MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1733a30d0e7acb953730092047086555a39f5cb2ee2549021e253cbdc931fb91. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 1 File information Comments

SHA256 hash:	1733a30d0e7acb953730092047086555a39f5cb2ee2549021e253cbdc931fb91
SHA3-384 hash:	73e16b985c84694a626fd800a72029c8c63786d7f9e2e7ab45ee4e6c09721df273a8d3932ae6b679f9fcc31710328da4
SHA1 hash:	3864724e9136d3090cd2e7afa5ae4a348e07e0e4
MD5 hash:	a6602f490e70a0c9846906944c01b1ba
humanhash:	nuts-fruit-gee-cola
File name:	SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.25862
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	219'136 bytes
First seen:	2021-02-23 16:02:02 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	bf5a4aa99e5b160f8521cadd6bfe73b8 (432 x RedLineStealer, 31 x AgentTesla, 12 x DCRat)
ssdeep	3072:2DKW1LgppLRHMY0TBfJvjcTp5X1aRIPZJxxJXa6sQ8ksg4oNWfl:2DKW1Lgbdl0TBBvjc/OWA4Vsg4td
Threatray	362 similar samples on MalwareBazaar
TLSH	9424BE1171C1C2B2C4BB113145E6CB799A797032077A96E7B7DD1BBA6E203E1A3352CE
Reporter	SecuriteInfoCom
Tags:	RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/118707/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Siggen2.61624.27953.25862.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Sending an HTTP POST request

DNS request

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Creating a window

Creating a file in the %temp% directory

Deleting a recently created file

Reading critical registry keys

Creating a file

Stealing user critical data

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/615679

Signature

Antivirus / Scanner detection for submitted sample

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Uses known network protocols on non-standard ports

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

redlinestealer

Link:

https://mwdb.cert.pl/sample/1733a30d0e7acb953730092047086555a39f5cb2ee2549021e253cbdc931fb91/

Threat name:

Win32.Trojan.Dopping

Status:

Malicious

First seen:

2021-02-13 04:42:20 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=c4z2gdioplfzknzqbeqeocdfkwrz6xfs5ysusaq6eu6l3sjr7oiq._file

Verdict:

malicious

RedLineStealer

2ec7c847f0688dff3229c676bb15e88e1c576bcb67157341887ffc3a20375190

RedLineStealer

475fb56e0d04331b71ef82cd98e61b377a8ece08a57345f18806fd367718bbc2

RedLineStealer

4b6db0ab009cf8babc3d2f5390b8dba1ae7367c24cb0988dd96d04a4b25a2b4a

RedLineStealer

58472769f4701ccaef3d6cb6e32317f49a680dfaf1dc7ac1e8de76a02b41c7f3

RedLineStealer

823ac795c82f035c86b71f68c8e77eea1ef916c77502d78fc2081d3fd660cde0

RedLineStealer

b42b33ffa4b45bc81b71f13d89dc1283b155204913aa8362e99e9aa44366bfb2

RedLineStealer

b4711ee19363ec125911ae1356714720a9d9b463848b1044d08d56977cb960db

RedLineStealer

c4e42ebfd487b325ece4f09d75687c96e252aa8559f8a8daad6336dc39ee5424

RedLineStealer

f4c347b4a344291c7e62fc77734b3e403358723874f7460ea4e2a6f2c3659b48

RedLineStealer

+ 352 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline discovery infostealer spyware

Link:

https://tria.ge/reports/210223-67lxffyek6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Unpacked files

SH256 hash:

7f6f2cbf32ac2f3f1bb576d7931ede7f7500bcf299acd44d50d0a1ae4101bcae

MD5 hash:

f6105f8ed902047ab9f22d2c8c4dd1ca

SHA1 hash:

02abf17f9fe1462ec7ae38ade5bf9b4d7617f08b

Link:

https://www.unpac.me/results/674b3970-e4af-4451-baea-15ba54ae7315/

SH256 hash:

7363dd84eb3b1907ae9467eb250cfa98df987d9f38e747f7dcd2de9467bf349e

MD5 hash:

7659240ca59644e85b1180f1ef3e63da

SHA1 hash:

bdec72bfe099de54e87cf12f86b9d1b1c692a376

Link:

https://www.unpac.me/results/674b3970-e4af-4451-baea-15ba54ae7315/

SH256 hash:

1733a30d0e7acb953730092047086555a39f5cb2ee2549021e253cbdc931fb91

MD5 hash:

a6602f490e70a0c9846906944c01b1ba

SHA1 hash:

3864724e9136d3090cd2e7afa5ae4a348e07e0e4

Link:

https://www.unpac.me/results/674b3970-e4af-4451-baea-15ba54ae7315/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1733a30d0e7acb953730092047086555a39f5cb2ee2549021e253cbdc931fb91

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.