MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 21fc16bba4c04e5e4a5bbd520c81e90c4ee36cbde1a4a1edb9ad078cc25a9ac5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 21fc16bba4c04e5e4a5bbd520c81e90c4ee36cbde1a4a1edb9ad078cc25a9ac5
SHA3-384 hash: 191a9c5b5aa6671a62bc43db74d9036fc5bdaae7d84c02a26a446e7e12b4a03f6a5da34d76ebe2e8f5d843c012bd2490
SHA1 hash: a8012a2d4bfac0e96322c21f18cafd1aad4fdc63
MD5 hash: ad246b844816c184b3aa1a608c100991
humanhash: alpha-music-lake-hamper
File name:ad246b844816c184b3aa1a608c100991
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:572'416 bytes
First seen:2022-03-08 17:25:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 445554923421947cbff896012e27345a (301 x RedLineStealer, 11 x RaccoonStealer, 5 x CoinMiner)
ssdeep 12288:cK2ts9B5HQRpfdjhWUp4eQS03ULaHNqrxlKIQNoNcd/BlZk8g+:bwz5n4ekEaHNYK3Mcd5lg+
Threatray 1'600 similar samples on MalwareBazaar
TLSH T1CDC423E37749B12DC3062BF1E67C478F66C3932DEF88919852FD8AC2998C4E7D529064
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
177
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/248394/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Packed.Crypterx-9940707-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Creating a window
Reading critical registry keys
Creating a file
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62279abadfdfa8501c7b7007/reports/abe8a135-6a2f-4b23-9f10-c1015557baad/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5b752935-4447-4087-9864-85494de1a3dc
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/952917
Signature
Allocates memory in foreign processes
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/21fc16bba4c04e5e4a5bbd520c81e90c4ee36cbde1a4a1edb9ad078cc25a9ac5/
Threat name:
Win32.Trojan.Tiggre
Create hunting rule
Status:
Malicious
First seen:
2022-03-08 17:03:00 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
23 of 27 (85.19%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=eh6bno5eybhf4ss3xvjazapjbrhog3f54gskd3nzvudyzqs2tlcq._file
Verdict:
malicious
Similar samples:
016c36da3c46c38f9bc18970acf60b437503e15139fd1047f4b73cdad4d6342a
RedLineStealer
1bbee1727c791557b1119c32a93c58964414a1cce3dcc0601f92bb628e033a59
RedLineStealer
24dddac175ec0ecbe3a13040165f0438fca44502c216c96655cdff8f4bc0ddcb
RedLineStealer
5013372389580672743ad71d9ec522caa057a4f7863ae8fc460ebba005121fd8
RedLineStealer
51e9b8fc3cf6581560a4075eb9cc9923aadf3760de21d79639b93b74ff41aab7
RedLineStealer
58c71548ede50a7c277a21b9f38394c03c068a167d858dcbaf82a4f2d975e24c
RedLineStealer
859f29464c7c73a58398857a54e8ee692ef3a9a6209bf463ee5dcb8e344a723e
RedLineStealer
932fda59abbce6378d0637c359b61b0747c9602e2e87d3105bb49ad745ed382e
RedLineStealer
ab678d5de5678d684711044c60a9b3a706f08be433692f0960b132b8bee3a2d2
RedLineStealer
+ 1'590 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/220308-vzvmqshfe5/
Behaviour
Program crash
Unpacked files
SH256 hash:
aaa0de9e1be4467e0dde78f2663a2c13e6ca49669b8f83aab9836d9887b8d0a8
MD5 hash:
1100aaeea0d11a7aa1e17b955d0c53d4
SHA1 hash:
62baf4b02bf3a8f71f7da6a7bef6910567f23cd2
Link:
https://www.unpac.me/results/fde1bed7-532f-4606-b1dc-0fcf133c6dea/
SH256 hash:
17295cad7e7c12515685ee8494f708b1a8a994395526e383707a023df68df827
MD5 hash:
d65bb95c5ee86e5a3a9942b1fdb2d652
SHA1 hash:
b334a952393adb7860721cf72568ceb9bac7b56c
Link:
https://www.unpac.me/results/fde1bed7-532f-4606-b1dc-0fcf133c6dea/
SH256 hash:
21fc16bba4c04e5e4a5bbd520c81e90c4ee36cbde1a4a1edb9ad078cc25a9ac5
MD5 hash:
ad246b844816c184b3aa1a608c100991
SHA1 hash:
a8012a2d4bfac0e96322c21f18cafd1aad4fdc63
Link:
https://www.unpac.me/results/fde1bed7-532f-4606-b1dc-0fcf133c6dea/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/21fc16bba4c0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/21fc16bba4c04e5e4a5bbd520c81e90c4ee36cbde1a4a1edb9ad078cc25a9ac5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 21fc16bba4c04e5e4a5bbd520c81e90c4ee36cbde1a4a1edb9ad078cc25a9ac5

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2084455/
Cape
Cape
https://www.capesandbox.com/analysis/248394/

Comments


Avatar
zbet commented on 2022-03-08 17:25:36 UTC

url : hxxp://file-coin-coin-10.com/files/3911_1646728696_6008.exe