MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 239765eab4f95dcf54a2bec368302599784b9f82fa192b79cb0726c53496f644. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12

Intelligence 12 IOCs 1 YARA 1 File information Comments

SHA256 hash:	239765eab4f95dcf54a2bec368302599784b9f82fa192b79cb0726c53496f644
SHA3-384 hash:	2c2400db5b072e7465a2042526875eaed75dfaf983facdcfa1119b423a2ac43dfa2e702b849eacc3d4ceb370e3f228d8
SHA1 hash:	b8048b7c27934d7cf290cf759f74ef3829e97375
MD5 hash:	1903d35ebd74a48955d4576c1710c613
humanhash:	two-kansas-november-enemy
File name:	239765eab4f95dcf54a2bec368302599784b9f82fa192.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	407'089 bytes
First seen:	2021-12-18 17:46:28 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	fffb3573e6a31c80ef6af28a69351bf5 (3 x RedLineStealer, 1 x DCRat)
ssdeep	6144:ibsXkAifDileIs174iSmL+w9gAV38Mv/k+8KEF9qxBZZaD2xRza:8VDile5X6AV38W/k+xzbZZIs
Threatray	4'090 similar samples on MalwareBazaar
TLSH	T16A84CF00BBE0D035F5B762F44D7693ADA53E7AA16B34A4CB22C026DA57746E0EC7134B
File icon (PE):
dhash icon	b430f0ccc8f1c9cc (3 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
45.9.20.240:46257

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
45.9.20.240:46257	https://threatfox.abuse.ch/ioc/277335/

Intelligence

File Origin

# of uploads :

# of downloads :

249

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending a custom TCP request

Creating a window

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Stealing user critical data

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/2531/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

EvasionQueryPerformanceCounter

CheckCmdLine

EvasionGetTickCount

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware overlay packed

Link:

https://www.filescan.io/uploads/61be1e98ec6c6c14a9e0738b/reports/3440b24d-681d-4742-a738-d3ef09099dd4/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/402511a2-d560-4363-82dd-1943e305d16f

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/909630

Signature

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/239765eab4f95dcf54a2bec368302599784b9f82fa192b79cb0726c53496f644/

Threat name:

Win32.Trojan.RedLineStealer

Status:

Malicious

First seen:

2021-12-18 17:47:09 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

26 of 28 (92.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=eolwl2vu7fo46vfcx3bwqmbftf4exh4c7imsw6ola4tmknew6zca._file

Verdict:

malicious

RedLineStealer

1ddf8e4908e590308dd662cba6ded6bc0edebae1ec9346d2264ec65c420f0449

RedLineStealer

266cc5a5ade7be8cc2fc1de535a1d0368de56696e1c38cc3b5266f6f9f5d582d

RedLineStealer

3a5ee0f38713dc6892d62fc71b443cd939f49a8e8d43b3f541cc78c2d06ce1df

RedLineStealer

3d8c5dc7efc47cdd8128124d09ff1316bf60f4d600b8e7ffa793de9fcd32faf3

RedLineStealer

5ab52cd3ead357359cb259a22121ae7d7cde20c5a830617a45329852ef356348

RedLineStealer

71445cf788e1e48e285c1d485d2f6f6b0f7ba3594afa0967dad16908479639a6

RedLineStealer

d1d8da32bdcfda6a1d10722c39f8db40ef41008f81f6fe5a2dd144f2a3186838

RedLineStealer

d73125d9410206b309952ace95e02552e36cf21df1875f5685eb5ac2b84db10a

RedLineStealer

e5043b4437aa7b89b36d2af4ddb628c4f7321e6d3a442c985536a9c168fc0b90

RedLineStealer

+ 4'080 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:170 discovery infostealer spyware stealer

Link:

https://tria.ge/reports/211218-wcvjwsgcfl/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine Payload

Malware Config

C2 Extraction:

45.9.20.240:46257

Unpacked files

SH256 hash:

eeca0dad743736c8a15151b3185e1a4fcd368fde8336d33e9c4b2371fe7efbde

MD5 hash:

9aeb7624a3e9dfe978992a04d786535b

SHA1 hash:

7ada1dc5fc79cfaed7de873e4fd913747fe53184

Link:

https://www.unpac.me/results/934d42f2-fae6-4443-a41a-42c0dc8ca7b6/

SH256 hash:

e7f171237b013f4d91d87d2d50426c8ba911459f7269b4d4f57919748a738c45

MD5 hash:

796975467239e47382d2b30ffc745a7e

SHA1 hash:

4a94d275702f796f502f9f2830c6dc5e4e261e12

Link:

https://www.unpac.me/results/934d42f2-fae6-4443-a41a-42c0dc8ca7b6/

SH256 hash:

bead33b1c8ba6580506505fe7c4e0c01ab9d63fba5cbcee44c6409c08c2c5a59

MD5 hash:

3554fad347ec20642834c2f134c3c11b

SHA1 hash:

13ca25f2935c4dc59ccbfb1dc8141f92deee8194

Link:

https://www.unpac.me/results/934d42f2-fae6-4443-a41a-42c0dc8ca7b6/

SH256 hash:

239765eab4f95dcf54a2bec368302599784b9f82fa192b79cb0726c53496f644

MD5 hash:

1903d35ebd74a48955d4576c1710c613

SHA1 hash:

b8048b7c27934d7cf290cf759f74ef3829e97375

Link:

https://www.unpac.me/results/934d42f2-fae6-4443-a41a-42c0dc8ca7b6/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/239765eab4f9/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/239765eab4f95dcf54a2bec368302599784b9f82fa192b79cb0726c53496f644

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/215039/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample