MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 16dbdb3363f27163fa3d862ed38a1f2e69f654f9116907004fe351840861d055. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 9

Intelligence 9 IOCs 1 YARA File information Comments

SHA256 hash:	16dbdb3363f27163fa3d862ed38a1f2e69f654f9116907004fe351840861d055
SHA3-384 hash:	f01977ad26ff432b2a1294a4e308f3c28c2d7f4bcc49b3a510cf47dcc9cdf2f40cf661f6763e6fce53c0809b08c082e7
SHA1 hash:	df2b44503905927d560cc4fc5215e3c6fc900177
MD5 hash:	7110ac78a317961aab57b05e34f6e283
humanhash:	oranges-april-fourteen-muppet
File name:	16dbdb3363f27163fa3d862ed38a1f2e69f654f911690.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	4'421'120 bytes
First seen:	2021-11-16 13:56:42 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e48cc266501c282987b27f2c1f654e2d (52 x RedLineStealer, 3 x RaccoonStealer)
ssdeep	98304:aGsy3ugjxnTvPkfTdZnc9S5pV1gcBqWwEn9AuSnHt0HApeUK:r+QxnTH+TdZcM5pVCsRYN4ApeX
TLSH	T19726336F7905ADA7C12BFBB41223549317A91188848E76CBCC6B3AA71D87478414F3FE
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
92.119.113.176:1291

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
92.119.113.176:1291	https://threatfox.abuse.ch/ioc/249682/

Intelligence

File Origin

# of uploads :

# of downloads :

109

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/206479/

Detection(s):

PUA.Win.Packer.Asprotect-3

Win.Trojan.Generic-9907417-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending a UDP request

Launching a process

Launching the default Windows debugger (dwwin.exe)

Connection attempt

Sending a custom TCP request

Creating a window

Using the Windows Management Instrumentation requests

Reading critical registry keys

Sending an HTTP GET request

Creating a file in the %temp% directory

Creating a process from a recently created file

Creating a file

Running batch commands

Creating a process with a hidden window

Creating a file in the Windows directory

Creating a service

Launching a service

Deleting a recently created file

Stealing user critical data

Launching the process to interact with network services

Enabling autorun for a service

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6193b8b043e8f62b6695666b/reports/f389d462-deef-44c2-bf19-5d8012556b79/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/c4ce165e-1dda-45f0-812b-64a250b6a931

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/890421

Signature

Allocates memory in foreign processes

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file has nameless sections

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/16dbdb3363f27163fa3d862ed38a1f2e69f654f9116907004fe351840861d055/

Threat name:

Win32.Trojan.AsprotectAGen

Status:

Malicious

First seen:

2021-11-16 13:57:05 UTC

AV detection:

21 of 27 (77.78%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=c3n5wm3d6jywh6r5qyxnhcq7fzu7mvhzcfuqoacp4niyicdb2bkq._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/211116-q89e2abafr/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Unpacked files

SH256 hash:

53bce2dac7ceb6790bcb2c7e15f0f2d0a540ccefc08993b0580654c16fa56567

MD5 hash:

9aceb3f3823436ddd387cde1246e5e98

SHA1 hash:

bec3f278b777b301cfa5b5ed835db0ebfcacb864

Link:

https://www.unpac.me/results/e0b1829e-5832-426c-8219-b0730eefa19c/

SH256 hash:

16dbdb3363f27163fa3d862ed38a1f2e69f654f9116907004fe351840861d055

MD5 hash:

7110ac78a317961aab57b05e34f6e283

SHA1 hash:

df2b44503905927d560cc4fc5215e3c6fc900177

Link:

https://www.unpac.me/results/e0b1829e-5832-426c-8219-b0730eefa19c/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/16dbdb3363f2/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/16dbdb3363f27163fa3d862ed38a1f2e69f654f9116907004fe351840861d055

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/206479/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample