MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 28a4fc89b3ecdce491137e550252749c41c1ab97cebfb5241b8910de6aeb11fe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 28a4fc89b3ecdce491137e550252749c41c1ab97cebfb5241b8910de6aeb11fe
SHA3-384 hash: cae36dede7cec1d53393704d3926565542dbc2a8b70235a9335684759173a41aaf035866df2d0a2c88bce99ecc2eb1ac
SHA1 hash: d01e8c03db4211ecfda44ad5e14914c45d302116
MD5 hash: 9ce85f8a89b702a06139ca95944129b8
humanhash: north-bakerloo-helium-delta
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:140'288 bytes
First seen:2022-10-31 21:07:42 UTC
Last seen:2022-11-01 05:16:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 3072:1YO/ZMTFXXuIQj/9t1egQ+5zV4DF7yRXjh/SSw/:1YMZMBXXuIQf1xQ3MBjh
Threatray 70 similar samples on MalwareBazaar
TLSH T169D35A1827DDAE18D5BF4B79B470615097F0E143F953E32F4AD164EE2E22B80CE216B6
TrID 48.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
20.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
8.6% (.SCR) Windows screen saver (13101/52/3)
6.9% (.EXE) Win64 Executable (generic) (10523/12/4)
4.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon 5141494747556d1b (107 x RedLineStealer)
Reporter andretavare5
Tags:exe RedLineStealer


Avatar
andretavare5
Sample downloaded from https://vk.com/doc758634356_652212625?hash=M7WKKxb9PcGZpZumez0PCl1EPXs5WX7SuIAxUq2aP0L&dl=G42TQNRTGQZTKNQ:1667245872:UB5yIKjYmLOziDdmRuquKI8ezGYB5rpKrYhpUKDcQhT&api=1&no_preview=1#redcl

Intelligence

File Origin
# of uploads :
7
# of downloads :
369
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-10-31 21:10:53 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/4b355b31-2ac9-4e83-9509-9be9a90c1668

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/326594/
Detection(s):
Win.Malware.Trojanx-9862538-0
Create hunting rule

Win.Trojan.Redline-9938775-1
Create hunting rule

Win.Packed.Lazy-9958163-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Reading critical registry keys
Creating a file in the system32 subdirectories
Creating a file
Сreating synchronization primitives
DNS request
Creating a file in the %temp% directory
Creating a process from a recently created file
Searching for analyzing tools
Launching a process
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
stealer
Link:
https://www.filescan.io/uploads/63603938a5db8d309cbc15d4/reports/bbd59a40-d739-4ed0-b6ac-45f211c19a76/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b96b5a26-3197-484e-be77-c47a6dca0810
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1102068
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 734728 Sample: file.exe Startdate: 31/10/2022 Architecture: WINDOWS Score: 100 39 Snort IDS alert for network traffic 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 Yara detected RedLine Stealer 2->43 45 3 other signatures 2->45 8 file.exe 15 8 2->8         started        process3 dnsIp4 33 80.76.51.172, 19241, 49696 CLOUDCOMPUTINGDE Bulgaria 8->33 35 162.159.130.233, 443, 49698 CLOUDFLARENETUS United States 8->35 37 cdn.discordapp.com 162.159.134.233, 443, 49697 CLOUDFLARENETUS United States 8->37 23 C:\Users\user\...\892947654_protected.exe, PE32+ 8->23 dropped 25 C:\Users\user\AppData\Local\...\892947654.exe, PE32+ 8->25 dropped 27 C:\Users\user\AppData\Local\...\file.exe.log, ASCII 8->27 dropped 47 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->47 49 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 8->49 51 Tries to harvest and steal browser information (history, passwords, etc) 8->51 53 Tries to steal Crypto Currency Wallets 8->53 13 892947654_protected.exe 8->13         started        16 892947654.exe 1 8->16         started        file5 signatures6 process7 dnsIp8 55 Multi AV Scanner detection for dropped file 13->55 57 Query firmware table information (likely to detect VMs) 13->57 59 Tries to detect sandboxes and other dynamic analysis tools (window names) 13->59 65 3 other signatures 13->65 29 youtube-ui.l.google.com 142.250.147.91, 443, 49699 GOOGLEUS United States 16->29 31 www.youtube.com 16->31 61 Antivirus detection for dropped file 16->61 63 Tries to harvest and steal browser information (history, passwords, etc) 16->63 19 cmd.exe 1 16->19         started        signatures9 process10 process11 21 conhost.exe 19->21         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/28a4fc89b3ecdce491137e550252749c41c1ab97cebfb5241b8910de6aeb11fe/
Threat name:
ByteCode-MSIL.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2022-10-31 21:08:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fcspzcnt5toojeitpzkqeututra4dk4xz273kja3rein42xlch7a._file
Verdict:
malicious
Similar samples:
1a0e5a1a5df402e3b102af1e2f57ccd905038f7b1b6f361e35eafe31df424d28
RedLineStealer
212033484641d51e968cecf3f8f2b7cf275f7c69e5c159093cecb73d07ddf1f3
RedLineStealer
2cf662a4d3efa315a348a9fbcaa3a8d4c1915f21d8f8841fc06b5f3c41ffc0c4
RedLineStealer
6a4b9c18783615adb849fdf2951023243f4a7e70d050a912c9dfad60a537fe28
RedLineStealer
6ed5e19aac6c1cf5f1d2cd08f1db7fec2f1455fc79a9ddaa7cc45a8ce43a9fbe
RedLineStealer
88f86bd0c315b807570a8330266fe9c8f04f04cef5c06de8f9f82eda57f10531
RedLineStealer
ffe4c4a59716f349a215096c0c9e4ce0fa3785af7962aa9145d9ddfacefccb20
RedLineStealer
+ 60 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:1 discovery infostealer spyware stealer
Link:
https://tria.ge/reports/221031-zywkvsdah6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine payload
Malware Config
C2 Extraction:
80.76.51.172:19241
Unpacked files
SH256 hash:
28a4fc89b3ecdce491137e550252749c41c1ab97cebfb5241b8910de6aeb11fe
MD5 hash:
9ce85f8a89b702a06139ca95944129b8
SHA1 hash:
d01e8c03db4211ecfda44ad5e14914c45d302116
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/460651bf-fd0f-4447-b7d2-297ace2f537f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/28a4fc89b3ec/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/28a4fc89b3ecdce491137e550252749c41c1ab97cebfb5241b8910de6aeb11fe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/326594/

Comments