MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e40b7a3aca5fa0302e9f6c2e4b10f738f8ad2e357cb0987f175c456f67e8e67. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs 1 YARA 1 File information Comments

SHA256 hash:	1e40b7a3aca5fa0302e9f6c2e4b10f738f8ad2e357cb0987f175c456f67e8e67
SHA3-384 hash:	c48e9526dd45a488a44afb8bf9544f74fedbf9176187f73c474d1484f7f2fe438be65367ca4b0b036dca4f7574b504ae
SHA1 hash:	80ec89867818c9d9474aab54090a021f560b34fd
MD5 hash:	a2aa55cd5d008b8cccadb5e4d92acb31
humanhash:	robert-winner-chicken-lemon
File name:	a2aa55cd5d008b8cccadb5e4d92acb31.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	1'553'729 bytes
First seen:	2022-07-20 19:40:24 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c9adc83b45e363b21cd6b11b5da0501f (82 x ArkeiStealer, 60 x RecordBreaker, 46 x RedLineStealer)
ssdeep	24576:pAT8QE+k3f5gA4LW7g3q8FBmaRDUQJ3HLqzHCXO7sPLcL3uQfjxjQJp2mFSsKcm0:pAI+Mf5Cy7g3vqQpICXOYjcbuQfGodWz
TLSH	T19C752239A641867BC0511971945FA3F9B836BB001F3C5DCFB3DE0E1C8A2339A1E9539A
TrID	86.6% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58) 5.6% (.EXE) InstallShield setup (43053/19/16) 1.8% (.EXE) Win32 Executable Delphi generic (14182/79/4) 1.7% (.SCR) Windows screen saver (13101/52/3) 1.3% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
File icon (PE):
dhash icon	b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
185.106.92.226:40788

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
185.106.92.226:40788	https://threatfox.abuse.ch/ioc/838881/

Intelligence

File Origin

# of uploads :

# of downloads :

352

Origin country :

n/a

Vendor Threat Intelligence

Detection:

generic

Link:

https://www.capesandbox.com/analysis/293003/

Detection(s):

SecuriteInfo.com.Trojan.DownLoader45.4877.6364.31479.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Delayed reading of the file

Creating a file in the %temp% subdirectories

Сreating synchronization primitives

Creating a file in the Program Files subdirectories

Modifying a system file

Creating a process from a recently created file

Launching a process

Creating a process with a hidden window

DNS request

Sending an HTTP GET request

Searching for synchronization primitives

Using the Windows Management Instrumentation requests

Sending a custom TCP request

Reading critical registry keys

Launching the default Windows debugger (dwwin.exe)

Running batch commands

Unauthorized injection to a recently created process

Stealing user critical data

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/26884/overview

Behaviour

MalwareBazaar

CPUID_Instruction

CheckCmdLine

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

60%

Tags:

bladabindi coinminer fingerprint greyware mikey overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/62d85a2d8fbcdde36060eb6e/reports/109da7f0-f80f-48e0-afbe-fa76d13ec321/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Tandem Espionage

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9bb6712d-2b0a-47fa-b074-e9e4bd62273a

Result

Threat name:

RedLine, Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

74 / 100

Link:

https://www.joesandbox.com/analysis/1037906

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1e40b7a3aca5fa0302e9f6c2e4b10f738f8ad2e357cb0987f175c456f67e8e67/

Threat name:

Win32.Trojan.RedlineStealer

Status:

Malicious

First seen:

2022-07-20 13:10:49 UTC

File Type:

PE (Exe)

AV detection:

26 of 39 (66.67%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=dzalpi5mux5agaxj63bojmipoohyvuxdk7fqtb7roxcfn5t6rztq._file

Result

Malware family:

vidar

Score:

10/10

Tags:

family:eternity family:redline family:vidar botnet:1513 botnet:1521 botnet:4 botnet:@hashcats botnet:@tag12312341 botnet:nam3 collection discovery infostealer persistence spyware stealer

Link:

https://tria.ge/reports/220720-yd3yrsghf4/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Enumerates system info in registry

Kills process with taskkill

Modifies Internet Explorer settings

Modifies registry class

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Program crash

Drops file in Program Files directory

Suspicious use of SetThreadContext

Accesses 2FA software files, possible credential harvesting

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Detects Eternity stealer

Eternity

RedLine

RedLine payload

Vidar

Malware Config

C2 Extraction:

185.106.92.226:40788
http://rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion
https://t.me/korstonsales
https://climatejustice.social/@ffoleg94
103.89.90.61:18728
31.41.244.134:11643
62.204.41.144:14096

Unpacked files

SH256 hash:

ae821495b07f0e11b7d35fca4ae10ca75858e763ec3110a4018e6850c16b3ba6

MD5 hash:

97398f81a3f8bc1247090e9d0350e66b

SHA1 hash:

b4a1f2d59305f93dbefbf5b388dacaca1bef15b9

Link:

https://www.unpac.me/results/bd83a0d4-835b-4790-a3fb-8bcae2b62e85/

SH256 hash:

13dc5c659c070ad1e67a25d5f695daafb1d2deef09b524557ad4e1f4bb01f1e4

MD5 hash:

537c28e504d00b10c44372744ea0c67f

SHA1 hash:

28776fe7df07cd87b33c8db4bd99536d05675c82

Link:

https://www.unpac.me/results/bd83a0d4-835b-4790-a3fb-8bcae2b62e85/

SH256 hash:

1e40b7a3aca5fa0302e9f6c2e4b10f738f8ad2e357cb0987f175c456f67e8e67

MD5 hash:

a2aa55cd5d008b8cccadb5e4d92acb31

SHA1 hash:

80ec89867818c9d9474aab54090a021f560b34fd

Link:

https://www.unpac.me/results/bd83a0d4-835b-4790-a3fb-8bcae2b62e85/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1e40b7a3aca5/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1e40b7a3aca5fa0302e9f6c2e4b10f738f8ad2e357cb0987f175c456f67e8e67

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers