MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 162a370d13beddcabc22b041e488b05a53e6eb44cb571fda3b5e276b330d28d3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs 1 YARA 4 File information Comments

SHA256 hash:	162a370d13beddcabc22b041e488b05a53e6eb44cb571fda3b5e276b330d28d3
SHA3-384 hash:	4a04c53d1335dbb46d435b9fc04613783fbfcf94ec8e181d6e7bd3c3a13a6f61622eae64684a2f81bf7f1dd3e1f2bcd7
SHA1 hash:	aaf33b7a1b9df07339e50d1fb34120dbcf2e1010
MD5 hash:	28efe09f50608b4fd62b4cfe7c95f2e4
humanhash:	romeo-utah-fifteen-vermont
File name:	28efe09f50608b4fd62b4cfe7c95f2e4.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	683'984 bytes
First seen:	2022-01-16 19:31:41 UTC
Last seen:	2022-01-16 21:43:52 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	d123a69e1a76a1d4c228975990208112 (4 x RedLineStealer, 1 x TVRat, 1 x ArkeiStealer)
ssdeep	12288:XfqiW7cjltqSt/QL9I2+zlJfK3MlDiRTzvBX9/oat6fnyabuQy7S68Xerm:Pn2Kpt/MExped5X9/qJbdMb8Xerm
Threatray	2'103 similar samples on MalwareBazaar
TLSH	T130E423A9FBDC0EABDD003232549BBB0237B5F29287B39793B065436A7C33741AE44595
File icon (PE):
dhash icon	78996869d4dadae0 (3 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
92.38.241.101:36778

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
92.38.241.101:36778	https://threatfox.abuse.ch/ioc/295763/

Intelligence

File Origin

# of uploads :

# of downloads :

270

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

28efe09f50608b4fd62b4cfe7c95f2e4.exe

Verdict:

Malicious activity

Analysis date:

2022-01-16 19:35:50 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/6bb977eb-a9a2-4fe5-b11c-358315f4c3d0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/219643/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Stealer.31811.31150.12684.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Creating a window

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Stealing user critical data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-debug greyware overlay packed

Link:

https://www.filescan.io/uploads/61e472b81883c5ba4ed4ebb7/reports/55abb53c-9774-4a52-a730-e356239e850c/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7fbff40c-5446-4485-89a4-3fbc2bda3829

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/921444

Signature

Antivirus detection for URL or domain

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

PE file has nameless sections

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to evade analysis by execution special instruction which cause usermode exception

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Gathering data

Threat name:

Win32.Infostealer.RedLine

Status:

Malicious

First seen:

2022-01-14 15:12:32 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

30 of 43 (69.77%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=cyvdoditx3o4vpbcwba6jcfqljj6n22eznlr7wr3lytwwmynfdjq._file

Verdict:

malicious

Label(s):

ryuk

RedLineStealer

190f4fb1b115015c5953c32d83b90e4574b371611ca78f6d37f6c0839b7be9b5

RedLineStealer

2988763ce776fb8a9c79a2565384a30744cccd114cde7ee49b71965396f41bc7

RedLineStealer

2cc3cdf16a17e24f338f93481d25e9082bf062a65303686b8521466aea5de780

RedLineStealer

4fe1cb64f16f7fa987407a906a4319520972f5a8f5749e3b071a831825559a45

RedLineStealer

530e0002c120d13962f54641655060f420625a3ee39b740dac62a644bda96ede

RedLineStealer

98b744289399d40bee96ceada3e8a187627ca9d09e4815078b83762ae78cedfb

RedLineStealer

aa3abbd93819a58f0612b60cf1cfcc3a296e10d1b776555b8a3f967608b00f06

RedLineStealer

+ 2'093 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery spyware stealer

Link:

https://tria.ge/reports/220116-x8zddsgcej/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

5aeb681ff5c53fb36b95c68a0237402c17eb7443f7e11adb982ac2ab140d992f

MD5 hash:

1b3bdcb4a02fc6ca7076f0d09c6c3280

SHA1 hash:

f960db6c37cbd7a8da72c7dae289137a7737aaec

Link:

https://www.unpac.me/results/4ace4491-5f0f-45d9-a784-9d48ee8d1650/

SH256 hash:

4910d072a8401f6dc39dc0273f8f7ac4d57900efe3971534c42a9f475c47187c

MD5 hash:

9939d3a0af9eabfb608172ae6b7d04b7

SHA1 hash:

d20054fe7a290397a569dd6618690e5efb83cdeb

Link:

https://www.unpac.me/results/4ace4491-5f0f-45d9-a784-9d48ee8d1650/

SH256 hash:

64f37fe33612bebbc7168e46ebf87a82cbae0d3d63dde9a90e1c86754dca3efe

MD5 hash:

238d023b941a0538723746ca814c1ea2

SHA1 hash:

e2707f02843231dc361d1d6a2d349651f13a4dfb

Link:

https://www.unpac.me/results/4ace4491-5f0f-45d9-a784-9d48ee8d1650/

SH256 hash:

162a370d13beddcabc22b041e488b05a53e6eb44cb571fda3b5e276b330d28d3

MD5 hash:

28efe09f50608b4fd62b4cfe7c95f2e4

SHA1 hash:

aaf33b7a1b9df07339e50d1fb34120dbcf2e1010

Link:

https://www.unpac.me/results/4ace4491-5f0f-45d9-a784-9d48ee8d1650/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/162a370d13beddcabc22b041e488b05a53e6eb44cb571fda3b5e276b330d28d3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	quakbot_halo_generated Create hunting rule
Author:	Halogen Generated Rule, Corsin Camichel

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/219643/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample