MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 195f3b2557f24fa86f7d0aa9269bd6903922ce672964864a898daa44cc5f9600. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 195f3b2557f24fa86f7d0aa9269bd6903922ce672964864a898daa44cc5f9600
SHA3-384 hash: d8369ff81daaafa240d44b37eb59583e213e1e30c8d10942e481e035327872777c2fcdf5b92181790c681870e05539d3
SHA1 hash: 911683a953f31b7ce6f0961083af658d76f6735c
MD5 hash: a66907912115aacfc5da687f526a3ef2
humanhash: bravo-florida-diet-violet
File name:a66907912115aacfc5da687f526a3ef2.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:3'588'096 bytes
First seen:2022-01-27 23:15:46 UTC
Last seen:2022-01-28 00:59:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c284fa365c4442728ac859c0f9ed4dc5 (94 x RedLineStealer, 10 x RaccoonStealer, 8 x CoinMiner)
ssdeep 98304:gxMp07cDMzneXpbZLz/jiCgq6yqBMQb6nS9+5Ose:Pp0pLgXLzeCg1a5Sc4se
Threatray 1'166 similar samples on MalwareBazaar
TLSH T1FFF53352E12CA29FC6836FB1B6121DAEC332C58D3288B609EB563B5FD44308DD6F5176
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
37.1.213.9:17292

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
37.1.213.9:17292 https://threatfox.abuse.ch/ioc/290524/

Intelligence

File Origin
# of uploads :
2
# of downloads :
225
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/224712/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Launching the default Windows debugger (dwwin.exe)
Connecting to a non-recommended domain
Sending a custom TCP request
DNS request
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/61f327b76a7929f66a1cd954/reports/d7ca4fc2-6a1e-4058-bee2-1823549278c5/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/69a9a4da-23ad-4728-9b2d-cdaa4b618ad5
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/929396
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/195f3b2557f24fa86f7d0aa9269bd6903922ce672964864a898daa44cc5f9600/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2022-01-25 17:33:07 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dfptwjkx6jh2q335bkusng6wsa4sftthffsimsujrwvejtc7syaa._file
Verdict:
malicious
Similar samples:
05a0f7012de4482c552ffef69727209731444449357282ff49037f36503fbfa9
RedLineStealer
1e5ab160557152d712488a1fd2575231013f7c2fce3ac2dac52b9ea90f289729
RedLineStealer
3ed3b03c36265ddffd8382859b7545cec6955331f85907018adc4bacde22e70e
RedLineStealer
5ed9c8e4709af1af34ea8d1e6d5177c3d164c62c7dece9adcdd3d9c1b402484f
RedLineStealer
87b1b6c23161d93aed2729e2fce32dc577793341e4755cdeaac41f8c50b76a56
RedLineStealer
9c55d8b1e171b21b41833dcbab1b07157f3bd3a12a06578c9063a211bb0bc61e
RedLineStealer
9fcaa9da6fe7fa15f35c891d33764bd8d47e7e87702aae69c1d48612f97b3956
RedLineStealer
b554c35225b03058b8a649646f8c8665100064e1442c458e4f7e1f5c61e19dec
RedLineStealer
e833a4e60afdb1923d7ef837e8333218f82c08bb5de60a3e565c95e5f6c61f2e
RedLineStealer
+ 1'156 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/220127-285mmachb7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Unpacked files
SH256 hash:
978cffc93af4bbbee5d6ef3bf96cce3a83869253de0d292de88ebb7de6b2ace6
MD5 hash:
1fa0ff1b926dc85824cda6a633161a17
SHA1 hash:
cdcb74ada1f0db8c60528bc54f0597040f2c70cd
Link:
https://www.unpac.me/results/3ca56a3f-2bfd-4043-9fab-ee56a279af63/
SH256 hash:
195f3b2557f24fa86f7d0aa9269bd6903922ce672964864a898daa44cc5f9600
MD5 hash:
a66907912115aacfc5da687f526a3ef2
SHA1 hash:
911683a953f31b7ce6f0961083af658d76f6735c
Link:
https://www.unpac.me/results/3ca56a3f-2bfd-4043-9fab-ee56a279af63/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/195f3b2557f24fa86f7d0aa9269bd6903922ce672964864a898daa44cc5f9600

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/224712/

Comments