MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 21cb721024d63096342753cf825d12ab93d13e6f22c7ecd37fee717e222d2ac8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 16

Intelligence 16 IOCs 1 YARA 1 File information Comments

SHA256 hash:	21cb721024d63096342753cf825d12ab93d13e6f22c7ecd37fee717e222d2ac8
SHA3-384 hash:	21f52d3de901b23ae8ce3d4ed753ec8cbb1cabeebf0845098d9721c3933975bcb325daa7217ce197e8888c9702914b29
SHA1 hash:	a787bc588e2e589ab0b1edbf317cfb7746079fe5
MD5 hash:	e75642b5ab8d1c0760744e7847503d18
humanhash:	tennis-utah-sixteen-kitten
File name:	e75642b5ab8d1c0760744e7847503d18.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	230'912 bytes
First seen:	2022-04-17 12:00:59 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	bf5a4aa99e5b160f8521cadd6bfe73b8 (432 x RedLineStealer, 31 x AgentTesla, 12 x DCRat)
ssdeep	6144:XDKW1Lgbdl0TBBvjc/jhxNcn2kAJ/wOqEMX:Th1Lk70Tnvjc7hxw2kAJ/w5
Threatray	5'830 similar samples on MalwareBazaar
TLSH	T11C34CF2071C1C1B2C4B7113141E9CB799A7970720B7A96D7B7DD1BBA6E113E2A3362CE
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
23.88.32.21:32611

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
23.88.32.21:32611	https://threatfox.abuse.ch/ioc/520637/

Intelligence

File Origin

# of uploads :

# of downloads :

332

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

socelars

ID:

File name:

3b7b44dd7b962d287957a7f912218d56b224e743cab832db0114e69fb329387a.exe.malware

Verdict:

Malicious activity

Analysis date:

2022-04-17 12:08:19 UTC

Tags:

evasion trojan socelars stealer loader rat redline opendir ransomware stop phishing vidar arkei

Link:

https://app.any.run/tasks/151f14e7-2a8c-4b5f-9ac0-3a9e75dc2ad2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/264165/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Siggen2.61899.6544.29541.UNOFFICIAL

ditekSHen.MALWARE.Win.Trojan.RedLine-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

DNS request

Creating a window

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Stealing user critical data

Result

Malware family:

n/a

Score:

10/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/14067/overview

Behaviour

MalwareBazaar

CPUID_Instruction

EnumerateProcesses

MeasuringTime

SystemUptime

EvasionQueryPerformanceCounter

EvasionGetTickCount

CheckCmdLine

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

clipbanker greyware packed

Link:

https://www.filescan.io/uploads/625c017feab80a7a6c2eacda/reports/ef682b9c-84f8-4af3-a94c-a71b9c02ed13/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b1815401-35f3-4c60-84ad-47fec08e3ff1

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/977841

Signature

Antivirus / Scanner detection for submitted sample

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/21cb721024d63096342753cf825d12ab93d13e6f22c7ecd37fee717e222d2ac8/

Threat name:

Win32.Trojan.ClipBanker

Status:

Malicious

First seen:

2022-04-17 12:01:06 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 42 (57.14%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ehfxeebe2yyjmnbhkphyexisvoj5cptpeld6zu375zyx4irnflea._file

Verdict:

malicious

RedLineStealer

41b4787740c85fe089ae0f8f085c1cf3943dd5d76c6d58bef71d0caf7241de65

RedLineStealer

423603734e03a0601620dfa8522bbddfc14de5418da253167f46f3a14cca4979

RedLineStealer

c93f83abdd864cf1addb61dbab099ab5f9e5fa01b27d9dc74a6175476ca30bc9

RedLineStealer

dcf51fb55020930d3b0349f43e0f53099c3329bb181387419f8fa28040cee35a

RedLineStealer

fe190943733db4d17a62013c2a8028ea4735d47903c08def8e0d4581737919c5

RedLineStealer

+ 5'820 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:ruzke discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220417-n6v4hseeaq/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

23.88.32.21:32611

Unpacked files

SH256 hash:

2064653c084ed964384967e96d05e357b91fd06cc34eb8aa4a7e00d0e3f0d596

MD5 hash:

91fbc304856fb83b48b057791cd17f7d

SHA1 hash:

731922b14bd2de44b6cec0a1bd2f1bfd75c9846f

Link:

https://www.unpac.me/results/13a9616e-9a2b-4a49-86a3-4671c4265f70/

SH256 hash:

6f4f9d24e79695c6baecedc3f0e80f196dd351299c464bb8c117545c64533a17

MD5 hash:

a98fb3910fbd1ac4398efc8d5c95c7ea

SHA1 hash:

191d3819cdf4f446d2405873f24f9b1018e8c30b

Link:

https://www.unpac.me/results/13a9616e-9a2b-4a49-86a3-4671c4265f70/

SH256 hash:

21cb721024d63096342753cf825d12ab93d13e6f22c7ecd37fee717e222d2ac8

MD5 hash:

e75642b5ab8d1c0760744e7847503d18

SHA1 hash:

a787bc588e2e589ab0b1edbf317cfb7746079fe5

Link:

https://www.unpac.me/results/13a9616e-9a2b-4a49-86a3-4671c4265f70/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/21cb721024d6/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/21cb721024d63096342753cf825d12ab93d13e6f22c7ecd37fee717e222d2ac8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.