MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 22f273effad8f6667cf9b94548412ca4d5e3dbd7592caa8f6ade6d1b3caf2a5f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA File information Comments

SHA256 hash:	22f273effad8f6667cf9b94548412ca4d5e3dbd7592caa8f6ade6d1b3caf2a5f
SHA3-384 hash:	2a6688ee7086213b29ec07adafb9d358fca495cb34bb27338ce80a0e73154007c3ca6c6d45de231faf2d5b2f21b9d3e4
SHA1 hash:	0fd52fde96a755edd7e099cee8b4ccda41f694e1
MD5 hash:	41da3fa57ce91cf029b870b3385ea061
humanhash:	zebra-wisconsin-jig-ceiling
File name:	41da3fa57ce91cf029b870b3385ea061.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	310'784 bytes
First seen:	2021-07-24 17:01:26 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c53e08bb6beec713632928ff71fb4e4b (7 x RedLineStealer, 6 x RaccoonStealer)
ssdeep	6144:/Qrg5rm6cdqTaxz3A0pKL2bILyX83ilrFz:uW9cdMaxzQ0kCsyM3iL
Threatray	3'529 similar samples on MalwareBazaar
TLSH	T12064E1203261D877C4661A3248D7C7A16A6EBD209F6C5A073B912BFF6F322D1623E355
dhash icon	48b9b2b0e8c18890 (4 x RaccoonStealer, 2 x RedLineStealer, 1 x DanaBot)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
185.215.113.114:8887

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
185.215.113.114:8887	https://threatfox.abuse.ch/ioc/162768/

Intelligence

File Origin

# of uploads :

# of downloads :

139

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

41da3fa57ce91cf029b870b3385ea061.exe

Verdict:

Malicious activity

Analysis date:

2021-07-24 17:05:54 UTC

Tags:

trojan rat redline stealer

Link:

https://app.any.run/tasks/c447af59-92ce-43ec-ae69-9f9f557ad90d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/173920/

Detection(s):

Win.Malware.Generic-9880784-0

Win.Malware.Generic-9880785-0

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/58a93612-c3a8-4384-b253-b976bd75f83d

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/821271

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/22f273effad8f6667cf9b94548412ca4d5e3dbd7592caa8f6ade6d1b3caf2a5f/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2021-07-23 14:03:05 UTC

AV detection:

20 of 28 (71.43%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=elzhh3723d3gm7hzxfcuqqjmutk6hw6xlewkvd3k3zwrwpfpfjpq._file

Verdict:

malicious

RedLineStealer

1bef4dd24b236b62deb66c184aacc985628dac5b6d912685049e3acceffa32ec

RedLineStealer

1cb95cc404cfc980c36cb61f53709115b283a35512bf62c09a74d044ca3dbc04

RedLineStealer

39e17327da6e1191b0014ca3e79bf3448bf9062fda18e7c5206e3e07bc96c822

RedLineStealer

6153c614b6aaaddaf1afafcaf5d1499b4c8ce8706fe9b64599d06bca37b7ec7e

RedLineStealer

63952b7b3a1ce94989a33cea3e0eb561d313ba66ae6a018719c38f0edb65573c

RedLineStealer

68c8e3114032fdb5577193db4019aad0be090ecd48fae9b6d2a11e838289862e

RedLineStealer

873e0fcc2e0ebe7488c085d7001ce2cd05b8c4dbcb0e9d6f2d9642f73b5314ff

RedLineStealer

a4ba89389929db2c9baa52e9b858164dad161d53ba61a73712a2c3ba92b49ec5

RedLineStealer

b138c67994648f1784c8263e0af703662e2bd8e55d9d8a1189dcf243f2bff657

RedLineStealer

+ 3'519 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:sewpalpadin discovery infostealer spyware stealer

Link:

https://tria.ge/reports/210724-q15xnen2p6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

185.215.113.114:8887

Unpacked files

SH256 hash:

896327f3b8ffb0108da0ba4bb4177ecf34b2b537c70ba775f3b8d05f7337e480

MD5 hash:

9ef3832f3b00631ed09c7931e494e3e5

SHA1 hash:

bffc8ce4c382f443820d1d089db72c267090bb3d

Link:

https://www.unpac.me/results/62041976-1bc6-433a-b74a-84d4a55dbf28/

SH256 hash:

5a9bcd47b183892a42b3b68a53e442a93c0bb016fb94abbd8d42b6477e982194

MD5 hash:

9d700a739ff25fd446ab24994185abd7

SHA1 hash:

73eaeff4f6ec5d342f9c5ccf045eab616281d7d0

Link:

https://www.unpac.me/results/62041976-1bc6-433a-b74a-84d4a55dbf28/

SH256 hash:

98a398c51f219ad1ad34f1190a276355212cd4228797708ee2fae4c43b1186cf

MD5 hash:

8cf1348cb3c4ea66ef1664c23478b56c

SHA1 hash:

5e79ef8bfed82f2713b589c7cd24b2e241b2a16d

Link:

https://www.unpac.me/results/62041976-1bc6-433a-b74a-84d4a55dbf28/

SH256 hash:

22f273effad8f6667cf9b94548412ca4d5e3dbd7592caa8f6ade6d1b3caf2a5f

MD5 hash:

41da3fa57ce91cf029b870b3385ea061

SHA1 hash:

0fd52fde96a755edd7e099cee8b4ccda41f694e1

Link:

https://www.unpac.me/results/62041976-1bc6-433a-b74a-84d4a55dbf28/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/22f273effad8f6667cf9b94548412ca4d5e3dbd7592caa8f6ade6d1b3caf2a5f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/173920/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample