MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 24ad0dc8467cc51c81137bc9c534111a8bc7dfbb8cde9c649006d8ff80452e84. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 24ad0dc8467cc51c81137bc9c534111a8bc7dfbb8cde9c649006d8ff80452e84
SHA3-384 hash: 33f3338f8e97863d37cea4401666c4e8ab73e0e9557f0db4cc36d0f3bfce8066d46d9da43cf4129c7a7b031d021336b0
SHA1 hash: a0825d55cf77c78cdb0920fcca9f759e620ed9db
MD5 hash: 711fd5523133f8e810752612b8e36440
humanhash: pip-ten-mango-thirteen
File name:711fd5523133f8e810752612b8e36440
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:3'631'104 bytes
First seen:2022-01-22 06:05:10 UTC
Last seen:2022-01-22 07:46:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c284fa365c4442728ac859c0f9ed4dc5 (94 x RedLineStealer, 10 x RaccoonStealer, 8 x CoinMiner)
ssdeep 49152:bMs6Ab1k0qg9A18tglhqJuSwyPTq7I9JLbphGmvy3gqeTuLqz/0LDEQso1NSvEMW:bMs/kk9A18tgqJuS7R9xvkewQ0LLbAdw
Threatray 863 similar samples on MalwareBazaar
TLSH T1E4F533A753FA69A7D5C0A2391560573430DD5C48AA6E98D16AB3C2BBB7B1106FC0C3F8
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
294
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
711fd5523133f8e810752612b8e36440
Verdict:
Malicious activity
Analysis date:
2022-01-22 06:28:19 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/a19d6681-97f6-4504-86a6-77f50e33584a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/221592/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
DNS request
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Сreating synchronization primitives
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Running batch commands
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
packed
Link:
https://www.filescan.io/uploads/61eb9ecdd32385db6319aabd/reports/7e2dc391-9b53-4e0f-83b7-27bc348aced2/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d17dd88d-1868-44f3-994c-a4c08ad54056
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/925573
Signature
Allocates memory in foreign processes
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/24ad0dc8467cc51c81137bc9c534111a8bc7dfbb8cde9c649006d8ff80452e84/
Threat name:
Win32.Adware.RedCap
Create hunting rule
Status:
Malicious
First seen:
2022-01-21 11:11:33 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
20 of 28 (71.43%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eswq3scgptcrzaitppe4knardkf4px53rtpjyzeqa3mp7acff2ca._file
Verdict:
malicious
Similar samples:
17be6c33020601127b2ac2e87be0dadb64c7af911d38ba70bf4d86d595ca4759
RedLineStealer
2cd29b8b5c71f0f7df5dd0bcedbb134977d9c6269861dddd65db1db203194c08
RedLineStealer
3d812b2e320667c27f17889ab1ce9710ee126c1e0866a698c0aea3b3c1567a4a
RedLineStealer
44e612077d6910fcd7524c6c87029aff62842eef075f0d6061cf4b84a677df30
RedLineStealer
65823cf321b291cbf0dce215271b8deaa12b92f65a0c3709b137ccf8f96f43ac
RedLineStealer
87b1b6c23161d93aed2729e2fce32dc577793341e4755cdeaac41f8c50b76a56
RedLineStealer
b4a3cafc8553c06b17131e6b3afb38971312a4d91ae3349d2d118bdfc3d8de94
RedLineStealer
cc023c690dd6423feb4187fe06693e15d46698b208568d6ce5a387bfcd893401
RedLineStealer
+ 853 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/220122-gtrf8shhc5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Unpacked files
SH256 hash:
1accf8a037ebdfc82fede8d829119baa441932e04b84ad1e40d6a480d77ab808
MD5 hash:
dfa959a0eb1c0aecebb83aee2c4f8b24
SHA1 hash:
70a41cf43e0e8e4d3e3188cd06be548bf5fa46a2
Link:
https://www.unpac.me/results/5cf14d8e-b05f-4c8b-a54e-e0169f71fc8e/
SH256 hash:
65acb6e039073279de7973151aeb4bba0ff95c08b7945a1ad211cec07f8f25ab
MD5 hash:
8be434bc066ab96401b4c8a39a2211d7
SHA1 hash:
da5369e61a94d2be6f4cecaa4c46615ce563a4b9
Link:
https://www.unpac.me/results/5cf14d8e-b05f-4c8b-a54e-e0169f71fc8e/
SH256 hash:
24ad0dc8467cc51c81137bc9c534111a8bc7dfbb8cde9c649006d8ff80452e84
MD5 hash:
711fd5523133f8e810752612b8e36440
SHA1 hash:
a0825d55cf77c78cdb0920fcca9f759e620ed9db
Link:
https://www.unpac.me/results/5cf14d8e-b05f-4c8b-a54e-e0169f71fc8e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/24ad0dc8467cc51c81137bc9c534111a8bc7dfbb8cde9c649006d8ff80452e84

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 24ad0dc8467cc51c81137bc9c534111a8bc7dfbb8cde9c649006d8ff80452e84

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1997354/
Cape
Cape
https://www.capesandbox.com/analysis/221592/

Comments


Avatar
zbet commented on 2022-01-22 06:05:12 UTC

url : hxxp://coin-coin-file-9.com/files/1014_1642705770_5155.exe