MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 282a5e5a446839727b309266bd1111783947556ed04d8ed8decbf1c6cc5c21b9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 282a5e5a446839727b309266bd1111783947556ed04d8ed8decbf1c6cc5c21b9
SHA3-384 hash: f823bdfc8d2f7acc1b956d97c0138428e5f64722e083f3bc9ef41b081562c8d1641ce7c5f96fd4bda113b59b7e348874
SHA1 hash: 048d0a9a88f2da42f16be2cd117811a90b890bd3
MD5 hash: db368dadb28f394f7fb2aa0afeb6f175
humanhash: idaho-lion-missouri-colorado
File name:db368dadb28f394f7fb2aa0afeb6f175
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:467'968 bytes
First seen:2022-01-25 08:23:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 765db54276051e5495d75c16729dcef1 (1 x RedLineStealer)
ssdeep 6144:RfcswX1pOFOLcDJHuiEUggJKzC3l7ps6NTidXZ7ITsqYigavwVfG:RfcvXLcD1JK23s6pi77u7
Threatray 4'511 similar samples on MalwareBazaar
TLSH T1DCA4E0C17291C872D4913CB09953CBA1CB7BB831CA6C6527F774A76E1E733E0962631A
dhash icon fcfcb4b4b4b4d9c1 (6 x RedLineStealer, 3 x Smoke Loader, 3 x Amadey)
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
148
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/222204/
Detection(s):
PUA.Win.Packer.NspackDotnetNor-2
Create hunting rule

PUA.Win.Packer.NspackDotnetNor-1
Create hunting rule

Win.Dropper.Raccoon-9916366-0
Create hunting rule

Win.Malware.Mikey-9917879-0
Create hunting rule

Win.Packed.Lockbit-9919158-0
Create hunting rule

Win.Malware.Generic-9937404-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Creating a file
Launching the default Windows debugger (dwwin.exe)
Stealing user critical data
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/5044/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
CPUID_Instruction
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware lockbit raccoon
Link:
https://www.filescan.io/uploads/61efb3a6f81da814afa2aeeb/reports/d693d6b8-6728-4902-819e-64e2e2d85499/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c56ddbcc-0af0-464a-a7a1-8a8a3465f6b2
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/926839
Signature
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/282a5e5a446839727b309266bd1111783947556ed04d8ed8decbf1c6cc5c21b9/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2022-01-25 08:24:12 UTC
File Type:
PE (Exe)
Extracted files:
61
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
29e3821b976a8e1a1c4f39280c3a2c329dac33d773043101f1698dc7dce34aac
RedLineStealer
66386e6f1072b7a44ee498e43663acae727008be8f459c00c1ae1304417d8d5f
RedLineStealer
70e14ddf23a5fe3d69cc50752fcc491aa2964a2cfee3d48caf182244929f9953
RedLineStealer
a512b25da7a4d9e007b1b6a5dc1600f450f2d25bbe8bd0f4843317f144d2be9b
RedLineStealer
b011321c3f977caff0665bb91f5a78ef2486486864c18951ec2dfb19b79f0e47
RedLineStealer
c7b95acf9ae3908db86db5f5eba573c7d48c3188971daad4b311b97d49f417e5
RedLineStealer
+ 4'501 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:sewpalpadin discovery infostealer spyware stealer
Link:
https://tria.ge/reports/220125-kaqblscba6/
Behaviour
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
45.9.20.112:57175
Unpacked files
SH256 hash:
94b6ba2c5cfd9207ba87ff62c2988d110fc743566e8c3000fd123a1bb41ef5df
MD5 hash:
fd4996489a6f8c81502af3ac64b59244
SHA1 hash:
ca20adca4866e3b65648b54c7162c821446d8150
Link:
https://www.unpac.me/results/81728be0-0fae-45d8-ac64-ece744760d70/
SH256 hash:
57b4f49c1b61d9df6561d5661324a8c2d7dbdf2b2a6517fd0335ab08bec51790
MD5 hash:
cc539fcdc7218ac7dbc8c02206745419
SHA1 hash:
aeab6a0efbd3d2599b1a570fb1cb6881cde13a8a
Link:
https://www.unpac.me/results/81728be0-0fae-45d8-ac64-ece744760d70/
SH256 hash:
8998b0796280660fd860b3ca33bc1a40d6d2e493414e5266829e22e187476b27
MD5 hash:
c82e18659b58192bc0f241e2fc0debd1
SHA1 hash:
a629f769770c335b8e55d5b75dd57ed9424546bb
Link:
https://www.unpac.me/results/81728be0-0fae-45d8-ac64-ece744760d70/
SH256 hash:
282a5e5a446839727b309266bd1111783947556ed04d8ed8decbf1c6cc5c21b9
MD5 hash:
db368dadb28f394f7fb2aa0afeb6f175
SHA1 hash:
048d0a9a88f2da42f16be2cd117811a90b890bd3
Link:
https://www.unpac.me/results/81728be0-0fae-45d8-ac64-ece744760d70/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/282a5e5a4468/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/282a5e5a446839727b309266bd1111783947556ed04d8ed8decbf1c6cc5c21b9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 282a5e5a446839727b309266bd1111783947556ed04d8ed8decbf1c6cc5c21b9

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/222204/

Comments


Avatar
zbet commented on 2022-01-25 08:23:15 UTC

url : hxxp://5.255.100.227/myblog/posts/sefile.exe