MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 28485b1285c6246d02f2ac92944ad61e2a0b1f2c3fe2263f1a614bbfcb00425a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 28485b1285c6246d02f2ac92944ad61e2a0b1f2c3fe2263f1a614bbfcb00425a
SHA3-384 hash: e9143a72d2f98589e72a0261847fcc7dd241a7ec1d22b9a356b929075c4d5063e23794ef05e552cf33b7ef77ccfa63b9
SHA1 hash: ba014bbfeff7aaa478f32f31b47ac704ade433c3
MD5 hash: c0d6f6ce0a6f3072ed60aebf48e6425c
humanhash: cat-table-summer-helium
File name:c0d6f6ce0a6f3072ed60aebf48e6425c.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:419'328 bytes
First seen:2022-01-19 18:21:37 UTC
Last seen:2022-01-19 19:51:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b599c41ba6f3d2fcbb28babbce596599 (10 x RedLineStealer, 3 x RaccoonStealer, 1 x OnlyLogger)
ssdeep 6144:PBNAJxcIaKO1/JGOoUcMV5q2UVAsWpV9/SsHWo94pueE/n:5OJxcIvO1/JGo5qZjGnSs2O4pu5P
Threatray 4'405 similar samples on MalwareBazaar
TLSH T10594E1203590D832C4EED5319829CF619A7DBC335A618E8773B83B6A6F612C1977631F
File icon (PE):PE icon
dhash icon fcf8b4b4b4d4d9c1 (6 x RedLineStealer, 4 x Smoke Loader, 2 x RaccoonStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
185.215.113.10:39759

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.215.113.10:39759 https://threatfox.abuse.ch/ioc/299070/

Intelligence

File Origin
# of uploads :
2
# of downloads :
217
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c0d6f6ce0a6f3072ed60aebf48e6425c.exe
Verdict:
Malicious activity
Analysis date:
2022-01-20 03:41:37 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/e5c90600-23a5-43ef-a263-a56ed76d6e27

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/220762/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.3046.10584.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
DNS request
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Sending a TCP request to an infection source
Stealing user critical data
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/4777/overview
Behaviour
MalwareBazaar
CPUID_Instruction
SystemUptime
MeasuringTime
EvasionGetTickCount
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/61e856d9d32385db6309e700/reports/a1b8a845-316f-4d61-a059-904f17d05314/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/68722524-3cf4-4c64-9546-6dc66f1426de
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/923756
Signature
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/28485b1285c6246d02f2ac92944ad61e2a0b1f2c3fe2263f1a614bbfcb00425a/
Threat name:
Win32.Trojan.Raccrypt
Create hunting rule
Status:
Malicious
First seen:
2022-01-19 18:22:11 UTC
File Type:
PE (Exe)
Extracted files:
32
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fbefweufyysg2axsvsjjiswwdyvawhzmh7rcmpy2mff37syaijna._file
Verdict:
malicious
Similar samples:
2aeae97b66dd8ebfea88b7723e883a6e23c9af62fe567b67f337c330bbaf3a0f
RedLineStealer
56b2f8a9ef26e792177e9f73b38fd2d0225a9e75672af55e803b60390297031e
RedLineStealer
854fafb9118a481083c420e6701ecee2b438700c267a3debfa7d75afb44eab8d
RedLineStealer
87c2869f098859952880ea773440cf19d0177db82b5199d6c1fb80b05119ffb7
RedLineStealer
9952d317f84b0ed92b0dd42832f6ed684835a61b01a9241e620f7c72cdd664dd
RedLineStealer
c9fa04893602e4c0d545f8e9ef0dc2ab5ff712e25328b249cb9cc4c32b297a8f
RedLineStealer
+ 4'395 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/220119-wzxyjacccq/
Behaviour
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
c7a6f348b773167092b2ed297738bb2b59626b763ca57d5f1d8d638739008c45
MD5 hash:
d10e7015b72a02547055e0ab25c6b42b
SHA1 hash:
890d267b16afbc51a0aa8c19e27668f316114e7b
Link:
https://www.unpac.me/results/eebd6e3f-381e-440a-a54e-fafbdeb8e127/
SH256 hash:
22da836421d0b9a7e53ec600647675c3136e83a6fcac0ee2077a2145e3abfb9c
MD5 hash:
e1bad62323481a431c80d80689c3370e
SHA1 hash:
608db08fd6f8acf951fa3b1a5d8939e7f0009e26
Link:
https://www.unpac.me/results/eebd6e3f-381e-440a-a54e-fafbdeb8e127/
SH256 hash:
e0c05584bbe479fe3ca5bab69b8a771e134f98673318a1410cab0afda9d7191d
MD5 hash:
005ea5464174c96ca4fdbe4caad19c57
SHA1 hash:
3f3c54bbcc8c856c8957187378f0594ba09b70c9
Link:
https://www.unpac.me/results/eebd6e3f-381e-440a-a54e-fafbdeb8e127/
SH256 hash:
28485b1285c6246d02f2ac92944ad61e2a0b1f2c3fe2263f1a614bbfcb00425a
MD5 hash:
c0d6f6ce0a6f3072ed60aebf48e6425c
SHA1 hash:
ba014bbfeff7aaa478f32f31b47ac704ade433c3
Link:
https://www.unpac.me/results/eebd6e3f-381e-440a-a54e-fafbdeb8e127/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/28485b1285c6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/28485b1285c6246d02f2ac92944ad61e2a0b1f2c3fe2263f1a614bbfcb00425a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 28485b1285c6246d02f2ac92944ad61e2a0b1f2c3fe2263f1a614bbfcb00425a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1979904/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/220762/

Comments