MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 28f5fb04e33ee8f3257b1a2c6f4ade3f281b0d474eea4bdde2abe622a1b11994. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 6 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 28f5fb04e33ee8f3257b1a2c6f4ade3f281b0d474eea4bdde2abe622a1b11994
SHA3-384 hash: f23cd647f0ebd379a8bb9d7c61f9f82999633d4529af118ffa34a7075e25dfc3b8b4b818b67b736e7a09d4a3060bc67a
SHA1 hash: 471081db705143de470d474e503206032a439148
MD5 hash: 273fc85ec0936207047fae24cf7630bf
humanhash: two-paris-football-bacon
File name:273fc85ec0936207047fae24cf7630bf
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:509'848 bytes
First seen:2021-11-10 07:53:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 6144:CYEftFvw5vUJ0XZZCZVj0tOHj95BamAmR5nCitkQMZURR:rETvqU6XZZU0tcj95YmdTmQMOR
Threatray 2'625 similar samples on MalwareBazaar
TLSH T112B40D1C21F3D661DE942977CAE3A9097BF200C2476347C857798AFC8625F212EE1FA5
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
111
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/204637/
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm obfuscated overlay packed packed redline
Link:
https://www.filescan.io/uploads/618b7a9e175442ca93aa52e8/reports/0ae832d9-67c5-4bbf-ba61-fd38581f7c2a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/734b2a43-ca36-470d-875f-dab77d5730cb
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/886532
Signature
Found malware configuration
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/28f5fb04e33ee8f3257b1a2c6f4ade3f281b0d474eea4bdde2abe622a1b11994/
Threat name:
ByteCode-MSIL.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-11-07 05:13:50 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fd27wbhdh3upgjl3diwg6sw6h4ubwdkhj3vexxpcvptcfinrdgka._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
1505d3b595d18d1b255253b080bed85334916ff81174a5685a6f3f3433cbe746
RedLineStealer
40387bebfe97eea9c90425caf5519019dfc0e7425bb238246ec9f7bb5d621293
RedLineStealer
4428c955f11bf14ee87a1c6540314b9f24f6adbe848724dab4029242fef22137
RedLineStealer
773b40c8007545afd1b563bdf17dab8225acd4bd6def35e4db95f70fca16371c
RedLineStealer
94cbc6a1b4cc99bbfb3824eab5720009773c04a2b4e628789d7db4f824a78201
RedLineStealer
979489468d527202ce55a465799013a16fccfcc838d523707a016e064a0e85a1
RedLineStealer
d3cfc436366c9d127c7a6233f6531cf6e5863153b41ba4ab6f8fe87f473c8c9d
RedLineStealer
f89908f8594a0dccfb5e52b295075ff63be86c0f5584f990d39dfe2b2c2f9c08
RedLineStealer
fbf130705ed4de523fd2e38a6c64848af5d6e1ce6a268251e7b6d6e3f8089957
RedLineStealer
fd6996eab709c3ed21ef140958d9a9147902336b85b47bc896372a18e469a6fc
RedLineStealer
+ 2'615 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline botnet:34b5c357572382155552cb40207e952f9f95264b discovery infostealer spyware stealer
Link:
https://tria.ge/reports/211110-jrka9agee4/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Raccoon
RedLine
RedLine Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
185.215.113.109:57626
94.26.230.203:48759
Unpacked files
SH256 hash:
118d95eefb2cffda34e95f699d97c8bbc4a3abf5a416b202748b02baac85be4d
MD5 hash:
72709d6813efcc961fb65028f1fe8a57
SHA1 hash:
90d6cee357b6f2238d0eb3921807a99a43e5a03c
Link:
https://www.unpac.me/results/50c795d5-ac84-4d42-8e66-7c0480c4231b/
SH256 hash:
28f5fb04e33ee8f3257b1a2c6f4ade3f281b0d474eea4bdde2abe622a1b11994
MD5 hash:
273fc85ec0936207047fae24cf7630bf
SHA1 hash:
471081db705143de470d474e503206032a439148
Link:
https://www.unpac.me/results/50c795d5-ac84-4d42-8e66-7c0480c4231b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/28f5fb04e33ee8f3257b1a2c6f4ade3f281b0d474eea4bdde2abe622a1b11994

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
Create hunting rule
Author:ditekSHen
Description:Detects executables containing bas64 encoded gzip files
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 28f5fb04e33ee8f3257b1a2c6f4ade3f281b0d474eea4bdde2abe622a1b11994

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1771859/
Cape
Cape
https://www.capesandbox.com/analysis/204637/

Comments


Avatar
zbet commented on 2021-11-10 07:53:25 UTC

url : hxxp://host-host-file6.com/files/7525_1636260291_3969.exe