MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 275f2f9c90c3d2df4d0353b1ecc812ad68e0abaf29e901a99a7b768efbff12ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	275f2f9c90c3d2df4d0353b1ecc812ad68e0abaf29e901a99a7b768efbff12ad
SHA3-384 hash:	4d484b66b547bde14ff63dd29b61cfb6b1b76eaca35a58c2ccb884cccbdd2688b00b707e3b059b19df1971661e7be51e
SHA1 hash:	ecf155103a2497fae1b1e217465ba76e131a20ee
MD5 hash:	125f033a5176b89ca5485071cf96ee43
humanhash:	muppet-earth-two-ohio
File name:	125f033a5176b89ca5485071cf96ee43.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	397'819 bytes
First seen:	2023-04-27 10:00:23 UTC
Last seen:	2023-05-13 22:40:35 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	aac51396886833dc961fcd7aab7711e4 (11 x NetSupport, 7 x DCRat, 4 x njrat)
ssdeep	6144:cgZiAEAO0sByNsAal3gVAWgS7/Ohwjzr10JfQyiPYFJ8z:cgZXEAO/BUdG3gVdt7KWr1SWPy8z
Threatray	363 similar samples on MalwareBazaar
TLSH	T167849F01B6C445F1E07229321E757B21AA3B7C200A768D9F9F9C685D9F735C09632B7E
TrID	91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39) 3.6% (.EXE) Win64 Executable (generic) (10523/12/4) 1.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.5% (.EXE) Win32 Executable (generic) (4505/5/1) 0.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	72ceaeaeb2968eaa (57 x AgentTesla, 9 x Formbook, 7 x RemcosRAT)
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
51.77.78.49:41468

Intelligence

File Origin

# of uploads :

# of downloads :

277

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

125f033a5176b89ca5485071cf96ee43.exe

Verdict:

Suspicious activity

Analysis date:

2023-04-27 10:02:52 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/78412010-5a04-43e3-a45f-dffa133ee6f0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/385186/

Detection(s):

SecuriteInfo.com.IL.Trojan.MSILZilla.RedLine.22424.32124.27550.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for the window

Сreating synchronization primitives

Searching for synchronization primitives

Creating a file in the %temp% subdirectories

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/81621/overview

Behaviour

MalwareBazaar

MeasuringTime

EvasionQueryPerformanceCounter

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-vm greyware overlay packed setupapi.dll shdocvw.dll shell32.dll

Link:

https://www.filescan.io/uploads/644a47df4923c7a7fda80184/reports/63ac5837-e395-4daf-b8cc-47a63c781ed5/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/275f2f9c90c3d2df4d0353b1ecc812ad68e0abaf29e901a99a7b768efbff12ad

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7ea06b25-88e0-4a7f-b623-d8f9b0f60fc8

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1222060

Signature

Antivirus detection for dropped file

C2 URLs / IPs found in malware configuration

Found malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/275f2f9c90c3d2df4d0353b1ecc812ad68e0abaf29e901a99a7b768efbff12ad/

Threat name:

ByteCode-MSIL.Infostealer.RedLine

Status:

Malicious

First seen:

2023-04-24 14:29:27 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

28 of 37 (75.68%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=e5ps7heqypjn6tidkoy6zsasvvuobk5pfhuqdkm2pn3i5677ckwq._file

Verdict:

malicious

RedLineStealer

18ab5e7a8a16ee97cfaf8d710e023a7816f0e0c6e57c1d6ca2f9ca311db0dd12

RedLineStealer

1bbfe2b073baf26174bd282af2a5f91bdfde0ba917af6e0f5408e865e7fe6e39

RedLineStealer

2c66b37d72afdca33b587fcb09b635d4691d832de02f0423053ade3da69242a8

RedLineStealer

35e5460c102ca2f996d61d70d6bb06fb87014f7d2beccf35f3812ea534acd9d5

RedLineStealer

54a9e7cbf35f159c8704b395a519421c8173ffcc5585b3c397760e54fcbaa096

RedLineStealer

a2ddb2901e7b54c98ad8eb17a8b2a019b344a8c459aa15b29b4fda8962931486

RedLineStealer

c9d2a196a3a7209755613e769531990104393b8e96971aa1d757e3ab84696f8b

RedLineStealer

d102af126bcff04b5b089f3872b3add0fef3e755eea0182e8f28324b3c5dcc5f

RedLineStealer

+ 353 additional samples on MalwareBazaar

Result

Malware family:

sectoprat

Score:

10/10

Tags:

family:redline family:sectoprat botnet:jimmy discovery infostealer rat spyware stealer trojan

Link:

https://tria.ge/reports/230427-l18fjsgh5x/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

RedLine

RedLine payload

SectopRAT

SectopRAT payload

Malware Config

C2 Extraction:

51.77.78.49:41468

Unpacked files

SH256 hash:

275f2f9c90c3d2df4d0353b1ecc812ad68e0abaf29e901a99a7b768efbff12ad

MD5 hash:

125f033a5176b89ca5485071cf96ee43

SHA1 hash:

ecf155103a2497fae1b1e217465ba76e131a20ee

Link:

https://www.unpac.me/results/933e15bd-5db2-4e72-b7e6-73e9c13f820c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/275f2f9c90c3d2df4d0353b1ecc812ad68e0abaf29e901a99a7b768efbff12ad

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	sfx_pdb Create hunting rule
Author:	@razvialex
Description:	Detect interesting files containing sfx with pdb paths.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/385186/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample