MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 22a58e79e643f6f422a1394de4fe4e78d2638370815eb23ecae037b99693926a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 22a58e79e643f6f422a1394de4fe4e78d2638370815eb23ecae037b99693926a
SHA3-384 hash: 7a3c06a8f62405493eec7aab4e43a41a4788137f1a03189b80268613c7a3f62364cc9e1fcec76ebee661e9ae48e68610
SHA1 hash: 616f4aecf818966f8d313d5bfe0040183da9b071
MD5 hash: 7faa48481e048fe66ea85d9343a394e0
humanhash: sweet-tennessee-bakerloo-happy
File name:7faa48481e048fe66ea85d9343a394e0.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:404'480 bytes
First seen:2022-01-20 06:36:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 125adc129c50285a2cd4524417d3fdd8 (11 x RedLineStealer, 2 x Smoke Loader, 2 x ArkeiStealer)
ssdeep 12288:JEqV2YbyqMPX6ZxQ35mKsSOZfVjOghpiG:JEvYbjLBhiG
Threatray 4'322 similar samples on MalwareBazaar
TLSH T17684F13D79D0D031C4826930486ADFA05A7DEC7518692B8373A83B6EBF36781663635F
File icon (PE):PE icon
dhash icon fcfcb4b4b494d9c1 (74 x Amadey, 56 x Smoke Loader, 38 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
45.9.20.111:1355

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
45.9.20.111:1355 https://threatfox.abuse.ch/ioc/303028/

Intelligence

File Origin
# of uploads :
1
# of downloads :
172
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/220867/
Detection(s):
Win.Malware.Generic-9936948-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/4829/overview
Behaviour
MalwareBazaar
CPUID_Instruction
MeasuringTime
SystemUptime
EvasionQueryPerformanceCounter
CheckCmdLine
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/61e90322f81da814af91b577/reports/b6aceb57-18ce-4db0-9baf-5b65dd2b95e7/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f84173aa-3b70-475a-b45b-df95b7652fa2
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/924011
Signature
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/22a58e79e643f6f422a1394de4fe4e78d2638370815eb23ecae037b99693926a/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2022-01-20 04:35:46 UTC
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=eksy46pgip3piivbhfg6j7sopdjgha3qqfplepwk4a33tfutsjva._file
Verdict:
malicious
Similar samples:
014d9e246efaad3a91e21a36303842275f2b767245e3989143a75995babb653e
RedLineStealer
02a1be5f6bac2f03f8dc06a3b94f346ab67f18b70703b80d91ca47478f6d8c5f
RedLineStealer
0abb7a8a9e8ae8584f07303c705ae630899b394028e092b72594b3158b4cdc56
RedLineStealer
0e08cc4751863c2150282dae704864e2b80feb930314ee9b3db331ec8fc4043b
RedLineStealer
2e6a515f6f0f4c6afeee0504513de753828975c0a0ee4630ccd4474f0ca8e002
RedLineStealer
4bcc6de7810aa681f8b770e9b3e7ce2aeace7d59165ba534d34e70f12ecec70f
RedLineStealer
5169eb4aac96b3333dcf7c0eb628a340f6997c65c54e8728a0f6c8501ae6742f
RedLineStealer
a981e21aac19c98e126737f1ffeb2e4040cca00f393d4c3a9b705baf9df00986
RedLineStealer
c616122ddb20e0572157aad9871b38b1e395187e9a3d6127d2dd17371194527f
RedLineStealer
+ 4'312 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery persistence spyware stealer
Link:
https://tria.ge/reports/220120-hdgsjagdh7/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Checks installed software on the system
Reads user/profile data of web browsers
Sets service image path in registry
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
772d46367b04b4b033c7829ae1c2db68b6333c32db053ad5e67eb4183a6fb588
MD5 hash:
0902916958b5fc98b781fd451e149077
SHA1 hash:
fc4bf667733d955b2fb7c930ea887ad67dffdd61
Link:
https://www.unpac.me/results/1922e771-a4ac-412a-b384-83c7a2962317/
SH256 hash:
ccf2a17a23a01fe16ea37413010d2d845aac780c9fb534491ef177c0d67016dc
MD5 hash:
4ed3c840e3f554f5f6c0ac741f4e02b4
SHA1 hash:
b775d1fa3fc54de998025bedd9e24d6f76bd5164
Link:
https://www.unpac.me/results/1922e771-a4ac-412a-b384-83c7a2962317/
SH256 hash:
6f1b3f902f153ac2c41b58cd2faed0698993cf6c38b726e8a3112ecde80c7a68
MD5 hash:
afb109167a037d3bc519538a433f4f6b
SHA1 hash:
51a10bbff21cc9e47535368a77032fa31a09e0f1
Link:
https://www.unpac.me/results/1922e771-a4ac-412a-b384-83c7a2962317/
SH256 hash:
22a58e79e643f6f422a1394de4fe4e78d2638370815eb23ecae037b99693926a
MD5 hash:
7faa48481e048fe66ea85d9343a394e0
SHA1 hash:
616f4aecf818966f8d313d5bfe0040183da9b071
Link:
https://www.unpac.me/results/1922e771-a4ac-412a-b384-83c7a2962317/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/22a58e79e643/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/22a58e79e643f6f422a1394de4fe4e78d2638370815eb23ecae037b99693926a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 22a58e79e643f6f422a1394de4fe4e78d2638370815eb23ecae037b99693926a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1978543/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/220867/

Comments