MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2216daf252b5f3b4b00238a097e0df2a57c20780dce0ff49b418e966d63b3059. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2216daf252b5f3b4b00238a097e0df2a57c20780dce0ff49b418e966d63b3059
SHA3-384 hash: f522d5c2afc7a4eb8d1d18b49c7518314b6fa47988c843ca3100dd8bc3a703cd41640f0d97e6964c67a4bba6422fe3be
SHA1 hash: 8968209599682737ca080ad3ad038962e54dc02b
MD5 hash: 95a6a36585b43d0a5d2a3b1666fb20c9
humanhash: romeo-oscar-neptune-oregon
File name:2216DAF252B5F3B4B00238A097E0DF2A57C20780DCE0F.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'056'472 bytes
First seen:2021-06-26 06:06:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a1a66d588dcf1394354ebf6ec400c223 (49 x RedLineStealer, 7 x CryptBot, 4 x AZORult)
ssdeep 24576:x1qUuV1EEAGpIiFUFbqFHeUGhNNs4A8BSMh/HkOnCcP0W:x1qUuNAG6FBqFH5GLGASMhjn7z
Threatray 209 similar samples on MalwareBazaar
TLSH 75250121FB9A01B6CFAE2D7094F5A755DBABAE4007015A87974C350EC92F2C4DBF9183
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
172.67.132.91:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
172.67.132.91:80 https://threatfox.abuse.ch/ioc/154050/

Intelligence

File Origin
# of uploads :
1
# of downloads :
147
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2216DAF252B5F3B4B00238A097E0DF2A57C20780DCE0F.exe
Verdict:
Malicious activity
Analysis date:
2021-06-26 06:08:36 UTC
Tags:
autoit trojan rat redline
Link:
https://app.any.run/tasks/cd99efbc-9d3a-4ce1-8d56-6843cee000be

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/168420/
Detection(s):
Win.Trojan.Generic-9874371-0
Create hunting rule

PUA.Win.Downloader.Driverpack-6998194-0
Create hunting rule

PUA.Win.Adware.Generic-7505646-0
Create hunting rule

PUA.Win.File.Generic-7557964-0
Create hunting rule

SecuriteInfo.com.Gen.Variant.Jacard.184087.14432.10100.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/39891932-282e-4b0b-b2d7-100140454fd2
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/808388
Signature
Contains functionality to register a low level keyboard hook
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Obfuscated command line found
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Submitted sample is a known malware sample
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 440799 Sample: 2216DAF252B5F3B4B00238A097E... Startdate: 26/06/2021 Architecture: WINDOWS Score: 100 47 asfowehogewopigh.live 2->47 59 Found malware configuration 2->59 61 Multi AV Scanner detection for submitted file 2->61 63 Yara detected RedLine Stealer 2->63 65 Found many strings related to Crypto-Wallets (likely being stolen) 2->65 11 2216DAF252B5F3B4B00238A097E0DF2A57C20780DCE0F.exe 7 2->11         started        signatures3 process4 signatures5 83 Contains functionality to register a low level keyboard hook 11->83 14 cmd.exe 1 11->14         started        17 makecab.exe 1 11->17         started        process6 signatures7 85 Submitted sample is a known malware sample 14->85 87 Obfuscated command line found 14->87 89 Uses ping.exe to sleep 14->89 91 Uses ping.exe to check the status of other devices and networks 14->91 19 cmd.exe 3 14->19         started        22 conhost.exe 14->22         started        24 conhost.exe 17->24         started        process8 signatures9 67 Obfuscated command line found 19->67 69 Uses ping.exe to sleep 19->69 26 Padrona.exe.com 19->26         started        28 PING.EXE 1 19->28         started        31 findstr.exe 1 19->31         started        process10 dnsIp11 34 Padrona.exe.com 1 26->34         started        55 127.0.0.1 unknown unknown 28->55 57 192.168.2.1 unknown unknown 28->57 45 C:\Users\user\AppData\...\Padrona.exe.com, Targa 31->45 dropped file12 process13 dnsIp14 49 XvaoPWnapaztbVBj.XvaoPWnapaztbVBj 34->49 43 C:\Users\user\AppData\Roaming\...\RegAsm.exe, PE32 34->43 dropped 71 Writes to foreign memory regions 34->71 73 Injects a PE file into a foreign processes 34->73 39 RegAsm.exe 15 22 34->39         started        file15 signatures16 process17 dnsIp18 51 asfowehogewopigh.live 104.21.4.186, 49730, 49733, 49734 CLOUDFLARENETUS United States 39->51 53 api.ip.sb 39->53 75 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 39->75 77 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 39->77 79 Tries to harvest and steal browser information (history, passwords, etc) 39->79 81 Tries to steal Crypto Currency Wallets 39->81 signatures19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2216daf252b5f3b4b00238a097e0df2a57c20780dce0ff49b418e966d63b3059/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-06-22 15:55:26 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eilnv4sswxz3jmachcqjpyg7fjl4eb4a3tqp6snudduwnvr3gbmq._file
Verdict:
malicious
Similar samples:
0868a2a7b5e276d3a4a40cdef994de934d33d62a689d7207a31fd57d012ef948
RedLineStealer
207be23ccd62d0e3d9aefe12f5c2ab142a42a25b1e246e27e0ae9087c2fe96d3
RedLineStealer
364bcd3b0a74ff15848f1e2c286922fb84ac88a85785e7821544b0539f4e1ff9
RedLineStealer
3f3ce1f91c8f439a2c903fa08544b08e21704a53c3ab260d3a0b8d3dea425020
RedLineStealer
49025966d2dd612fc1e423b01620debfd4c97701aefe26a836cea9e2f2d6ab47
RedLineStealer
6da762e6a282e959a607c046a3b33dd71baaf6c7fe5d49c97a8e2de2a60e4c5d
RedLineStealer
830c5c98b459bc47ddb319f2262cb248fb9999a6115182b199bb4421f0897051
RedLineStealer
83c713b4f6938fb03c8ddbbfd0830b90aa9dc33cc8309f8866396860e4b59243
RedLineStealer
90a286ac5b49100aeb8038af277dbabc3853e6fe5557c19d5a64885f015596b1
RedLineStealer
ff550d834cbad023b595e724c47cb9fe47ba66af9a22992a9ea89a686fcbb66a
RedLineStealer
+ 199 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:18.1 tunr2.1 discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210626-lrypp7k1cj/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
RedLine
RedLine Payload
Malware Config
C2 Extraction:
asfowehogewopigh.live:80
Unpacked files
SH256 hash:
73dbf88baeefeb9547b72b9bc828296edd488881c0148395a8fcc7c9bede1506
MD5 hash:
23ad0c02ca36426b39bbc5caef669d90
SHA1 hash:
b16557765de83307524d8e939a26f45bdb011884
Link:
https://www.unpac.me/results/5050a64a-16db-4c4f-9bb6-60f1e13367b2/
SH256 hash:
2216daf252b5f3b4b00238a097e0df2a57c20780dce0ff49b418e966d63b3059
MD5 hash:
95a6a36585b43d0a5d2a3b1666fb20c9
SHA1 hash:
8968209599682737ca080ad3ad038962e54dc02b
Link:
https://www.unpac.me/results/5050a64a-16db-4c4f-9bb6-60f1e13367b2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2216daf252b5f3b4b00238a097e0df2a57c20780dce0ff49b418e966d63b3059

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/168420/

Comments