MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 299f5617e8b97e64b6abb3729eb8bc963da332a62d35d52f6069c627de7868f3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 299f5617e8b97e64b6abb3729eb8bc963da332a62d35d52f6069c627de7868f3
SHA3-384 hash: 9db5cec87b6c4c299bdd4d1877a04e9d8a8c53693d2a06446c8d0514c4ee5379fde9a827bc234bf5e68df598e8c9b787
SHA1 hash: 314dc68eca7f1a0cc0914b3808c05a934d6daff3
MD5 hash: 0ba8697527e7e7a6e2563e11eb6118ef
humanhash: romeo-spaghetti-uranus-stream
File name:0ba8697527e7e7a6e2563e11eb6118ef.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'067'232 bytes
First seen:2022-01-12 00:12:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 60ba720a00e0a0ce05b028523a2bf2fa (1 x RedLineStealer)
ssdeep 12288:g54U4V2eu98+3g4U4mb4kjma52c1mm39omXRJ4SNEL4Oz1dx8G9Tpj2Q2PuXPq:mP98+hkjL5l3thmSNizPOATJ2Q2L
TLSH T14D35AE06EF151723F466E57604AA1C1BDE6E7E9B37451A42243EFD7CA2332C362EE016
File icon (PE):PE icon
dhash icon b2f0e4e4f4d8f0ba (1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
91.243.32.97:59763

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
91.243.32.97:59763 https://threatfox.abuse.ch/ioc/294078/

Intelligence

File Origin
# of uploads :
1
# of downloads :
263
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0ba8697527e7e7a6e2563e11eb6118ef.exe
Verdict:
Malicious activity
Analysis date:
2022-01-12 00:19:14 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/da1dfc8b-ac4b-438a-849a-4111b32c9404

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/218415/
Detection(s):
Win.Malware.Generic-9934865-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for analyzing tools
Searching for the window
Сreating synchronization primitives
DNS request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Sending a TCP request to an infection source
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
exploit greyware overlay packed shell32.dll virut wacatac
Link:
https://www.filescan.io/uploads/61de1d101883c5ba4ec2a977/reports/39f0bb23-ac0b-4ad2-a296-20f37835d088/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/517a1349-e12b-4c71-9c56-3a3af344dc73
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/918801
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Connects to many ports of the same IP (likely port scanning)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/299f5617e8b97e64b6abb3729eb8bc963da332a62d35d52f6069c627de7868f3/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-01-10 15:57:20 UTC
File Type:
PE (Exe)
Extracted files:
48
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fgpvmf7ixf7gjnvlwnzj5of4sy62gmvgfu25kl3anhdcpxtyndzq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/220112-ahrjjaabg9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
b2e11e94c68b8b8ddfc0f4e8c1b8f691a03e46020e41a3ef938422532fc7185c
MD5 hash:
3688221460e6df271f534fef0abad687
SHA1 hash:
033c74f0903deaaf35149ca608a6658c0c767ec5
Link:
https://www.unpac.me/results/b7cf2c9d-340b-4305-b62c-cf58cf191e3c/
SH256 hash:
299f5617e8b97e64b6abb3729eb8bc963da332a62d35d52f6069c627de7868f3
MD5 hash:
0ba8697527e7e7a6e2563e11eb6118ef
SHA1 hash:
314dc68eca7f1a0cc0914b3808c05a934d6daff3
Link:
https://www.unpac.me/results/b7cf2c9d-340b-4305-b62c-cf58cf191e3c/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/299f5617e8b9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/299f5617e8b97e64b6abb3729eb8bc963da332a62d35d52f6069c627de7868f3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 299f5617e8b97e64b6abb3729eb8bc963da332a62d35d52f6069c627de7868f3

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/218415/
  
URLhaus
https://urlhaus.abuse.ch/url/1828281/
  
Delivery method
Distributed via web download

Comments