MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 290a9e12ff38ecfc70608d8f29a6a2de61128e4b1df43c85ad735da4032c32df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 8


Intelligence 8 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 290a9e12ff38ecfc70608d8f29a6a2de61128e4b1df43c85ad735da4032c32df
SHA3-384 hash: 1f589d1f39582e9c24d82384bec0ddf1b7ea07d0310bb109bff86d1235405891b6684256946be096ca4f835259fe3510
SHA1 hash: a29e413f89d283acc5a2751159426c83ad3b4764
MD5 hash: 91bf0ee9195a7b21e5d8de66072bad70
humanhash: leopard-triple-undress-uncle
File name:91bf0ee9195a7b21e5d8de66072bad70.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:716'288 bytes
First seen:2021-07-29 13:25:44 UTC
Last seen:2021-07-29 13:45:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 73b858d062a50af526081774b2460fa4 (1 x RedLineStealer)
ssdeep 12288:958b1vdSi7dpJ0LCoSNdNAyKmGnHcIb5R+HXPhB7GRPYgj1YHyNaRjMHfXbJr+1T:IbVdSi5pJ0LCoIdNAyKm2H5b5R+HXJZL
Threatray 815 similar samples on MalwareBazaar
TLSH T1A4E4BEE1E5490696E80D213714690D0C3A525C7883CFB9B773993FAAAA0FB9D119C37F
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
109.234.34.165:22204

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
109.234.34.165:22204 https://threatfox.abuse.ch/ioc/163783/

Intelligence

File Origin
# of uploads :
2
# of downloads :
118
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
91bf0ee9195a7b21e5d8de66072bad70.exe
Verdict:
Malicious activity
Analysis date:
2021-07-29 13:35:14 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/74455ba2-40e4-4c4b-91b5-1b9f3b0cfe70

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/175032/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.10132.4559.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/a94041a1-8c61-4c0f-98e6-492e90ebb5af
Result
Threat name:
Ficker Stealer RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/823843
Signature
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Suspicious Process Start Without DLL
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected Ficker Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Gathering data
Threat name:
Win32.Trojan.RedLineSteal
Create hunting rule
Status:
Malicious
First seen:
2021-07-29 13:26:06 UTC
AV detection:
11 of 27 (40.74%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fefj4ex7hdwpy4darwhstjvc3zqrfdsldx2dzbnnono2iazmglpq._file
Verdict:
malicious
Similar samples:
420b49fe0c671b7cad57dcdee0839d65c565c5e84a00c0470e5fe7380248d452
RedLineStealer
4cb49a8991c4cb4b86302e68dc84ed87fb8890abb4627f8e8a589d4d4b15412c
RedLineStealer
a651672f98fba458ca8b6861557119c81d12afcb705c457d65dd2b44dcc499fe
RedLineStealer
d8b42431b63037e8b1a15670af84ec3c3f03fe1e397425d410b82a1a35c388a9
RedLineStealer
d9886bd374d41e121835cb726da295b753c5c6307949da904b1cf3b69bc1fcb9
RedLineStealer
eff4049dba8118d9feb24762301082096710681ee2310cf8afa404898ae6a133
RedLineStealer
f9f06739d5c7e8d9c5dd2973d62127cb57c5d663266e78557fbb3c8e06b05629
RedLineStealer
fb53c4089e19cca8c8b8602ef0ae9c9614f3428b31cc7db4486a533d84195f84
RedLineStealer
+ 805 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline infostealer spyware
Link:
https://tria.ge/reports/210729-92nw2qj3je/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
RedLine
RedLine Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
109.234.34.165:22204
Unpacked files
SH256 hash:
b6c9f6d913486473670e58592c5c8e796bb33dbc8781a8091602d30c3b2bc493
MD5 hash:
4cf81cb0fe0d127283e8689bb0184175
SHA1 hash:
27f87b16aca839a17acda7239bd67e93191250f6
Link:
https://www.unpac.me/results/876aca3d-2d60-48b2-8db9-5cafd02b498a/
SH256 hash:
290a9e12ff38ecfc70608d8f29a6a2de61128e4b1df43c85ad735da4032c32df
MD5 hash:
91bf0ee9195a7b21e5d8de66072bad70
SHA1 hash:
a29e413f89d283acc5a2751159426c83ad3b4764
Link:
https://www.unpac.me/results/876aca3d-2d60-48b2-8db9-5cafd02b498a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/290a9e12ff38ecfc70608d8f29a6a2de61128e4b1df43c85ad735da4032c32df

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 290a9e12ff38ecfc70608d8f29a6a2de61128e4b1df43c85ad735da4032c32df

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1478748/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/175032/

Comments