MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a2786ae6680459aa89e79fc3c93c73f9901be784ce2eb4267c5010d2c6d9b7b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 14

Intelligence 14 IOCs YARA File information Comments

SHA256 hash:	1a2786ae6680459aa89e79fc3c93c73f9901be784ce2eb4267c5010d2c6d9b7b
SHA3-384 hash:	9f76045db21e9f0d003a917bbdf1bcd62d330a1e1f512897acc7217b765ab078996f53fc01a0d2eaf74089ca2f3d448b
SHA1 hash:	14de0c27ce0110715a4592ed238fe73b1bca286b
MD5 hash:	77f7945e48fab5c2efbc4ade2b6deac1
humanhash:	connecticut-two-happy-avocado
File name:	SecuriteInfo.com.Trojan.GenericKDZ.85453.19981.19333
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	414'208 bytes
First seen:	2022-03-21 05:47:56 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	dd74d0a493381cbdbb2d3a82a03effd4 (8 x RedLineStealer)
ssdeep	6144:zKbKhbhKXDFbfrhDVaoV2TwrKwnq3CAR6Gz1GjJD8x5KOvGQt62:zKYbEXDFbfrHjV/r0bwjJDw
Threatray	4'785 similar samples on MalwareBazaar
TLSH	T1B794F12276D2C071C0863A707427CBF96ABBB432A535494737E8077D5F303E16AB639A
File icon (PE):
dhash icon	5c599a3ce0c1c850 (36 x RedLineStealer, 27 x Stop, 21 x Smoke Loader)
Reporter	SecuriteInfoCom
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

197

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/253238/

Detection(s):

SecuriteInfo.com.Trojan.GenericKDZ.85453.19981.19333.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Sending a custom TCP request

Creating a window

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Stealing user critical data

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/9966/overview

Behaviour

MeasuringTime

SystemUptime

EvasionGetTickCount

EvasionQueryPerformanceCounter

CheckCmdLine

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware

Link:

https://www.filescan.io/uploads/62381198b94fb38cb4c04084/reports/deda33fc-16bc-4f5e-a255-499266119149/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/70515f4e-2222-4de0-b652-b45b6fd777b4

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/960412

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1a2786ae6680459aa89e79fc3c93c73f9901be784ce2eb4267c5010d2c6d9b7b/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2022-03-21 05:48:12 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 27 (92.59%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ditynltgqbczvke6ph6dze6hh6mqdptyjtrowqthyuaq2ldntn5q._file

Verdict:

malicious

RedLineStealer

a6c58dc411ddd6fae1977d92e601c483931fc6cba08bf003a23cdbeb74244b48

RedLineStealer

c7229a4bd75fb6d9169fc447cd50092a1c2bfd6787022d0dbac7b50a975cab8e

RedLineStealer

e1b05386a01969cedfe00a3ec9379dd2b25ce3cc535825c9efe8953701f2e0eb

RedLineStealer

fdfd1a10040479a0dc1e2d49865208eea68e68afc055322032a732ad2a3a51fc

RedLineStealer

+ 4'775 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:sewpalpadin discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220321-ghfwcshcd7/

Behaviour

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

193.233.48.58:38989

Unpacked files

SH256 hash:

bda8528710fc8ffb9a5969afacdd25f5d24bb5793051af4d49beea9936ede2df

MD5 hash:

88c659cf001038d06e2605b3debf26cf

SHA1 hash:

e384ca99fd00c5eb4b7b936a096e4d7eda05abf8

Link:

https://www.unpac.me/results/4df5e33b-2087-4dc8-be94-0cdfa27502a8/

SH256 hash:

4f2231f29e06809d9442b1ce8535b6a0610c23a7baafc1c6c96a83281a4ec13a

MD5 hash:

de667cc858a905e6c3c7ad23c0356d24

SHA1 hash:

cec9d8efa8873eca0824d35906ef784a990b2ed7

Link:

https://www.unpac.me/results/4df5e33b-2087-4dc8-be94-0cdfa27502a8/

SH256 hash:

577006471b98395e407abea2739adf073654ebd5292ed12a1a76a12258b67b39

MD5 hash:

7b61a29887a66e0f37b2daba1a368f2e

SHA1 hash:

4cbba3c48e47c540c1f77c28b63be662084b5ab3

Link:

https://www.unpac.me/results/4df5e33b-2087-4dc8-be94-0cdfa27502a8/

SH256 hash:

1a2786ae6680459aa89e79fc3c93c73f9901be784ce2eb4267c5010d2c6d9b7b

MD5 hash:

77f7945e48fab5c2efbc4ade2b6deac1

SHA1 hash:

14de0c27ce0110715a4592ed238fe73b1bca286b

Link:

https://www.unpac.me/results/4df5e33b-2087-4dc8-be94-0cdfa27502a8/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/1a2786ae6680/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1a2786ae6680459aa89e79fc3c93c73f9901be784ce2eb4267c5010d2c6d9b7b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/253238/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample