MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 26b026ec1b7075e871d3935fa044dcd51304d261c9f57d9d0c40ae716a0c2c63. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 10

Intelligence 10 IOCs 1 YARA 4 File information Comments

SHA256 hash:	26b026ec1b7075e871d3935fa044dcd51304d261c9f57d9d0c40ae716a0c2c63
SHA3-384 hash:	5f24f2111eb000fed528aa7c980e10a406b96b57abed8a6a96a33db9754411a5833923901445f755fac1a440889556f3
SHA1 hash:	275682e65f6d55cd160b95d52132fa7a56191215
MD5 hash:	0868c8b2657d243fa7b9657f1906f001
humanhash:	oxygen-march-leopard-robert
File name:	0868c8b2657d243fa7b9657f1906f001.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	2'583'583 bytes
First seen:	2022-07-20 08:20:23 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e1888d3e3e34368cefc07e8f747b2817 (9 x RedLineStealer, 1 x Formbook, 1 x ArkeiStealer)
ssdeep	24576:LetVSK35ZZYHYpf/CDXCgMNRr7ndaEfc2bQL1ZNfb/oj20Lfju35tFa4Vl3RuQ5j:av35kKRe1ZNfb/oj20WTl3l
TLSH	T131C51B136A8B0E75DDD23BB461CB633AA734ED30CA3A9B7FB608C53559532C46C1A742
TrID	33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 21.3% (.EXE) Win64 Executable (generic) (10523/12/4) 13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 10.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
193.233.177.223:31622

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
193.233.177.223:31622	https://threatfox.abuse.ch/ioc/838802/

Intelligence

File Origin

# of uploads :

# of downloads :

325

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/292860/

Detection(s):

Win.Packed.Generickdz-9956620-0

Win.Packed.Generickdz-9956652-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Searching for the window

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/26845/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

EvasionGetTickCount

EvasionQueryPerformanceCounter

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug overlay packed redline spyeye

Link:

https://www.filescan.io/uploads/62d7bb31ef2b0e63a8290de6/reports/e890c511-94fd-44d1-9b0e-928725e5d741/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1037275

Signature

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected Generic Downloader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/26b026ec1b7075e871d3935fa044dcd51304d261c9f57d9d0c40ae716a0c2c63/

Threat name:

Win32.Spyware.RedLine

Status:

Suspicious

First seen:

2022-07-17 06:32:00 UTC

File Type:

PE (Exe)

AV detection:

19 of 26 (73.08%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=e2ycn3a3ob26q4otsnp2arg42ujqjutbzh2x3himicxhc2qmfrrq._file

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:@donapol infostealer spyware

Link:

https://tria.ge/reports/220720-j8z32adee8/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Loads dropped DLL

Downloads MZ/PE file

Executes dropped EXE

RedLine

RedLine payload

Malware Config

C2 Extraction:

193.233.177.223:31622

Unpacked files

SH256 hash:

4626114fe05ea6cd65fcfe5bff546d60de94a7a044081b4779ddd85a6ca23069

MD5 hash:

27e52bb163a5349f940f25d357c51737

SHA1 hash:

816bd11031fa83154e1e912fea1e048f3b86e4c6

Link:

https://www.unpac.me/results/4c1588d1-57fa-49ac-aaff-c7c51e2c97d5/

SH256 hash:

26b026ec1b7075e871d3935fa044dcd51304d261c9f57d9d0c40ae716a0c2c63

MD5 hash:

0868c8b2657d243fa7b9657f1906f001

SHA1 hash:

275682e65f6d55cd160b95d52132fa7a56191215

Link:

https://www.unpac.me/results/4c1588d1-57fa-49ac-aaff-c7c51e2c97d5/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/26b026ec1b70/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/26b026ec1b7075e871d3935fa044dcd51304d261c9f57d9d0c40ae716a0c2c63

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	Sectigo_Code_Signed Create hunting rule
Description:	Detects code signed by the Sectigo RSA Code Signing CA
Reference:	https://bazaar.abuse.ch/export/csv/cscb/

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/292860/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample