MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 25b3945211ad368695f5b4d2c42ccaab83f3b42717f11b06b5630d1e39fed4b5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 25b3945211ad368695f5b4d2c42ccaab83f3b42717f11b06b5630d1e39fed4b5
SHA3-384 hash: 7fc8349614eb3778e31495a0fbf80662126e65d447dc0aec3df842d9bd66de7e02d4bf2d8110408371396941ea89a8e1
SHA1 hash: acdfa74ac1ef7e0f928e6ddb6ec6f96d5d9d89d0
MD5 hash: 75838b7cbfebb34257f557f003d3f86f
humanhash: helium-mobile-blue-india
File name:75838b7cbfebb34257f557f003d3f86f.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:4'860'056 bytes
First seen:2022-03-03 09:21:29 UTC
Last seen:2022-03-18 20:50:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash dfec469ff9e19f9df882decc3c09398f (45 x RedLineStealer, 1 x Formbook, 1 x ArkeiStealer)
ssdeep 98304:hPaMxWeU1hfkW7HrSViszJ85yI+hjzqQv6/4TD90S/1/lSv+aW2j8DKlshN:hiIZUHfkgrxst6d+h/v6WF++QjcCsf
Threatray 1'503 similar samples on MalwareBazaar
TLSH T1AD2633FA92C1F66DC585C27EDF267CD881CC26CD59E99CFA172432ED36410DE82C84A6
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
2.56.57.193:25646

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
2.56.57.193:25646 https://threatfox.abuse.ch/ioc/392276/

Intelligence

File Origin
# of uploads :
2
# of downloads :
205
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/246875/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Sending a custom TCP request
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Stealing user critical data
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3f114193-4a58-4527-9b21-92cb6cc219a3
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/949805
Signature
Allocates memory in foreign processes
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found potential dummy code loops (likely to delay analysis)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/25b3945211ad368695f5b4d2c42ccaab83f3b42717f11b06b5630d1e39fed4b5/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-02-17 19:13:00 UTC
File Type:
PE (Exe)
AV detection:
31 of 42 (73.81%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ewzziuqrvu3infpvwtjmilgkvob7hnbhc7yrwbvvmmgr4op62s2q._file
Verdict:
malicious
Similar samples:
0ce285cf68d5bf2dfef9e6e11d398b251085cbca275363691cf94e64de622212
RedLineStealer
2cd29b8b5c71f0f7df5dd0bcedbb134977d9c6269861dddd65db1db203194c08
RedLineStealer
2e8e2f3b627ec21bc24a14b5ae253a4c18f7f1e6a4e77ddde108620296b03000
RedLineStealer
422d172383682bb5d0d3118e5caf590bbf90e32a60657b478f28076f7d840535
RedLineStealer
82f60aeafe345ffc8fa14f80db1217bbadb6e8d74fe63f6e72cb350af4d5b61c
RedLineStealer
9b58105b315bbd6a5af96e63f88dc59cdedef401324916ae48de270a021ec29d
RedLineStealer
a32437ab62c0ac90c236c6a8e33bd6b57e661cd83aaae7d6c9f371eefca5a7a5
RedLineStealer
a5da2c2da168c53897eb7580f0af6e0988e5c801ed766d7a7450e97b9b000ff4
RedLineStealer
aea2cbc32b7925ab28e619b8deb5c540ea8e61ad631b02e348be04b87f44627a
RedLineStealer
+ 1'493 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/220303-lbz3wacaam/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
42e88270b11461b8b87bf9cf9d19fdaa01dd0923cc5a92a01a77bb23662e14cd
MD5 hash:
cf4ea05ad2515b706fee0b6f77d6ed3d
SHA1 hash:
8076b86824d9e49404b3743206e59c9c7af5091b
Link:
https://www.unpac.me/results/7ce2d2c1-6289-4f71-914d-ff4b80c85163/
SH256 hash:
5f17cc5035ed005152e70c22bad7aef3e6a9598465fddcec66f05adb4fbb9e6b
MD5 hash:
97c7b0af8714cb037f4959ecfa077ffe
SHA1 hash:
8eee4cbf34668486892abd817771bd89b689f3c6
Link:
https://www.unpac.me/results/7ce2d2c1-6289-4f71-914d-ff4b80c85163/
SH256 hash:
25b3945211ad368695f5b4d2c42ccaab83f3b42717f11b06b5630d1e39fed4b5
MD5 hash:
75838b7cbfebb34257f557f003d3f86f
SHA1 hash:
acdfa74ac1ef7e0f928e6ddb6ec6f96d5d9d89d0
Link:
https://www.unpac.me/results/7ce2d2c1-6289-4f71-914d-ff4b80c85163/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/25b3945211ad368695f5b4d2c42ccaab83f3b42717f11b06b5630d1e39fed4b5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 25b3945211ad368695f5b4d2c42ccaab83f3b42717f11b06b5630d1e39fed4b5

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2072391/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/246875/

Comments