MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 234e4cc68a33ec5f9b94a393c85bfc91d17e87bc911713f34e39342d29bf5607. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13

Intelligence 13 IOCs 1 YARA 1 File information Comments

SHA256 hash:	234e4cc68a33ec5f9b94a393c85bfc91d17e87bc911713f34e39342d29bf5607
SHA3-384 hash:	620c1f5f6e9cb8bdffd1dcd934d2e9fbcc368d2105b7ee27b9948babe45104e64f29b8cc33215a2f18ac33a9e738a167
SHA1 hash:	17033da6178337e20c4354b09f272fc49b32e761
MD5 hash:	3054fb0ce445d3b5f110d8cc459c82d5
humanhash:	victor-september-west-oven
File name:	234e4cc68a33ec5f9b94a393c85bfc91d17e87bc91171.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	453'632 bytes
First seen:	2022-01-26 12:55:41 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	afd7576f854d2aadccbaf37a01b18fbf (3 x RedLineStealer)
ssdeep	12288:VMvKOBj7KlGWycROJAGCuaG/9UECiXGgY3B:GNkAWyc4JLT9C9
Threatray	4'428 similar samples on MalwareBazaar
TLSH	T10EA4BF00BAA1C435F5B752F8167A93BCA53E7AE1672450CB63D52AEE57346E0EC3130B
File icon (PE):
dhash icon	25ec1378319b9b91 (14 x RedLineStealer, 14 x Smoke Loader, 3 x RaccoonStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
185.215.113.29:20819

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
185.215.113.29:20819	https://threatfox.abuse.ch/ioc/334657/

Intelligence

File Origin

# of uploads :

# of downloads :

160

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

234e4cc68a33ec5f9b94a393c85bfc91d17e87bc91171.exe

Verdict:

Malicious activity

Analysis date:

2022-01-26 13:04:03 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/353c3b17-1024-4a1d-9b1d-74902650cd3f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/223221/

Detection(s):

Win.Dropper.Mikey-9917324-0

Win.Packed.Tofsee-9937387-1

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Using the Windows Management Instrumentation requests

Creating a window

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Sending a TCP request to an infection source

Stealing user critical data

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/5198/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

EvasionQueryPerformanceCounter

EvasionGetTickCount

CheckCmdLine

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/61f144e6d73ca9d4648d4591/reports/3d257022-cbe5-4424-9114-bf6e77608ca6/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1507f689-053e-4c23-a5e1-6d4a254809d6

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/928572

Signature

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/234e4cc68a33ec5f9b94a393c85bfc91d17e87bc911713f34e39342d29bf5607/

Threat name:

Win32.Trojan.Raccoon

Status:

Malicious

First seen:

2022-01-26 12:56:17 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 28 (75.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=enhezrukgpwf7g4uuoj4qw74shix5b54selrh42ohe2c2kn7kydq._file

Verdict:

malicious

RedLineStealer

20dc6e65625512bceeed56e1754a96608ad8eb6e5648ec995a2a6fe6c2f6689f

RedLineStealer

2eecd263f2ccf106ab5ad42ed0bb8c981f9067a1273cc3186cb731aac8fbb702

RedLineStealer

6104f2b4049168fea236bb6a5b9a5194b878b61f87336eafb0fe5a5fab93144b

RedLineStealer

7d8de08a564f08ee20d746a2c445245b75247e772248073431fc30d16a4b9b14

RedLineStealer

819c9d8c88fc1ffbfeae1797646f7b90f930fef4dae513fe8e43fad3bf475bf0

RedLineStealer

da551b8982f8cb67c55108b405be9ca5e5deb1f2f716adc85d0260d37e74373a

RedLineStealer

+ 4'418 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:sewpalpadin discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220126-p6cslsdda4/

Behaviour

Suspicious use of AdjustPrivilegeToken

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

185.215.113.29:20819

Unpacked files

SH256 hash:

e202c11d527f5d89f97dded104fd276a484b40ae19ab5af32c0539fcefa0d4f5

MD5 hash:

72b793292146793718feee9519111164

SHA1 hash:

ee14d4b283eb63ad305182c5ebbe06bffbf77b21

Link:

https://www.unpac.me/results/2d32c346-ba75-4efb-b5f6-9ca0b028ff74/

SH256 hash:

859ebd7a7e8f8f3f45d94416074fd24b20933c8537f5ebc5e451f89096c41f9e

MD5 hash:

b0bde6717c5ca23c517fc392bd550af5

SHA1 hash:

8da77b12caabd1ad230d2ede9413e52e616e975b

Link:

https://www.unpac.me/results/2d32c346-ba75-4efb-b5f6-9ca0b028ff74/

SH256 hash:

bd1603b229dd4f2ebae6d60528b5ddfd8c153ee45fc6f24de225150728cfffe4

MD5 hash:

c7da4857025812b8ae4ef9e241cc0f00

SHA1 hash:

6e5e378f1eaf5677aa4d096a43cc84c08b368202

Link:

https://www.unpac.me/results/2d32c346-ba75-4efb-b5f6-9ca0b028ff74/

SH256 hash:

234e4cc68a33ec5f9b94a393c85bfc91d17e87bc911713f34e39342d29bf5607

MD5 hash:

3054fb0ce445d3b5f110d8cc459c82d5

SHA1 hash:

17033da6178337e20c4354b09f272fc49b32e761

Link:

https://www.unpac.me/results/2d32c346-ba75-4efb-b5f6-9ca0b028ff74/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/234e4cc68a33ec5f9b94a393c85bfc91d17e87bc911713f34e39342d29bf5607

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/223221/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample