bda9a8356b04abc

MD5 hash:

74200bd872e0b3d75b1d85332c3be083

SHA1 hash:

78a644acda865dbf7db531e02f25a452337c789c

Link:

https://www.unpac.me/results/65d8ea6c-91ad-4c4b-816a-a1ae19f67068/

SH256 hash:

3acbb58ac3b5a60432bddf39ae7fde7eb83d8f294b920ee6c650dfd627603875

MD5 hash:

a217837fb37dec1ca8dba528b8c71c6a

SHA1 hash:

3e890e7a33a94919212100e6267aee771792d58d

Link:

https://www.unpac.me/results/65d8ea6c-91ad-4c4b-816a-a1ae19f67068/

SH256 hash:

0e2b2a949f5b38e59b8b0fed9bc16e95e6253e6badef7dddefabf3488d757eec

MD5 hash:

ea7b364183ffab0676748bb491509d76

SHA1 hash:

24dbe7482d4ed0c5607f35722452908e8a965bbc

Link:

https://www.unpac.me/results/65d8ea6c-91ad-4c4b-816a-a1ae19f67068/

SH256 hash:

1447cb2dad9989ba635245dfda43e0522966633c03f65299bfcbf572f2d0020e

MD5 hash:

32709b2638fe8de096272849a3a3c4bb

SHA1 hash:

0afbdea35127c716a524d1129e354fe654e5e054

Link:

https://www.unpac.me/results/65d8ea6c-91ad-4c4b-816a-a1ae19f67068/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1447cb2dad9989ba635245dfda43e0522966633c03f65299bfcbf572f2d0020e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.