MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 19d390fbe3da552929498622c2588a3bcba4cf9c13b8fe98503f94fe6ce5fa38. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs 1 YARA 1 File information Comments

SHA256 hash:	19d390fbe3da552929498622c2588a3bcba4cf9c13b8fe98503f94fe6ce5fa38
SHA3-384 hash:	d37b941e0328598461effcdf395d907be111593f9979b451d2461d9a678f9aeba7cc57e8f9271142cba4e818bda1ddde
SHA1 hash:	5ac0ce24fb565fd5000d50f92ed9c59bd409a4ce
MD5 hash:	a61020210efb3d65c3ee06d385dd979c
humanhash:	two-violet-washington-foxtrot
File name:	19d390fbe3da552929498622c2588a3bcba4cf9c13b8f.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	321'024 bytes
First seen:	2021-10-01 04:16:37 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	d31cc935cd1c6935cd48a10ef09a7414 (4 x RaccoonStealer, 3 x RedLineStealer, 2 x ArkeiStealer)
ssdeep	6144:Be+tFeY7oybsLsO/uihb12zmuOTPdENzye3E3QWCLQnBJ/6WbEoJFI:BF3/7oyc/em+Nzye3PX0BJ/6+Jw
Threatray	2'453 similar samples on MalwareBazaar
TLSH	T18C64BF10BBE1C034F2B712B648BA9379A52D7EB09B24C1CF63D16AEA46746E4DC31357
File icon (PE):
dhash icon	c00ecdc36278b152 (1 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
77.232.36.199:32336

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
77.232.36.199:32336	https://threatfox.abuse.ch/ioc/229067/

Intelligence

File Origin

# of uploads :

# of downloads :

121

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

19d390fbe3da552929498622c2588a3bcba4cf9c13b8f.exe

Verdict:

Malicious activity

Analysis date:

2021-10-01 04:17:11 UTC

Tags:

trojan rat redline stealer

Link:

https://app.any.run/tasks/79a5e9fd-ebfd-4694-8b58-e175fba2775b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/193835/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Connection attempt

Sending a custom TCP request

Launching a service

DNS request

Using the Windows Management Instrumentation requests

Creating a file in the %temp% directory

Deleting a recently created file

Reading critical registry keys

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d17664fd-00af-4871-8305-6e34988c0de8

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/862444

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/19d390fbe3da552929498622c2588a3bcba4cf9c13b8fe98503f94fe6ce5fa38/

Threat name:

Win32.Trojan.Fragtor

Status:

Malicious

First seen:

2021-09-30 22:27:00 UTC

AV detection:

14 of 28 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dhjzb67d3jksskkjqyrmewekhpf2jt44co4p5gcqh6kp43hf7i4a._file

Verdict:

malicious

RedLineStealer

176acbd438f1dbf033098a230dc2b5066b38d53a2018a4da03c6cc2bfb8ade99

RedLineStealer

3ec482600f9fbb506f8a8706dd80d33ef16f0dd7929c7bdfe2b2755ddb059a66

RedLineStealer

41a07231a545437d57e20e3863390f8c529a27d75515c903937f2b488e124e75

RedLineStealer

7528f5fc6feac45e0e9d7e8e2f2e050f73da78d65937db34595904a284ca2f93

RedLineStealer

7872580d5105bd09cf386f9713b28854711d356fae34118bd855a9a694da4f1e

RedLineStealer

9ba1db35f1faf6730c60c798a290ad44ca12170b002b4e721428aa2750b4d31c

RedLineStealer

9fd2dbfb299190390df123585a1173313973c7ad0ed52cbc28fab95280f816c4

RedLineStealer

a6876f1c666576ddea4b4c4f7d4ade1c98154e3ea63a711beee37bfa9a5467d1

RedLineStealer

fb6bc2d81a684ce79e18aac92629f12193f6ebb69652c8d5119daf13f73d3cd5

RedLineStealer

+ 2'443 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:build1 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/211001-ewdl2sagd6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

77.232.36.199:32336

Unpacked files

SH256 hash:

38285611b34e3ae5e14a3e8b60e2f30bb212b715463984d99e8f44fa1a78c882

MD5 hash:

cbd875a1663a2f49f633348c3664905a

SHA1 hash:

d690c2fe53a3838c77506838e8ae8ba1e1e40eee

Link:

https://www.unpac.me/results/992c0d1c-8d58-410e-b9c8-81aa1c40047f/

SH256 hash:

7035043c077f08ac711b56b7586bde454960f97e0e1ecff9047a5d7992f1a8df

MD5 hash:

b5be2cc6accd8ec7bd14f266fa154fb1

SHA1 hash:

cc52a6b65c0bec9c59097500098b04a8a6533283

Link:

https://www.unpac.me/results/992c0d1c-8d58-410e-b9c8-81aa1c40047f/

SH256 hash:

332e6c5151afdad349b09b7ec40a7d78328052d2cf8450e50c6a7d82c6dfb30f

MD5 hash:

a3dd5068abe3d314408306f15ea15fb9

SHA1 hash:

7450b1e64a9c00e738748d88ecc4ec5c1c6201bf

Link:

https://www.unpac.me/results/992c0d1c-8d58-410e-b9c8-81aa1c40047f/

SH256 hash:

19d390fbe3da552929498622c2588a3bcba4cf9c13b8fe98503f94fe6ce5fa38

MD5 hash:

a61020210efb3d65c3ee06d385dd979c

SHA1 hash:

5ac0ce24fb565fd5000d50f92ed9c59bd409a4ce

Link:

https://www.unpac.me/results/992c0d1c-8d58-410e-b9c8-81aa1c40047f/

Malware family:

RedLine.A

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/19d390fbe3da/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/19d390fbe3da552929498622c2588a3bcba4cf9c13b8fe98503f94fe6ce5fa38

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/193835/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample