MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1576f4c2f31463121911c10c5bdfbe676eed69c510718d422ba2d2f0550b0012. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1576f4c2f31463121911c10c5bdfbe676eed69c510718d422ba2d2f0550b0012
SHA3-384 hash: 73a28a789d2e47ad8cb89cfb545ae983dc109c1bfff1dd2311d6c6f5bdf8649d7bb28ae3cfa82f89ebaa9df8f9a1c71d
SHA1 hash: c3e8b24428814bb6b3ca49f19e751540713215a8
MD5 hash: ca44e8e580c74216a7b0e00d7a6e2e20
humanhash: seventeen-neptune-maine-uniform
File name:ca44e8e580c74216a7b0e00d7a6e2e20.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'882'552 bytes
First seen:2022-05-22 05:15:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 37a87ba4c777dcd1db50684f6b029f1b (13 x RedLineStealer, 2 x ArkeiStealer, 1 x CoinMiner)
ssdeep 49152:8khNAbY4r4j71qjlYR8EIrLcpEMpTr5a3rbvvUIwGolJ6/qkJU5yXfJy1UeqSO8m:8khNAbY4r4jxqjGRJmgpEMpTr5a3rbvT
Threatray 184 similar samples on MalwareBazaar
TLSH T155959D7783A1215FE2967830C12EBB61A07117316E0F7AA767446AED9F3F1D0D621B83
TrID 28.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
25.5% (.EXE) Win32 Executable (generic) (4505/5/1)
11.7% (.EXE) Win16/32 Executable Delphi generic (2072/23)
11.4% (.EXE) OS/2 Executable (generic) (2029/13)
11.3% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
193.106.191.16:28958

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
193.106.191.16:28958 https://threatfox.abuse.ch/ioc/621028/

Intelligence

File Origin
# of uploads :
1
# of downloads :
335
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
ca44e8e580c74216a7b0e00d7a6e2e20.exe
Verdict:
Malicious activity
Analysis date:
2022-05-22 05:17:27 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/2185968f-27e7-4824-bf2d-fede127ac047

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/273385/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Reading critical registry keys
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Searching for the window
Launching a process
Creating a window
Sending a custom TCP request
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/19494/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe greyware overlay packed redline syrk wacatac
Link:
https://www.filescan.io/uploads/6289c713054dcf0ecadbb0be/reports/6fa23dea-04ea-4c3a-b443-64425875fb48/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/07810ec2-9bd5-4ee3-a01c-ec5e79d9d01a
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/999246
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1576f4c2f31463121911c10c5bdfbe676eed69c510718d422ba2d2f0550b0012/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Suspicious
First seen:
2022-05-18 10:01:36 UTC
File Type:
PE (Exe)
AV detection:
28 of 40 (70.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cv3pjqxtcrrregiryegfxx56m5xo22ofcbyy2qrluljpavilaaja._file
Verdict:
malicious
Similar samples:
5b92d1d8c1df0cc42591bc05cb62331a28f54e3566c708a8fd13b00cb76881c2
RedLineStealer
6e5c9c412179a461e72c92c7761980a9b85f7eb09a36157bf2d4fecdf673887d
RedLineStealer
7d9e22e88f7b5abf22553dfc438d8f40e17c33e8fc9fb0141f25eaaba8ebca6e
RedLineStealer
8dff78ac919fb32a7153abdd3ef9ae3aed5f0e1a65a6362f61d9e3dc90365232
RedLineStealer
afac7896cf21983233c533eeaec870610856969d98218b0ffdfa11c6f57a8420
RedLineStealer
e3387d3f62414fb262da20e54d5775a647443b88cd8a0e738cdc488b95477d4e
RedLineStealer
e69716b0ea13b412bf6e3ac4f9a0bca987d99788f9d20cedd8fcacee0a7c3f38
RedLineStealer
e97c06fddcb4bc7c94855da7044d64d45f3b9eba58e58a79b75f0bb57629a194
RedLineStealer
+ 174 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:redline family:xmrig infostealer miner persistence spyware stealer upx
Link:
https://tria.ge/reports/220522-fx5btsagdr/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
XMRig Miner Payload
RedLine
RedLine Payload
xmrig
Malware Config
C2 Extraction:
193.106.191.16:28958
Unpacked files
SH256 hash:
80ffc8ac77cdd1367190a11c943594fbc04d2dd7730163c456ba2e2f11d9134c
MD5 hash:
563ccb9aee58397358ab318456e53644
SHA1 hash:
da84ab14452778ef7381a8c49dd889a966e8920a
Link:
https://www.unpac.me/results/986d7d0a-d332-4ed0-8db7-dd5f35f79a6e/
SH256 hash:
1576f4c2f31463121911c10c5bdfbe676eed69c510718d422ba2d2f0550b0012
MD5 hash:
ca44e8e580c74216a7b0e00d7a6e2e20
SHA1 hash:
c3e8b24428814bb6b3ca49f19e751540713215a8
Link:
https://www.unpac.me/results/986d7d0a-d332-4ed0-8db7-dd5f35f79a6e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1576f4c2f31463121911c10c5bdfbe676eed69c510718d422ba2d2f0550b0012

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Redline_Stealer_Monitor
Create hunting rule
Description:Detects RedLine Stealer Variants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/273385/

Comments