MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 229fcb6c30f937c97ee433a5402400f7b83cf1bb79388567c23ef561c19b8652. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 229fcb6c30f937c97ee433a5402400f7b83cf1bb79388567c23ef561c19b8652
SHA3-384 hash: 94c6fcc5350fa4418602bf2580f21e6d0c118dfd5329eabe30c386945109405c22c810b018e666ddfbe1910237a86b40
SHA1 hash: 346d0904e86d554f4d635a0cf5d09405b1a9ab50
MD5 hash: 520038ec0dad178989f17557ba400216
humanhash: crazy-november-july-undress
File name:520038ec0dad178989f17557ba400216.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:352'768 bytes
First seen:2021-09-05 21:17:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b2c249fef864036a8cc857592c5ce556 (5 x RaccoonStealer, 2 x CoinMiner, 1 x RedLineStealer)
ssdeep 6144:PaG/A14jfyRe8O0jRFnm6QNpDauBsj9qkReWBfO:SG/AejfyrO0vKDkj8P0f
Threatray 1'910 similar samples on MalwareBazaar
TLSH T1D974CE5A7E50E873C5B2C2347025C7B5DE3DBC662E60824B7328EB5AAD603D05E6F352
dhash icon b27e7c7d727e6e76 (10 x RaccoonStealer, 5 x RedLineStealer, 5 x Stop)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
173
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
520038ec0dad178989f17557ba400216.exe
Verdict:
Malicious activity
Analysis date:
2021-09-05 21:18:09 UTC
Tags:
installer trojan rat redline stealer
Link:
https://app.any.run/tasks/cb76ca1e-7345-493a-b498-3d210d21eb35

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/185474/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen3.2835.10805.5345.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Connecting to a non-recommended domain
Connection attempt
Sending a custom TCP request
DNS request
Creating a window
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Sending a UDP request
Creating a file
Stealing user critical data
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/284a664d-bfb4-4ea3-ace6-118c0bb53c85
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/845611
Signature
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/229fcb6c30f937c97ee433a5402400f7b83cf1bb79388567c23ef561c19b8652/
Threat name:
Win32.Trojan.Zenpak
Create hunting rule
Status:
Malicious
First seen:
2021-09-05 09:58:45 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ekp4w3bq7e34s7xegosuajaa664dz4n3pe4ikz6ch32wdqm3qzja._file
Verdict:
malicious
Similar samples:
069834c0109d17508121653ab6d19d1a00bd6e0fb27e2248b0da94dffd517cb4
RedLineStealer
4468428f16aeb36c8c1a53f40c68806473201d37d94b6ac8f1c0d324d1e17006
RedLineStealer
5b92a06e1a204842d4464554a88c12b02b1de728c22e6509e87ea59d1a2ae8eb
RedLineStealer
5d7e056cab62d45da796272f782b92fdba8c38827e678fa1273c0ccb71aa6d83
RedLineStealer
cc1b3e18520c1f5ae7040cbfd2d74c9d3e5c3c47aa01d44d1037fffcbff96564
RedLineStealer
e463abd6719107c76861a49c45e46f7183f0038264f2e31f328bf4eb3554c8a5
RedLineStealer
e8bdf4c9cc244c3fb0429bf936988196560ae9374b36974bcb8be94b0df69777
RedLineStealer
+ 1'900 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:cashservice-222 discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210905-z5marschgj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
185.215.113.119:15548
Unpacked files
SH256 hash:
dcadf330e029a59730b03585989159636978aeb21811d8b7daf16b0ad5517657
MD5 hash:
2a9d2028eaa956a02fca75aa8b6d15ed
SHA1 hash:
d288019e03f02e5b0a490c736b0caee64de9f9a6
Link:
https://www.unpac.me/results/eccba62b-49b9-435a-8936-45d4066409cf/
SH256 hash:
010e053af75b16e4c6458593cf578e5a8e6aab9e15cf2632d9f539a0f747c5e2
MD5 hash:
d3f3fc93c827e2bc2fa38c3c959515ae
SHA1 hash:
45cc372e5d3eab0abefdada779e1c02d9cdd19d7
Link:
https://www.unpac.me/results/eccba62b-49b9-435a-8936-45d4066409cf/
SH256 hash:
e0aa91503b51562fa8935526c7d5166b94d7b65e14da4c778701e7866e863230
MD5 hash:
1e4babbdcfd6b3529696e113ca0ca8d2
SHA1 hash:
134986aa7427c570ea3e816d86c8569a363ddaf4
Link:
https://www.unpac.me/results/eccba62b-49b9-435a-8936-45d4066409cf/
SH256 hash:
229fcb6c30f937c97ee433a5402400f7b83cf1bb79388567c23ef561c19b8652
MD5 hash:
520038ec0dad178989f17557ba400216
SHA1 hash:
346d0904e86d554f4d635a0cf5d09405b1a9ab50
Link:
https://www.unpac.me/results/eccba62b-49b9-435a-8936-45d4066409cf/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/229fcb6c30f937c97ee433a5402400f7b83cf1bb79388567c23ef561c19b8652

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 229fcb6c30f937c97ee433a5402400f7b83cf1bb79388567c23ef561c19b8652

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1591434/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/185474/

Comments