MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 26f1712b35647e5c63f52f4c9472e9430b76d0a82488e7a1daaff2e99ddabea5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 26f1712b35647e5c63f52f4c9472e9430b76d0a82488e7a1daaff2e99ddabea5
SHA3-384 hash: 4710f3b7412a23d95fa4dd04eabd289bfce16c3dee0631b6dfec100625b07ffcc67d53f2a258810499d8614bb96f8121
SHA1 hash: 87fece338ca1d84ce8559dac680e4b1e3498b77f
MD5 hash: 06617e55f4c1a30bf1371adb48cc7ab9
humanhash: zebra-river-violet-delta
File name:06617e55f4c1a30bf1371adb48cc7ab9.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:454'144 bytes
First seen:2022-01-26 12:55:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4bcde812b040ca4f517d950272a8fa16 (7 x RedLineStealer, 2 x ArkeiStealer)
ssdeep 12288:I4oQh2KO22xd3gGbW1Y8uRBTAUpQnjsselC/jYX:Hnp4d3gc+rGB1anjfj
Threatray 4'508 similar samples on MalwareBazaar
TLSH T19CA4AF10BBA1C435F5B722F8067A936CA53E7AF15B2451CB63D52AEE46346E0DC3231B
File icon (PE):PE icon
dhash icon 2dac137839939b91 (18 x RedLineStealer, 12 x Smoke Loader, 6 x Amadey)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
185.215.113.29:20819

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.215.113.29:20819 https://threatfox.abuse.ch/ioc/334657/

Intelligence

File Origin
# of uploads :
1
# of downloads :
157
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
06617e55f4c1a30bf1371adb48cc7ab9.exe
Verdict:
Malicious activity
Analysis date:
2022-01-26 13:03:25 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/2e4b3ce7-8326-4ffb-ab73-6b3644211f93

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/223222/
Detection(s):
Win.Dropper.Mikey-9917324-0
Create hunting rule

Win.Packed.Tofsee-9937387-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Sending a custom TCP request
Creating a file
Launching the default Windows debugger (dwwin.exe)
Sending a TCP request to an infection source
Stealing user critical data
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/5199/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionQueryPerformanceCounter
EvasionGetTickCount
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/61f144e8d73ca9d4648d4593/reports/af6877dc-409f-4cea-915f-3568bcb2d9ec/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/abc10a7c-fa12-4953-92c2-6b53c44463cf
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/927945
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/26f1712b35647e5c63f52f4c9472e9430b76d0a82488e7a1daaff2e99ddabea5/
Threat name:
Win32.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-01-26 13:24:00 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  1/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=e3yxckzvmr7fyy7vf5gji4xjimfxnufieseopio2v7zotho2x2sq._file
Verdict:
malicious
Similar samples:
02a1be5f6bac2f03f8dc06a3b94f346ab67f18b70703b80d91ca47478f6d8c5f
RedLineStealer
0d4ba1ff1ded8ceed68d1af69a463506ea7bfe4c92d4d78082ee5c111077ad98
RedLineStealer
2e6a515f6f0f4c6afeee0504513de753828975c0a0ee4630ccd4474f0ca8e002
RedLineStealer
560f614418ca04cf5caa6eb9c04f36572fa28fa12aa94a1ed0178305e457a40f
RedLineStealer
68a03036f681dd983cce0963051c546806db97d728baaf14b969432229c3b4f4
RedLineStealer
c616122ddb20e0572157aad9871b38b1e395187e9a3d6127d2dd17371194527f
RedLineStealer
ebcd87682a64fc4d285a4ea0ff59ec860cfb6ba19c8d2e165b5fe69ca3adbbc5
RedLineStealer
+ 4'498 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:ruzkikakoyto discovery infostealer spyware stealer
Link:
https://tria.ge/reports/220126-p6cslsdda5/
Behaviour
Suspicious use of AdjustPrivilegeToken
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
185.215.113.29:20819
Unpacked files
SH256 hash:
f039c36f20180642b9d3f743728e7cd3b128ce16a2ec55b31f57035c0358a48d
MD5 hash:
6fe38621a99a27a7158deed26529044a
SHA1 hash:
e33e1b0dcdca8fbf5d8697cd30e1b179409e103b
Link:
https://www.unpac.me/results/7c401a7b-01e5-44d9-9512-47993cd74242/
SH256 hash:
7e19bc9b7a7bec7ea0d39d8c16912006529c968027a29938b3edac98a47e22de
MD5 hash:
fb8321a722de439f6aab2f2c6ce001b2
SHA1 hash:
d678b338cc9600a09d123c9ff2d971d72776aad9
Link:
https://www.unpac.me/results/7c401a7b-01e5-44d9-9512-47993cd74242/
SH256 hash:
9fe77933fae452836671e8b4dd89d5622c96dcb23ad3e886f596fd43a9fa02ee
MD5 hash:
e8c466c124c7cd59a9789539e937c1af
SHA1 hash:
8897495710fa4983e459e30cf18408e9a239e5d0
Link:
https://www.unpac.me/results/7c401a7b-01e5-44d9-9512-47993cd74242/
SH256 hash:
26f1712b35647e5c63f52f4c9472e9430b76d0a82488e7a1daaff2e99ddabea5
MD5 hash:
06617e55f4c1a30bf1371adb48cc7ab9
SHA1 hash:
87fece338ca1d84ce8559dac680e4b1e3498b77f
Link:
https://www.unpac.me/results/7c401a7b-01e5-44d9-9512-47993cd74242/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/26f1712b35647e5c63f52f4c9472e9430b76d0a82488e7a1daaff2e99ddabea5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 26f1712b35647e5c63f52f4c9472e9430b76d0a82488e7a1daaff2e99ddabea5

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1850153/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/223222/

Comments