MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 275e5d90caef3f41db92c6fcb9164466d612d616852cbcc3df55c4b6a6844b7a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 275e5d90caef3f41db92c6fcb9164466d612d616852cbcc3df55c4b6a6844b7a
SHA3-384 hash: 087b60135f8b25b84ad5b1eafc069b10dcc890b089f914cff4146c52643762cf6918478e7e9de8fa0c292aeb9a42122c
SHA1 hash: 764c6b7e14c068e22418d5176f15b6f5e213c8e1
MD5 hash: a6004a220c7703552df71f4c4dccfd15
humanhash: violet-zebra-spring-venus
File name:275e5d90caef3f41db92c6fcb9164466d612d616852cb.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:476'672 bytes
First seen:2021-10-28 17:16:32 UTC
Last seen:2021-10-28 18:15:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9e3be90920746cf85dd72a272d7fd9b0 (1 x RedLineStealer)
ssdeep 6144:ADGJVAMTTfZ5/ekjZiueWuJpKMk79uW6hphy5WqIrdKp9Ur92UfEs:RHAAZ9ZjZ4JpK6xphyYqMUpGAUl
Threatray 543 similar samples on MalwareBazaar
TLSH T1D7A48E76F343CC27F11A16B185EB8E60095359E8B020461F65A67B192DF73D2389FF8A
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
91.243.32.4:4249

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
91.243.32.4:4249 https://threatfox.abuse.ch/ioc/239333/

Intelligence

File Origin
# of uploads :
2
# of downloads :
211
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/201006/
Detection(s):
SecuriteInfo.com.Variant.Bulz.870626.22464.6069.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/42293751-0b98-43f3-ba59-67203f87f033
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/878770
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/275e5d90caef3f41db92c6fcb9164466d612d616852cbcc3df55c4b6a6844b7a/
Threat name:
Win32.Trojan.Bulz
Create hunting rule
Status:
Malicious
First seen:
2021-10-28 17:17:03 UTC
AV detection:
12 of 45 (26.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=e5pf3egk547udw4sy36lsfsem3lbfvqwquwlzq67kxclnjuejn5a._file
Verdict:
malicious
Similar samples:
351b7b183ee55d280acfffc23886ef74efd76873d508704336bb782d84176f90
RedLineStealer
484989aa0548d25d524e8dcbea3e5117e31ec143d8b77aec8945e392ce7c72c8
RedLineStealer
64f9f7fccc993e73cf2ad970c822c53e4b6830687af349f8d791037ccd8b3a03
RedLineStealer
6ce593e9aa59ebf1c4e6763b626669a4d24a32dc1183b85c6586c8d949a9e024
RedLineStealer
858d2384fe0e2ed91c2e2400e4f58435d59989a0e209747004a0e63f898ba483
RedLineStealer
a014acb67295264a4f9ac982db6b65d858f259ca46dd92d836091ef872f78b7e
RedLineStealer
b93c3342ed056d702f68cda57ccdd6ea92c34addac671f174e7070477cf4c156
RedLineStealer
db6244835cdf712e251cad21cc059c7e838feb17ff6b5c2f2455fc6e163d3154
RedLineStealer
f8eaf4927a573dd810d0d51d0af5b72dfe12045dd7e84535ff9b636ec8f6dfb1
RedLineStealer
+ 533 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:113 discovery infostealer spyware stealer
Link:
https://tria.ge/reports/211028-vtnx1aggar/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
91.243.32.4:4249
Unpacked files
SH256 hash:
a6693ac5cf5146f17023fa4b5968111fbdd0a006f0101b791d66f74dff881e25
MD5 hash:
4513b2eabe78ac7181b8f96633c236cb
SHA1 hash:
fdcc91080c998e676a9249e1b0e53ffabb9ec628
Link:
https://www.unpac.me/results/4063116e-f02b-4741-9048-7eb2601d72f7/
SH256 hash:
384d3c7964b30d8cea830b704126442616a3fe924da2e4718932352b717edc4e
MD5 hash:
bd5e71109d1c0d6f7c89e1756c0d77da
SHA1 hash:
13a7eb9569c91699c78c16dcba71492b2fca1e8e
Link:
https://www.unpac.me/results/4063116e-f02b-4741-9048-7eb2601d72f7/
SH256 hash:
62a2a092f3289887959a6e1a0f5ff038a2a733b476755eba8094b8bc91b02a8e
MD5 hash:
8b62584263ab0c8cee69699126fbe59a
SHA1 hash:
104808c20e1ebeb0d58f561c1b18a28aa9dd829e
Link:
https://www.unpac.me/results/4063116e-f02b-4741-9048-7eb2601d72f7/
SH256 hash:
275e5d90caef3f41db92c6fcb9164466d612d616852cbcc3df55c4b6a6844b7a
MD5 hash:
a6004a220c7703552df71f4c4dccfd15
SHA1 hash:
764c6b7e14c068e22418d5176f15b6f5e213c8e1
Link:
https://www.unpac.me/results/4063116e-f02b-4741-9048-7eb2601d72f7/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/275e5d90caef/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/275e5d90caef3f41db92c6fcb9164466d612d616852cbcc3df55c4b6a6844b7a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/201006/

Comments