MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 22a3ae3ca57de176b84b525bcdd4f73b212684958f9d525cfd7e44f95f5d2dd7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs 1 YARA 5 File information Comments

SHA256 hash:	22a3ae3ca57de176b84b525bcdd4f73b212684958f9d525cfd7e44f95f5d2dd7
SHA3-384 hash:	74df72f8532f307a5a5a5aca7c50d4bf26ff782412a085322583219941b95d28c4ed1299b0385f50ad0c3e4c1ed4341d
SHA1 hash:	947a32a5b697b9c7e95156f60d5942b4113c6e39
MD5 hash:	9757b4680a2fd71aba63470146a00e53
humanhash:	helium-dakota-artist-single
File name:	22a3ae3ca57de176b84b525bcdd4f73b212684958f9d5.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	27'064 bytes
First seen:	2021-11-21 15:15:52 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	384:GP3pFITfs5QOjX0aoBz8Zqh7yiNbj5L93KURVLhqbKnvgj6Lgcg9LEgvgQgvGB+p:wF4O70XBpfvOcIb018xh2
Threatray	2'308 similar samples on MalwareBazaar
TLSH	T1AFC25C9993544733F96D8BB664F0100087B5AB032466FE2FACD850C99D87B4C53A2FBB
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
95.217.123.66:23117

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
95.217.123.66:23117	https://threatfox.abuse.ch/ioc/251762/

Intelligence

File Origin

# of uploads :

# of downloads :

116

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

22a3ae3ca57de176b84b525bcdd4f73b212684958f9d5.exe

Verdict:

Malicious activity

Analysis date:

2021-11-21 15:27:49 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/a50d0800-c759-491e-ac7b-ab655da4e092

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Gathering data

Detection(s):

SecuriteInfo.com.W32.MSIL_Kryptik.CKI.genEldorado.1100.22641.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Adding an access-denied ACE

Unauthorized injection to a recently created process

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Creating a window

Searching for the window

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Sending a TCP request to an infection source

Stealing user critical data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

overlay packed packed

Link:

https://www.filescan.io/uploads/619a62b7398e2553d2ffdad0/reports/840399f0-c789-4062-9755-912c1a9eb878/overview

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/318f3d40-72b2-4197-8579-326c8b8125d2

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/893311

Signature

Contains functionality to hide a thread from the debugger

Found malware configuration

Hides threads from debuggers

Injects a PE file into a foreign processes

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/22a3ae3ca57de176b84b525bcdd4f73b212684958f9d525cfd7e44f95f5d2dd7/

Threat name:

ByteCode-MSIL.Trojan.Generic

Status:

Suspicious

First seen:

2021-11-21 15:16:06 UTC

AV detection:

16 of 28 (57.14%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ekr24pffpxqxnoclkjn43vhxhmqsnbevr6ovexh5pzcpsx25fxlq._file

Verdict:

malicious

RedLineStealer

50d77a8a5e5ced0e79891d026a9329744a23b75e80359e4a2b23bab1eaa95188

RedLineStealer

5285ffebc00e0e75efcb1944329d1708d658eb5b4e5928d191323d933a3673e4

RedLineStealer

876caa967b75b4fe3a6931efb20c41be49891bab4daf6c869dd41fe892574f06

RedLineStealer

8ec387e2f939562019e489bedf349bb3807713a0168021ec2505aa7d392b04d4

RedLineStealer

a3e0d1640ad8b3cd669fb283acbda05f77280144414de6b88dae5009c55b5872

RedLineStealer

+ 2'298 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:@xweloff_lzt discovery infostealer spyware stealer

Link:

https://tria.ge/reports/211121-snf9vseafm/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

95.217.123.66:23117

Unpacked files

SH256 hash:

22a3ae3ca57de176b84b525bcdd4f73b212684958f9d525cfd7e44f95f5d2dd7

MD5 hash:

9757b4680a2fd71aba63470146a00e53

SHA1 hash:

947a32a5b697b9c7e95156f60d5942b4113c6e39

Link:

https://www.unpac.me/results/8430c28b-ecd2-4159-97fb-090a7a9cf72a/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/22a3ae3ca57d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/22a3ae3ca57de176b84b525bcdd4f73b212684958f9d525cfd7e44f95f5d2dd7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DiscordURL Create hunting rule
Author:	ditekSHen
Description:	Detects executables Discord URL observed in first stage droppers

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_PE_Discord_Attachment_Oct21_1 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)
Reference:	Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/207897/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample