MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 216b9c35ce0b737fd5e636071925b930e15089b93290b0bc81530007b3c77192. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer


Vendor detections: 11



SHA256 hash: 216b9c35ce0b737fd5e636071925b930e15089b93290b0bc81530007b3c77192
SHA3-384 hash: 4728eb7bb725d8f7f9e6a3709218a0bc4ca34a2dcc29453e699891303c551e4b545b15ba7d7aeea02c1a22e7ee07b981
SHA1 hash: 0c43aeabc503b56c32a4770d9eac699a86104d4b
MD5 hash: 0d874f7de6a99ce85533c2682cf01b9f
humanhash: colorado-quiet-dakota-fanta
File name: 0d874f7de6a99ce85533c2682cf01b9f.exe
Signature: RedLineStealer
File size: 2'876'837 bytes
First seen: 2022-03-27 03:36:24 UTC
Last seen: 2022-03-27 04:27:24 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5a594319a0d69dbc452e748bcf05892e (21 x ParallaxRAT, 20 x Gh0stRAT, 15 x NetSupport)
ssdeep: 49152:tqe3f61tbJt64L/zW45WmCe1783ySffPMWrQ0Zka:8Si1hJc4L/CCWDe1I3PnPcMr
Threatray: 2'039 similar samples on MalwareBazaar
TLSH: T1FCD5F13FF268A13EC45E1B3245B38260897B7A64B81A8C1B17FC394DCF765601E3B656
dhash icon: 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
94.140.114.229:80

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                  ThreatFox Reference
94.140.114.229:80    https://threatfox.abuse.ch/ioc/455450/
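The IOCs on this entry are only useful once they are matched against your own telemetry. The script below is an added example, not code from MalwareBazaar or abuse.ch: it sweeps constructed Sysmon process-creation events and Zeek-style conn/dns records for the submitted sample's hashes, the hashes listed under "Unpacked files", the imphash, the C2 endpoint 94.140.114.229:80 and the domain siucaetide.xyz that the sandbox behaviour graph further down shows resolving to that address. Everything else (the log lines, image paths, the 192.0.2.x internal hosts and the 203.0.113.5 address) is made up for the example. The imphash hit is deliberately scored low: the entry shows the same imphash on ParallaxRAT, Gh0stRAT and NetSupport samples, so it fingerprints the installer/packer rather than RedLine.

```python
import hashlib

# --- IOCs copied from this MalwareBazaar entry ---------------------------
SAMPLE_HASHES = {  # the submitted file
    "sha256": "216b9c35ce0b737fd5e636071925b930e15089b93290b0bc81530007b3c77192",
    "sha1": "0c43aeabc503b56c32a4770d9eac699a86104d4b",
    "md5": "0d874f7de6a99ce85533c2682cf01b9f",
}
UNPACKED_SHA256 = {  # "Unpacked files" section, minus the sample itself
    "70abaf81199757e49f1bf02fa700e6105e5ab9b64c93eefb79fff3afbf6ef010",
    "fd3467342ea89580344fa1096dd44b9a11dee3310298ba19a9225f56279a7ea4",
    "1e83bbd3badcffd6d5252c3a83ec0ad2265425d94326d783feb47b16f8d8e513",
    "7ebe8381e1a9f1673ab4bb032a14491d8a0a7579c160885db925db6e46efaa51",
    "f8731cf47dc73c74a451af5b5937704095ebc9bbd7d6586217515802a232ea4c",
}
# The entry shows this imphash on ParallaxRAT, Gh0stRAT and NetSupport samples
# too, so it fingerprints the installer/packer, not RedLine: score it low alone.
WEAK_IMPHASH = "5a594319a0d69dbc452e748bcf05892e"
C2_IP, C2_PORT = "94.140.114.229", 80  # ThreatFox IOC 455450
C2_DOMAIN = "siucaetide.xyz"           # resolved to C2_IP in the sandbox behaviour graph


def parse_sysmon_hashes(field: str) -> dict:
    """Parse a Sysmon 'Hashes' field ('MD5=..,SHA256=..,IMPHASH=..') into lowercase algo->hex."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            alg, val = part.split("=", 1)
            out[alg.strip().lower()] = val.strip().lower()
    return out


def match_hashes(image: str, hashes: dict) -> list:
    """(confidence, reason) tuples for one process image or file, given its hashes."""
    hits = []
    if any(hashes.get(alg) == val for alg, val in SAMPLE_HASHES.items()):
        hits.append(("high", f"{image}: hash matches the submitted RedLineStealer sample"))
    if hashes.get("sha256") in UNPACKED_SHA256:
        hits.append(("high", f"{image}: sha256 matches an unpacked/dropped payload"))
    if not hits and hashes.get("imphash") == WEAK_IMPHASH:
        hits.append(("low", f"{image}: imphash matches, but it is shared by unrelated families"))
    return hits


def match_conn(line: str):
    """Zeek-style conn record, tab separated: ts, uid, src, sport, dst, dport, proto."""
    f = line.rstrip("\n").split("\t")
    if len(f) < 7 or f[4] != C2_IP:
        return None
    ts, _uid, src, _sport, dst, dport, proto = f[:7]
    conf = "high" if dport == str(C2_PORT) else "medium"  # known host, another port
    return {"ts": ts, "src": src, "dst": f"{dst}:{dport}", "proto": proto, "confidence": conf}


def match_dns(line: str):
    """Zeek-style dns record, tab separated: ts, uid, src, query, answers (comma separated)."""
    f = line.rstrip("\n").split("\t")
    if len(f) < 5:
        return None
    ts, _uid, src, query, answers = f[:5]
    if query.lower().rstrip(".") == C2_DOMAIN or C2_IP in answers.split(","):
        return {"ts": ts, "src": src, "query": query, "confidence": "high"}
    return None


def sweep(events, conn_log: str, dns_log: str) -> dict:
    """Run every check; 'hosts' collects internal sources with any network hit."""
    report = {"files": [], "network": [], "dns": [], "hosts": set()}
    for ev in events:
        report["files"] += match_hashes(ev["Image"], parse_sysmon_hashes(ev["Hashes"]))
    for line in conn_log.splitlines():
        if (m := match_conn(line)) is not None:
            report["network"].append(m)
            report["hosts"].add(m["src"])
    for line in dns_log.splitlines():
        if (m := match_dns(line)) is not None:
            report["dns"].append(m)
            report["hosts"].add(m["src"])
    return report


# --- constructed input (not real telemetry) ------------------------------
SYSMON_EVENTS = [
    {"Image": r"C:\Users\victim\Downloads\0d874f7de6a99ce85533c2682cf01b9f.exe",
     "Hashes": "MD5=0D874F7DE6A99CE85533C2682CF01B9F,SHA256=216B9C35CE0B737FD5E636071925B930E15089B93290B0BC81530007B3C77192,IMPHASH=5A594319A0D69DBC452E748BCF05892E"},
    {"Image": r"C:\Users\victim\AppData\Local\Temp\dropped.exe",
     "Hashes": "SHA256=70ABAF81199757E49F1BF02FA700E6105E5AB9B64C93EEFB79FFF3AFBF6EF010"},
    {"Image": r"C:\Users\victim\Downloads\other-installer.exe",  # same packer, unrelated payload
     "Hashes": "SHA256=" + "00" * 32 + ",IMPHASH=5A594319A0D69DBC452E748BCF05892E"},
]
CONN_LOG = (
    "1648350000.1\tC1\t192.0.2.10\t49818\t94.140.114.229\t80\ttcp\n"
    "1648350001.2\tC2\t192.0.2.10\t52211\t203.0.113.5\t443\ttcp\n"
    "1648350002.3\tC3\t192.0.2.11\t50001\t94.140.114.229\t443\ttcp\n"
)
DNS_LOG = (
    "1648349999.9\tD1\t192.0.2.10\tsiucaetide.xyz\t94.140.114.229\n"
    "1648350001.0\tD2\t192.0.2.10\taccounts.google.com\t203.0.113.5\n"
)

if __name__ == "__main__":
    for section, hits in sweep(SYSMON_EVENTS, CONN_LOG, DNS_LOG).items():
        print(section, hits)
```

Run it as-is to print the report; in practice feed it exported Sysmon events and conn/dns records with the column order documented in each parser. A medium-confidence hit (the C2 host on a port other than 80) and a lone low-confidence imphash hit are pivot points for further triage, not detections on their own.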

Intelligence


File Origin
# of uploads: 2
# of downloads: 307
Origin country: n/a
Vendor Threat Intelligence
Malware family: redline
ID: 1
File name: 0d874f7de6a99ce85533c2682cf01b9f.exe.vir
Verdict: Malicious activity
Analysis date: 2022-03-28 01:17:04 UTC
Tags: installer trojan rat redline

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Maliciousness:
Behaviour:
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for synchronization primitives
Searching for the window
DNS request
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour:
MalwareBazaar
CheckNumberOfProcessor
CheckCmdLine

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: control.exe expand.exe overlay packed pandora setupapi.dll shell32.dll wacatac
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 60/100
Signature
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Performs DNS queries to domains with low reputation
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade debugger and weak emulator (self modifying code)
Yara detected RedLine Stealer
Behaviour
Behavior Graph (ID 597688, sample oZdVEauO18.exe, start date 27/03/2022, architecture WINDOWS, score 60):
DNS/IP contacts from the sample: accounts.google.com, api.ip.sb, 3 other IPs or domains (May check the online IP address of the machine)
Signatures on the sample: Found malware configuration; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 7 other signatures
Process tree:
  oZdVEauO18.exe (started)
    dropped: C:\Users\user\AppData\...\oZdVEauO18.tmp (PE32)
    signature: Obfuscated command line found
    -> oZdVEauO18.tmp (started)
         dropped: C:\Program Files (x86)\...\is-P2F9I.tmp (PE32); C:\...\Buildd.sfx.exe (copy) (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); 4 other files (none is malicious)
         -> Buildd.sfx.exe (started)
              dropped: C:\Program Files (x86)\...\Buildd.exe (PE32)
              -> Buildd.exe (started)
                   network: siucaetide.xyz 94.140.114.229, ports 49818, 80, NANO-ASLV Latvia
                   signature: Hides threads from debuggers
         -> gimagex.exe (started)
Threat name: ByteCode-MSIL.Backdoor.Pandora
Status: Malicious
First seen: 2022-03-21 03:10:46 UTC
File Type: PE (Exe)
AV detection: 18 of 26 (69.23%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour:
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Loads dropped DLL
Executes dropped EXE
Unpacked files

SHA256 hash: 70abaf81199757e49f1bf02fa700e6105e5ab9b64c93eefb79fff3afbf6ef010
MD5 hash: e74616be6f3abd1e5c5d0f7a399e418f
SHA1 hash: 3677a81af5945d18d4d879f567187a65255d69a7

SHA256 hash: fd3467342ea89580344fa1096dd44b9a11dee3310298ba19a9225f56279a7ea4
MD5 hash: 9b9baf68a21a33248994efc9f48d644e
SHA1 hash: 06b714302251537dada4038a424b7022ecb3b7f7

SHA256 hash: 1e83bbd3badcffd6d5252c3a83ec0ad2265425d94326d783feb47b16f8d8e513
MD5 hash: 737515734a3bef68a9b955fa831b7aaa
SHA1 hash: 330c9b89c5895c7af9db834bc6d124e775ce5c99

SHA256 hash: 7ebe8381e1a9f1673ab4bb032a14491d8a0a7579c160885db925db6e46efaa51
MD5 hash: 57e3eeec87037ad67d792d3e2094a143
SHA1 hash: f44cc332a89c5d6daa05d18e846dfaa631558468

SHA256 hash: f8731cf47dc73c74a451af5b5937704095ebc9bbd7d6586217515802a232ea4c
MD5 hash: c85055de74d7ed5a8379caa5c894c34e
SHA1 hash: 26929e22d230bde40adea82b63deb689fa6dbfe5

SHA256 hash: 216b9c35ce0b737fd5e636071925b930e15089b93290b0bc81530007b3c77192 (the submitted sample)
MD5 hash: 0d874f7de6a99ce85533c2682cf01b9f
SHA1 hash: 0c43aeabc503b56c32a4770d9eac699a86104d4b
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments