MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 20d7a48f836b6c3f9ae4af6e2d9a1d8e2bebae334c43dba287d53873e796d222. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

SHA256 hash: 20d7a48f836b6c3f9ae4af6e2d9a1d8e2bebae334c43dba287d53873e796d222
SHA3-384 hash: 2ae86149ad029224b6b6ddb58a1e9d4888a670ddc3c37f1c67f25b2f0452191c1eb0e176c6c2b18062aba4f5a8c9951a
SHA1 hash: f0ebc4ed31c376f0f70c6224c2c52790387778bc
MD5 hash: 4e9bcd66c56dc292fd56a639cf486052
humanhash: island-nine-comet-neptune
File name: 4e9bcd66c56dc292fd56a639cf486052.exe
Signature: RedLineStealer
File size: 303'104 bytes
First seen: 2021-11-01 18:17:40 UTC
Last seen: 2021-11-01 20:06:06 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 51877faeb7f9e92bd6de75ecea40ae83 (2 x RaccoonStealer, 2 x RedLineStealer, 1 x Stop)
ssdeep: 6144:jndIDn896UI5X1XeeAYMYPAA6ny7Z6hT/+y6s6P8ZM4yKa3A8+rD:jndIzs6UI5X1XeDpcqXnZSw8+H
Threatray: 3'554 similar samples on MalwareBazaar
TLSH: T16054E0117E97D836DC9BC5300834CBE0DA7EBC625935918B77A8372EADB02C05A7D396
dhash icon: fcfc94d4d4d4d8c8 (6 x RedLineStealer, 1 x ArkeiStealer)
Reporter: abuse_ch
Tags: exe RedLineStealer

Intelligence

File Origin
# of uploads: 2
# of downloads: 116
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 4e9bcd66c56dc292fd56a639cf486052.exe
Verdict: Malicious activity
Analysis date: 2021-11-01 18:21:11 UTC
Tags: trojan rat redline

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Result
Verdict: Malware
Maliciousness:
Behaviour
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Stealing user critical data
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Threat name: Win32.Trojan.Fragtor
Status: Malicious
First seen: 2021-11-01 18:18:09 UTC
AV detection: 20 of 28 (71.43%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:pubdate discovery infostealer spyware stealer
Behaviour
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction: 193.56.146.64:65441
Unpacked files

SHA256 hash: f3aa79927b30615e01019b5f94aba8d01e36a1688b8f3b4e7219e54b98918a6f
MD5 hash: 50b186e2f2a4a84585bdff72bf9912f2
SHA1 hash: ce9bd4eed7d01dbaa5f9304d8bddddbeb3128636

SHA256 hash: f634fe711bc64b4e14b36262f552b04db4b217cd63c5d76c89840c3daefe9fa4
MD5 hash: 2e004d992beb0185a8d5ef246f13b9a3
SHA1 hash: 5e11acaa74204c432833a567c1c36c142fc484e9

SHA256 hash: 1524efca52a61f257ef08940b9764a5fb616e37adc69ba7db938ad1e27105f89
MD5 hash: 7ec77274daf4b22fd1e7191ebf7fcc97
SHA1 hash: 46922459d1ba09528b3b04d611fea7171bb917b1

SHA256 hash: 20d7a48f836b6c3f9ae4af6e2d9a1d8e2bebae334c43dba287d53873e796d222
MD5 hash: 4e9bcd66c56dc292fd56a639cf486052
SHA1 hash: f0ebc4ed31c376f0f70c6224c2c52790387778bc
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: RedLineStealer
File type: Executable exe
SHA256 hash: 20d7a48f836b6c3f9ae4af6e2d9a1d8e2bebae334c43dba287d53873e796d222 (this sample)

Delivery method: Distributed via web download
