MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 21e6bcb2f60daa0e97c0aa6cbe59125ab843fdd08a3ed29a7231fa460eab8f33. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 14

Intelligence 14 IOCs YARA 1 File information Comments

SHA256 hash:	21e6bcb2f60daa0e97c0aa6cbe59125ab843fdd08a3ed29a7231fa460eab8f33
SHA3-384 hash:	4c22a53d511092f6decb33407f3b259c7a32545e545e8cd8c8f577a212b8e3f92750bd9d2f7fe7c5c7dbb263646ff3f3
SHA1 hash:	4053e8447fbd1008d3a008c92a055c58389a3fb5
MD5 hash:	b00904869b4e9fabf0f42b8e03a9ad93
humanhash:	music-emma-colorado-undress
File name:	SecuriteInfo.com.Trojan.Win32.Raccrypt.GT.MTB.1425.9330
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	377'344 bytes
First seen:	2022-06-09 01:46:41 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	d530938e11b87f5dcaab85f14604822a (5 x Amadey, 3 x Smoke Loader, 2 x RedLineStealer)
ssdeep	6144:gORxUeGdsBLUtsO9BibTGaH1mWkPxQEtVXHN0aS72knyLMvgytEkCPT4v:gOhbhUtFribTGSBoDt02kyLM1tEkgY
Threatray	5'905 similar samples on MalwareBazaar
TLSH	T16684BF10BBA0C034F5B752F489BA8368BA3EBAB15B3491CB62D51AED16347D5EC31317
TrID	40.3% (.EXE) Win64 Executable (generic) (10523/12/4) 19.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.2% (.EXE) Win32 Executable (generic) (4505/5/1) 7.7% (.EXE) OS/2 Executable (generic) (2029/13) 7.6% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):
dhash icon	25ac137039939b91 (15 x Smoke Loader, 12 x Amadey, 6 x RedLineStealer)
Reporter	SecuriteInfoCom
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

297

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

SecuriteInfo.com.Trojan.Win32.Raccrypt.GT.MTB.1425.9330

Verdict:

Malicious activity

Analysis date:

2022-06-09 01:47:36 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/47f288fd-1d8b-41ab-b773-b9bb4b6eb674

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/277958/

Detection(s):

SecuriteInfo.com.Trojan.Win32.Raccrypt.GT.MTB.1425.9330.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Creating a window

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Sending a TCP request to an infection source

Stealing user critical data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/62a151328e867832d9e96f04/reports/b743cac3-26be-4226-adf8-b7ee1c320264/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/03464783-db92-4678-af26-7f5d95f160d5

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1009581

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/21e6bcb2f60daa0e97c0aa6cbe59125ab843fdd08a3ed29a7231fa460eab8f33/

Threat name:

Win32.Trojan.Raccrypt

Status:

Malicious

First seen:

2022-06-09 01:47:10 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 26 (88.46%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ehtlzmxwbwva5f6avjwl4wislk4eh7oqri7nfgtsgh5emdvlr4zq._file

Verdict:

malicious

RedLineStealer

43656b3aec1f1157f5f3bc34cad394d0653a74417a0203413066e57b39eb940c

RedLineStealer

5b27a94d4bc1f2d123666bcbab54f08c42d736953e9189e9ff917a256c8657a6

RedLineStealer

a05b12806135be357756f9bfed4e77836f44919a56351a2aa127ae8eecf54c1c

RedLineStealer

b180216a50259f6c1602343a6da48ccd1b9bc293e0d6ff4f1336fa212c482ce6

RedLineStealer

b7cea1f983cf8ed41120e2d4a17b7fe2ec6693d2d990172568cdbbd6b9fbd319

RedLineStealer

b9ba3633e6ae613c553bb7311affb973b5d3c5f41de5a9e5f1b048cb2cda8a34

RedLineStealer

bfd91a316ca48f2a35cf9551e66a1edc5755c4859a3f12a67080e9fbfa80bd9d

RedLineStealer

eb630c0e1afc2b423b0b70023546a85839bc97661ebd71ce3a73f1cae910420a

RedLineStealer

+ 5'895 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:unikalno discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220609-b7jewsahbj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

Malware Config

C2 Extraction:

193.233.48.58:43014

Unpacked files

SH256 hash:

881234eff8f61ae71692d59172a1bc26a40b3da7030046e909b63b619f8340ef

MD5 hash:

07d8fe705e2bccefb056669fc96a1654

SHA1 hash:

d02ba122d60465e8031ba5d1deb1d3075c2fceaa

Link:

https://www.unpac.me/results/71625ec3-6753-4b92-8143-0dfef0d5bd07/

SH256 hash:

0dcd5b4f630c623dc837ac76ab4b6d4eacd9806a6cc95a40299cd188f36b3125

MD5 hash:

be6a7f040bee006985e0a66ebca35f17

SHA1 hash:

a94e379f42d6f2720d3d91ecb79aae2c4b27e8f1

Link:

https://www.unpac.me/results/71625ec3-6753-4b92-8143-0dfef0d5bd07/

SH256 hash:

3368355655b5f5c91b265c66cd73f66091c08e656686102f7831384d89310380

MD5 hash:

ea686363d88e796528eceb716303e421

SHA1 hash:

3f6b344301188aacf37b75ec087862b5db8247b3

Link:

https://www.unpac.me/results/71625ec3-6753-4b92-8143-0dfef0d5bd07/

SH256 hash:

21e6bcb2f60daa0e97c0aa6cbe59125ab843fdd08a3ed29a7231fa460eab8f33

MD5 hash:

b00904869b4e9fabf0f42b8e03a9ad93

SHA1 hash:

4053e8447fbd1008d3a008c92a055c58389a3fb5

Link:

https://www.unpac.me/results/71625ec3-6753-4b92-8143-0dfef0d5bd07/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/21e6bcb2f60d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/21e6bcb2f60daa0e97c0aa6cbe59125ab843fdd08a3ed29a7231fa460eab8f33

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.