MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 16135392fa487e9de9d1d7ea95827622f885194648b0dde998d96878f20258dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs 1 YARA File information Comments

SHA256 hash:	16135392fa487e9de9d1d7ea95827622f885194648b0dde998d96878f20258dc
SHA3-384 hash:	1bd9850d86827475288c05be8a29eda645c6d3495304c055cdb5e273661c8a144aa11dc28241f0c159dcf4383375a4d8
SHA1 hash:	0c1545bb48e5ae5b6c9b635d06f324ccbe8bfbb1
MD5 hash:	b19c47706166960800c20d9a8b123e44
humanhash:	muppet-fish-video-charlie
File name:	b19c47706166960800c20d9a8b123e44.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	400'896 bytes
First seen:	2021-11-08 08:55:39 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	d65fd1d21865226dce1f880ff10ff6f8 (9 x RedLineStealer)
ssdeep	6144:GCAWROLNYIgx93C9CMciA4iIB6KogFKzE5LSduzbgwu6L7ITsqSigaTwVf:/AWROTc9tIBqOlSdunnn7s
TLSH	T13D84CFF176A9C834E1532E308C6D8AE11A3BB852D9206146B2346F5F1AF3BDC55F1B1E
File icon (PE):
dhash icon	fcfcb4f4d4d4d8c0 (19 x RedLineStealer, 16 x RaccoonStealer, 14 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
185.215.113.29:1102

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
185.215.113.29:1102	https://threatfox.abuse.ch/ioc/244872/

Intelligence

File Origin

# of uploads :

# of downloads :

114

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/203204/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware1.1040.19894.UNOFFICIAL

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/6188e6252084b424af0f534e/reports/d15a4f91-63de-4acb-b036-a85e0c449b3a/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/99a724bc-d7cd-4878-855a-d5dd6f7da62e

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/885098

Signature

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/16135392fa487e9de9d1d7ea95827622f885194648b0dde998d96878f20258dc/

Threat name:

Win32.Spyware.Convagent

Status:

Malicious

First seen:

2021-11-08 08:56:06 UTC

AV detection:

18 of 45 (40.00%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=cyjvhex2jb7j32or27vjlatwel4ikgkgjcyn32my3fuhr4qcldoa._file

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:sewpalpadin discovery infostealer spyware stealer

Link:

https://tria.ge/reports/211108-kv19lsggfr/

Behaviour

Suspicious use of AdjustPrivilegeToken

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

185.215.113.29:1102

Unpacked files

SH256 hash:

4f945b3df6be970ecde7cbab5f7cc47f47f71513b41c2e5f7dd9a6a1bacc74cf

MD5 hash:

7b95f76574d40932b2bff122f425bdf0

SHA1 hash:

d9ac7784a6b5a2d92ae7e55f2d07ea0b7353ea45

Link:

https://www.unpac.me/results/28389724-b01c-43be-8709-a9da7b8f2c83/

SH256 hash:

67a214ca514a123b181d0578b3b5563458ff0cf72c37345ccc361be33fe8ab35

MD5 hash:

953de33962656db478be2b12101018d4

SHA1 hash:

c1b168c3286cf1ee6ba06c2684e55e43aacc43f0

Link:

https://www.unpac.me/results/28389724-b01c-43be-8709-a9da7b8f2c83/

SH256 hash:

bfa7d2965044aa9b9badef2693dc6f7400952d4b00f506445463b9a5479acc99

MD5 hash:

4f5bba39068f1963fe555c8ce5e1647b

SHA1 hash:

38d5ba55954ca815776c049aa64d4a702a9fdc5f

Link:

https://www.unpac.me/results/28389724-b01c-43be-8709-a9da7b8f2c83/

SH256 hash:

16135392fa487e9de9d1d7ea95827622f885194648b0dde998d96878f20258dc

MD5 hash:

b19c47706166960800c20d9a8b123e44

SHA1 hash:

0c1545bb48e5ae5b6c9b635d06f324ccbe8bfbb1

Link:

https://www.unpac.me/results/28389724-b01c-43be-8709-a9da7b8f2c83/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/16135392fa48/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/16135392fa487e9de9d1d7ea95827622f885194648b0dde998d96878f20258dc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

exe 16135392fa487e9de9d1d7ea95827622f885194648b0dde998d96878f20258dc

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1761749/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/203204/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample