MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 27030fccb25c0b89709819c0669ef0855b23195774833d63eac81d9ea22d8e53. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 27030fccb25c0b89709819c0669ef0855b23195774833d63eac81d9ea22d8e53
SHA3-384 hash: 7aa0540d8e0c0fa6394df9fdeb92cb76814cd00bf552fd32cfdbcce43cf97c8322a92d254d62d99925c7f0d0522652c1
SHA1 hash: 0df2cc72ad31f11f1918d8e41b6d9dd54d4b66ab
MD5 hash: 553ad4b599f7c452b22f00f59413ca44
humanhash: minnesota-romeo-november-whiskey
File name:553ad4b599f7c452b22f00f59413ca44.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:428'032 bytes
First seen:2021-10-18 11:18:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bd3694527adf0e2f58ae8cb4e18ad5ae (4 x RaccoonStealer, 3 x RedLineStealer, 1 x CryptBot)
ssdeep 12288:ilPYy+iH/C/Ou/yTNWE/7NlYAdV2capaLCSqL:iO6CO4yTNWYNYcapa
Threatray 1'208 similar samples on MalwareBazaar
TLSH T11B949E10A650C035F5F252F58DBA9368A52E7EA02B2450CF53D92AEE57F76E0EC30B17
File icon (PE):PE icon
dhash icon 5012b0e068696c46 (8 x RaccoonStealer, 8 x RedLineStealer, 6 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
128
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/198126/
Detection(s):
Win.Trojan.Generic-9903173-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a service
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Connection attempt to an infection source
Sending a TCP request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/616d5828a9d585e6d52bd56b/reports/8535a8b3-312b-434f-bcfc-ce9433bd4739/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d3ada270-725a-42c3-9275-6e9e43bace5b
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/872256
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/27030fccb25c0b89709819c0669ef0855b23195774833d63eac81d9ea22d8e53/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-10-17 20:40:00 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=e4bq7tfslqfys4eydhagnhxqqvnsggkxosbt2y7kzaoz5irnrzjq._file
Verdict:
malicious
Similar samples:
0aebf2c39b154018f617d939b6da4335b7e69fa281d367568b1c0177fa74da47
RedLineStealer
1bbc078db5d1d7f8003ac55c86d5e925d50cd79ce2b4e1b95cda63b5242f000e
RedLineStealer
62b9a227f035544237037d32dda4613226215ae67d18f344f5d1f7533ef726f4
RedLineStealer
665b0cd8dfe3967ce59155497f7226118f0b840b2c9a8361bd1ae3630698f3a4
RedLineStealer
93cab9c0bb921b19441630eaff516d547c8083dd1e2bd7b8b799ec282af5ef23
RedLineStealer
d0dda5dfd52eedeb0c31cc69428a488f7af8f66e6c3a736ff88c6ea1c8ebed35
RedLineStealer
f2ae124bb124c6428d2c2d4c1211b7770a8a171f1500c04d3bd59a38f91f4b65
RedLineStealer
f934020452d58f327c22060903f625f8b9b39429afad32dc05faf58f4e3f32f9
RedLineStealer
+ 1'198 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:mix18.10 discovery infostealer spyware stealer
Link:
https://tria.ge/reports/211018-nevzfaddh2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
185.215.113.15:57055
Unpacked files
SH256 hash:
5418ca2071b64f885f2e7d3d526d57ebf0a537ca9430bcc40ef4ce842479e45e
MD5 hash:
a9857b151897c7c50c64c894924989bd
SHA1 hash:
bf086881e9ed12c506fd251cbec1c344a7e38331
Link:
https://www.unpac.me/results/72bb82eb-6f28-4b1b-9367-88e0c868de8a/
SH256 hash:
776e59a3cc3b95e3271ea9d5f0cf1bc467ca25e353a2e1366cd7d31d7262bc5b
MD5 hash:
f2eac7fdd46e206827e37727c6d408bf
SHA1 hash:
99ace92b3a80188871938b75d3d77fb217e83519
Link:
https://www.unpac.me/results/72bb82eb-6f28-4b1b-9367-88e0c868de8a/
SH256 hash:
38d09addf867eea1bf1c6593728cd17b448c77aef95ec5307817fc479286441d
MD5 hash:
1d7394a8945a3fb17d4a8f8aa7d6d8c4
SHA1 hash:
35899b8956e52c87f2d925f07c08b8eff81c220c
Link:
https://www.unpac.me/results/72bb82eb-6f28-4b1b-9367-88e0c868de8a/
SH256 hash:
27030fccb25c0b89709819c0669ef0855b23195774833d63eac81d9ea22d8e53
MD5 hash:
553ad4b599f7c452b22f00f59413ca44
SHA1 hash:
0df2cc72ad31f11f1918d8e41b6d9dd54d4b66ab
Link:
https://www.unpac.me/results/72bb82eb-6f28-4b1b-9367-88e0c868de8a/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/27030fccb25c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/27030fccb25c0b89709819c0669ef0855b23195774833d63eac81d9ea22d8e53

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 27030fccb25c0b89709819c0669ef0855b23195774833d63eac81d9ea22d8e53

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1663299/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/198126/

Comments