MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 219fa2180e6724ff3a675aed4499038587e0cf09aa2227f9e7ef3fc1cb08795b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	219fa2180e6724ff3a675aed4499038587e0cf09aa2227f9e7ef3fc1cb08795b
SHA3-384 hash:	7e1a9b1951570951ddc2b7e6579a9dc06d89a86e90503c62531b3c0322714ef6636535c199587a6567e7c511bac13019
SHA1 hash:	9bb248f9de8b37cadbd05e813e2216ec9456bbc5
MD5 hash:	3f6d29bb9a3ddd6cb68799ddc458d147
humanhash:	queen-pluto-winter-blossom
File name:	top.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	387'584 bytes
First seen:	2022-03-29 12:06:32 UTC
Last seen:	2022-03-29 13:00:09 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	962dcf4a4b969d5194f73601a217ba6f (4 x RedLineStealer, 2 x Stop)
ssdeep	6144:AzAu9Quh5k5HmRWVewNSYhLlNUyyvXns4SG6DvJirONZjAA:AzAubq5HmgVewz5GyyvXH967yONV
Threatray	2'237 similar samples on MalwareBazaar
TLSH	T19384CF10BB90C039E1B71AF44AB993B8B53EBDA19B3554C762D53AEE56346E4EC30307
File icon (PE):
dhash icon	badacabecee6baa6 (95 x Stop, 87 x RedLineStealer, 62 x Smoke Loader)
Reporter	b3ard3dav3ng3r
Tags:	exe Redline RedLineStealer

b3ard3dav3ng3r

http://dwefrfgqwgq.top/work/

Intelligence

File Origin

# of uploads :

# of downloads :

281

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

219fa2180e6724ff3a675aed4499038587e0cf09aa2227f9e7ef3fc1cb08795b.exe

Verdict:

Malicious activity

Analysis date:

2022-03-29 18:09:27 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/d2e50082-07b3-4219-beb1-a24ca5f09a90

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/259179/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Stealer.32664.18329.18263.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Creating a file

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Using the Windows Management Instrumentation requests

Creating a window

Reading critical registry keys

Sending a TCP request to an infection source

Stealing user critical data

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/11988/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

CheckCmdLine

EvasionQueryPerformanceCounter

EvasionGetTickCount

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6242f666a19c649412a5bbb0/reports/eba12c3f-89db-40da-be80-ca75de3732bc/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5a8939ae-bffa-4a1f-b11f-19a60caac905

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/966673

Signature

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/219fa2180e6724ff3a675aed4499038587e0cf09aa2227f9e7ef3fc1cb08795b/

Threat name:

Win32.Trojan.Krypter

Status:

Malicious

First seen:

2022-03-28 21:30:18 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 26 (69.23%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=egp2egaom4sp6othllwujgidqwd6btyjvircp6ph5474dsyipfnq._file

Verdict:

malicious

RedLineStealer

3f41c1f89cee913fea8e68e963abaf222e4761d2f9a89e434cde4a28fd9a7e4d

RedLineStealer

79a45215fb18155b4ce7d6d4cde5351b7da9d25b0850431fd7f1b8373e9041b8

RedLineStealer

a63806a04c7dc23ef99da422feb1192d69b6b627aa39ccc989362ae508af899e

RedLineStealer

b48372b694840f2e042a0ed009bf134c33a7bab3e5041a61dd9119e676169be4

RedLineStealer

cf0f1aa6daa5e46b0a8a0ab76ed31b54a96c6125617ad0d0d508d08df6ec6b9b

RedLineStealer

de50a9cba8f30b0ab1d488fccf4e07d52bbb9cd340435c89a8ef248a1fdde229

RedLineStealer

+ 2'227 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:mix29.03 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220329-paandadfc7/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

185.215.113.70:21508

Unpacked files

SH256 hash:

02858d95a20ecb2eb374a053cab992a2f2751f3b11325e09feee92f33f23a7a2

MD5 hash:

dfd88196b6a27b86a21edc64f0e47e3c

SHA1 hash:

f9aff334c6e74596d998e29d6aebf86684d16936

Link:

https://www.unpac.me/results/125e96d4-83f8-4551-be31-7dc2c0134a94/

SH256 hash:

dd5d563ece845c44056522ecf7d791b4b5cf4486606623ee266badd98c727798

MD5 hash:

1028059fd992c337ceb8f49975bb2f53

SHA1 hash:

9b8a9f54160879f228f33c53f12a4128aa5db3b0

Link:

https://www.unpac.me/results/125e96d4-83f8-4551-be31-7dc2c0134a94/

SH256 hash:

4673fe9c352b409b358b9ae0b21e66ca8cf667f84961053198bfe57078a7990d

MD5 hash:

d5baa3c59c65d854691ad04aace589eb

SHA1 hash:

83ba95bf16aded72210dc17e38c2282449600610

Link:

https://www.unpac.me/results/125e96d4-83f8-4551-be31-7dc2c0134a94/

SH256 hash:

219fa2180e6724ff3a675aed4499038587e0cf09aa2227f9e7ef3fc1cb08795b

MD5 hash:

3f6d29bb9a3ddd6cb68799ddc458d147

SHA1 hash:

9bb248f9de8b37cadbd05e813e2216ec9456bbc5

Link:

https://www.unpac.me/results/125e96d4-83f8-4551-be31-7dc2c0134a94/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/219fa2180e67/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/219fa2180e6724ff3a675aed4499038587e0cf09aa2227f9e7ef3fc1cb08795b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.