MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 238999398161690f28d4e97cf0c0f7673fc5e9ad64397fbdf4e7f4e888d87958. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 13

Intelligence 13 IOCs 1 YARA 1 File information Comments

SHA256 hash:	238999398161690f28d4e97cf0c0f7673fc5e9ad64397fbdf4e7f4e888d87958
SHA3-384 hash:	4ab5b71e7622019a3b9b0bb790545c75e46a6701dfd6a6b39901dd3e44290073273528f5d403e7d46fc44d16d7ffa1c4
SHA1 hash:	b6ef7c58833fbbbc17bdd9b2e2ed301a30bdb084
MD5 hash:	cbd082d48e8cbfa9d5b27644a1379e0d
humanhash:	mirror-sixteen-carolina-low
File name:	cbd082d48e8cbfa9d5b27644a1379e0d.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	375'296 bytes
First seen:	2022-03-02 02:06:39 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	eabb194c814da30562c2ce7e427fcafb (2 x RedLineStealer, 1 x Tofsee)
ssdeep	6144:MgP7I2lSXMJoyOrvCVTncHZgvL5z7ITsqwoeR:tP1Ptpc5gh7
TLSH	T19984F1C27790C173C83575318766CFF14A7EB9A0D660098B3BB86A5D5E343E1A7B930A
File icon (PE):
dhash icon	c01edecea6ac8ccc (78 x RedLineStealer, 43 x Smoke Loader, 13 x Stop)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
45.9.20.40:43503

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
45.9.20.40:43503	https://threatfox.abuse.ch/ioc/391695/

Intelligence

File Origin

# of uploads :

# of downloads :

233

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

238999398161690f28d4e97cf0c0f7673fc5e9ad64397fbdf4e7f4e888d87958.zip

Verdict:

Malicious activity

Analysis date:

2022-03-02 02:20:15 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/9c121116-db79-4a13-b8a3-ae3a01c9032e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/246089/

Detection(s):

Win.Malware.Filerepmalware-9940328-0

Win.Packed.Generic-9940373-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Using the Windows Management Instrumentation requests

Creating a window

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Stealing user critical data

Sending a TCP request to an infection source

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/7818/overview

Behaviour

MeasuringTime

SystemUptime

CheckCmdLine

EvasionGetTickCount

EvasionQueryPerformanceCounter

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware hlux mikey

Link:

https://www.filescan.io/uploads/621ed14adfdfa8501c747bd1/reports/516cc59d-f644-4b8f-83b1-dd6ad7b2bc18/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d7a690dc-50db-48c7-8b53-66e6b003bee9

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/948774

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/238999398161690f28d4e97cf0c0f7673fc5e9ad64397fbdf4e7f4e888d87958/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2022-02-27 09:58:43 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

26 of 28 (92.86%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=eoezsombmfuq6kgu5f6pbqhxm474l2nnmq4x7ppu472orcgypfma._file

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:proxypub discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220302-cj1jyaccd4/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Drops file in Windows directory

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Suspicious use of NtCreateProcessExOtherParentProcess

Malware Config

C2 Extraction:

45.9.20.40:43503

Unpacked files

SH256 hash:

ec802f048d2d7a82ae323e0c3c1493e98afdba824a7be8a3637f49d101d29a8e

MD5 hash:

3dedf8ef03257a3fe22407a3f0b62a3c

SHA1 hash:

ac3aa0e11ccf8ff911a7ef5aaa73136e2d45e815

Link:

https://www.unpac.me/results/f4b3d549-57f1-4d6b-8122-849f5e5348d5/

SH256 hash:

977613085918b7951b1b3ef8677368b7ec71b8b247ef61be65a1116ef8f422c5

MD5 hash:

ff797a8a0eb9b12fd603e952769e4391

SHA1 hash:

5de4a4fcb772e96a980361596a1b24f2474d8969

Link:

https://www.unpac.me/results/f4b3d549-57f1-4d6b-8122-849f5e5348d5/

SH256 hash:

3e2332ab75f2eb71d4bc9524ea523aad429d00badc33ccb9966000da8ac18932

MD5 hash:

0d49cbb7cb677042b24d220f21e9a65e

SHA1 hash:

250b9eef106fe50043abd7f029652944e82cb018

Link:

https://www.unpac.me/results/f4b3d549-57f1-4d6b-8122-849f5e5348d5/

SH256 hash:

238999398161690f28d4e97cf0c0f7673fc5e9ad64397fbdf4e7f4e888d87958

MD5 hash:

cbd082d48e8cbfa9d5b27644a1379e0d

SHA1 hash:

b6ef7c58833fbbbc17bdd9b2e2ed301a30bdb084

Link:

https://www.unpac.me/results/f4b3d549-57f1-4d6b-8122-849f5e5348d5/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/238999398161690f28d4e97cf0c0f7673fc5e9ad64397fbdf4e7f4e888d87958

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/246089/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample