MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 25b28583b77a28418dffec51670d75833090508f9b9d501d3ba77b2aac97ab96. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 25b28583b77a28418dffec51670d75833090508f9b9d501d3ba77b2aac97ab96
SHA3-384 hash: 7b95c5e1470e8e75a95e193d1b844a106f1e30aa65a864e78db4de3e599644ca822d01a94ac8750827b716a747cf2704
SHA1 hash: 2895768a3c556cf8f6398da8cd9223f19af6a9f7
MD5 hash: c92bf8d5fc8eb5fe4d7b991f91609807
humanhash: double-georgia-don-snake
File name:c92bf8d5fc8eb5fe4d7b991f91609807.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:252'928 bytes
First seen:2021-08-19 08:34:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d62b54fca512105669e8801d03a30300 (1 x RedLineStealer, 1 x RaccoonStealer)
ssdeep 3072:bWmRVl9W6UI87Yiudl9vpcwEvZAVw5ub2KcBqRCXdKJKT0yB3M:bWG9W607XudlcwwZQwEb2FT7
Threatray 5'034 similar samples on MalwareBazaar
TLSH T1F234F1203991D873F467C43D88F5BAE3697AFA015BB4814733483B6F5F621909B2A397
dhash icon 1072c092b0381902 (9 x RedLineStealer, 9 x RaccoonStealer, 4 x CryptBot)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
112
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c92bf8d5fc8eb5fe4d7b991f91609807.exe
Verdict:
Malicious activity
Analysis date:
2021-08-19 08:36:23 UTC
Tags:
trojan rat redline stealer
Link:
https://app.any.run/tasks/12cc6a0a-f374-4ad1-8ec8-7eb7452a63ba

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/180596/
Detection(s):
Win.Packed.Generic-9886938-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Connection attempt
Sending a custom TCP request
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Using the Windows Management Instrumentation requests
Creating a window
Creating a file
Sending a UDP request
Connection attempt to an infection source
Stealing user critical data
Sending an HTTP POST request to an infection source
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fd0af711-c79e-4769-b5a2-a63b8f22bfb7
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/835630
Signature
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/25b28583b77a28418dffec51670d75833090508f9b9d501d3ba77b2aac97ab96/
Threat name:
Win32.Trojan.Zenpak
Create hunting rule
Status:
Malicious
First seen:
2021-08-19 01:11:00 UTC
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
13cd56749319620fdb65d1581fd74479b1f37bfee12d254f14f2e08f1396c574
RedLineStealer
17192462ac197a78af64bde024b07e50c60cc9ce49dc8840e78816d2d6625ec3
RedLineStealer
22ec1d3d593ae739da779e653a28507275feb115e007cfe069f53c71247468f3
RedLineStealer
27fb768ba20cf770d9bdc62e1403196784c903333235e0293b398df7647119f6
RedLineStealer
5cce9b6a71a53d6d8f9cb245ee9153618ed3c41b6cf3a9319e6d484c9110fc64
RedLineStealer
a0d3c9a02ee01d4355350b0b21b9f08d9d0690ec9ef7435cf200e3033f82f3c8
RedLineStealer
b2ee06af075bcc9cb66e685417684c91df5cea6679a8ccf6608857dab0a46b50
RedLineStealer
cd62e4fee322712a02787bcc881712ee41b99f8e8de3e425d90399bf5bf5fe75
RedLineStealer
d116dbae8aeba92891801d5884f81b41a2dfc15bb48b3425da735fed59c0c6a0
RedLineStealer
e3a15791e70635e9247b56955c1677cde1307b814619ae6e4e8f07d3c9e75890
RedLineStealer
+ 5'024 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210819-wd6ww9t9ee/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
185.215.113.29:8889
Unpacked files
SH256 hash:
9478069a6075be715c8522628753d156c10816fc3b5f89eb98aa160b34db92e1
MD5 hash:
792f7ce7b919e8cd99eecd61e6e04c78
SHA1 hash:
c902c51b212fbbc5640b3636a67f04abd7cfc23d
Link:
https://www.unpac.me/results/e5d8141b-6a61-4d3a-9f20-5ae2d56a0b61/
SH256 hash:
c20bf9a202b0a3998821f446a9ba4445ad61f6f9db7ed4f196f4d52babf18169
MD5 hash:
a24c2c9d2094c15460c48f78ad3d4012
SHA1 hash:
aa7f216f323259c42930f67c1d828499f4d71fba
Link:
https://www.unpac.me/results/e5d8141b-6a61-4d3a-9f20-5ae2d56a0b61/
SH256 hash:
6beea74184d76a8101e9eccc429a85ccd579bffe86013c6a72db1666291a9fad
MD5 hash:
6bff04629d81b31018f1f09094b10dc4
SHA1 hash:
1705f121a0ebd3cc6e843423d6507025fdd27fe6
Link:
https://www.unpac.me/results/e5d8141b-6a61-4d3a-9f20-5ae2d56a0b61/
SH256 hash:
25b28583b77a28418dffec51670d75833090508f9b9d501d3ba77b2aac97ab96
MD5 hash:
c92bf8d5fc8eb5fe4d7b991f91609807
SHA1 hash:
2895768a3c556cf8f6398da8cd9223f19af6a9f7
Link:
https://www.unpac.me/results/e5d8141b-6a61-4d3a-9f20-5ae2d56a0b61/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/25b28583b77a28418dffec51670d75833090508f9b9d501d3ba77b2aac97ab96

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 25b28583b77a28418dffec51670d75833090508f9b9d501d3ba77b2aac97ab96

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/180596/
  
URLhaus
https://urlhaus.abuse.ch/url/1533784/
  
Delivery method
Distributed via web download

Comments