MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1de7290995e43ef59ed48500035448580267086b51e24a4d36be4e71ebe1b635. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 1 File information Comments

SHA256 hash:	1de7290995e43ef59ed48500035448580267086b51e24a4d36be4e71ebe1b635
SHA3-384 hash:	fc7c7166b717e5f3da48c8f98d8897d8d394e7d11c7bfb345db4b8764ea72dd71a476bf8f84ed4d543e66bb74bfcf0d8
SHA1 hash:	429b96782936ae029308c2b01017fc038385ed65
MD5 hash:	17bdd374c11bcb0664a21001f8466efb
humanhash:	hydrogen-mexico-potato-emma
File name:	17bdd374c11bcb0664a21001f8466efb.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	367'616 bytes
First seen:	2021-09-25 08:41:20 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	658c49f2b142429657b3337ed8c9de9e (4 x RaccoonStealer, 3 x RedLineStealer, 1 x DanaBot)
ssdeep	6144:iStAJDL21/kBIRlWw5pjY83e4DSgbNyhNDmEQ:iStAJDa1/hRBMqbfyh1v
Threatray	6'416 similar samples on MalwareBazaar
TLSH	T10A74CF10B7E0C034F5B723F999B993B9A92DBDB06B78D5CB66C506EA52606E0CC30357
File icon (PE):
dhash icon	ead8ac9cc6a68ee0 (93 x RedLineStealer, 50 x RaccoonStealer, 15 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
45.9.20.20:13441

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
45.9.20.20:13441	https://threatfox.abuse.ch/ioc/226443/

Intelligence

File Origin

# of uploads :

# of downloads :

101

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

17bdd374c11bcb0664a21001f8466efb.exe

Verdict:

Malicious activity

Analysis date:

2021-09-25 08:44:21 UTC

Tags:

trojan rat redline stealer

Link:

https://app.any.run/tasks/6f65a9d2-04e1-4ecc-b071-646ab5078e73

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/191393/

Detection(s):

Win.Packed.Generic-9896112-0

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c359945a-60f7-4bca-9d5e-d756782045c4

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/857852

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1de7290995e43ef59ed48500035448580267086b51e24a4d36be4e71ebe1b635/

Threat name:

Win32.Trojan.Glupteba

Status:

Malicious

First seen:

2021-09-24 23:08:00 UTC

AV detection:

17 of 28 (60.71%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=dxtsscmv4q7plhwuquaagvcilabgocdlkhreutjwxzhhd27bwy2q._file

Verdict:

malicious

RedLineStealer

24335bb0da5b5ea367db042fb02e815796c1f19293cb894809788f385720a6bc

RedLineStealer

3668ef74bccc72fe12cb1dfe661a5a3eccb4a4b07f2080db423f0b4f1cc3f10d

RedLineStealer

682e5e64fce5e223b588ef7f5a0951e94659fa52c4fb3111d12245a3da3461b0

RedLineStealer

8a084943c9646b225021d55f472e2d10633079a2158b08564163f3602b237360

RedLineStealer

97e26db316059a3660d3912d74e7d546f2a830d5c016daa883bf97b2aa5967cf

RedLineStealer

a6b1c71eb37fde7da57be8cb54e7433d40d1418425b69f37bb3ec74270bb6009

RedLineStealer

c4d603632e2899f6542261b071867afe9b0edaa59f65b578fd4b26d2545ae779

RedLineStealer

d0147cf80fda24d6c0b3358464909084a13fa07f17bf26040699f9926d1363f8

RedLineStealer

ff061e51cc408d07d54ac73f7bb7725cf8266aadf6b7ddc336a84f2eff2d1e7b

RedLineStealer

+ 6'406 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:udp discovery infostealer spyware stealer

Link:

https://tria.ge/reports/210925-kl25jsagbm/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

45.9.20.20:13441

Unpacked files

SH256 hash:

90b0e7d902727351e4a88f3b02c2d3d15d202b2a0ea118c961c21c258617c1cf

MD5 hash:

6ac070b383c57c84bce059f1611a8bc0

SHA1 hash:

f8768f72c0cc63945cbe31b75e39a9d207db06b5

Link:

https://www.unpac.me/results/4c967952-0219-492f-8148-185066d870df/

SH256 hash:

74ec8e7f6661e87226bb95a4ba97ae828c45f3142b78d068492cff7162bbbd47

MD5 hash:

f007c18cee4cbdd6992122a8a216ccc0

SHA1 hash:

5b931b76947bb4484ae7b94a60e83c65f92b21b3

Link:

https://www.unpac.me/results/4c967952-0219-492f-8148-185066d870df/

SH256 hash:

fc667313899f6647f9d67a16af1234ac6b109223b7c3ce0d178614985cfd27e9

MD5 hash:

24eb234842defb045592109e300bed32

SHA1 hash:

4fa3017ddf932a7f7ae7fbbeda7eacbea609f283

Link:

https://www.unpac.me/results/4c967952-0219-492f-8148-185066d870df/

SH256 hash:

1de7290995e43ef59ed48500035448580267086b51e24a4d36be4e71ebe1b635

MD5 hash:

17bdd374c11bcb0664a21001f8466efb

SHA1 hash:

429b96782936ae029308c2b01017fc038385ed65

Link:

https://www.unpac.me/results/4c967952-0219-492f-8148-185066d870df/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/1de7290995e4/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1de7290995e43ef59ed48500035448580267086b51e24a4d36be4e71ebe1b635

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/191393/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample